From 4d1c19ffa9df75690af8776550c510713c284d37 Mon Sep 17 00:00:00 2001 
From: Roi Lubetkin Date: Tue, 7 Jun 2022 12:11:22 +0300 Subject: [PATCH] fix(queries): align descriptionText to similar queries across different platforms --- assets/queries/ansible/aws/efs_without_kms/metadata.json | 2 +- .../aws/iam_policy_grants_full_permissions/metadata.json | 2 +- assets/queries/ansible/aws/instance_with_no_vpc/metadata.json | 2 +- .../ansible/aws/rds_with_backup_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../ansible/aws/sqs_policy_with_public_access/metadata.json | 2 +- .../queries/ansible/aws/sqs_with_sse_disabled/metadata.json | 2 +- .../trusted_microsoft_services_not_enabled/metadata.json | 2 +- .../ansible/gcp/rdp_access_is_not_restricted/metadata.json | 2 +- .../cloudFormation/aws/alb_listening_on_http/metadata.json | 2 +- .../aws/api_gateway_with_open_access/metadata.json | 2 +- .../aws/api_gateway_xray_disabled/metadata.json | 2 +- .../aws/cdn_configuration_is_missing/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/ecr_image_tag_not_immutable/metadata.json | 2 +- .../cloudFormation/aws/efs_not_encrypted/metadata.json | 2 +- .../aws/guardduty_detector_disabled/metadata.json | 2 +- .../aws/iam_password_without_lowercase_letter/metadata.json | 2 +- .../aws/iam_password_without_minimum_length/metadata.json | 2 +- .../aws/iam_password_without_symbol/metadata.json | 2 +- .../aws/iam_password_without_uppercase_letter/metadata.json | 2 +- .../aws/iam_policies_with_full_privileges/metadata.json | 2 +- .../aws/kms_key_with_vulnerable_policy/metadata.json | 2 +- .../aws/lambda_permission_misconfigured/metadata.json | 2 +- .../aws/lambda_permission_principal_is_wildcard/metadata.json | 2 +- .../aws/msk_cluster_encryption_disabled/metadata.json | 2 +- .../aws/root_account_has_active_access_keys/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 
2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../cloudFormation/aws/sqs_with_sse_disabled/metadata.json | 2 +- .../aws/viewer_protocol_policy_allows_http/metadata.json | 2 +- .../cloudFormation/aws/vpc_flowlogs_disabled/metadata.json | 2 +- .../dockerCompose/shared_host_ipc_namespace/metadata.json | 2 +- .../cloud_storage_bucket_versioning_disabled/metadata.json | 2 +- .../k8s/containers_with_added_capabilities/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/api_gateway_xray_disabled/metadata.json | 2 +- .../metadata.json | 2 +- assets/queries/terraform/aws/efs_without_kms/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/iam_policy_grants_full_permissions/metadata.json | 2 +- .../queries/terraform/aws/instance_with_no_vpc/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/rds_with_backup_disabled/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/sqs_policy_with_public_access/metadata.json | 2 +- .../aws/user_data_shell_script_is_encoded/metadata.json | 2 +- .../trusted_microsoft_services_not_enabled/metadata.json | 2 +- .../terraform/gcp/cloud_dns_without_dnssec/metadata.json | 4 ++-- .../test/positive_expected_result.json | 2 +- .../terraform/gcp/rdp_access_is_not_restricted/metadata.json | 2 +- .../kubernetes/container_is_privileged/metadata.json | 2 +- .../terraform/kubernetes/image_without_digest/metadata.json | 2 +- .../kubernetes/liveness_probe_is_not_defined/metadata.json | 2 +- .../kubernetes/memory_limits_not_defined/metadata.json | 2 +- .../kubernetes/memory_requests_not_defined/metadata.json | 2 +- .../net_raw_capabilities_not_being_dropped/metadata.json | 2 +- .../kubernetes/privilege_escalation_allowed/metadata.json | 2 +- .../terraform/kubernetes/psp_set_to_privileged/metadata.json | 2 +- .../rbac_roles_with_read_secrets_permissions/metadata.json | 2 +- .../secoomp_profile_is_not_configured/metadata.json | 2 +- 71 files changed, 72 insertions(+), 72 deletions(-) 
diff --git a/assets/queries/ansible/aws/efs_without_kms/metadata.json b/assets/queries/ansible/aws/efs_without_kms/metadata.json
index fbe560c0e4b..2ae721665ea 100644
--- a/assets/queries/ansible/aws/efs_without_kms/metadata.json
+++ b/assets/queries/ansible/aws/efs_without_kms/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "EFS Without KMS",
 "severity": "HIGH",
 "category": "Encryption",
- "descriptionText": "Elastic File System (EFS) must have KMS Key ID",
+ "descriptionText": "Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id",
 "platform": "Ansible",
 "descriptionID": "a01870d5",
diff --git a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json
index 154394c965a..a0aab44e8e4 100644
--- a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json
+++ b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "IAM Policy Grants Full Permissions",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "IAM policies allow all ('*') in a statement action",
+ "descriptionText": "Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "97b2a82d",
diff --git a/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json b/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json
index ef2496112da..13e0be92697 100644
--- a/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json
+++ b/assets/queries/ansible/aws/instance_with_no_vpc/metadata.json
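Review bot: The new descriptionText in the efs_without_kms hunk says `KMS CMK customer-managed keys`, which is doubly redundant (CMK already expands to customer master key, a term AWS has since replaced with "KMS key"). The descriptionUrl below it points only at the `kms_key_id` parameter, so if the query merely checks that a key ID is set it cannot distinguish a customer-managed key from the AWS-managed `aws/elasticfilesystem` key — confirm against the query body (not visible here) before the text promises that distinction. Suggested wording: `"descriptionText": "Amazon Elastic File System (EFS) should have encryption enabled with a customer-managed KMS key (kms_key_id) rather than the AWS-managed key"`.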
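Review bot: The new descriptionText in the iam_policy_grants_full_permissions hunk drops the only concrete criterion the old text had, the `'*'` wildcard in a statement's Action, and replaces it with general advice about granting permissions gradually. A user reading a finding needs to know what matched, so keep the condition: `"descriptionText": "IAM policies should not grant full permissions ('*' in a statement's Action); grant permissions incrementally as they become necessary"`. "From the get-go" is also too colloquial for a finding description that is meant to align across platforms.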
@@ -3,7 +3,7 @@
 "queryName": "Instance With No VPC",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Instance should be configured in VPC (Virtual Private Cloud)",
+ "descriptionText": "EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html",
 "platform": "Ansible",
 "descriptionID": "27754eca",
diff --git a/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json b/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json
index 3583795f78b..ddcfbdb9f3b 100644
--- a/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json
+++ b/assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "RDS With Backup Disabled",
 "severity": "MEDIUM",
 "category": "Backup",
- "descriptionText": "RDS configured without backup",
+ "descriptionText": "Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-backup_retention_period",
 "platform": "Ansible",
 "descriptionID": "51f94eee",
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
index 271fcc0754f..adec66726e5 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket Allows Delete Action From All Principals",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
+ "descriptionText": "S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
 "platform": "Ansible",
 "descriptionID": "7c11444e",
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
index cb33f8fb4ca..beb63b124d1 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket Allows Get Action From All Principals",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
+ "descriptionText": "S3 Buckets must not allow Get Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
 "platform": "Ansible",
 "descriptionID": "de0687eb",
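Review bot: The new descriptionText in the s3_bucket_allows_get_action_from_all_principals hunk says `Get Actions` (plural) while the Delete, List and Put siblings in this same commit say `Action`, and the CloudFormation delete hunk later in this patch corrects `Actions` back to `Action` — this is exactly the cross-platform inconsistency the commit set out to remove. The copied consequence clause also fits Get poorly: an open Get grant leaks data but does not by itself allow tampering or deletion. Suggested: `"descriptionText": "S3 Buckets must not allow Get Action From All Principals, so as to prevent leaking private information to the entire internet. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals."`.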
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
index 1a514d90826..f0ae224fa25 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket Allows List Action From All Principals",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
+ "descriptionText": "S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
 "platform": "Ansible",
 "descriptionID": "8232deb2",
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
index 81045ea2d71..4ab3918092d 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket Allows Put Action From All Principals",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
+ "descriptionText": "S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
 "platform": "Ansible",
 "descriptionID": "772b17ca",
diff --git a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
index 29b4b90ac1a..9092a332dc5 100644
--- a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "HIGH",
 "category": "Networking and Firewall",
- "descriptionText": "SSH' (TCP:22) should not be public in AWS Security Group",
+ "descriptionText": "'SSH' (TCP:22) should not be public in AWS Security Group",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
 "platform": "Ansible",
 "descriptionID": "ea2f2c57",
diff --git a/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json b/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json
index f690ec87f2f..414f7d47a5c 100644
--- a/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json
+++ b/assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "SQS Policy With Public Access",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "SQS policy with public access",
+ "descriptionText": "Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html",
 "platform": "Ansible",
 "descriptionID": "dd40b568",
diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
index 050c166f447..ce474521842 100644
--- a/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "SQS with SSE disabled",
 "severity": "MEDIUM",
 "category": "Encryption",
- "descriptionText": " SQS Queue should be protected with CMK encryption",
+ "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#ansible-collections-community-aws-sqs-queue-module",
 "platform": "Ansible",
 "descriptionID": "7825cf30",
diff --git a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json
index 362374011ec..d5d95e1a0df 100644
--- a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json
+++ b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json
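Review bot: The new descriptionText in the sqs_policy_with_public_access hunk no longer mentions public access at all, although the queryName is "SQS Policy With Public Access"; "dangerous permissions in Action statements" describes a different check (over-broad actions) than a wildcard Principal. Name the condition the finding is about: `"descriptionText": "SQS Queue Policy should not grant actions to a wildcard Principal ('*'); a public policy lets anyone on the internet send, receive or delete messages, depending on the actions allowed"`. Whether the query also inspects the Action list is not visible here, so keep the Action clause only if it does.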
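Review bot: The new descriptionText in the sqs_with_sse_disabled hunk has a number mismatch, `queue is not protecting the contents of their messages`, and is phrased as a finding rather than as the requirement the other descriptions in this commit use. Suggested: `"descriptionText": "Amazon Simple Queue Service (SQS) queues should protect the contents of their messages using Server-Side Encryption (SSE)"`. The removed text required a CMK; if the query still specifically requires a customer-managed KMS key, say so, because SSE-SQS with the AWS-owned key would otherwise read as satisfying the check.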
@@ -3,7 +3,7 @@
 "queryName": "Trusted Microsoft Services Not Enabled",
 "severity": "HIGH",
 "category": "Networking and Firewall",
- "descriptionText": "Ensure Trusted Microsoft Services have Storage Account access.",
+ "descriptionText": "Trusted Microsoft Services should be enabled for Storage Account access",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls/bypass",
 "platform": "Ansible",
 "descriptionID": "e86db9c1",
diff --git a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json
index 4e3b187fec7..1ea4af954d8 100644
--- a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json
+++ b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "RDP Access Is Not Restricted",
 "severity": "MEDIUM",
 "category": "Networking and Firewall",
- "descriptionText": "Check if the Google compute firewall allows unrestricted RDP access.",
+ "descriptionText": "Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html",
 "platform": "Ansible",
 "descriptionID": "23f68cd6",
diff --git a/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json b/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json
index 56d8e10c769..8287ddeb661 100644
--- a/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json
+++ b/assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json
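Review bot: The sentence added in the rdp_access_is_not_restricted hunk, `Allowed ports should not contain RDP port 3389`, states an absolute rule that contradicts the first sentence: allowing 3389 from a restricted source range is normal, and it is 3389 exposed to `0.0.0.0/0` that the queryName objects to. Suggested: `"descriptionText": "Check if the Google compute firewall allows unrestricted RDP access. A rule whose source ranges include 0.0.0.0/0 should not allow TCP port 3389"`. The query body is not visible here, so confirm that a source-range condition is what it actually implements.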
@@ -3,7 +3,7 @@
 "queryName": "ALB Listening on HTTP",
 "severity": "HIGH",
 "category": "Networking and Firewall",
- "descriptionText": "All Application Load Balancers (ALB) should block connection requests over HTTP",
+ "descriptionText": "AWS Application Load Balancer (alb) should not listen on HTTP",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-listener.html#cfn-ec2-elb-listener-protocol",
 "platform": "CloudFormation",
 "descriptionID": "55f05412",
diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json
index ab245fa1c2e..4495ad48b36 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "API Gateway With Open Access",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "API Gateway Method should restrict an authorization type, except for the HTTP OPTIONS method.",
+ "descriptionText": "API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html",
 "platform": "CloudFormation",
 "descriptionID": "d8d6ab46",
diff --git a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json
index 59ebda78095..99b70ede84a 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json
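Review bot: The new descriptionText in the alb_listening_on_http hunk, `should not listen on HTTP`, as written also condemns the standard HTTP-to-HTTPS redirect listener (port 80 with a single redirect default action), which is the AWS-recommended way to force TLS. Unless the query exempts redirect actions (not visible here), qualify the text and capitalise the acronym: `"descriptionText": "AWS Application Load Balancer (ALB) should not listen on HTTP unless the listener only redirects to HTTPS"`. Separately, the unchanged descriptionUrl points at the Classic ELB `Listeners` property page (aws-properties-ec2-elb-listener) rather than `AWS::ElasticLoadBalancingV2::Listener`, so the link may not match the resource an ALB query inspects.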
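Review bot: `should restrict the authorization type` in the new api_gateway_with_open_access descriptionText does not say what "restrict" means, so a reader cannot tell which template value produced the finding. The property on the linked AWS::ApiGateway::Method resource is `AuthorizationType` and the open value is `NONE`; suggested: `"descriptionText": "API Gateway Method should have an AuthorizationType other than NONE, except for the HTTP OPTIONS method (used for CORS preflight)."`.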
@@ -3,7 +3,7 @@
 "queryName": "API Gateway X-Ray Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "X-Ray Tracing is not enabled",
+ "descriptionText": "API Gateway should have X-Ray Tracing enabled",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-tracingenabled",
 "platform": "CloudFormation",
 "descriptionID": "7db1d7b0",
diff --git a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json
index 9cb4f8a5adb..4e37634143e 100644
--- a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json
+++ b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "CDN Configuration Is Missing",
 "severity": "LOW",
 "category": "Best Practices",
- "descriptionText": "Content Delivery Network (CDN) service is used within AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.",
+ "descriptionText": "Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html",
 "platform": "CloudFormation",
 "descriptionID": "6a8090b9",
diff --git a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json
index 96decdfcdac..71d5678856b 100644
--- a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json
+++ b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Default Security Groups With Unrestricted Traffic",
 "severity": "HIGH",
 "category": "Networking and Firewall",
- "descriptionText": "Security Groups set as default must be denied traffic.",
+ "descriptionText": "Check if default security group does not restrict all inbound and outbound traffic.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "50b0269e",
diff --git a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json
index 9c847ec39a9..f43e9d7aa24 100644
--- a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "ECR Image Tag Not Immutable",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "ECR should have an image tag be immutable",
+ "descriptionText": "ECR should have an image tag be immutable. This prevents image tags from being overwritten.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html",
 "platform": "CloudFormation",
 "descriptionID": "a4ed2a4f",
diff --git a/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json
index ac96953478e..b527e6f9c6b 100644
--- a/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json
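Review bot: The new descriptionText in the default_security_groups_with_unrestricted_traffic hunk, `Check if default security group does not restrict all inbound and outbound traffic.`, is a double negative that reads backwards from the requirement. Suggested: `"descriptionText": "The default security group should restrict all inbound and outbound traffic, i.e. define no ingress or egress rules"`. How the query recognises the default group (a GroupName of "default" or otherwise) is not visible here; if it keys on the name, saying so in the text helps users understand why a resource matched.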
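Review bot: `ECR should have an image tag be immutable` in the new ecr_image_tag_not_immutable descriptionText is ungrammatical and does not name the property, while the added second sentence is the useful part. Suggested: `"descriptionText": "ECR repositories should set ImageTagMutability to IMMUTABLE, so an existing tag cannot be silently overwritten with a different image"`. That also spells out the supply-chain point: with a mutable tag, a later push changes what every deployment referencing that tag pulls.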
@@ -3,7 +3,7 @@
 "queryName": "EFS Not Encrypted",
 "severity": "HIGH",
 "category": "Encryption",
- "descriptionText": "Amazon Elastic Filesystem should have filesystem encryption enabled",
+ "descriptionText": "Elastic File System (EFS) must be encrypted",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html",
 "platform": "CloudFormation",
 "descriptionID": "e168cb44",
diff --git a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json
index 0680b8e4625..ac87814e9f1 100644
--- a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "GuardDuty Detector Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "Make sure that Amazon GuardDuty is Enabled.",
+ "descriptionText": "Make sure that Amazon GuardDuty is Enabled",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-detector.html",
 "platform": "CloudFormation",
 "descriptionID": "cae19394",
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json
index c4e88431ae8..8ad05f105f3 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "IAM Password Without Lowercase Letter",
 "severity": "MEDIUM",
 "category": "Best Practices",
- "descriptionText": "IAM user resource Login Profile Password should have lowercase letter",
+ "descriptionText": "Check if IAM account password has at least one lowercase letter",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
 "platform": "CloudFormation",
 "descriptionID": "b98bf93c",
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json
index 98c2cd4f16e..b180319ec9b 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "IAM Password Without Minimum Length",
 "severity": "MEDIUM",
 "category": "Best Practices",
- "descriptionText": "IAM user resource Login Profile Password should have at least 14 characters",
+ "descriptionText": "Check if IAM account password has the required minimum length",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
 "platform": "CloudFormation",
 "descriptionID": "46859482",
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json
index 47483e6b46f..73e7247234e 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json
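Review bot: The new descriptionText in the iam_password_without_lowercase_letter hunk says `IAM account password`, but CloudFormation has no account password-policy resource; the linked scenario (quickref-iam.html#scenario-iam-user) is an AWS::IAM::User with a LoginProfile, so what is checked is the literal `Password` string in the template, which the removed text described correctly. Suggested: `"descriptionText": "Check if the IAM user's LoginProfile Password has at least one lowercase letter"`. It is also worth telling the user that a plaintext password in a template is a secret committed to IaC, whichever characters it contains, and that it should come from a parameter with NoEcho or a secrets store instead.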
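Review bot: The new descriptionText in the iam_password_without_minimum_length hunk replaces the concrete threshold, `at least 14 characters`, with `the required minimum length`, which tells the user nothing about what to fix. Unless the threshold in the query changed (the query body is not visible here), keep the number and the real subject: `"descriptionText": "Check if the IAM user's LoginProfile Password has at least 14 characters"`. The same "IAM account password" wording issue applies to the lowercase, symbol and uppercase siblings in this commit.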
@@ -3,7 +3,7 @@
 "queryName": "IAM Password Without Symbol",
 "severity": "MEDIUM",
 "category": "Best Practices",
- "descriptionText": "IAM user resource Login Profile Password should have at least one symbol",
+ "descriptionText": "Check if IAM account password has the required symbols",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
 "platform": "CloudFormation",
 "descriptionID": "7ec4df0d",
diff --git a/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json b/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json
index 9466754a7ce..56e5a268330 100644
--- a/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "IAM Password Without Uppercase Letter",
 "severity": "MEDIUM",
 "category": "Best Practices",
- "descriptionText": "IAM user resource Login Profile Password should have at least one uppercase letter",
+ "descriptionText": "Check if IAM account password has at least one uppercase letter",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
 "platform": "CloudFormation",
 "descriptionID": "9d55d1e4",
diff --git a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json
index 3a0d1f4d4f5..34ba4d5260a 100644
--- a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json
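Review bot: `has the required symbols` in the new iam_password_without_symbol descriptionText is vaguer than the text it replaces (`at least one symbol`) and implies a specific set of required symbols that the query presumably does not define. Suggested: `"descriptionText": "Check if the IAM user's LoginProfile Password has at least one symbol"`. As with the sibling password queries in this commit, "IAM account password" misdescribes a check on a CloudFormation LoginProfile value, since no account password policy exists as a CloudFormation resource.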
@@ -3,7 +3,7 @@
 "queryName": "IAM Policies With Full Privileges",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "IAM policies shouldn't allow full administrative privileges",
+ "descriptionText": "IAM policies that allow full administrative privileges (for all resources)",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html",
 "platform": "CloudFormation",
 "descriptionID": "faa72156",
diff --git a/assets/queries/cloudFormation/aws/kms_key_with_vulnerable_policy/metadata.json b/assets/queries/cloudFormation/aws/kms_key_with_vulnerable_policy/metadata.json
index e65a0ca843b..66b9a20e069 100644
--- a/assets/queries/cloudFormation/aws/kms_key_with_vulnerable_policy/metadata.json
+++ b/assets/queries/cloudFormation/aws/kms_key_with_vulnerable_policy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
 "category": "Insecure Configurations",
- "descriptionText": "Checks if the policy is vulnerable and needs updating",
+ "descriptionText": "Checks if the policy is vulnerable and needs updating.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy",
 "platform": "CloudFormation",
 "descriptionID": "1f88b704",
diff --git a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json
index d86e1072584..eb1cddf936a 100644
--- a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json
+++ b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json
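Review bot: The new descriptionText in the iam_policies_with_full_privileges hunk is a sentence fragment, `IAM policies that allow full administrative privileges (for all resources)`, whereas every other description in this patch states a requirement. Suggested: `"descriptionText": "IAM policies should not allow full administrative privileges, i.e. a statement with Action '*' on Resource '*'"`. The Action/Resource detail is the usual definition of this check (CIS AWS Foundations, "no IAM policies that allow full *:* administrative privileges"); confirm it matches the query body, which is not visible here, before adopting it.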
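Review bot: The kms_key_with_vulnerable_policy hunk only adds a full stop to `Checks if the policy is vulnerable and needs updating.`, leaving a description that never says what "vulnerable" means, and this wording-alignment commit is the natural place to fix that. If the query flags a KeyPolicy statement that allows kms actions to a wildcard Principal (the common definition), say so: `"descriptionText": "KMS key policy should not allow KMS actions to a wildcard Principal ('*'), which exposes the key to any AWS account"`. The query body is not visible here, so adjust the condition if it differs.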
@@ -3,7 +3,7 @@
 "queryName": "Lambda Permission Misconfigured",
 "severity": "LOW",
 "category": "Best Practices",
- "descriptionText": "Lambda permission may be misconfigured if the action field is not filled in by 'lambda: InvokeFunction'",
+ "descriptionText": "Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'",
 "descriptionUrl": "https://docs.aws.amazon.com/pt_br/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html",
 "platform": "CloudFormation",
 "descriptionID": "dec6dd24",
diff --git a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json
index e0e54633407..50d6e770117 100644
--- a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json
+++ b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Lambda Permission Principal Is Wildcard",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Lambda Permission Principal should not be wildcard.",
+ "descriptionText": "Lambda Permission Principal should not contain a wildcard.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html",
 "platform": "CloudFormation",
 "descriptionID": "cfa9120c",
diff --git a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json
index 866c0a6ec25..a3f7db1a0c0 100644
--- a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "MSK Cluster Encryption Disabled",
 "severity": "HIGH",
 "category": "Encryption",
- "descriptionText": "Ensure MSK Cluster encryption in rest and transit is enabled.",
+ "descriptionText": "Ensure MSK Cluster encryption in rest and transit is enabled",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-cluster.html",
 "platform": "CloudFormation",
 "descriptionID": "c8e65b67",
diff --git a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json
index 6406984f501..bcb023a5fba 100644
--- a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json
+++ b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Root Account Has Active Access Keys",
 "severity": "HIGH",
 "category": "Insecure Configurations",
- "descriptionText": "Check if the root user has any access keys associated to it.",
+ "descriptionText": "The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html",
 "platform": "CloudFormation",
 "descriptionID": "195ebcdb",
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
index 2e51b1768c6..aa8a974fe77 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
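Review bot: The msk_cluster_encryption_disabled hunk keeps `encryption in rest and transit`, which should read "at rest and in transit"; since the hunk already rewrites this string, fix the preposition at the same time: `"descriptionText": "Ensure MSK Cluster encryption at rest and in transit is enabled"`. If the query checks both EncryptionInfo.EncryptionAtRest and EncryptionInTransit (ClientBroker set to TLS), naming those properties would help users find the fix; which of them it checks is not visible here.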
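Review bot: The new descriptionText in the root_account_has_active_access_keys hunk tells users that root access keys are acceptable as long as `they must be inactive`. That is weaker than AWS guidance and CIS AWS Foundations 1.4, which require that the root account have no access keys at all, since an inactive key can be re-enabled by anyone who can call iam:UpdateAccessKey and still represents a long-lived root credential. Suggested: `"descriptionText": "The AWS Root Account must not have access keys associated with it; any existing root access keys should be deleted rather than merely deactivated"`. If the query only matches Status: Active (as the queryName suggests), keep that as the match condition but do not present deactivation as the remediation.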
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 Buckets sould not be readable and writable to all users",
+ "descriptionText": "S3 Buckets should not be readable and writable to all users",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "68456465",
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
index d71751834d8..766356fe807 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 Buckets sould not be readable and writable to all users",
+ "descriptionText": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "25d149a4",
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json
index ed55a5045ad..2fd15659044 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/metadata.json
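Review bot: The typo fix in the first hunk keeps "readable and writable", which tells the reader that both grants must be present before the bucket is a problem, whereas the query name says "Read Or Write" and a bucket that is only publicly readable is already a data exposure. Suggest `"descriptionText": "S3 Buckets should not be readable or writable by all users"`. The same "and" wording is copied into the Terraform query of the same name later in this patch, so both should carry the corrected form.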
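Review bot: The replacement descriptionText for S3 Bucket ACL Allows Read to Any Authenticated User no longer states what the query detects: it is a generic sentence about misconfigured buckets that applies equally to the AllUsers query in the previous hunk, and it drops the "authenticated user" condition that gives this finding its meaning. The point worth making to the reader is that the AuthenticatedUsers grantee means any holder of an AWS account, not just principals in your own account, so such a bucket is effectively public. Suggest `"descriptionText": "S3 Buckets should not be readable by any authenticated AWS user, since that grantee includes every AWS account and is effectively public access"`.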
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket Allows Delete Action From All Principals",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 Buckets must not allow Delete Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.",
+ "descriptionText": "S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "0a34aa34",
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json
index d0699a20cab..694d0f6442c 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket Allows List Action From All Principals",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 Buckets must not allow List Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.",
+ "descriptionText": "S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "755801fc",
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json
index df7c1cb5965..c27040fea18 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket Allows Put Action From All Principals",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 Buckets must not allow Put Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.",
+ "descriptionText": "S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation",
 "descriptionID": "9d094f81",
diff --git a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json
index b083cefa73b..f1a241fb205 100644
--- a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "HIGH",
 "category": "Networking and Firewall",
- "descriptionText": "Security Groups allows all traffic for SSH (port:22)",
+ "descriptionText": "'SSH' (TCP:22) should not be public in AWS Security Group",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
 "platform": "CloudFormation",
 "descriptionID": "d515d6dc",
diff --git a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
index 171502e2eaf..42092e5376d 100644
--- a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
+++ b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "SNS topic Publicity Should not have Allow and NotAction at the same time, if it has Allow it should have Action",
+ "descriptionText": "SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-sns-policy",
 "platform": "CloudFormation",
 "descriptionID": "a4bd80b0",
diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
index da6063d38eb..a0a4d802b0e 100644
--- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "SQS with SSE disabled",
 "severity": "MEDIUM",
 "category": "Encryption",
- "descriptionText": "AWS SQS Queue should have a KMS Master Key defined",
+ "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid",
 "platform": "CloudFormation",
 "descriptionID": "7c3c1b44",
diff --git a/assets/queries/cloudFormation/aws/viewer_protocol_policy_allows_http/metadata.json b/assets/queries/cloudFormation/aws/viewer_protocol_policy_allows_http/metadata.json
index af8f3838bd8..1292725157f 100644
--- a/assets/queries/cloudFormation/aws/viewer_protocol_policy_allows_http/metadata.json
+++ b/assets/queries/cloudFormation/aws/viewer_protocol_policy_allows_http/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Viewer Protocol Policy Allows HTTP",
 "severity": "HIGH",
 "category": "Encryption",
- "descriptionText": "Ensure that the Viewer Protocol is only HTTPS Compliant",
+ "descriptionText": "Checks if the connection between the CloudFront and the origin server is encrypted",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html",
 "platform": "CloudFormation",
 "descriptionID": "bf860aba",
diff --git a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json
index 285f743d993..14e3a5da997 100644
--- a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/metadata.json
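Review bot: The new descriptionText for SQS with SSE disabled is fine on the security point, but it is the only description in this patch written as a statement about a specific queue ("queue is not protecting the contents of their messages") rather than as the expected state, and "their" does not agree with the singular "queue". The descriptionUrl still anchors on KmsMasterKeyId, so if the Rego only checks that property, a queue encrypted with SQS-managed SSE would be reported as unencrypted; that is not visible here but the wording should not promise more than the check does. Suggest `"descriptionText": "Amazon SQS queues should protect the contents of their messages with Server-Side Encryption (SSE), for example by setting a KmsMasterKeyId"`.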
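Review bot: The new descriptionText for Viewer Protocol Policy Allows HTTP describes the wrong leg of the connection: ViewerProtocolPolicy governs the connection between the client (viewer) and the CloudFront edge, while the CloudFront-to-origin leg is controlled by OriginProtocolPolicy. A user who reads this finding and hardens the origin protocol will believe it resolved while viewers can still reach the distribution over plaintext HTTP, which is exactly what the query name says it flags. The old text ("Viewer Protocol is only HTTPS Compliant") was at least pointing at the right setting. Suggest `"descriptionText": "CloudFront Viewer Protocol Policy should not allow plain HTTP between viewers and the distribution; use 'https-only' or 'redirect-to-https'"`.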
@@ -3,7 +3,7 @@
 "queryName": "VPC FlowLogs Disabled",
 "severity": "LOW",
 "category": "Observability",
- "descriptionText": "VPC hasn't got any FlowLog associated",
+ "descriptionText": "Every VPC resource should have an associated Flow Log",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html",
 "platform": "CloudFormation",
 "descriptionID": "0fb02ca5",
diff --git a/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json b/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json
index e0aecb726d3..0b2e053f79b 100644
--- a/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json
+++ b/assets/queries/dockerCompose/shared_host_ipc_namespace/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Shared Host IPC Namespace",
 "severity": "MEDIUM",
 "category": "Resource Management",
- "descriptionText": "The host IPC namespace should not be shared.",
+ "descriptionText": "Container should not share the host IPC namespace",
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
 "platform": "DockerCompose",
 "descriptionID": "987dc2d7"
diff --git a/assets/queries/googleDeploymentManager/cloud_storage_bucket_versioning_disabled/metadata.json b/assets/queries/googleDeploymentManager/cloud_storage_bucket_versioning_disabled/metadata.json
index 3c60a3b4601..79e0e952e8c 100644
--- a/assets/queries/googleDeploymentManager/cloud_storage_bucket_versioning_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/cloud_storage_bucket_versioning_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Cloud Storage Bucket Versioning Disabled",
 "severity": "HIGH",
 "category": "Observability",
- "descriptionText": "Cloud Storage Bucket should be enabled",
+ "descriptionText": "Object Versioning not fully enabled on Cloud Storage Bucket",
 "descriptionUrl": "https://cloud.google.com/storage/docs/json_api/v1/buckets",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "9b7ba7de",
diff --git a/assets/queries/k8s/containers_with_added_capabilities/metadata.json b/assets/queries/k8s/containers_with_added_capabilities/metadata.json
index f59cb74256b..dfaee44a60d 100644
--- a/assets/queries/k8s/containers_with_added_capabilities/metadata.json
+++ b/assets/queries/k8s/containers_with_added_capabilities/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Containers With Added Capabilities",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Containers should not have added capability",
+ "descriptionText": "Kubernetes Pod should not have extra capabilities allowed",
 "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
 "platform": "Kubernetes",
 "descriptionID": "719acefd"
diff --git a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json
index c298a28dbc5..a37522ce747 100644
--- a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json
+++ b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce",
 "severity": "MEDIUM",
 "category": "Build Process",
- "descriptionText": "Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'",
+ "descriptionText": "Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/",
 "platform": "Kubernetes",
 "descriptionID": "f4e48914"
diff --git a/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json b/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json
index cc4b8f1693c..a15fda3a0a3 100644
--- a/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json
+++ b/assets/queries/terraform/aws/api_gateway_xray_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "API Gateway X-Ray Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "X-ray Tracing is not enabled",
+ "descriptionText": "API Gateway should have X-Ray Tracing enabled",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#xray_tracing_enabled",
 "platform": "Terraform",
 "descriptionID": "21e236a0",
diff --git a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
index 9bfd24263b6..8eacd54d32d 100644
--- a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
+++ b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "ECS Task Definition Network Mode Not Recommended",
 "severity": "HIGH",
 "category": "Insecure Configurations",
- "descriptionText": "Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations",
+ "descriptionText": "Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#network_mode",
 "platform": "Terraform",
 "descriptionID": "61f295c5",
diff --git a/assets/queries/terraform/aws/efs_without_kms/metadata.json b/assets/queries/terraform/aws/efs_without_kms/metadata.json
index cd6e64f20a7..b05108360c5 100644
--- a/assets/queries/terraform/aws/efs_without_kms/metadata.json
+++ b/assets/queries/terraform/aws/efs_without_kms/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "EFS Without KMS",
 "severity": "HIGH",
 "category": "Encryption",
- "descriptionText": "Elastic File System (EFS) must have KMS Key ID",
+ "descriptionText": "Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#kms_key_id",
 "platform": "Terraform",
 "descriptionID": "c5dfddad",
diff --git a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json
index 1b74cade4b3..f2aabdf844f 100644
--- a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "ElasticSearch Encryption With KMS Disabled",
 "severity": "MEDIUM",
 "category": "Encryption",
- "descriptionText": "Check if any ElasticSearch domain isn't encrypted with KMS",
+ "descriptionText": "Check if any ElasticSearch domain isn't encrypted with KMS.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain",
 "platform": "Terraform",
 "descriptionID": "65a94cf1",
diff --git a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json
index 7e0cfc14261..f2e2d29bebd 100644
--- a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json
+++ b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "IAM Policy Grants Full Permissions",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "IAM policies allow all ('*') in a statement action",
+ "descriptionText": "Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy",
 "platform": "Terraform",
 "descriptionID": "f20cf2cf",
diff --git a/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json b/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json
index 87e7e1b261b..5d1f961f37e 100644
--- a/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json
+++ b/assets/queries/terraform/aws/instance_with_no_vpc/metadata.json
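Review bot: The ElasticSearch hunk only adds a trailing period, while the MSK hunk earlier in this patch removes one and most other descriptions in the patch end without punctuation, so the "alignment" this commit sets out to do is being applied in both directions. A single rule (no trailing period for one-sentence descriptions, periods only when there are several sentences) applied across all the touched files would make the set consistent; for this hunk that means leaving the original `"descriptionText": "Check if any ElasticSearch domain isn't encrypted with KMS"` unchanged.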
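Review bot: The replacement descriptionText for IAM Policy Grants Full Permissions drops the only concrete criterion the old text carried — a statement whose Action is '*' — and replaces it with advice about granting permissions "gradually", which tells the reader neither what triggered the finding nor what to change. Findings from this query are HIGH severity, so the text should name the condition. Suggest `"descriptionText": "IAM policies should not grant full permissions: a statement with 'Effect': 'Allow' and 'Action': '*' grants every API action and should be replaced by the specific actions the role needs"`. If the Rego also requires 'Resource': '*' to fire, say so explicitly rather than leaving the criterion implicit.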
@@ -3,7 +3,7 @@
 "queryName": "Instance With No VPC",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Instance should be configured in VPC (Virtual Private Cloud)",
+ "descriptionText": "EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance",
 "platform": "Terraform",
 "descriptionID": "225a9f30",
diff --git a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json
index 725b135eb5d..9836773c0f5 100644
--- a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json
+++ b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Neptune Database Cluster Encryption Disabled",
 "severity": "MEDIUM",
 "category": "Encryption",
- "descriptionText": "Check if Neptune Cluster Storage is securely encrypted",
+ "descriptionText": "Neptune database cluster storage should have encryption enabled",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted",
 "platform": "Terraform",
 "descriptionID": "06036045",
diff --git a/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json b/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json
index 086438a0b83..3f51ec5b746 100644
--- a/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json
+++ b/assets/queries/terraform/aws/rds_with_backup_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "RDS With Backup Disabled",
 "severity": "MEDIUM",
 "category": "Backup",
- "descriptionText": "RDS configured without backup",
+ "descriptionText": "Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance",
 "platform": "Terraform",
 "descriptionID": "73fdfe55",
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
index 9fecf23a646..bbed2be1f08 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 bucket with public READ/WRITE access",
+ "descriptionText": "S3 Buckets should not be readable and writable to all users",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket",
 "platform": "Terraform",
 "descriptionID": "d535387f",
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
index b69947720a1..15a83afdb02 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json
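Review bot: The Terraform S3 Bucket ACL Allows Read Or Write to All Users hunk copies the CloudFormation wording "readable and writable", which implies both grants are needed for the finding, whereas the query name says "Read Or Write" and the old text ("public READ/WRITE access") did not make that mistake. Suggest `"descriptionText": "S3 Buckets should not be readable or writable by all users"`, and apply the same wording to the CloudFormation query of the same name earlier in this patch so the two platforms actually align.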
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket Allows Get Action From All Principals",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.",
+ "descriptionText": "S3 Buckets must not allow Get Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy",
 "platform": "Terraform",
 "descriptionID": "2ac6911f",
diff --git a/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json b/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json
index e1c6e7f9146..dc982571553 100644
--- a/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json
+++ b/assets/queries/terraform/aws/sqs_policy_with_public_access/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "SQS Policy With Public Access",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "SQS policy with public access",
+ "descriptionText": "Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy",
 "platform": "Terraform",
 "descriptionID": "534fb194",
diff --git a/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json b/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json
index d2f4bdc245d..197151507e6 100644
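Review bot: This hunk changes "Get Action" to "Get Actions" for the Terraform query, while the three CloudFormation hunks earlier in this patch change "Delete/List/Put Actions" to "Delete/List/Put Action"; the two platforms now move in opposite directions, which is the reverse of the alignment the commit message describes. The query name on the context line uses the singular ("S3 Bucket Allows Get Action From All Principals"), so the singular form is the natural choice: keep the original `"descriptionText": "S3 Buckets must not allow Get Action From All Principals, …"` here and check the Terraform Delete/List/Put siblings (not in this patch) for the same form.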
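Review bot: The new descriptionText for SQS Policy With Public Access talks about "dangerous permissions in Action statements" and never mentions the Principal, although the query name and the old text are about public access, i.e. who is allowed rather than which actions are listed. "Would allow various attacks to the queue" is also not actionable: the reader needs to know that a policy statement with 'Effect': 'Allow' and a wildcard Principal lets any AWS identity, or anonymous callers, send, receive or delete messages. Suggest `"descriptionText": "SQS Queue Policy should not grant public access: a statement with 'Effect': 'Allow' and a wildcard Principal ('*') allows anyone to perform the listed actions on the queue"`. If the Rego additionally inspects the Action list, name that condition instead of "dangerous permissions".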
--- a/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json
+++ b/assets/queries/terraform/aws/user_data_shell_script_is_encoded/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User Data Shell Script Is Encoded",
 "severity": "HIGH",
 "category": "Encryption",
- "descriptionText": "Base64 Shell Script must be encoded",
+ "descriptionText": "User Data Shell Script must be encoded",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#user_data_base64",
 "platform": "Terraform",
 "descriptionID": "c1d49ed2",
diff --git a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json
index 2e91730392f..e20415ea7e3 100644
--- a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json
+++ b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Trusted Microsoft Services Not Enabled",
 "severity": "HIGH",
 "category": "Networking and Firewall",
- "descriptionText": "Trusted MIcrosoft Services are not enabled for Storage Account access",
+ "descriptionText": "Trusted Microsoft Services should be enabled for Storage Account access",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass",
 "platform": "Terraform",
 "descriptionID": "2d2af667",
diff --git a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json
index 4afc5ad8a0a..6a1dfa04b31 100755
--- a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json
+++ b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/metadata.json
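Review bot: The new descriptionText "User Data Shell Script must be encoded", sitting under category "Encryption" at HIGH severity, reads as if base64-encoding user_data were a security control; base64 is a reversible encoding that provides no confidentiality, and user data remains retrievable by anyone who can describe the instance or reach the instance metadata service. If the query's intent is only that scripts be supplied through user_data_base64 (the attribute the descriptionUrl anchors on) rather than as a raw shell string, the text should say that and warn against the misunderstanding: `"descriptionText": "User Data shell scripts should be supplied through 'user_data_base64' rather than as a plaintext 'user_data' string; note that encoding is not encryption and secrets must never be placed in user data"`. The "Encryption" category is a context line here, but it reinforces the same misreading and is worth revisiting.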
@@ -1,9 +1,9 @@
 {
 "id": "5ef61c88-bbb4-4725-b1df-55d23c9676bb",
- "queryName": "Cloud DNS without DNSSEC",
+ "queryName": "Cloud DNS Without DNSSEC",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Cloud DNS without DNSSEC",
+ "descriptionText": "DNSSEC must be enabled for Cloud DNS",
 "descriptionUrl": "https://www.terraform.io/docs/providers/google/d/dns_managed_zone.html",
 "platform": "Terraform",
 "descriptionID": "5598ed06",
diff --git a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json
index 03da04787da..331cfe387e7 100755
--- a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Cloud DNS without DNSSEC",
+ "queryName": "Cloud DNS Without DNSSEC",
 "severity": "MEDIUM",
 "line": 10
 }
diff --git a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json
index 88a198658bc..0ff79ff59e3 100644
--- a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json
+++ b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "RDP Access Is Not Restricted",
 "severity": "MEDIUM",
 "category": "Networking and Firewall",
- "descriptionText": "Check if Google Firewall ingress allows RDP access (port 3389)",
+ "descriptionText": "Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall",
 "platform": "Terraform",
 "descriptionID": "f8156d3b",
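Review bot: The Cloud DNS hunk renames the query (and correctly updates positive_expected_result.json to match), but the descriptionUrl on the context line still points at the `google/d/dns_managed_zone` page, which is the data source, while the query is about the `google_dns_managed_zone` resource and its dnssec_config block. Since this hunk already touches the whole header of the file, it is the natural place to point the URL at the resource documentation (`.../providers/google/r/dns_managed_zone.html` or the registry equivalent) so the reader lands on the page that shows how to enable DNSSEC. Whether other queries' renames in this patch also need their expected-result fixtures updated is not visible here.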
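Review bot: The second sentence of the new RDP descriptionText, "Allowed ports should not contain RDP port 3389", overstates the control: allowing 3389 from a restricted source range (a bastion or corporate CIDR) is the normal way to run RDP, and what the first sentence and the query name object to is unrestricted access, i.e. a source range of 0.0.0.0/0 or ::/0. As written, a correctly scoped rule will look like a finding and teams will be tempted to suppress the query. Suggest `"descriptionText": "Google Compute firewall rules should not allow RDP (TCP 3389) ingress from unrestricted sources such as 0.0.0.0/0 or ::/0"`. If the Rego intentionally flags any rule that opens 3389 regardless of source, the description should say so rather than imply a source-based check.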
diff --git a/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json b/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
index 7261d586265..afaa0cd5011 100644
--- a/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Container Is Privileged",
 "severity": "HIGH",
 "category": "Insecure Configurations",
- "descriptionText": "Do not allow container to be privileged.",
+ "descriptionText": "Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
 "platform": "Terraform",
 "descriptionID": "e2be4ab9"
diff --git a/assets/queries/terraform/kubernetes/image_without_digest/metadata.json b/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
index 10f0e7b09cf..652bf8df7b5 100644
--- a/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
+++ b/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Image Without Digest",
 "severity": "LOW",
 "category": "Insecure Configurations",
- "descriptionText": "Sees if Kubernetes image has digest on",
+ "descriptionText": "Images should be specified together with their digests to ensure integrity",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
 "platform": "Terraform",
 "descriptionID": "fec9b353"
diff --git a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
index 106af0a2645..2f2e9817987 100644
--- a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Liveness Probe Is Not Defined",
 "severity": "LOW",
 "category": "Availability",
- "descriptionText": "Liveness Probe must be defined",
+ "descriptionText": "In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#liveness_probe",
 "platform": "Terraform",
 "descriptionID": "e5105a57"
diff --git a/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json b/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
index 4dc5394e78d..ec252726f84 100644
--- a/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Memory Limits Not Defined",
 "severity": "MEDIUM",
 "category": "Resource Management",
- "descriptionText": "Memory limits should be specified",
+ "descriptionText": "Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits",
 "platform": "Terraform",
 "descriptionID": "c957affa"
diff --git a/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json b/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
index 54938ebb367..0483f7537aa 100644
--- a/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
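Review bot: The new descriptionText for Liveness Probe Is Not Defined ends with "Define one if you really need it", which undermines the finding it accompanies: a scanner result that tells the reader the control may be unnecessary gives no criterion for deciding between fixing and suppressing, and the "cascading failures" warning belongs to probe tuning, not to whether a probe exists. Either state when a probe is expected or drop the hedge. Suggest `"descriptionText": "Containers should define a Liveness Probe so that the kubelet restarts an unresponsive container; tune the probe's timeouts and failure thresholds conservatively, since an aggressive probe can cause cascading restarts"`. The enclosing JSON object continues outside the hunk, but the change is confined to this one value.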
@@ -3,7 +3,7 @@
 "queryName": "Memory Requests Not Defined",
 "severity": "MEDIUM",
 "category": "Resource Management",
- "descriptionText": "Memory requests should be specified",
+ "descriptionText": "Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests",
 "platform": "Terraform",
 "descriptionID": "a77e5da7"
diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
index b412580668a..7b5bd31b7b8 100644
--- a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
+++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "NET_RAW Capabilities Not Being Dropped",
 "severity": "HIGH",
 "category": "Insecure Configurations",
- "descriptionText": "Containers should drop 'NET_RAW' or 'ALL' capabilities",
+ "descriptionText": "Containers should drop 'ALL' or at least 'NET_RAW' capabilities",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop",
 "platform": "Terraform",
 "descriptionID": "548d4eac"
diff --git a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
index 9e62ee34421..cd2e11fb110 100644
--- a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
+++ b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Privilege Escalation Allowed",
 "severity": "HIGH",
 "category": "Insecure Configurations",
- "descriptionText": "Admission of privileged containers should be minimized",
+ "descriptionText": "Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#allow_privilege_escalation",
 "platform": "Terraform",
 "descriptionID": "e693ddd6"
diff --git a/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json b/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
index 3e31100dd37..503b20f3b34 100644
--- a/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "PSP Set To Privileged",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Do not allow pod to request execution as privileged",
+ "descriptionText": "Do not allow pod to request execution as privileged.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
 "platform": "Terraform",
 "descriptionID": "5ca96212"
diff --git a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
index dcb682959ba..fcc7b68dfa2 100644
--- a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
+++ b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
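Review bot: The new descriptionText for privilege_escalation_allowed names the field but not the value the query objects to: `Containers should not run with allowPrivilegeEscalation` reads as if the field itself were the problem, whereas the finding is about it being enabled. `"descriptionText": "Containers should not run with allowPrivilegeEscalation set to true, in order to prevent them from gaining more privileges than their parent process"` states the condition the query checks. Keeping the Kubernetes field name rather than the Terraform attribute is consistent with the cross-platform alignment this commit is after, and the descriptionUrl anchor on `allow_privilege_escalation` already points the Terraform reader at the right attribute.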
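Review bot: The psp_set_to_privileged change only appends a trailing period, which makes it the one descriptionText in this set that ends with punctuation; every other new text in the commit (liveness probe, memory limits, memory requests, NET_RAW, privilege escalation, RBAC secrets, seccomp) ends without one. For a commit whose purpose is alignment, `"descriptionText": "Do not allow pod to request execution as privileged"` would be the consistent form, or the period should be applied across all of them.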
@@ -3,7 +3,7 @@
 "queryName": "RBAC Roles with Read Secrets Permissions",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Minimize access to secrets (RBAC)",
+ "descriptionText": "Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule",
 "platform": "Terraform",
 "descriptionID": "a4fb7558"
diff --git a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
index b973d3900f8..4c4001f0157 100644
--- a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
+++ b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Seccomp Profile Is Not Configured",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Check if any resource does not configure Seccomp default profile properly",
+ "descriptionText": "Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations",
 "platform": "Terraform",
 "descriptionID": "ad5436a1"
