Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(queries): update queries catalog #6775

Merged
merged 2 commits into from
Nov 8, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2,782 changes: 1,391 additions & 1,391 deletions docs/queries/all-queries.md

Large diffs are not rendered by default.

318 changes: 159 additions & 159 deletions docs/queries/ansible-queries.md

Large diffs are not rendered by default.

28 changes: 14 additions & 14 deletions docs/queries/azureresourcemanager-queries.md

Large diffs are not rendered by default.

356 changes: 178 additions & 178 deletions docs/queries/cloudformation-queries.md

Large diffs are not rendered by default.

32 changes: 16 additions & 16 deletions docs/queries/crossplane-queries.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,16 @@
## Crossplane Queries List
This page contains all queries from Crossplane.

### GCP
Bellow are listed queries related with Crossplane GCP:



| Query |Severity|Category|Description|Help|
|------------------------------|--------|--------|-----------|----|
|Cloud Storage Bucket Logging Not Enabled<br/><sup><sub>6c2d627c-de0f-45fb-b33d-dad9bffbb421</sub></sup>|<span style="color:#C00">High</span>|Observability|Cloud storage bucket should have logging enabled (<a href="../crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-gcp/storage.gcp.crossplane.io/Bucket/v1alpha3@v0.21.0#spec-logging">Documentation</a><br/>|
|Google Container Node Pool Auto Repair Disabled<br/><sup><sub>b4f65d13-a609-4dc1-af7c-63d2e08bffe9</sub></sup>|<span style="color:#C60">Medium</span>|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (<a href="../crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-gcp/container.gcp.crossplane.io/NodePool/v1beta1@v0.21.0#spec-forProvider-management-autoRepair">Documentation</a><br/>|

### AZURE
Bellow are listed queries related with Crossplane AZURE:

Expand All @@ -18,26 +28,16 @@ Bellow are listed queries related with Crossplane AWS:

