<cloudformation-rules> <rule> <key>F1</key> <name>EBS volumes should be encrypted</name> <internalKey>F1</internalKey> <description>EBS volume should have server-side encryption enabled</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F2</key> <name>IAM role should not allow * action on its trust policy</name> <internalKey>F2</internalKey> <description>IAM role should not allow * action on its trust policy</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F3</key> <name>IAM role should not allow * action on its permissions policy</name> <internalKey>F3</internalKey> <description>IAM role should not allow * action on its permissions policy</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F4</key> <name>IAM policy should not allow * action</name> <internalKey>F4</internalKey> <description>IAM policy should not allow * action</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> 
<tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F5</key> <name>IAM managed policy should not allow * action</name> <internalKey>F5</internalKey> <description>IAM managed policy should not allow * action</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F6</key> <name>IAM role should not allow Allow+NotPrincipal in its trust policy</name> <internalKey>F6</internalKey> <description>IAM role should not allow Allow+NotPrincipal in its trust policy</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F7</key> <name>SQS Queue policy should not allow Allow+NotPrincipal</name> <internalKey>F7</internalKey> <description>SQS Queue policy should not allow Allow+NotPrincipal</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F8</key> <name>SNS Topic policy should not allow Allow+NotPrincipal</name> <internalKey>F8</internalKey> <description>SNS Topic policy 
should not allow Allow+NotPrincipal</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F9</key> <name>S3 Bucket policy should not allow Allow+NotPrincipal</name> <internalKey>F9</internalKey> <description>S3 Bucket policy should not allow Allow+NotPrincipal</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F10</key> <name>IAM user should not have any inline policies.</name> <internalKey>F10</internalKey> <description>IAM user should not have any inline policies. Should be centralized Policy object on group</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-286</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F11</key> <name>IAM policy should not apply directly to users.</name> <internalKey>F11</internalKey> <description>IAM policy should not apply directly to users. 
Should be on group</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-286</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F12</key> <name>IAM managed policy should not apply directly to users.</name> <internalKey>F12</internalKey> <description>IAM managed policy should not apply directly to users. Should be on group</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-286</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F13</key> <name>Lambda permission principal should not be wildcard</name> <internalKey>F13</internalKey> <description>Lambda permission principal should not be wildcard</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F14</key> <name>S3 Bucket should not have a public read-write acl</name> <internalKey>F14</internalKey> <description>S3 Bucket should not have a public read-write acl</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> 
<rule> <key>F15</key> <name>S3 Bucket policy should not allow * action</name> <internalKey>F15</internalKey> <description>S3 Bucket policy should not allow * action</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F16</key> <name>S3 Bucket policy should not allow * principal</name> <internalKey>F16</internalKey> <description>S3 Bucket policy should not allow * principal</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F18</key> <name>SNS topic policy should not allow * principal</name> <internalKey>F18</internalKey> <description>SNS topic policy should not allow * principal</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F19</key> <name>EnableKeyRotation should not be false or absent on KMS::Key resource</name> <internalKey>F19</internalKey> <description>EnableKeyRotation should not be false or absent on KMS::Key resource</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> 
<tag>owasp-a6</tag> <tag>cweid-320</tag> <tag>800-53-sc-12</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F20</key> <name>SQS Queue policy should not allow * action</name> <internalKey>F20</internalKey> <description>SQS Queue policy should not allow * action</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F21</key> <name>SQS Queue policy should not allow * principal</name> <internalKey>F21</internalKey> <description>SQS Queue policy should not allow * principal</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F22</key> <name>RDS instance should not be publicly accessible</name> <internalKey>F22</internalKey> <description>RDS instance should not be publicly accessible</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F23</key> <name>RDS instance master user password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F23</internalKey> <description>Can be 
Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F24</key> <name>RDS instance master username must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F24</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F25</key> <name>ElastiCache ReplicationGroup should have encryption enabled for at rest</name> <internalKey>F25</internalKey> <description>ElastiCache ReplicationGroup should have encryption enabled for at rest</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F26</key> <name>RDS DBCluster should have StorageEncrypted enabled</name> <internalKey>F26</internalKey> <description>RDS DBCluster should have StorageEncrypted enabled</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> 
<type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F27</key> <name>RDS DBInstance should have StorageEncrypted enabled</name> <internalKey>F27</internalKey> <description>RDS DBInstance should have StorageEncrypted enabled</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F28</key> <name>Redshift Cluster should have encryption enabled</name> <internalKey>F28</internalKey> <description>Redshift Cluster should have encryption enabled</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F29</key> <name>Workspace should have encryption enabled</name> <internalKey>F29</internalKey> <description>Workspace should have encryption enabled</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F30</key> <name>Neptune database cluster storage should have encryption enabled</name> 
<internalKey>F30</internalKey> <description>Neptune database cluster storage should have encryption enabled</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F31</key> <name>DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value</name> <internalKey>F31</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F32</key> <name>EFS FileSystem should have encryption enabled</name> <internalKey>F32</internalKey> <description>EFS FileSystem should have encryption enabled</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F33</key> <name>ElastiCache ReplicationGroup should have encryption enabled for in transit</name> <internalKey>F33</internalKey> <description>ElastiCache ReplicationGroup should have encryption enabled for in transit</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> 
