fix(queries): align queries cross different platforms #5539

Merged
merged 17 commits into from
Aug 23, 2022
Changes from 14 commits
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
{
"id": "f5f38943-664b-4acc-ab11-f292fa10ed0b",
"queryName": "API Gateway without WAF",
"severity": "MEDIUM",
"severity": "MEDIUM",
"category": "Networking and Firewall",
"descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled",
"descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/wafv2_resources_module.html#parameter-arn",
"platform": "Ansible",
"descriptionID": "8e789062",
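Review bot: the severity and descriptionText lines in this hunk are removed and re-added with byte-identical content, so the only change here is key order or whitespace; either drop the churn or state in the PR that the intent is to match the key order of the other metadata files. While touching this file, the queryName keeps the lowercase "API Gateway without WAF" whereas the CloudFront query later in this diff is renamed to Title Case ("CloudFront Without WAF"); apply the same capitalization here so the two WAF queries read consistently.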
Expand Up @@ -3,7 +3,7 @@
"queryName": "Authentication Without MFA",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "Users should authenticate with MFA (Multi-factor Authentication)",
"descriptionText": "Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_mfa_device_info_module.html",
"platform": "Ansible",
"descriptionID": "36040ce0",
@@ -1,9 +1,9 @@
{
"id": "d31cb911-bf5b-4eb6-9fc3-16780c77c7bd",
"queryName": "Cloudfront Logging Disabled",
"queryName": "CloudFront Logging Disabled",
"severity": "MEDIUM",
"category": "Observability",
"descriptionText": "AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true",
"descriptionText": "AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html",
"platform": "Ansible",
"descriptionID": "1bfc2dfd",
@@ -1,11 +1,11 @@
[
{
"queryName": "Cloudfront Logging Disabled",
"queryName": "CloudFront Logging Disabled",
"severity": "MEDIUM",
"line": 2
},
{
"queryName": "Cloudfront Logging Disabled",
"queryName": "CloudFront Logging Disabled",
"severity": "MEDIUM",
"line": 62
}
@@ -1,6 +1,6 @@
{
"id": "22c80725-e390-4055-8d14-a872230f6607",
"queryName": "Cloudfront Without WAF",
"queryName": "CloudFront Without WAF",
"severity": "LOW",
"category": "Networking and Firewall",
"descriptionText": "All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service",
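Review bot: the rename is fine, but this query stays at LOW while "API Gateway without WAF" at the top of the diff is MEDIUM. Both flag the same condition, an internet-facing AWS endpoint with no WAF in front of it, so a PR titled "align queries" should either give both the same severity or say why a CloudFront distribution rates lower than an API Gateway stage.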
@@ -1,6 +1,6 @@
[
{
"queryName": "Cloudfront Without WAF",
"queryName": "CloudFront Without WAF",
"severity": "LOW",
"line": 2
}
Expand Up @@ -3,7 +3,7 @@
"queryName": "CloudTrail Log File Validation Disabled",
"severity": "LOW",
"category": "Observability",
"descriptionText": "CloudTrail Log Files should have validation enabled",
"descriptionText": "CloudTrail log file validation should be enabled to determine whether a log file has not been tampered",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
"platform": "Ansible",
"descriptionID": "04302074",
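Review bot: grammar in the new descriptionText: "to determine whether a log file has not been tampered" should be "tampered with", and the double negative hides what the feature does. Suggest "CloudTrail log file validation should be enabled so that it can be determined whether a log file was modified or deleted after CloudTrail delivered it".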

This file was deleted.

@@ -1,9 +1,9 @@
{
"id": "f5587077-3f57-4370-9b4e-4eb5b1bac85b",
"queryName": "CloudTrail Log Files Not Encrypted With CMK",
"queryName": "CloudTrail Log Files Not Encrypted With KMS",
"severity": "LOW",
"category": "Encryption",
"descriptionText": "CloudTrail Log Files should be encrypted with Key Management Service (KMS)",
"descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
"platform": "Ansible",
"descriptionID": "d3b81fde",
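Review bot: "to increase security of your CloudTrail" says nothing about what the control buys. The point of SSE-KMS on delivered log files is that reading them additionally requires decrypt permission on the key, which the key policy can restrict independently of who can read the bucket. Suggest "Logs delivered by CloudTrail should be encrypted with a KMS key so that reading the log files also requires permission to use the key". The id is unchanged, so existing results keep matching after the CMK to KMS rename; make sure the renamed test directory and the deleted file above are the old expected-result file being moved, not lost coverage.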
@@ -0,0 +1,7 @@
[
{
"queryName": "CloudTrail Log Files Not Encrypted With KMS",
"severity": "LOW",
"line": 2
}
]
Expand Up @@ -3,7 +3,7 @@
"queryName": "DB Security Group With Public Scope",
"severity": "HIGH",
"category": "Networking and Firewall",
"descriptionText": "The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).",
"descriptionText": "The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
"platform": "Ansible",
"descriptionID": "47a14ee4",
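Review bot: "If so, any IP can access it" follows a negative statement ("should not be"), so "if so" is ambiguous about which case it refers to. Suggest "... '::/0' (IPv6), since either value lets any IP address reach the database".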
@@ -1,6 +1,6 @@
{
"id": "7db727c1-1720-468e-b80e-06697f71e09e",
"queryName": "ECS Service Admin Role is Present",
"queryName": "ECS Service Admin Role Is Present",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role",
@@ -1,6 +1,6 @@
[
{
"queryName": "ECS Service Admin Role is Present",
"queryName": "ECS Service Admin Role Is Present",
"severity": "HIGH",
"line": 9
}
@@ -1,9 +1,9 @@
{
"id": "c2f15af3-66a0-4176-a56e-e4711e502e5c",
"queryName": "Hardcoded AWS Access Key",
"severity": "LOW",
"severity": "MEDIUM",
"category": "Secret Management",
"descriptionText": "Check if the user data in the EC2 instance has the access key hardcoded",
"descriptionText": "AWS Access Key should not be hardcoded",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_instance_module.html",
"platform": "Ansible",
"descriptionID": "d764256e",
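Review bot: the new descriptionText drops the scope the old one carried, EC2 instance user data, which is also what the descriptionUrl (ec2_instance module) points at; keep it, e.g. "AWS access keys should not be hardcoded in EC2 instance user data". On severity, MEDIUM is inconsistent with "User Data Contains Encoded Private Key" later in this diff, which stays HIGH: both are long-lived credentials placed in user data, and user data is readable by any process on the instance through the instance metadata service and by any principal allowed ec2:DescribeInstanceAttribute. Either raise this one to match or explain the difference in the PR.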
@@ -1,7 +1,7 @@
[
{
"queryName": "Hardcoded AWS Access Key",
"severity": "LOW",
"severity": "MEDIUM",
"line": 7
}
]
Expand Up @@ -3,7 +3,7 @@
"queryName": "Hardcoded AWS Access Key In Lambda",
"severity": "MEDIUM",
"category": "Secret Management",
"descriptionText": "Lambda access key should not be in plaintext.",
"descriptionText": "Lambda access/secret keys should not be hardcoded",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html",
"platform": "Ansible",
"descriptionID": "fc78f6de",
Expand Up @@ -3,7 +3,7 @@
"queryName": "IAM Password Without Number",
"severity": "MEDIUM",
"category": "Best Practices",
"descriptionText": "Check if IAM account password has at least one number",
"descriptionText": "IAM user resource Login Profile Password should have at least one number",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
"platform": "Ansible",
"descriptionID": "c4ca592e",
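Review bot: the new descriptionText talks about an "IAM user resource Login Profile Password", but the descriptionUrl still points at the iam_password_policy module, which configures the account-wide password policy (its require_numbers option), not any individual user's login profile. Either the text was copied from another platform's version of this query or the URL is stale; the two must agree. If the Ansible query checks the password policy, keep the old meaning: "IAM account password policy should require at least one number".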
Expand Up @@ -3,7 +3,7 @@
"queryName": "S3 Bucket Logging Disabled",
"severity": "MEDIUM",
"category": "Observability",
"descriptionText": "S3 bucket should have debug_botocore_endpoint_logs",
"descriptionText": "S3 bucket should have 'debug_botocore_endpoint_logs' defined",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-debug_botocore_endpoint_logs",
"platform": "Ansible",
"descriptionID": "2b508aee",
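Review bot: the descriptionText is wrong about what this parameter does. 'debug_botocore_endpoint_logs' is an Ansible-side debugging option shared by the amazon.aws modules; when set it records the botocore API calls made during the task in the task result. It has nothing to do with S3 server access logging for the bucket, so a query named "S3 Bucket Logging Disabled" that keys on it does not detect the condition its name and category ("Observability") describe, and this change only adds quotes around the wrong parameter name. Tie the query to bucket access logging (the community.aws.s3_logging module) or rename and recategorise it; at minimum the description must not claim that this setting provides bucket logging.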
@@ -1,6 +1,6 @@
{
"id": "7af1c447-c014-4f05-bd8b-ebe3a15734ac",
"queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
"queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
"severity": "MEDIUM",
"category": "Networking and Firewall",
"descriptionText": "Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.",
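Review bot: the unchanged descriptionText on the last context line still ends with a period ("... that can access it."), while this PR strips trailing periods from other descriptions (Redis Cache Allows Non SSL Connections, High KMS Rotation Period); drop it here too, and consider rewording "Check if port 2383 on TCP is publicly accessible" into the "should" form used by the rest of the aligned descriptions.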
@@ -1,26 +1,26 @@
[
{
"queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
"queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
"severity": "MEDIUM",
"line": 9
},
{
"queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
"queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
"severity": "MEDIUM",
"line": 23
},
{
"queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
"queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
"severity": "MEDIUM",
"line": 37
},
{
"queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
"queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
"severity": "MEDIUM",
"line": 51
},
{
"queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
"queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
"severity": "MEDIUM",
"line": 65
}
@@ -1,6 +1,6 @@
{
"id": "e1e7b278-2a8b-49bd-a26e-66a7f70b17eb",
"queryName": "SQS with SSE disabled",
"queryName": "SQS With SSE Disabled",
"severity": "MEDIUM",
"category": "Encryption",
"descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
@@ -1,21 +1,21 @@
[
{
"queryName": "SQS with SSE disabled",
"queryName": "SQS With SSE Disabled",
"severity": "MEDIUM",
"line": 2
},
{
"queryName": "SQS with SSE disabled",
"queryName": "SQS With SSE Disabled",
"severity": "MEDIUM",
"line": 16
},
{
"queryName": "SQS with SSE disabled",
"queryName": "SQS With SSE Disabled",
"severity": "MEDIUM",
"line": 22
},
{
"queryName": "SQS with SSE disabled",
"queryName": "SQS With SSE Disabled",
"severity": "MEDIUM",
"line": 29
}
Expand Up @@ -3,7 +3,7 @@
"queryName": "Stack Notifications Disabled",
"severity": "MEDIUM",
"category": "Observability",
"descriptionText": "AWS CloudFormation should have stack notifications enabled",
"descriptionText": "AWS CloudFormation should have stack notifications enabled to be notified when an event occurs",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html#parameter-notification_arns",
"platform": "Ansible",
"descriptionID": "59f8905d",
Expand Up @@ -3,7 +3,7 @@
"queryName": "User Data Contains Encoded Private Key",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "User Data contains an encoded RSA Private Key",
"descriptionText": "User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html",
"platform": "Ansible",
"descriptionID": "45cb51c3",
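Review bot: the category "Encryption" does not fit this query. It detects a secret placed in a launch configuration's user data, the same class of finding as "Hardcoded AWS Access Key" and "Hardcoded AWS Access Key In Lambda", which both sit under "Secret Management" in this same diff; move it there. The new text also misstates the risk: the problem is not that base64 is easy to decode but that the private key is in user data at all, which is readable from the instance metadata service. Suggest "User data should not contain a private key, even base64 encoded, because user data is readable by anyone with access to the instance".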
Expand Up @@ -3,7 +3,7 @@
"queryName": "AKS Network Policy Misconfigured",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "Azure Kubernetes Service should have the proper network policy configuration",
"descriptionText": "Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html#parameter-network_profile/network_policy",
"platform": "Ansible",
"descriptionID": "75bbf826",
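Review bot: "'network_profile.network_policy' should be defined" does not say what defining it achieves. The setting selects a network policy implementation for the cluster, and without one Kubernetes NetworkPolicy objects are not enforced, so pods can reach each other freely; that is the segmentation argument the "least privileges" phrase is reaching for. Suggest "... which means 'network_profile.network_policy' should be set so that NetworkPolicy rules are enforced between pods".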
Expand Up @@ -3,7 +3,7 @@
"queryName": "Azure Container Registry With No Locks",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "Azurerm Container Registry should contain associated locks through 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association",
"descriptionText": "Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_lock_module.html",
"platform": "Ansible",
"descriptionID": "7489a85f",
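Review bot: "Azurerm" is the Terraform provider name and is out of place in an Ansible query description (platform is "Ansible", descriptionUrl is the azcollection lock module); write "Azure Container Registry". The rewrite also still lists the two attributes without saying that either one is enough; suggest "Azure Container Registry should have a resource lock, which means an azure_rm_lock task should reference it via 'managed_resource_id' or its resource group via 'resource_group'".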
Expand Up @@ -3,7 +3,7 @@
"queryName": "CosmosDB Account IP Range Filter Not Set",
"severity": "HIGH",
"category": "Networking and Firewall",
"descriptionText": "The IP range filter should be defined",
"descriptionText": "The IP range filter should be defined to secure the data stored",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_cosmosdbaccount_module.html#parameter-ip_range_filter",
"platform": "Ansible",
"descriptionID": "7cb8bdbe",
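Review bot: "to secure the data stored" is vague. The ip_range_filter limits which client IP addresses may connect to the account, so say that: "The IP range filter should be defined so that only approved client IP ranges can reach the CosmosDB account".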
Expand Up @@ -3,7 +3,7 @@
"queryName": "Public Storage Account",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "Check if 'network_acls' is open to public.",
"descriptionText": "Storage Account should not be public to grant the principle of least privileges",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls",
"platform": "Ansible",
"descriptionID": "78d2c5b3",
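Review bot: "to grant the principle of least privileges" misuses "grant"; a configuration follows the principle, it does not grant it. More importantly, the new text loses the concrete condition the old one stated ('network_acls' open to the public), which is exactly what the descriptionUrl anchor (#parameter-network_acls) points to. Suggest "Storage Account should not be publicly accessible, which means 'network_acls' should not be open to the public".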
Expand Up @@ -2,8 +2,8 @@
"id": "869e7fb4-30f0-4bdb-b360-ad548f337f2f",
"queryName": "Redis Cache Allows Non SSL Connections",
"severity": "MEDIUM",
"category": "Encryption",
"descriptionText": "Redis Cache resources should not allow non-SSL connections.",
"category": "Insecure Configurations",
"descriptionText": "Redis Cache resources should not allow non-SSL connections",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscache_module.html",
"platform": "Ansible",
"descriptionID": "31e56819",
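Review bot: moving this query from "Encryption" to "Insecure Configurations" is a judgement call the PR does not explain. The finding is about transport encryption (Redis accepting plaintext connections), and the SQS server-side encryption query elsewhere in this diff stays under "Encryption". If the aim is to match another platform's categorisation, say so in the PR; otherwise keep "Encryption".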
Expand Up @@ -39,7 +39,7 @@ CxPolicy[result] {
"searchKey": sprintf("name={{%s}}.{{%s}}.retention_policy.days", [task.name, modules[m]]),
"issueType": "IncorrectValue",
"keyExpectedValue": "azure_rm_monitorlogprofile.retention_policy.days should be greater than or equal to 365 days or 0 (indefinitely)",
"keyActualValue": "azure_rm_monitorlogprofile.retention_policy.days is lesser than 365 days or different than 0 (indefinitely)",
"keyActualValue": "azure_rm_monitorlogprofile.retention_policy.days is less than 365 days or different than 0 (indefinitely)",
}
}
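Review bot: the keyActualValue line has a logic wording problem beyond "lesser": a value that fails this check is both below 365 and non-zero, so "is less than 365 days or different than 0" should be "is less than 365 days and not 0 (indefinitely)"; with "or", a value of 400 would satisfy the text while passing the check. "different than" should in any case be "different from".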

Expand Up @@ -2,8 +2,8 @@
"id": "3f23c96c-f9f5-488d-9b17-605b8da5842f",
"queryName": "Unrestricted SQL Server Access",
"severity": "MEDIUM",
"category": "Best Practices",
"descriptionText": "Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'",
"category": "Networking and Firewall",
"descriptionText": "Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html",
"platform": "Ansible",
"descriptionID": "03235d5d",
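Review bot: the same "to grant the principle of least privileges" phrase used in the Public Storage Account description misuses "grant"; write "to follow" or drop the phrase, and "both ips" should be "both IPs". The category move to "Networking and Firewall" is right given the module is azure_rm_sqlfirewallrule.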
Expand Up @@ -21,7 +21,7 @@ CxPolicy[result] {
"resourceName": task.name,
"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
"issueType": "IncorrectValue",
"keyExpectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be lesser than 256",
"keyExpectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be less than 256",
"keyActualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256",
}
}
@@ -1,8 +1,8 @@
{
"id": "be41f891-96b1-4b9d-b74f-b922a918c778",
"queryName": "COS Node Image Not Used",
"severity": "HIGH",
"category": "Insecure Configurations",
"severity": "MEDIUM",
"category": "Resource Management",
"descriptionText": "The node image should be Container-Optimized OS(COS)",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-config/image_type",
"platform": "Ansible",
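Review bot: this hunk lowers the severity and moves the query from "Insecure Configurations" to "Resource Management" without touching the description. Container-Optimized OS is a hardened, minimal node image (read-only root filesystem, no package manager), so not using it is a hardening gap rather than a resource management concern, and "Resource Management" reads oddly next to the other GKE queries in this diff. If the change is made to match another platform, note it in the PR; otherwise keep "Insecure Configurations".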
@@ -1,7 +1,7 @@
[
{
"queryName": "COS Node Image Not Used",
"severity": "HIGH",
"severity": "MEDIUM",
"line": 13
}
]
Expand Up @@ -3,7 +3,7 @@
"queryName": "Google Compute Subnetwork with Private Google Access Disabled",
"severity": "LOW",
"category": "Networking and Firewall",
"descriptionText": "Google Compute Subnetwork should have 'private_ip_google_access' set to yes",
"descriptionText": "Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_subnetwork_module.html#parameter-private_ip_google_access",
"platform": "Ansible",
"descriptionID": "f5dece39",
Expand Up @@ -3,7 +3,7 @@
"queryName": "High KMS Rotation Period",
"severity": "MEDIUM",
"category": "Secret Management",
"descriptionText": "KMS rotation period should not surpass 365 days.",
"descriptionText": "KMS rotation period should not surpass 365 days",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html",
"platform": "Ansible",
"descriptionID": "46702906",
Expand Up @@ -3,7 +3,7 @@
"queryName": "Serial Ports Are Enabled For VM Instances",
"severity": "MEDIUM",
"category": "Networking and Firewall",
"descriptionText": "Google Compute Engine VM instances should not enable serial ports",
"descriptionText": "Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
"platform": "Ansible",
"descriptionID": "7f8ab7a4",
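Review bot: the added sentence overstates the exposure: "anyone can access your VM" is immediately qualified by needing the username, project ID, SSH key, instance name and zone, so "anyone" is misleading, and the comma before "if" is wrong. Suggest "When enabled, the serial console is reachable from any IP address, so anyone who obtains the instance's SSH key together with the project ID, zone, instance name and username can log in".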
Expand Up @@ -3,7 +3,7 @@
"queryName": "SSH Access Is Not Restricted",
"severity": "MEDIUM",
"category": "Networking and Firewall",
"descriptionText": "Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).",
"descriptionText": "Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html",
"platform": "Ansible",
"descriptionID": "1b0564ad",
Expand Down