Critical severity CSPM issues (64)
| Severity | Non-Compliance | Region | Resource | Issue | Remediation | Read more | Action | |
|---|---|---|---|---|---|---|---|---|
| EC2 | Critical | — | us-east-1 | i-00dac9a2d32a3cd01 | Insecure Instance Meta Data Service (IMDSv1) was found. | IMDSv1 can be exploited by SSRF or XML XXE attacks, as it happened in Capital One data breach, impacting 106M people. Transition to IMDSv2. | More info | |
| EC2 | Critical | — | us-east-1 | i-0ece894d6d29136f5 | Insecure Instance Meta Data Service (IMDSv1) was found. | IMDSv1 can be exploited by SSRF or XML XXE attacks, as it happened in Capital One data breach, impacting 106M people. Transition to IMDSv2. | More info | |
| EC2 | Critical | — | us-east-2 | EC2 | The number of allocated Elastic IP addresses for use with instances in a VPC has reached its limit: 5 out of 5 addresses are in use. | If you think your architecture warrants additional VPC Elastic IP addresses, you can request a quota increase directly from the Service Quotas console. | More info | |
| EC2 | Critical | — | us-east-2 | sg-005d502860fac8127 | The security group allows all IP addresses to access your instance using SSH service over TCP port 22. | Authorize only a specific IP address or range of addresses to access your instance. | More info | |
| EC2 | Critical | — | us-east-2 | sg-00d08eb45cd7010d7 | The security group allows all IP addresses to access your instance using SSH service over TCP port 22. | Authorize only a specific IP address or range of addresses to access your instance. | More info | |
| EC2 | Critical | — | us-west-2 | i-0548a56d248a067d8 | Insecure Instance Meta Data Service (IMDSv1) was found. | IMDSv1 can be exploited by SSRF or XML XXE attacks, as it happened in Capital One data breach, impacting 106M people. Transition to IMDSv2. | More info | |
| EC2 | Critical | — | us-west-2 | i-0362782bc36ed6a41 | Insecure Instance Meta Data Service (IMDSv1) was found. | IMDSv1 can be exploited by SSRF or XML XXE attacks, as it happened in Capital One data breach, impacting 106M people. Transition to IMDSv2. | More info | |
| EC2 | Critical | — | us-west-2 | i-0f55b11c76adbbe3d | Insecure Instance Meta Data Service (IMDSv1) was found. | IMDSv1 can be exploited by SSRF or XML XXE attacks, as it happened in Capital One data breach, impacting 106M people. Transition to IMDSv2. | More info | |
| EC2 | Critical | — | us-west-2 | i-087073f185b54ed12 | Insecure Instance Meta Data Service (IMDSv1) was found. | IMDSv1 can be exploited by SSRF or XML XXE attacks, as it happened in Capital One data breach, impacting 106M people. Transition to IMDSv2. | More info | |
| EC2 | Critical | — | us-west-2 | i-0c1b1df0b7efb0b57 | Insecure Instance Meta Data Service (IMDSv1) was found. | IMDSv1 can be exploited by SSRF or XML XXE attacks, as it happened in Capital One data breach, impacting 106M people. Transition to IMDSv2. | More info | |
| EC2 | Critical | — | us-west-2 | sg-008b20c9103b66b66 | The security group allows all IP addresses to access your instance using SSH service over TCP port 22. | Authorize only a specific IP address or range of addresses to access your instance. | More info | |
| EC2 | Critical | — | us-west-2 | sg-00aefbbc4e8c94127 | The security group allows all IP addresses to access your instance using SSH service over TCP port 22. | Authorize only a specific IP address or range of addresses to access your instance. | More info | |
| EC2 | Critical | — | us-west-2 | sg-0a5c0766337509406 | The security group allows all IP addresses to access your instance using SSH service over TCP port 22. | Authorize only a specific IP address or range of addresses to access your instance. | More info | |
| EC2 | Critical | — | us-west-2 | sg-0a7a7778280d5d4fd | The security group allows all IP addresses to access your instance using SSH service over TCP port 22. | Authorize only a specific IP address or range of addresses to access your instance. | More info | |
| IAM | Critical | — | us-east-1 | Rony | IAM user "Rony" has two access keys. While doing so makes rotation easier, having both access keys enabled increases the risk of a data breach. | Delete or deactivate the first access key for the user "Rony". | More info | |
| IAM | Critical | — | us-east-1 | Sergei | IAM user "Sergei" has two access keys. While doing so makes rotation easier, having both access keys enabled increases the risk of a data breach. | Delete or deactivate the first access key for the user "Sergei". | More info | |