<status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F34</key> <name>RDS DB Cluster master user password must not be a plaintext string or a Ref to a Parameter with a Default value</name> <internalKey>F34</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F35</key> <name>Redshift Cluster master user password must not be a plaintext string or a Ref to a Parameter with a Default value</name> <internalKey>F35</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F36</key> <name>Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value</name> <internalKey>F36</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value</description> <severity>BLOCKER</severity> 
<cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F37</key> <name>DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value</name> <internalKey>F37</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F38</key> <name>IAM role should not allow * resource with PassRole action on its permissions policy.</name> <internalKey>F38</internalKey> <description>IAM role should not allow * resource with PassRole action on its permissions policy.</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F39</key> <name>IAM policy should not allow * resource with PassRole action.</name> <internalKey>F39</internalKey> <description>IAM policy should not allow * resource with PassRole action.</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> 
<tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F40</key> <name>IAM managed policy should not allow a * resource with PassRole action.</name> <internalKey>F40</internalKey> <description>IAM managed policy should not allow a * resource with PassRole action.</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F41</key> <name>Amplify App AccessToken must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F41</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F42</key> <name>Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F42</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> 
<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F43</key> <name>Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F43</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F44</key> <name>ElastiCache ReplicationGroup AuthToken must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F44</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F45</key> <name>Lambda Permission EventSourceToken must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F45</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> 
<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F46</key> <name>Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F46</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F47</key> <name>Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F47</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F48</key> <name>Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F48</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> 
<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F49</key> <name>Pinpoint APNSVoipChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F49</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F50</key> <name>Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F50</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F51</key> <name>IAM User LoginProfile Password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F51</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> 
<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F52</key> <name>AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F52</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F53</key> <name>AppStream DirectoryConfig ServiceAccountCredentials AccountPassword must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F53</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F54</key> <name>OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F54</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> 
<remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F55</key> <name>DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F55</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F56</key> <name>Pinpoint APNSChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F56</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F57</key> <name>Pinpoint APNSChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F57</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> 
<remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F58</key> <name>Amplify App OauthToken must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F58</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F60</key> <name>Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F60</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F61</key> <name>OpsWorks App SslConfiguration PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F61</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> 
<remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F62</key> <name>OpsWorks Stack CustomCookbooksSource Password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F62</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F63</key> <name>EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F63</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F64</key> <name>EMR Cluster KerberosAttributes CrossRealmTrustPrincipal Password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F64</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> 
<tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F65</key> <name>EMR Cluster KerberosAttributes KdcAdmin Password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F65</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F66</key> <name>Kinesis Firehose DeliveryStream RedshiftDestinationConfiguration Password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F66</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F67</key> <name>OpsWorks App AppSource Password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F67</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> 
<type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F68</key> <name>Kinesis Firehose DeliveryStream SplunkDestinationConfiguration HECToken must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F68</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F69</key> <name>CodePipeline Webhook AuthenticationConfiguration SecretToken must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F69</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F70</key> <name>DocDB DB Cluster master user password must not be a plaintext string or a Ref to a Parameter with a Default value.</name> <internalKey>F70</internalKey> <description>Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.</description> <severity>BLOCKER</severity> 
<cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F71</key> <name>ManagedBlockchain Member MemberFabricConfiguration AdminPasswordRule must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.</name> <internalKey>F71</internalKey> <description>ManagedBlockchain Member MemberFabricConfiguration AdminPasswordRule must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F74</key> <name>Alexa ASK Skill AuthenticationConfiguration ClientSecret must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.</name> <internalKey>F74</internalKey> <description>Alexa ASK Skill AuthenticationConfiguration ClientSecret must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F75</key> <name>Alexa ASK Skill AuthenticationConfiguration RefreshToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.</name> 
