[Snyk] Upgrade google-auth-library from 8.9.0 to 9.15.0

[gitworkflows]

Snyk has created this PR to upgrade google-auth-library from 8.9.0 to 9.15.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 23 versions ahead of your current version.

• The recommended version was released on 24 days ago.

Release notes

Package name: google-auth-library

• 9.15.0 - 2024-11-14
  

  9.15.0 (2024-11-01)

  Features

  • Impersonated Universe Domain Support (#1875) (902bf8b)
• 9.14.2 - 2024-10-10
  

  9.14.2 (2024-10-09)

  Bug Fixes

  • Disable Universe Domain Check (#1878) (8adb44c)
• 9.14.1 - 2024-09-03
  

  9.14.1 (2024-08-30)

  Performance Improvements

  • GoogleAuth: Improve Client Creation From Files/Streams Perf (#1856) (85d9d6f)
• 9.14.0 - 2024-08-20
  

  9.14.0 (2024-08-19)

  Features

  • Add AnyAuthClient type (#1843) (3ae120d)
  • Extend API Key Support (#1835) (5fc3bcc)
  • Group Concurrent getClient Requests (#1848) (243ce28)

  Bug Fixes

  • deps: Update dependency @ googleapis/iam to v21 (#1847) (e9459f3)
• 9.13.0 - 2024-07-31
  

  9.13.0 (2024-07-29)

  Features

  • Group Concurrent Access Token Requests for Base External Clients (#1840) (0e08fc5)
• 9.12.0 - 2024-07-27
  

  9.12.0 (2024-07-26)

  Features

  • Expose More Public API Types (#1838) (5745a49)

  Bug Fixes

  • deps: Update dependency @ googleapis/iam to v19 (#1823) (b070ffb)
  • deps: Update dependency @ googleapis/iam to v20 (#1832) (e31a831)
• 9.11.0 - 2024-06-12
  

  9.11.0 (2024-06-01)

  Features

  • Adding support of client authentication method. (#1814) (4a14e8c)
• 9.10.0 - 2024-05-13
  

  9.10.0 (2024-05-10)

  Features

  • Implement UserRefreshClient#fetchIdToken (#1811) (ae8bc54)

  Bug Fixes

  • deps: Update dependency @ googleapis/iam to v16 (#1803) (40406a0)
  • deps: Update dependency @ googleapis/iam to v17 (#1808) (4d67f07)
  • deps: Update dependency @ googleapis/iam to v18 (#1809) (b2b9676)
• 9.9.0 - 2024-04-24
  

  9.9.0 (2024-04-18)

  Features

  • Adds suppliers for custom subject token and AWS credentials (#1795) (c680b5d)
• 9.8.0 - 2024-04-15
  

  9.8.0 (2024-04-12)

  Features

  • Enable Retries For Auth Requests (#1791) (9b69a31)
  • Improve gaxios exposure (#1794) (5058726)

  Bug Fixes

  • deps: Update dependency open to v10 (#1782) (16e5cae)
  • deps: Update dependency opn to v6 (#1775) (fc8dfe9)
• 9.7.0 - 2024-03-13
• 9.6.3 - 2024-02-06
• 9.6.2 - 2024-02-02
• 9.6.1 - 2024-02-01
• 9.6.0 - 2024-01-29
• 9.5.0 - 2024-01-25
• 9.4.2 - 2024-01-10
• 9.4.1 - 2023-12-01
• 9.4.0 - 2023-11-30
• 9.3.0 - 2023-11-29
• 9.2.0 - 2023-10-26
• 9.1.0 - 2023-10-02
• 9.0.0 - 2023-07-20
• 8.9.0 - 2023-06-29

from google-auth-library GitHub release notes

---

Important

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Summary by Sourcery

Build:

• Upgrade google-auth-library dependency from version 8.9.0 to 9.15.0 in package.json.

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR upgrades the google-auth-library dependency from version 8.9.0 to 9.15.0. This is a major version upgrade that introduces several new features, performance improvements, and bug fixes. The upgrade spans 23 versions and includes breaking changes due to the major version bump from 8.x to 9.x.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Dependency version upgrade in package.json	Updated google-auth-library from ^8.1.1 to ^9.15.0	package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.

[gitworkflows]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

[codiumai-pr-agent-free]

CI Failure Feedback 🧐

(Checks updated until commit d353326)

Action: build

Failed stage: NPM Test [❌]

Failed test name: ""

Failure summary: The action failed due to a configuration error in the AWS environment: The log indicates a "ConfigError" with the message "Missing region in config" when attempting to load regions from EC2. This suggests that the AWS configuration is missing a specified region, which is necessary for the API calls to function correctly. Without the correct region configuration, the system cannot properly execute the required API calls for the tests.

