Cloud Security Rules

RULE	SERVICE GROUP
C S3 bucket ACL allows public access to S3 bucket storing CloudTrail log files	S3
H API Gateway allows anonymous access	API Gateway (REST APIs)
H Batch job runs with privileged flag set to true	Batch
H Broad IAM permissions in IAM policy	IAM
H CloudTrail trail has logging disabled	CloudTrail
H EC2 metadata has hardcoded secrets	EC2
H ECR policy allows public access	ECR
H IAM access key generated for `root` user	IAM
H IAM policy has a statement block with a wildcard action	IAM
H IAM role can be assumed by anyone in the account or anyone in any account	IAM
H KMS master key is publicly accessible	KMS
H Obsolete EC2-classic resource in use	VPC
H Potentially sensitive variable in Lambda environment	Lambda
H RDS database instance is publicly accessible	RDS
H Redshift cluster is publicly accessible	Redshift
H S3 bucket does not have `ignore_public_acls` enabled	S3
H S3 bucket does not have all block public access options enabled	S3
H S3 bucket has `block_public_acls` disabled	S3
H S3 bucket has `block_public_policy` disabled	S3
H S3 bucket has `restrict_public_buckets` disabled	S3
H S3 bucket is publicly readable	S3
H S3 Bucket should not be publicly readable and writable	S3
H S3 policy grants all permissions to any principal	S3
H SQS queue policy allows all actions on the resource	SQS
H The IAM role can be assumed by any service or principal	IAM
H WAFv2 web ACL does not include the 'AWSManagedRulesKnownBadInputsRuleSet' managed rule group	WAF
M AMI snapshot copy is not encrypted	EC2
M API Gateway cached responses are not encrypted	API Gateway (REST APIs)
M Athena workgroup result encryption is not enforced	Athena
M Athena workgroup settings can be overridden by client	Athena

AWS

Azure

Google

Kubernetes