<internalKey>F75</internalKey> <description>Alexa ASK Skill AuthenticationConfiguration RefreshToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F76</key> <name>KMS key should not allow * principal</name> <internalKey>F76</internalKey> <description>KMS key should not allow * principal (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F77</key> <name>SimpleDB Domain should not be a declared resource</name> <internalKey>F77</internalKey> <description>SimpleDB Domain should not be a declared resource</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F78</key> <name>AWS Cognito UserPool should have MfaConfiguration set to 'ON' (MUST be wrapped in quotes) or at least 'OPTIONAL'</name> <internalKey>F78</internalKey> <description>AWS Cognito UserPool should have MfaConfiguration set to 'ON' (MUST be wrapped in quotes) or at least 'OPTIONAL'</description> <severity>CRITICAL</severity> 
<cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>cweid-308</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F79</key> <name>A NetworkACL's rule numbers cannot be repeated unless one is egress and one is ingress.</name> <internalKey>F79</internalKey> <description>A NetworkACL's rule numbers cannot be repeated unless one is egress and one is ingress.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-284</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F80</key> <name>RDS instance should have deletion protection enabled.</name> <internalKey>F80</internalKey> <description>RDS instance should have deletion protection enabled.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-693</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F665</key> <name>WebAcl DefaultAction should not be ALLOW</name> <internalKey>F665</internalKey> <description>WebAcl DefaultAction should not be ALLOW</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F1000</key> <name>Missing egress rule means all 
traffic is allowed outbound.</name> <internalKey>F1000</internalKey> <description>Missing egress rule means all traffic is allowed outbound. Make this explicit if it is the desired configuration.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>F2000</key> <name>User is not assigned to a group</name> <internalKey>F2000</internalKey> <description>User is not assigned to a group</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-286</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W1</key> <name>Specifying credentials in the template itself is probably not the safest thing</name> <internalKey>W1</internalKey> <description>Specifying credentials in the template itself is probably not the safest thing</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a3</tag> <tag>cweid-257</tag> <tag>800-53-ia-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W2</key> <name>Security Groups found with cidr open to world on ingress.</name> <internalKey>W2</internalKey> <description>Security Groups found with cidr open to world on ingress. This should never be true on an instance. 
Permissible on ELB</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W5</key> <name>Security Groups found with cidr open to world on egress</name> <internalKey>W5</internalKey> <description>Security Groups found with cidr open to world on egress</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W9</key> <name>Security Groups found with ingress cidr that is not /32</name> <internalKey>W9</internalKey> <description>Security Groups found with ingress cidr that is not /32</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W10</key> <name>CloudFront Distribution should enable access logging</name> <internalKey>W10</internalKey> <description>CloudFront Distribution should enable access logging</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a10</tag> <tag>cweid-778</tag> <tag>800-53-au-12</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> 
<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W11</key> <name>IAM role should not allow * resource on its permissions policy</name> <internalKey>W11</internalKey> <description>IAM role should not allow * resource on its permissions policy</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W12</key> <name>IAM policy should not allow * resource</name> <internalKey>W12</internalKey> <description>IAM policy should not allow * resource</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W13</key> <name>IAM managed policy should not allow * resource</name> <internalKey>W13</internalKey> <description>IAM managed policy should not allow * resource</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W14</key> <name>IAM role should not allow Allow+NotAction on trust permissions</name> <internalKey>W14</internalKey> <description>IAM role should not allow Allow+NotAction on trust permissions</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> 
<status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W15</key> <name>IAM role should not allow Allow+NotAction</name> <internalKey>W15</internalKey> <description>IAM role should not allow Allow+NotAction</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W16</key> <name>IAM policy should not allow Allow+NotAction</name> <internalKey>W16</internalKey> <description>IAM policy should not allow Allow+NotAction</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W17</key> <name>IAM managed policy should not allow Allow+NotAction</name> <internalKey>W17</internalKey> <description>IAM managed policy should not allow Allow+NotAction</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W18</key> <name>SQS Queue policy should not allow Allow+NotAction</name> 
<internalKey>W18</internalKey> <description>SQS Queue policy should not allow Allow+NotAction</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W19</key> <name>SNS Topic policy should not allow Allow+NotAction</name> <internalKey>W19</internalKey> <description>SNS Topic policy should not allow Allow+NotAction</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W20</key> <name>S3 Bucket policy should not allow Allow+NotAction</name> <internalKey>W20</internalKey> <description>S3 Bucket policy should not allow Allow+NotAction</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W21</key> <name>IAM role should not allow Allow+NotResource</name> <internalKey>W21</internalKey> <description>IAM role should not allow Allow+NotResource</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> 
<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W22</key> <name>IAM policy should not allow Allow+NotResource</name> <internalKey>W22</internalKey> <description>IAM policy should not allow Allow+NotResource</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W23</key> <name>IAM managed policy should not allow Allow+NotResource</name> <internalKey>W23</internalKey> <description>IAM managed policy should not allow Allow+NotResource</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W24</key> <name>Lambda permission beside InvokeFunction might not be what you want?</name> <internalKey>W24</internalKey> <description>Lambda permission beside InvokeFunction might not be what you want? 