Relevant error logs: 1: ##[group]Operating System 2: Ubuntu ... 661: (Use `node --trace-warnings ...` to show where the warning was created) 662: engine 663: INFO: Determining API calls to make... 664: INFO: Found 350 API calls to make for aws plugins 665: INFO: Collecting metadata. This may take several minutes... 666: ✔ should run with no arguments (63ms) 667: exports 668: ✔ should use the proper format for each test (225ms) 669: [INFO][REGIONS] Could not load all regions from EC2: {"message":"Missing region in config","code":"ConfigError","time":"2024-12-09T06:11:24.979Z"} ... 678: ✔ should NOT traverse objects without allKeys option 679: ✔ should NOT travers objects in standard keywords which value is not a schema 680: pre and post 681: ✔ should traverse schema in pre-order 682: ✔ should traverse schema in post-order 683: ✔ should traverse schema in pre- and post-order at the same time 684: ackPrivateClusterEnabled 685: run 686: ✔ should FAIL if Cluster does not have Private Cluster enabled 687: ✔ should PASS if Cluster have Private Cluster enabled 688: ✔ should PASS if No ACK clusters found 689: ✔ should UNKNOWN if unable to query ACK clusters 690: ✔ should UNKNOWN if unable no Master_url is found for ACK clusters 691: cloudMonitorEnabled 692: run 693: ✔ should FAIL if Cluster does not have Cloud Monitor Enabled 694: ✔ should PASS if Cluster has Cloud Monitor enabled 695: ✔ should PASS if No ACK clusters found 696: ✔ should UNKNOWN if unable to query ACK clusters 697: logServiceEnabled 698: run 699: ✔ should FAIL if Cluster does not have Log Service enabled 700: ✔ should PASS if Cluster has Log Service enabled 701: ✔ should PASS if No ACK clusters found 702: ✔ should UNKNOWN if unable to query ACK clusters 703: ENImultipleIPmode 704: run 705: ✔ should FAIL if Cluster does not have NetworkPolicy Terway enabled 706: ✔ should PASS if Cluster has NetworkPolicy Terway enabled 707: ✔ should PASS if No ACK clusters found 708: ✔ should UNKNOWN if unable to query ACK clusters 709: networkPolicyEnabled 710: run 711: ✔ should FAIL if Cluster does not have NetworkPolicy enabled 712: ✔ should PASS if Cluster has NetworkPolicy enabled 713: ✔ should PASS if No ACK clusters found 714: ✔ should UNKNOWN if unable to query ACK clusters 715: webDashboardDisabled 716: run 717: ✔ should FAIL if Cluster has web dashboard enabled 718: ✔ should PASS if Cluster does not have web dashboard enabled 719: ✔ should PASS if No ACK clusters found 720: ✔ should UNKNOWN if unable to query ACK clusters 721: actiontrailBucketPrivate 722: run 723: ✔ should FAIL if ActionTrail trail Bucket ACL allows public access 724: ✔ should PASS if ActionTrail trail Bucket ACL allows private access 725: ✔ should PASS if no ActionTrail trail found 726: ✔ should PASS if no ActionTrail trail with OSS bucket destination found 727: ✔ should UNKNOWN if unable to query ActionTrail trails 728: ✔ should UNKNOWN if unable to query OSS bucket info 729: actiontrailGlobalExportLogs 730: run 731: ✔ should FAIL if ActionTrail does not have global trail to log all events 732: ✔ should FAIL if ActionTrail has global trail to log all events but does not export logs to OSS bucket 733: ✔ should PASS if ActionTrail has global trails to log all events 734: ✔ should UNKNOWN if unable to query ActionTrail trails 735: apiGroupTlsVersion 736: run 737: ✔ should PASS if API has latest TLS version 738: ✔ should FAIL if API does not have latest TLS version 739: ✔ should FAIL if API response does not have HttpsPolicy 740: ✔ should PASS if no api groups found 741: ✔ should UNKNOWN if unable to describe API groups 742: ✔ should not return anything if response not received 743: apiProtocol 744: run 745: ✔ should PASS if API has HTTPS protocol configured 746: ✔ should FAIL if API does not HTTPS protocol configured 747: ✔ should FAIL if API response does not have RequestConfig property 748: ✔ should PASS if no APIs are found 749: ✔ should UNKNOWN if unable to describe APIs 750: ✔ should not return anything if response not received 751: dataDisksEncrypted 752: run 753: ✔ should FAIL if disk is not encrypted 754: ✔ should FAIL if Data disk is not encrypted to target encryption level 755: ✔ should PASS if data disks are encrypted 756: ✔ should PASS if no ECS disks found 757: ✔ should UNKNOWN if unable to query ECS disks 758: openAllPortsProtocols 759: run 760: ✔ should PASS if no public open ports found 761: ✔ should FAIL if security group has all ports and protocols open to public 762: ✔ should PASS if no security groups found 763: ✔ should UNKNWON unable to describe security groups 764: openCIFS 765: run 766: ✔ should PASS if no public open ports found 767: ✔ should FAIL if security group has CIFS UDP 445 port open to public 768: ✔ should PASS if no security groups found 769: ✔ should UNKNWON unable to describe security groups 770: openCustomPorts 771: run 772: ✔ should PASS if no public open ports found 773: ✔ should FAIL if security group has custom ports open to public 774: ✔ should PASS if no security groups found 775: ✔ should UNKNWON unable to describe security groups 776: openDNS 777: run 778: ✔ should PASS if no public