| RDS | Critical | PCI DSS 3.5 HIPAA (Encryption) | us-east-1 | database-1-final-snapshot | RDS DB snapshot has no encryption. | To ensure the data is encrypted at rest, copy the non-encrypted snapshot into a new one. Select Enable Encryption option to make sure the copy is encrypted. | More info | |
| RDS | Critical | PCI DSS 3.5 HIPAA (Encryption) | us-east-1 | test | RDS DB snapshot has no encryption. | To ensure the data is encrypted at rest, copy the non-encrypted snapshot into a new one. Select Enable Encryption option to make sure the copy is encrypted. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | us-east-1 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | us-east-1 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | us-east-2 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | us-east-2 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | us-west-1 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | us-west-1 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | us-west-2 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | — | us-west-2 | my-trail | There are no recommended CloudWatch metric filters found in the log group "my-trail": "CIS 1.1: Avoid the use of "root" account", "CIS 3.2: AWS Console sign-in without MFA", "CIS 3.3: The usage of "root" account"... | Create all metric filters recommended by the CIS AWS Foundations standard. Follow the link to open the web page, and copy all provided patterns into the Filter Pattern field of each metric filter. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | us-west-2 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | CIS 3.4 | us-west-2 | test-trail | CloudTrail trail is not using CloudWatch Logs to monitor your trail logs and notify you when suspicious activity occurs. | Configure your CloudTrail trail to send events to CloudWatch Logs: specify an existing CloudWatch Logs log group, or create a new one to which to send your events. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ap-south-1 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ap-south-1 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ap-northeast-2 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ap-northeast-2 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ap-southeast-1 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ap-southeast-1 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ap-southeast-2 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ap-southeast-2 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ap-northeast-1 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ap-northeast-1 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ca-central-1 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | ca-central-1 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | eu-central-1 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | eu-central-1 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | eu-west-1 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | eu-west-1 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | eu-west-2 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | eu-west-2 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | eu-west-3 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | eu-west-3 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | eu-north-1 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | eu-north-1 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | sa-east-1 | my-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| CloudTrail | Critical | PCI DSS 10.2 HIPAA (Audit) | sa-east-1 | test-trail | CloudTrail logs are not being delivered. The latest delivery attempt produced an error "NoSuchBucket". | Check out your CloudTrail configuration to make sure the logs are being delivered. | More info | |
| Key Management Service | Critical | CIS 3.8 PCI DSS 3.7.4 | us-east-1 | e92b32e6-a563-42c7-b0cc-c9a09cc3fec8 | Customer managed key (CMK) "my-key" has key rotation disabled. | PCI DSS Requirement 3.6 states that you must rotate the keys at the end of their defined cryptoperiod. CIS Control 2.8: Ensure rotation for customer-created CMKs is enabled | More info | |
| Key Management Service | Critical | CIS 3.8 PCI DSS 3.7.4 | us-east-2 | 2a30648d-7f18-46ab-b97d-f9f0d562446e | Customer managed key (CMK) "test-key2" has key rotation disabled. | PCI DSS Requirement 3.6 states that you must rotate the keys at the end of their defined cryptoperiod. CIS Control 2.8: Ensure rotation for customer-created CMKs is enabled | More info | |