Not sure!?</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W26</key> <name>Elastic Load Balancer should have access logging enabled</name> <internalKey>W26</internalKey> <description>Elastic Load Balancer should have access logging enabled</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a10</tag> <tag>cweid-778</tag> <tag>800-53-au-12</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W27</key> <name>Security Groups found ingress with port range instead of just a single port</name> <internalKey>W27</internalKey> <description>Security Groups found ingress with port range instead of just a single port</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W28</key> <name>Resource found with an explicit name, this disallows updates that require replacement of this resource</name> <internalKey>W28</internalKey> <description>Resource found with an explicit name, this disallows updates that require replacement of this resource</description> <severity>INFO</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> 
<remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W29</key> <name>Security Groups found egress with port range instead of just a single port</name> <internalKey>W29</internalKey> <description>Security Groups found egress with port range instead of just a single port</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W31</key> <name>S3 Bucket likely should not have a public read acl</name> <internalKey>W31</internalKey> <description>S3 Bucket likely should not have a public read acl</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W32</key> <name>CodeBuild project should specify an EncryptionKey value</name> <internalKey>W32</internalKey> <description>CodeBuild project should specify an EncryptionKey value</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W33</key> <name>EC2 Subnet should not have MapPublicIpOnLaunch set to true</name> <internalKey>W33</internalKey> <description>EC2 Subnet should not have 
MapPublicIpOnLaunch set to true</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W34</key> <name>Batch Job Definition Container Properties should not have Privileged set to true</name> <internalKey>W34</internalKey> <description>Batch Job Definition Container Properties should not have Privileged set to true</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W35</key> <name>S3 Bucket should have access logging configured</name> <internalKey>W35</internalKey> <description>S3 Bucket should have access logging configured</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a10</tag> <tag>cweid-778</tag> <tag>800-53-au-12</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W36</key> <name>Security group rules without a description</name> <internalKey>W36</internalKey> <description>Security group rules without a description obscure their purpose and may lead to bad practices in ensuring they only allow traffic from the ports and sources/destinations required.</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> 
<tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W37</key> <name>EBS Volume should specify a KmsKeyId value</name> <internalKey>W37</internalKey> <description>EBS Volume should specify a KmsKeyId value</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W38</key> <name>IoT policy should not allow * action</name> <internalKey>W38</internalKey> <description>IoT policy should not allow * action</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W39</key> <name>IoT policy should not allow * resource</name> <internalKey>W39</internalKey> <description>IoT policy should not allow * resource</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W40</key> <name>Security Groups egress with an IpProtocol of -1 found</name> <internalKey>W40</internalKey> <description>Security Groups egress with an IpProtocol of -1 found</description> <severity>MAJOR</severity> 
<cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W41</key> <name>S3 Bucket should have encryption option set</name> <internalKey>W41</internalKey> <description>S3 Bucket should have encryption option set</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W42</key> <name>Security Groups ingress with an ipProtocol of -1 found</name> <internalKey>W42</internalKey> <description>Security Groups ingress with an ipProtocol of -1 found</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W43</key> <name>IAM role should not have AdministratorAccess policy</name> <internalKey>W43</internalKey> <description>IAM role should not have AdministratorAccess policy</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W44</key> <name>IAM role should 
not have Elevated Managed policy</name> <internalKey>W44</internalKey> <description>IAM role should not have Elevated Managed policy</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W45</key> <name>Api gateway should have access logging configured</name> <internalKey>W45</internalKey> <description>Api gateway should have access logging configured</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a10</tag> <tag>cweid-778</tag> <tag>800-53-au-12</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W46</key> <name>ApiGateway V2 should have access logging configured</name> <internalKey>W46</internalKey> <description>ApiGateway V2 should have access logging configured</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a10</tag> <tag>cweid-778</tag> <tag>800-53-au-12</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W47</key> <name>SNS Topic should specify KmsMasterKeyId property</name> <internalKey>W47</internalKey> <description>SNS Topic should specify KmsMasterKeyId property</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> 
<tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W48</key> <name>SQS Queue should specify KmsMasterKeyId property</name> <internalKey>W48</internalKey> <description>SQS Queue should specify KmsMasterKeyId property</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W49</key> <name>Kinesis Stream should specify StreamEncryption.</name> <internalKey>W49</internalKey> <description>Kinesis Stream should specify StreamEncryption, EncryptionType should be KMS and specify KMS Key Id</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W50</key> <name>IAM User Login Profile should exist and have PasswordResetRequired property set to true</name> <internalKey>W50</internalKey> <description>IAM User Login Profile should exist and have PasswordResetRequired property set to true</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W51</key> <name>S3 bucket should likely have a bucket policy</name> 
<internalKey>W51</internalKey> <description>S3 bucket should likely have a bucket policy</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W52</key> <name>Elastic Load Balancer V2 should have access logging enabled</name> <internalKey>W52</internalKey> <description>Elastic Load Balancer V2 should have access logging enabled</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a10</tag> <tag>cweid-778</tag> <tag>800-53-au-12</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W53</key> <name>AmazonMQ Broker should specify EncryptionOptions.</name> <internalKey>W53</internalKey> <description>AmazonMQ Broker should specify EncryptionOptions.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W54</key> <name>ElasticsearchDomain should specify EncryptionAtRestOptions.</name> <internalKey>W54</internalKey> <description>ElasticsearchDomain should specify EncryptionAtRestOptions.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> 
<remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W55</key> <name>Elastic Load Balancer V2 Listener SslPolicy should use TLS 1.2.</name> <internalKey>W55</internalKey> <description>Elastic Load Balancer V2 Listener SslPolicy should use TLS 1.2.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-326</tag> <tag>800-53-sc-8</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W56</key> <name>Elastic Load Balancer V2 Listener Protocol should use HTTPS for ALBs.</name> <internalKey>W56</internalKey> <description>Elastic Load Balancer V2 Listener Protocol should use HTTPS for ALBs.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-8</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W57</key> <name>AWS::Cognito::IdentityPool AllowUnauthenticatedIdentities property should be false but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.</name> <internalKey>W57</internalKey> <description>AWS::Cognito::IdentityPool AllowUnauthenticatedIdentities property should be false but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>cweid-306</tag> <tag>owasp-a10</tag> 
<remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W58</key> <name>Lambda functions require permission to write CloudWatch Logs.</name> <internalKey>W58</internalKey> <description>Lambda functions require permission to write CloudWatch Logs.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>cweid-778</tag> <tag>owasp-a10</tag> <tag>800-53-au-12</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W59</key> <name>AWS::ApiGateway::Method should not have AuthorizationType set to 'NONE'.</name> <internalKey>W59</internalKey> <description>AWS::ApiGateway::Method should not have AuthorizationType set to 'NONE'.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>cweid-306</tag> <tag>owasp-a2</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W60</key> <name>VPC should have a flow log attached</name> <internalKey>W60</internalKey> <description>VPC should have a flow log attached</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a10</tag> <tag>cweid-778</tag> <tag>800-53-au-12</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W62</key> <name>ApiGateway SecurityPolicy should use TLS 1.2</name> <internalKey>W62</internalKey> <description>ApiGateway SecurityPolicy should use TLS 1.2.</description> 
<severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-326</tag> <tag>800-53-sc-8</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W61</key> <name>EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.</name> <internalKey>W61</internalKey> <description>EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-8</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W63</key> <name>EMR Cluster should specify SecurityConfiguration.</name> <internalKey>W63</internalKey> <description>EMR Cluster should specify SecurityConfiguration.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W64</key> <name>AWS::ApiGateway::Stage resources should be associated with an AWS::ApiGateway::UsagePlan.</name> <internalKey>W64</internalKey> <description>AWS::ApiGateway::Stage resources should be associated with an AWS::ApiGateway::UsagePlan.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>cweid-770</tag> 