open ports found 779: ✔ should FAIL if security group has RDP TCP 53 port open to public 780: ✔ should PASS if no security groups found 781: ✔ should UNKNWON unable to describe security groups 782: openDocker 783: run 784: ✔ should PASS if no public open ports found 785: ✔ should FAIL if security group has Docker TCP 2375 port open to public 786: ✔ should PASS if no security groups found 787: ✔ should UNKNWON unable to describe security groups 788: openElasticsearch 789: run 790: ✔ should PASS if no public open ports found 791: ✔ should FAIL if security group has Elasticsearch TCP 9200 port open to public 792: ✔ should PASS if no security groups found 793: ✔ should UNKNWON unable to describe security groups 794: openFTP 795: run 796: ✔ should PASS if no public open ports found 797: ✔ should FAIL if security group has FTP TCP 20 port open to public 798: ✔ should PASS if no security groups found 799: ✔ should UNKNWON unable to describe security groups 800: openHadoopNameNode 801: run 802: ✔ should PASS if no public open ports found 803: ✔ should FAIL if security group has HDFSNameNodeMetadataService TCP 8020 port open to public 804: ✔ should PASS if no security groups found 805: ✔ should UNKNWON unable to describe security groups 806: openHadoopNameNodeWebUI 807: run 808: ✔ should PASS if no public open ports found 809: ✔ should FAIL if security group has NameNodeWebUI TCP 50070 port open to public 810: ✔ should PASS if no security groups found 811: ✔ should UNKNWON unable to describe security groups 812: openKibana 813: run 814: ✔ should PASS if no public open ports found 815: ✔ should FAIL if security group has Kibana TCP 5601 port open to public 816: ✔ should PASS if no security groups found 817: ✔ should UNKNWON unable to describe security groups 818: openMySQL 819: run 820: ✔ should PASS if no public open ports found 821: ✔ should FAIL if security group has MySQL TCP 3306 port open to public 822: ✔ should PASS if no security groups found 823: ✔ should UNKNWON unable to describe security groups 824: openNetBIOS 825: run 826: ✔ should PASS if no public open ports found 827: ✔ should FAIL if security group has NetBIOS UDP 137 port open to public 828: ✔ should PASS if no security groups found 829: ✔ should UNKNWON unable to describe security groups 830: openOracle 831: run 832: ✔ should PASS if no public open ports found 833: ✔ should FAIL if security group has Oracle TCP 1521 port open to public 834: ✔ should PASS if no security groups found 835: ✔ should UNKNWON unable to describe security groups 836: openOracleAutoDataWarehouse 837: run 838: ✔ should PASS if no public open ports found 839: ✔ should FAIL if security group has Oracle Auto Data Warehouse TCP 1522 port open to public 840: ✔ should PASS if no security groups found 841: ✔ should UNKNWON unable to describe security groups 842: openPostgreSQL 843: run 844: ✔ should PASS if no public open ports found 845: ✔ should FAIL if security group has PostgreSQL TCP 5432 port open to public 846: ✔ should PASS if no security groups found 847: ✔ should UNKNWON unable to describe security groups 848: openRDP 849: run 850: ✔ should PASS if no public open ports found 851: ✔ should FAIL if security group has RDP TCP 3389 port open to public 852: ✔ should PASS if no security groups found 853: ✔ should UNKNWON unable to describe security groups 854: openSalt 855: run 856: ✔ should PASS if no public open ports found 857: ✔ should FAIL if security group has Salt TCP 4505 port open to public 858: ✔ should PASS if no security groups found 859: ✔ should UNKNWON unable to describe security groups 860: openSMBoTCP 861: run 862: ✔ should PASS if no public open ports found 863: ✔ should FAIL if security group has SMBoTCP TCP 445 port open to public 864: ✔ should PASS if no security groups found 865: ✔ should UNKNWON unable to describe security groups 866: openSMTP 867: run 868: ✔ should PASS if no public open ports found 869: ✔ should FAIL if security group has SMTP TCP 25 port open to public 870: ✔ should PASS if no security groups found 871: ✔ should UNKNWON unable to describe security groups 872: openSQLServer 873: run 874: ✔ should PASS if no public open ports found 875: ✔ should FAIL if security group has SQL Server TCP 1433 port open to public 876: ✔ should PASS if no security groups found 877: ✔ should UNKNWON unable to describe security groups 878: openSSH 879: run 880: ✔ should PASS if no public open ports found 881: ✔ should FAIL if security group has SSH TCP 22 port open to public 882: ✔ should PASS if no security groups found 883: ✔ should UNKNWON unable to describe security groups 884: openTelnet 885: run 886: ✔ should PASS if no public open ports found 887: ✔ should FAIL if security group has Telnet TCP 23 port open to public 888: ✔ should PASS if no security groups found 889: ✔ should UNKNWON unable to describe security groups 890: openVNCClient 891: run 892: ✔ should PASS if no public open ports found 893: ✔ should FAIL if security group has VNC Client TCP 5500 port open to public 894: ✔ should PASS if no security groups found 895: ✔ should UNKNWON unable to describe security groups 896: openVNCServer 897: run 898: ✔ should PASS if no public open ports found 899: ✔ should FAIL if security group has VNC Server TCP 5900 port open to public 900: ✔ should PASS if no security groups found 901: ✔ should UNKNWON unable to describe security groups 902: systemDisksEncrypted 903: run 904: ✔ should PASS if System disks are encrypted 905: ✔ should PASS if System disks are encrypted to target encryption level 906: ✔ should FAIL if disk is not encrypted 907: ✔ should FAIL if System disk is not encrypted to target encryption level 908: ✔ should PASS if no ECS disks found 909: ✔ should UNKNOWN if unable to query ECS disks 910: bucketCmkEncrypted 911: run 912: ✔ should FAIL if OSS bucket is not encrypted to required encryption level 913: ✔ should FAIL if OSS bucket is not encrypted 914: ✔ should PASS if OSS bucket is encrypted to required encryption level 915: ✔ should PASS if no OSS buckets found 916: ✔ should UNKNOWN if unable to query for OSS buckets 917: ✔ should UNKNOWN if unable to query OSS bucket info 918: bucketCrossRegionReplication 919: run 920: ✔ should FAIL if bucket does not have cross region replication enabled 921: ✔ should FAIL if bucket info does not have cross region replication property 922: ✔ should PASS if bucket has cross region replication enabled 923: ✔ should PASS if no OSS buckets found 924: ✔ should UNKNOWN if unable to query for OSS buckets 925: ✔ should UNKNOWN if unable to query OSS bucket info 926: bucketLoggingEnabled 927: run 928: ✔ should FAIL if bucket does not have logging enabled 929: ✔ should PASS if bucket has logging enabled 930: ✔ should PASS if no OSS buckets found 931: ✔ should UNKNOWN if unable to query for OSS buckets 932: ✔ should UNKNOWN if unable to query OSS bucket info 933: bucketRequestPayment 934: run 935: ✔ should FAIL if bucket does not have pay per requester enabled 936: ✔ should FAIL if payer property is not returned 937: ✔ should PASS if bucket has pay per requester enabled 938: ✔ should PASS if no OSS buckets found 939: ✔ should UNKNOWN if unable to query for OSS buckets 940: ✔ should UNKNOWN if unable to query OSS bucket info 941: ossBucketIpRestriction 942: run 943: ✔ should PASS if OSS bucket has IP restrictions configured 944: ✔ should FAIL if OSS bucket does not have IP restrictions configured 945: ✔ should FAIL if no OSS bucket policy found 946: ✔ should PASS if no OSS buckets found 947: ✔ should UNKNOWN if unable to query for OSS buckets 948: ✔ should UNKNOWN if unable to query OSS bucket policy 949: bucketLifecycle 950: run 951: ✔ should FAIL if bucket does not have lifecycle policies 952: ✔ should PASS if bucket has lifecycle policies enabled 953: ✔ should PASS if bucket has lifecycle policies disabled 954: ✔ should PASS if no OSS buckets found 955: ✔ should UNKNOWN if unable to query for OSS buckets 956: ✔ should UNKNOWN if Unable to query OSS bucket lifecycle policy info 957: ossBucketPrivate 958: run 959: ✔ should FAIL if bucket ACL allows public-read-write access 960: ✔ should PASS if bucket ACL allows private access 961: ✔ should PASS if no OSS buckets found 962: ✔ should UNKNOWN if unable to query for OSS buckets 963: ✔ should UNKNOWN if unable to query OSS bucket info 964: ossBucketSecureTransport 965: run 966: ✔ should PASS if OSS bucket has secure transport enabled 967: ✔ should FAIL if OSS bucket does not have secure transport enabled 968: ✔ should FAIL if no OSS bucket policy found 969: ✔ should PASS if no OSS buckets found 970: ✔ should UNKNOWN if unable to query for OSS buckets 971: ✔ should UNKNOWN if unable to query OSS bucket policy 972: bucketTransferAcceleration 973: run 974: ✔ should FAIL if bucket does not have transfer acceleration enabled 975: ✔ should FAIL if bucket info does not have transfer acceleration property 976: ✔ should PASS if bucket has transfer acceleration enabled 977: ✔ should PASS if no OSS buckets found 978: ✔ should UNKNOWN if unable to query for OSS buckets 979: ✔ should UNKNOWN if unable to query OSS bucket info 980: ossBucketVersioning 981: run 982: ✔ should FAIL if bucket versioning is not enabled 983: ✔ should PASS if bucket versioning is enabled 984: ✔ should PASS if no OSS buckets found 985: ✔ should UNKNOWN if unable to query for OSS buckets 986: ✔ should UNKNOWN if unable to query OSS bucket info 987: accessKeysRotation 988: run 989: ✔ should FAIL if RAM user access keys are not rotated every 90 days or less 990: ✔ should PASS if RAM user access keys are not rotated every 90 days or less 991: ✔ should PASS if RAM user does not have any access keys 992: ✔ should PASS if No RAM users found 993: ✔ should UNKNOWN if unable to query user access keys 994: ✔ should UNKNOWN if unable to query RAM users 995: inactiveUserDisabled 996: run 997: ✔ should FAIL if RAM user is enabled on being inactive for 90 or more days 998: ✔ should PASS if RAM user is disabled on being inactive for 90 or more days 999: ✔ should PASS if RAM user last activity was before 90 days 1000: ✔ should PASS if No RAM users found 1001: ✔ should UNKNOWN if Unable to query login profile 1002: ✔ should UNKNOWN if Unable to query RAM users 1003: passwordBlockLogon 1004: run 