| Key Management Service | Critical | CIS 3.8 PCI DSS 3.7.4 | us-west-2 | ef4a6c7d-4091-4456-927d-e3a62e245f59 | Customer managed key (CMK) "my-test-key" has key rotation disabled. | PCI DSS Requirement 3.6 states that you must rotate the keys at the end of their defined cryptoperiod. CIS Control 2.8: Ensure rotation for customer-created CMKs is enabled | More info | |
| CloudFront | Critical | PCI DSS 4.2 PCI DSS (Old Protocols) HIPAA (Encryption) | us-east-1 | EABCW25ZCESFI | CloudFront distribution uses insecure default CloudFront protocol TLSv1. | To comply with PSI DSS (requires not to use SSLv2, SSLv3, TLS 1.0), create and import a custom SSL Certificate. Next, select the recommended security policy for CloudFront to use for HTTPS connections. | More info | |
| Kinesis | Critical | PCI DSS 3.5 HIPAA (Encryption) | us-east-1 | stream3 | S3 server-side encryption for the Firehose delivery stream is disabled. | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, make sure the data delivered in S3 bucket is encrypted with a KMS customer-managed key. | More info | |
| SQS | Critical | — | us-east-1 | my-queue | SQS queue allows anonymous access to the action: "SQS:*". | Make sure the access policy of your SQS queue protects it against unauthorized users. | More info | |
| Systems Manager | Critical | — | us-east-2 | SysdigSecureAPIToken | Systems Manager parameter type is not "SecureString". | For all sensitive data that must remain encrypted, use only the "SecureString" parameter type. | More info | |
| Systems Manager | Critical | — | us-east-2 | SysdigSecureEndpoint | Systems Manager parameter type is not "SecureString". | For all sensitive data that must remain encrypted, use only the "SecureString" parameter type. | More info | |
| Certificate Manager | Critical | — | us-east-1 | 24cd6d04-41be-43f4-97a5-dbbe07084195 | ACM certificate validation for "prevasio.com" using email validation method has failed. | Make sure AWS Certificate Manager (ACM) can automatically renew SSL/TLS certificates before they expire by using DNS. | More info | |
| Elastic Beanstalk | Critical | — | us-east-1 | e-wbppgmzevf | Elastic Beanstalk is not configured to apply managed platform updates to the environment "Sampleapplication-env". | Configure your environment to automatically apply managed platform updates. | More info | |
| Elastic File System | Critical | CIS 2.4.1 PCI DSS 3.5 HIPAA (Encryption) | us-east-1 | fs-34d4d281 | EFS file system is not encrypted. | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest and in transit, make sure your file system is encrypted with a KMS customer-managed key (CMK). | More info | |
| Route 53 | Critical | — | us-east-1 | prevasio.io | Registered domain has no transfer lock. | Lock your domain to prevent an unauthorized transfer to another registrar. | More info |
Critical severity private container images (9)
| Repository | Image tag | Region | Image size | Pushed at | Latest | Vulnerabilities | Alerts | Action | |
|---|---|---|---|---|---|---|---|---|---|
| jsindy/bitcoind-regtest | latest | us-east-1 | 50.59 MB | ✓ | 16 High + 191 others (details) | No issues | |||
| cmotta2016/apache | latest | us-east-2 | 107.99 MB | ✓ | 17 High + 1,406 others (details) | Runs HTTP Web server on port 80 (details) | |||
| elenakves/train-schedule | latest | us-west-2 | 257.05 MB | ✓ | 192 Critical + 1,592 others (details) | Runs HTTP Web server on port 8080 (details) | |||
| kitex33237/ubuntu2 | latest | us-east-2 | 29.69 MB | ✓ | 2 High + 103 others (details) | Contains malware Unix.Trojan.Generic-9919438-0 (details) | |||
| pranavbhatia/openvas2 | latest | us-east-1 | 834.94 MB | ✓ | 13 Critical + 740 others (details) | Contains malware Unix.Tool.Pnscan-8031486-0 (details) Runs HTTP Web server on port 80 (details) |
|||
| strixtest/strix | 0.0.2-d | us-east-2 | 159.61 MB | ✓ | 1 Critical + 1,573 others (details) | Contains malware Multios.Coinminer.Miner-6781728-2 (details) Runs HTTP Web server on port 8080 (details) |
|||
| frozenfox/tomcat | wolv | us-east-2 | 218.3 MB | ✓ | 5 Critical + 437 others (details) | Contains malware Win.Adware.LoadMoney-3644756-1 (details) Runs HTTP Web server on port 8080 (details) |
|||
| tecexokel/prefab-parser | latest | us-east-2 | 218.3 MB | ✓ | 1 Critical + 1,538 others (details) | Contains malware Multios.Coinminer.Miner-6781728-2 (details) | |||
| borsear/resultui | latest | us-east-1 | 26.39 MB | ✓ | 12 Critical + 71 others (details) | Contains malware Js.Coinminer.Agent-7049519-0 (details) Runs HTTP Web server on port 80 (details) Runs Node.js application (details) |
Critical severity public container images (0)
| Repository | Image tag | Region | Image size | Pushed at | Latest | Vulnerabilities | Alerts | Action |
|---|