<tag>800-53-sc-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W65</key> <name>GameLift fleet EC2InboundPermissions found with port range instead of just a single port</name> <internalKey>W65</internalKey> <description>GameLift fleet EC2InboundPermissions found with port range instead of just a single port</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W66</key> <name>To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be specified</name> <internalKey>W66</internalKey> <description>To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W67</key> <name>TCP/UDP protocol NetworkACL entries possibly should not allow all ports.</name> <internalKey>W67</internalKey> <description>TCP/UDP protocol NetworkACL entries possibly should not allow all ports.</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-732</tag> <tag>800-53-ac-4</tag> 
<remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W68</key> <name>AWS::ApiGateway::Deployment resources should be associated with an AWS::ApiGateway::UsagePlan.</name> <internalKey>W68</internalKey> <description>AWS::ApiGateway::Deployment resources should be associated with an AWS::ApiGateway::UsagePlan.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>cweid-770</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W69</key> <name>AWS::ApiGateway::Stage should have the AccessLogSetting property defined.</name> <internalKey>W69</internalKey> <description>AWS::ApiGateway::Stage should have the AccessLogSetting property defined.</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a10</tag> <tag>cweid-778</tag> <tag>800-53-au-12</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W70</key> <name>Cloudfront should use minimum protocol version TLS 1.2</name> <internalKey>W70</internalKey> <description>Cloudfront should use minimum protocol version TLS 1.2</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-326</tag> <tag>800-53-sc-8</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W71</key> <name>NetworkACL Entry Deny rules should affect all CIDR ranges.</name> <internalKey>W71</internalKey> 
<description>NetworkACL Entry Deny rules should affect all CIDR ranges.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-284</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W72</key> <name>NetworkACL Entries are reusing or overlapping ports which may create ineffective rules.</name> <internalKey>W72</internalKey> <description>NetworkACL Entries are reusing or overlapping ports which may create ineffective rules.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-284</tag> <tag>800-53-ac-4</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W73</key> <name>DynamoDB table should have billing mode set to either PAY_PER_REQUEST or PROVISIONED</name> <internalKey>W73</internalKey> <description>DynamoDB table should have billing mode set to either PAY_PER_REQUEST or PROVISIONED</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W74</key> <name>DynamoDB table should have encryption enabled using a CMK stored in KMS</name> <internalKey>W74</internalKey> <description>DynamoDB table should have encryption enabled using a CMK stored in KMS</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> 
<tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W75</key> <name>RDS instance should have backup retention period greater than 0.</name> <internalKey>W75</internalKey> <description>RDS instance should have backup retention period greater than 0.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-693</tag> <tag>800-53-cp-9</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W76</key> <name>SPCM for IAM policy document is higher than 25</name> <internalKey>W76</internalKey> <description>Stelligent Policy Complexity Metric (SPCM) for IAM policy document is higher than 25</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-272</tag> <tag>800-53-ac-6</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W77</key> <name>Secrets Manager Secret should explicitly specify KmsKeyId.</name> <internalKey>W77</internalKey> <description>Besides control of the key this will allow the secret to be shared cross-account.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W78</key> <name>DynamoDB table should have backup 
enabled; set it using PointInTimeRecoveryEnabled.</name> <internalKey>W78</internalKey> <description>DynamoDB table should have backup enabled; set it using PointInTimeRecoveryEnabled.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-693</tag> <tag>800-53-cp-9</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W79</key> <name>ECR Repository should have scanOnPush enabled.</name> <internalKey>W79</internalKey> <description>ECR Repository should have scanOnPush enabled.</description> <severity>MAJOR</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a9</tag> <tag>800-53-ra-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W80</key> <name>Kendra Index ServerSideEncryptionConfiguration should specify a KmsKeyId value.</name> <internalKey>W80</internalKey> <description>Kendra Index ServerSideEncryptionConfiguration should specify a KmsKeyId value.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W81</key> <name>DLM LifecyclePolicy PolicyDetails Actions CrossRegionCopy EncryptionConfiguration should enable Encryption.</name> <internalKey>W81</internalKey> <description>DLM LifecyclePolicy PolicyDetails Actions CrossRegionCopy EncryptionConfiguration should enable Encryption.</description> 
<severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W82</key> <name>EKS Cluster EncryptionConfig Provider should specify KeyArn to enable Encryption.</name> <internalKey>W82</internalKey> <description>EKS Cluster EncryptionConfig Provider should specify KeyArn to enable Encryption.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W83</key> <name>DynamoDB Accelerator (DAX) Cluster should have encryption enabled</name> <internalKey>W83</internalKey> <description>DynamoDB Accelerator (DAX) Cluster should have encryption enabled</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W84</key> <name>CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data</name> <internalKey>W84</internalKey> <description>CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> 
<remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W85</key> <name>ElasticsearchDomain should have NodeToNodeEncryptionOptions enabled</name> <internalKey>W85</internalKey> <description>ElasticsearchDomain should have NodeToNodeEncryptionOptions enabled</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W86</key> <name>CloudWatchLogs LogGroup should specify RetentionInDays to expire the log data</name> <internalKey>W86</internalKey> <description>CloudWatchLogs LogGroup should specify RetentionInDays to expire the log data</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-779</tag> <tag>800-53-au-11</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W87</key> <name>ApiGateway Deployment should have cache data encryption enabled when caching is enabled</name> <internalKey>W87</internalKey> <description>ApiGateway Deployment should have cache data encryption enabled when caching is enabled</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W88</key> <name>Kinesis Firehose DeliveryStream 
of type DirectPut should specify SSE</name> <internalKey>W88</internalKey> <description>Kinesis Firehose DeliveryStream of type DirectPut should specify SSE</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W89</key> <name>Lambda functions should be deployed inside a VPC; the VpcConfig property is missing</name> <internalKey>W89</internalKey> <description>Lambda functions should be deployed inside a VPC; the VpcConfig property is missing</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-200</tag> <tag>800-53-sc-7</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W90</key> <name>ElasticsearchDomain should be inside a VPC; specify VPCOptions</name> <internalKey>W90</internalKey> <description>ElasticsearchDomain should be inside a VPC; specify VPCOptions</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-200</tag> <tag>800-53-sc-7</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W91</key> <name>Database Migration Service replication instances are public, property PubliclyAccessible should be set to false</name> <internalKey>W91</internalKey> <description>Database Migration Service replication instances are public, property PubliclyAccessible should be set to 
false</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-200</tag> <tag>800-53-sc-7</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W92</key> <name>Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions</name> <internalKey>W92</internalKey> <description>Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>cweid-770</tag> <tag>800-53-sc-5</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W1200</key> <name>SageMaker EndpointConfig should have a KmsKeyId property set.</name> <internalKey>W1200</internalKey> <description>SageMaker EndpointConfig should have a KmsKeyId property set.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>W1201</key> <name>SageMaker NotebookInstance should have a KmsKeyId property set.</name> <internalKey>W1201</internalKey> <description>SageMaker NotebookInstance should have a KmsKeyId property set.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <tag>owasp-a6</tag> <tag>cweid-311</tag> <tag>800-53-sc-13</tag> 
<remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>WUNDEFINED</key> <name>Custom cfn-nag warning rule or rule missing integration in this plugin.</name> <internalKey>WUNDEFINED</internalKey> <description>Custom cfn-nag warning or rule missing integration in this plugin.</description> <severity>CRITICAL</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> <rule> <key>FUNDEFINED</key> <name>Custom cfn-nag failure rule or rule missing integration in this plugin.</name> <internalKey>FUNDEFINED</internalKey> <description>Custom cfn-nag failure or rule missing integration in this plugin.</description> <severity>BLOCKER</severity> <cardinality>SINGLE</cardinality> <status>READY</status> <type>VULNERABILITY</type> <tag>security</tag> <tag>cfn-nag</tag> <remediationFunction>CONSTANT_ISSUE</remediationFunction> <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort> </rule> </cloudformation-rules>