1005: ✔ should FAIL if RAM password security policy does not require logon to be blocked after 5 attempts 1006: ✔ should PASS if RAM password security policy requires logon to be blocked after 5 attempts 1007: ✔ should UNKNOWN if unable to query RAM password policy 1008: passwordExpiry 1009: run 1010: ✔ should FAIL if RAM password security policy does not require password to be expired after 90 days 1011: ✔ should PASS if RAM password security policy requires password to be expired after set days 1012: ✔ should UNKNOWN if unable to query RAM password policy 1013: passwordMinLength 1014: run 1015: ✔ should FAIL if RAM password security policy does not require minimum length of 14 or greater 1016: ✔ should PASS if RAM password security policy require minimum length of 14 or greater 1017: ✔ should UNKNOWN if unable to query RAM password policy 1018: passwordNoReuse 1019: run 1020: ✔ should FAIL if RAM password security policy does not requires to prevent reusing 5 previous passwords 1021: ✔ should PASS if RAM password security policy requires to prevent reusing 5 previous passwords 1022: ✔ should UNKNOWN if unable to query RAM password policy 1023: passwordRequiresLowercase 1024: run 1025: ✔ should FAIL if RAM password security policy does not require lowercase characters 1026: ✔ should PASS if RAM password security policy requires lowercase characters 1027: ✔ should UNKNOWN if unable to query RAM password policy 1028: passwordRequiresNumbers 1029: run 1030: ✔ should FAIL if RAM password security policy does not require numbers 1031: ✔ should PASS if RAM password security policy requires numbers 1032: ✔ should UNKNOWN if unable to query RAM password policy 1033: passwordRequiresSymbols 1034: run 1035: ✔ should FAIL if RAM password security policy does not require symbols 1036: ✔ should PASS if RAM password security policy requires symbols 1037: ✔ should UNKNOWN if unable to query RAM password policy 1038: passwordRequiresUppercase 1039: run 1040: ✔ should FAIL if RAM password security policy does not require uppercase characters 1041: ✔ should PASS if RAM password security policy requires uppercase characters 1042: ✔ should UNKNOWN if unable to query RAM password policy 1043: ramAdminPolicy 1044: run 1045: ✔ should FAIL if Policy provides admin (*:*) access and attachment count is greater than 0 1046: ✔ should PASS if Policy provides admin (*:*) access but attachment count is 0 1047: ✔ should PASS if Policy does not provide admin (*:*) access 1048: ✔ should PASS if No RAM policies found 1049: ✔ should UNKNOWN if Unable to query RAM policies 1050: ✔ should UNKNOWN if Unable to get RAM policy 1051: ramPolicyAttachments 1052: run 1053: ✔ should FAIL if User has policies attached 1054: ✔ should PASS if no policies are attached to user 1055: ✔ should PASS if No RAM users found 1056: ✔ should UNKNOWN if Unable to query RAM users 1057: usersMfaEnabled 1058: run 1059: ✔ should FAIL if RAM user does not have MFA device configured 1060: ✔ should PASS if RAM user has MFA device configured 1061: ✔ should PASS if No RAM users found 1062: ✔ should UNKNOWN if Unable to query RAM users 1063: rdsAuditingEnabled 1064: run 1065: ✔ should FAIL if RDS DB instance does not have sql auditing enabled 1066: ✔ should PASS if RDS DB instance have sql auditing enabled 1067: ✔ should PASS if no RDS DB instances found 1068: ✔ should UNKNOWN if unable to query RDS DB instances 1069: ✔ should UNKNOWN if unable to query DB sql auditing policy 1070: rdsLogConnectionEnabled 1071: run 1072: ✔ should FAIL if RDS DB instance does not have log_connections parameter enabled 1073: ✔ should PASS if RDS DB instance has log_connections parameter enabled 1074: ✔ should PASS if no RDS DB instances found 1075: ✔ should UNKNOWN if unable to query RDS DB instances 1076: ✔ should UNKNOWN if unable to query DB parameters 1077: rdsLogDisconnectionsEnabled 1078: run 1079: ✔ should FAIL if RDS DB instance does not have log_disconnections parameter enabled 1080: ✔ should PASS if RDS DB instance has log_disconnections parameter enabled 1081: ✔ should PASS if no RDS DB instances found 1082: ✔ should UNKNOWN if unable to query RDS DB instances 1083: ✔ should UNKNOWN if unable to query DB parameters 1084: rdsLogDuration 1085: run 1086: ✔ should FAIL if RDS DB instance does not have log_duration parameter enabled 1087: ✔ should PASS if RDS DB instance has log_duration parameter enabled 1088: ✔ should PASS if no RDS DB instances found 1089: ✔ should UNKNOWN if unable to query RDS DB instances 1090: ✔ should UNKNOWN if unable to query DB parameters 1091: rdsPublicAccess 1092: run 1093: ✔ should FAIL if RDS DB instance is publicly accessible 1094: ✔ should PASS if RDS DB instance is not publicly accessible 1095: ✔ should PASS if no RDS DB instances found 1096: ✔ should UNKNOWN if unable to query RDS DB instances 1097: ✔ should UNKNOWN if Unable to query DB IP Array List 1098: rdsSqlAuditRetentionPeriod 1099: run 1100: ✔ should FAIL if RDS DB instance does not have sql audit log retention greater than 180 days 1101: ✔ should FAIL if RDS DB instance does not have sql audit log retention greater than set days