| Query |Severity|Category|Description|Help|
|------------------------------|--------|--------|-----------|----|
|EFS Without KMS<br/><sup><sub>bdecd6db-2600-47dd-a10c-72c97cf17ae9</sub></sup>|<span style="color:#C00">High</span>|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (<a href="../crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-kmsKeyID">Documentation</a><br/>|
|DB Instance Storage Not Encrypted<br/><sup><sub>e50eb68a-a4af-4048-8bbe-8ec324421469</sub></sup>|<span style="color:#C00">High</span>|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (<a href="../crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.29.0#spec-forProvider-storageEncrypted">Documentation</a><br/>|
|ELB Using Weak Ciphers<br/><sup><sub>a507daa5-0795-4380-960b-dd7bb7c56661</sub></sup>|<span style="color:#C00">High</span>|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (<a href="../crossplane-queries/aws/a507daa5-0795-4380-960b-dd7bb7c56661" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/elbv2.aws.crossplane.io/Listener/v1alpha1@v0.29.0#spec-forProvider-sslPolicy">Documentation</a><br/>|
|EFS Without KMS<br/><sup><sub>bdecd6db-2600-47dd-a10c-72c97cf17ae9</sub></sup>|<span style="color:#C00">High</span>|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (<a href="../crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-kmsKeyID">Documentation</a><br/>|
|EFS Not Encrypted<br/><sup><sub>72840c35-3876-48be-900d-f21b2f0c2ea1</sub></sup>|<span style="color:#C00">High</span>|Encryption|Elastic File System (EFS) must be encrypted (<a href="../crossplane-queries/aws/72840c35-3876-48be-900d-f21b2f0c2ea1" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-encrypted">Documentation</a><br/>|
|RDS DB Instance Publicly Accessible<br/><sup><sub>d9dc6429-5140-498a-8f55-a10daac5f000</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (<a href="../crossplane-queries/aws/d9dc6429-5140-498a-8f55-a10daac5f000" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.17.0">Documentation</a><br/>|
|DB Security Group Has Public Interface<br/><sup><sub>dd667399-8d9d-4a8d-bbb4-e49ab53b2f52</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|The CIDR IP should not be a public interface (<a href="../crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/ec2.aws.crossplane.io/SecurityGroup/v1beta1@v0.29.0#spec-forProvider-ingress-ipRanges-cidrIp">Documentation</a><br/>|
|DB Instance Storage Not Encrypted<br/><sup><sub>e50eb68a-a4af-4048-8bbe-8ec324421469</sub></sup>|<span style="color:#C00">High</span>|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (<a href="../crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.29.0#spec-forProvider-storageEncrypted">Documentation</a><br/>|
|CloudFront Without Minimum Protocol TLS 1.2<br/><sup><sub>255b0fcc-9f82-41fe-9229-01b163e3376b</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (<a href="../crossplane-queries/aws/255b0fcc-9f82-41fe-9229-01b163e3376b" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-viewerCertificate-minimumProtocolVersion">Documentation</a><br/>|
|SQS With SSE Disabled<br/><sup><sub>9296f1cc-7a40-45de-bd41-f31745488a0e</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (<a href="../crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/sqs.aws.crossplane.io/Queue/v1beta1@v0.29.0#spec-forProvider-kmsMasterKeyId">Documentation</a><br/>|
|DB Security Group Has Public Interface<br/><sup><sub>dd667399-8d9d-4a8d-bbb4-e49ab53b2f52</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|The CIDR IP should not be a public interface (<a href="../crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/ec2.aws.crossplane.io/SecurityGroup/v1beta1@v0.29.0#spec-forProvider-ingress-ipRanges-cidrIp">Documentation</a><br/>|
|RDS DB Instance Publicly Accessible<br/><sup><sub>d9dc6429-5140-498a-8f55-a10daac5f000</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (<a href="../crossplane-queries/aws/d9dc6429-5140-498a-8f55-a10daac5f000" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.17.0">Documentation</a><br/>|
|Neptune Database Cluster Encryption Disabled<br/><sup><sub>83bf5aca-138a-498e-b9cd-ad5bc5e117b4</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Neptune database cluster storage should have encryption enabled (<a href="../crossplane-queries/aws/83bf5aca-138a-498e-b9cd-ad5bc5e117b4" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/neptune.aws.crossplane.io/DBCluster/v1alpha1@v0.29.0#spec-forProvider-storageEncrypted">Documentation</a><br/>|
|CloudFront Logging Disabled<br/><sup><sub>7b590235-1ff4-421b-b9ff-5227134be9bb</sub></sup>|<span style="color:#C60">Medium</span>|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (<a href="../crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-logging">Documentation</a><br/>|
|SQS With SSE Disabled<br/><sup><sub>9296f1cc-7a40-45de-bd41-f31745488a0e</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (<a href="../crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/sqs.aws.crossplane.io/Queue/v1beta1@v0.29.0#spec-forProvider-kmsMasterKeyId">Documentation</a><br/>|
|CloudWatch Without Retention Period Specified<br/><sup><sub>934613fe-b12c-4e5a-95f5-c1dcdffac1ff</sub></sup>|<span style="color:#C60">Medium</span>|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (<a href="../crossplane-queries/aws/934613fe-b12c-4e5a-95f5-c1dcdffac1ff" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudwatchlogs.aws.crossplane.io/LogGroup/v1alpha1@v0.29.0#spec-forProvider-retentionInDays">Documentation</a><br/>|
|CloudFront Logging Disabled<br/><sup><sub>7b590235-1ff4-421b-b9ff-5227134be9bb</sub></sup>|<span style="color:#C60">Medium</span>|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (<a href="../crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-logging">Documentation</a><br/>|
|CloudFront Without WAF<br/><sup><sub>6d19ce0f-b3d8-4128-ac3d-1064e0f00494</sub></sup>|<span style="color:#CC0">Low</span>|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (<a href="../crossplane-queries/aws/6d19ce0f-b3d8-4128-ac3d-1064e0f00494" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-webACLID">Documentation</a><br/>|
|DocDB Logging Is Disabled<br/><sup><sub>e6cd49ba-77ed-417f-9bca-4f5303554308</sub></sup>|<span style="color:#CC0">Low</span>|Observability|DocDB logging should be enabled (<a href="../crossplane-queries/aws/e6cd49ba-77ed-417f-9bca-4f5303554308" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/docdb.aws.crossplane.io/DBCluster/v1alpha1@v0.21.1#status-atProvider-enabledCloudwatchLogsExports">Documentation</a><br/>|

### GCP
Bellow are listed queries related with Crossplane GCP:



| Query |Severity|Category|Description|Help|
|------------------------------|--------|--------|-----------|----|
|Cloud Storage Bucket Logging Not Enabled<br/><sup><sub>6c2d627c-de0f-45fb-b33d-dad9bffbb421</sub></sup>|<span style="color:#C00">High</span>|Observability|Cloud storage bucket should have logging enabled (<a href="../crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-gcp/storage.gcp.crossplane.io/Bucket/v1alpha3@v0.21.0#spec-logging">Documentation</a><br/>|
|Google Container Node Pool Auto Repair Disabled<br/><sup><sub>b4f65d13-a609-4dc1-af7c-63d2e08bffe9</sub></sup>|<span style="color:#C60">Medium</span>|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (<a href="../crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-gcp/container.gcp.crossplane.io/NodePool/v1beta1@v0.21.0#spec-forProvider-management-autoRepair">Documentation</a><br/>|
Loading