limit 1102: ✔ should PASS if RDS DB instance have sql audit log retention greater than 180 days 1103: ✔ should PASS if RDS DB instance have sql audit log retention greater than set days limit 1104: ✔ should PASS if no RDS DB instances found 1105: ✔ should UNKNOWN if unable to query RDS DB instances 1106: ✔ should UNKNOWN if unable to query DB sql audit log retention 1107: rdsSslEncryptionEnabled 1108: run 1109: ✔ should FAIL if RDS instance does not have SSL encryption enabled 1110: ✔ should PASS if RDS instance has SSL encryption enabled 1111: ✔ should PASS if no RDS DB instances found 1112: ✔ should UNKNOWN if unable to query RDS DB instances 1113: ✔ should UNKNOWN if unable to query RDS instance SSL info 1114: rdsTdeEnabled 1115: run 1116: ✔ should FAIL if RDS DB instance does not have TDE enabled 1117: ✔ should PASS if RDS DB instance have TDE enabled 1118: ✔ should PASS if RDS DB instance have engine type other MySQL 5.6 and SQL Server Enterprise Edition 1119: ✔ should PASS if no RDS DB instances found 1120: ✔ should UNKNOWN if unable to query RDS DB instances 1121: ✔ should UNKNOWN if unable to query RDS DB instance TDE 1122: securityAgentInstalled 1123: run 1124: ✔ should FAIL if there are unprotected assets 1125: ✔ should PASS if there are no unprotected assets 1126: ✔ should UNKNOWN if Unable to query TDS field statistics 1127: securityCenterEdition 1128: run 1129: ✔ should FAIL if Security Center edition is Basic or Anti-virus 1130: ✔ should PASS if Security Center edition is Advanced or plus 1131: ✔ should UNKNOWN if Unable to query Security Center version config 1132: securityNotificationsEnabled 1133: run 1134: ✔ should FAIL if security notifications are not enabled 1135: ✔ should PASS if security notifications are enabled for all alerts 1136: ✔ should PASS if no TDS notice config found 1137: ✔ should UNKNOWN if Unable to query TDS notice config 1138: vulnerabilityScanEnabled 1139: run 1140: ✔ should FAIL if Vulnerability scan is not enabled on all servers 1141: ✔ should PASS if Vulnerability scan is enabled on all servers 1142: ✔ should PASS if no vulnerabity config found 1143: ✔ should UNKNOWN if Unable to query 1144: accessAnalyzerActiveFindings 1145: run 1146: ✔ should FAIL if Amazon IAM access analyzer has active findings. 1147: ✔ should PASS if Amazon IAM access analyzer have no active findings. 1148: ✔ should PASS if no analyzers found 1149: ✔ should UNKNOWN if Unable to query for IAM access analyzers 1150: accessAnalyzerEnabled 1151: run 1152: ✔ should PASS if Access Analyzer is enabled 1153: ✔ should FAIL if Access Analyzer is not enabled 1154: ✔ should FAIL if Access Analyzer not configured 1155: ✔ should UNKNOWN if unable to list Access analyzer 1156: ✔ should not return anything if list Access Analyzers response is not found 1157: acmCertificateExpiry 1158: run 1159: ✔ should PASS if certificate expiration date exceeds set PASS number of days in the future 1160: ✔ should FAIL if certificate expiration date does not exceed set WARN number of days in the future 1161: ✔ should FAIL if certificate has already expired ... 1165: ✔ should UNKNOWN if unable to list ACM certificates 1166: ✔ should UNKNOWN if unable to describe ACM certificate 1167: acmCertificateHasTags 1168: run 1169: ✔ should give unknown result if unable to list acm certificates 1170: ✔ should give passing result if acm certificates not found. 1171: ✔ should give unknown result if unable to query resource group tagging api 1172: ✔ should give passing result if acm certificates have tags 1173: ✔ should give failing result if eks cluster does not have tags 1174: acmSingleDomainNameCertificate 1175: run 1176: ✔ should PASS if ACM certificate is a single domain name certificate 1177: ✔ should FAIL if ACM certificate is a wildcard certificate 1178: ✔ should PASS if No ACM certificates found 1179: ✔ should UNKNOWN if unable to list ACM certificates 1180: ✔ should UNKNOWN if unable to describe ACM certificate 1181: acmValidation 1182: run 1183: ✔ should PASS if ACM certificate is using DNS validations 1184: ✔ should FAIL if ACM certificate has failed validations 1185: ✔ should WARN if ACM certificate is using EMAIL validation 1186: ✔ should PASS if No ACM certificates found 1187: ✔ should UNKNOWN if unable to list ACM certificates 1188: ✔ should UNKNOWN if unable to describe ACM certificate 1189: apigatewayAuthorization 1190: run 1191: ✔ should return UNKNOWN if unable to query for API Gateway Rest APIs 1192: ✔ should return PASS if no API Gateway Rest APIs found 1193: ✔ should return FAIL if no authorizers exist for API Gateway Rest API 1194: ✔ should return PASS if authorizers exist for API Gateway Rest API 1195: ✔ should not return anything if get Rest APIs response is not found 1196: apigatewayCertificateRotation 1197: run 1198: ✔ should PASS if API Gateway API stages do not need client certificate rotation 1199: ✔ should FAIL if API Gateway API stage needs client certificate rotation 1200: ✔ should FAIL if API Gateway API stage client certificate has already expired ... 1202: ✔ should PASS if No API Gateway Rest API stages found 1203: ✔ should PASS if No API Gateway Rest API stage client certificate found 1204: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1205: ✔ should UNKNOWN if unable to get API Gateway Rest API stages 1206: ✔ should not return anything if get Rest APIs response is not found 1207: apigatewayClientCertificate 1208: run 1209: ✔ should PASS if API Gateway API use client certificate for all stages 1210: ✔ should FAIL if API Gateway API does not use client certificate for all stages 1211: ✔ should PASS if No API Gateway Rest APIs found 1212: ✔ should PASS if No API Gateway Rest API Stages found 1213: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1214: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1215: ✔ should not return anything if get Rest APIs response is not found 1216: apigatewayCloudwatchLogs 1217: run 1218: ✔ should PASS if API Gateway API has CloudWatch Logs enabled for all stages 1219: ✔ should FAIL if API Gateway API does not have CloudWatch Logs enabled for stages 1220: ✔ should PASS if No API Gateway Rest APIs found 1221: ✔ should PASS if No API Gateway Rest API Stages found 1222: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1223: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1224: ✔ should not return anything if get Rest APIs response is not found 1225: apigatewayContentEncoding 1226: run 1227: ✔ should PASS if API Gateway API stage has content encoding enabled 1228: ✔ should FAIL if API Gateway API stage does not have content encoding enabled 1229: ✔ should PASS if No API Gateway Rest APIs found 1230: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1231: ✔ should not return anything if get Rest APIs response is not found 1232: apigatewayTlsDefaultEndpoint 1233: run 1234: ✔ should PASS if No API Gateway rest APIs found 1235: ✔ should PASS if API Gateway is not accessible through default endpoint 1236: ✔ should FAIL if API Gateway is accessible through default endpoint 1237: ✔ should UNKNOWN if unable to query for API Gateways 1238: apigatewayPrivateEndpoints 1239: run 1240: ✔ should PASS if API Gateway API is only accessible through private endpoints 1241: ✔ should FAIL if API Gateway API is accessible through public endpoints 1242: ✔ should PASS if No API Gateway Rest APIs found 1243: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1244: ✔ should not return anything if get Rest APIs response is not found 1245: apigatewayResponseCaching 1246: run 1247: ✔ should PASS if Response caching is enabled for API Gateway API stage 1248: ✔ should FAIL if Response caching is not enabled for API Gateway API stage 1249: ✔ should PASS if No API Gateway Rest APIs found 1250: ✔ should PASS if No API Gateway Rest API Stages found 1251: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1252: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1253: ✔ should not return anything if get Rest APIs response is not found 1254: apigatewayTracingEnabled 1255: run 1256: ✔ should PASS if API Gateway API has tracing enabled for all stages 1257: ✔ should FAIL if API Gateway API does not have tracing enabled for stages 1258: ✔ should PASS if No API Gateway Rest APIs found 1259: ✔ should PASS if No API Gateway Rest API Stages found 1260: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1261: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1262: ✔ should not return anything if get Rest APIs response is not found 1263: apigatewayWafEnabled 1264: run 1265: ✔ should PASS if API Gateway API has WAF enabled for all stages 1266: ✔ should FAIL if API Gateway API does not have WAF enabled for stages 1267: ✔ should PASS if No API Gateway Rest APIs found 1268: ✔ should PASS if No API Gateway Rest API Stages found 1269: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1270: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1271: ✔ should not return anything if get Rest APIs response is not found 1272: apiStageLevelCacheEncryption 1273: run 1274: ✔ should PASS if API Gateway stage encrypts cache data 1275: ✔ should FAIL if API Gateway stage does not encrypt cache data ... 1277: ✔ should PASS if No API Gateway Rest APIs found 1278: ✔ should PASS if No API Gateway Rest API Stages found 1279: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1280: ✔ should UNKNOWN if unable to get API Gateway Stages 1281: apigatewayCustomDomainDeprecatedProtocol 1282: run 1283: ✔ should PASS if No API Gateway Custom Domains found 1284: ✔ should PASS if API Gateway Custom Domain is using current minimum TLS version 1285: ✔ should FAIL if API Gateway Custom Domain is using deprecated TLS version 1286: ✔ should UNKNOWN if unable to query for API Gateways 1287: detailedCloudWatchMetrics 1288: run 1289: ✔ should PASS if API Gateway API has detailed CloudWatch metrics enabled for all stages 1290: ✔ should FAIL if API Gateway API does not have detailed CloudWatch metrics enabled for stages 1291: ✔ should PASS if No API Gateway Rest APIs found 1292: ✔ should PASS if No API Gateway Rest API Stages found 1293: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1294: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1295: ✔ should not return anything if get Rest APIs response is not found 1296: flowEncrypted 1297: run 1298: ✔ should PASS if AppFlow flow is encrypted with desired encryption level 1299: ✔ should FAIL if AppFlow flow is not encrypted with desired encryption level 1300: ✔ should PASS if no AppFlow flows found 1301: ✔ should UNKNOWN if unable to list AppFlow flows 1302: ✔ should UNKNOWN if unable to list KMS keys 1303: appmeshTLSRequired 1304: run 1305: ✔ should PASS if App Mesh virtual gateway listeners restrict TLS enabled connections 1306: ✔ should FAIL if App Mesh vitual gateway listeners does not restrict TLS enabled connections 1307: ✔ should PASS if no App Mesh meshes found 1308: ✔ should UNKNOWN if Unable to list App Mesh meshes 1309: ✔ should UNKNOWN if unable to list App Mesh virtual gateways 1310: ✔ should not return anything if list App Mesh meshes response not found 1311: appmeshVGAccessLogging 1312: run 1313: ✔ should PASS if access logging is enabled and configured for Amazon App Mesh virtual gateways 1314: ✔ should FAIL if access logging is not enabled for Amazon App Mesh virtual gateways 1315: ✔ should PASS if No App Meshes found 1316: ✔ should UNKNOWN if unable to query for App Mesh meshes 1317: ✔ should UNKNOWN if unable to query for App Mesh virtual gateways 1318: ✔ should not return anything if list App Meshes response not found 1319: appmeshVGHealthChecks 1320: run 1321: ✔ should PASS if health check policies are configured for Amazon App Mesh virtual gateways 1322: ✔ should FAIL if health check policies are not configured for Amazon App Mesh virtual gateways 1323: ✔ should PASS if No App Meshes found 1324: ✔ should UNKNOWN if unable to query for App Mesh meshes 1325: ✔ should UNKNOWN if unable to query for App Mesh virtual gateways 1326: ✔ should not return anything if list App Meshes response not found 1327: restrictExternalTraffic 1328: run 1329: ✔ should PASS if App Mesh mesh does not allow access to external services 1330: ✔ should FAIL if App Mesh mesh allows access to external services 1331: ✔ should PASS if no App Meshes found 1332: ✔ should UNKNOWN if Unable to query for App Mesh meshes 1333: ✔ should UNKNOWN if Unable to describe App Mesh mesh 1334: serviceEncrypted 1335: run 1336: ✔ should PASS if App Runner service is encrypted with desired encryption level 1337: ✔ should FAIL if App Runner service not encrypted with desired encryption level 1338: ✔ should PASS if no App Runner service found 1339: ✔ should UNKNOWN if unable to list Services 1340: ✔ should UNKNOWN if unable to list KMS keys 1341: workgroupEncrypted 1342: run 1343: ✔ should PASS if Athena workgroup is using encryption 1344: ✔ should PASS if Athena primary workgroup does not have encryption enabled but is not in use. 1345: ✔ should FAIL if Athena workgroup is not using encryption 1346: ✔ should PASS if no Athena workgroups found 1347: ✔ should UNKNOWN if unable to list Athena workgroups 1348: ✔ should UNKNOWN if unable to describe Athena workgroup 1349: ✔ should not return any results if list workgroups response not found 1350: workgroupEnforceConfiguration 1351: run 1352: ✔ should PASS if Athena workgroup is enforcing configuration options 1353: ✔ should PASS if Athena primary workgroup is not enforcing configuration options but is not in use 1354: ✔ should FAIL if Athena workgroup is not enforcing configuration options 1355: ✔ should PASS if no Athena workgroups found 1356: ✔ should UNKNOWN if unable to list Athena workgroups 1357: ✔ should UNKNOWN if unable to describe Athena workgroup 1358: ✔ should not return any results if list workgroups response not found 1359: auditmanagerDataEncrypted 1360: run 1361: ✔ should PASS if Audit Manager data is encrypted with desired encryption level 1362: ✔ should FAIL if Audit Manager data is not encrypted with desired encryption level 1363: ✔ should PASS if Audit Manager is not setup for the region 1364: ✔ should UNKNOWN if unable to get Audit Manager settings 1365: ✔ should UNKNOWN if unable to list KMS keys 1366: appTierAsgApprovedAmi 1367: run 1368: ✔ should PASS if Launch Configuration for App-Tier Auto Scaling group is using approved AMIs 1369: ✔ should FAIL if Launch Configuration for App-Tier Auto Scaling group is not using active AMIs 1370: ✔ should FAIL if Launch Configuration for App-Tier Auto Scaling group is not using any AMI ... 1372: ✔ should PASS if no App-Tier Auto Scaling groups found 1373: ✔ should PASS if no Auto Scaling groups found 1374: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1375: ✔ should not return anything if describe Auto Scaling groups response not found 1376: ✔ should not return anything if App-Tier tag key is not provided in settings 1377: appTierAsgCloudWatchLogs 1378: run 1379: ✔ should PASS if App-Tier Auto Scaling launch configuration is using CloudWatch Logs agent 1380: ✔ should FAIL if App-Tier Auto Scaling launch configuration is not using CloudWatch Logs agent 1381: ✔ should UNKNOWN if unable to describe launch configuration for App-Tier Auto Scaling group 1382: ✔ should PASS if no App-Tier Auto Scaling groups found 1383: ✔ should PASS if no Auto Scaling groups found 1384: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1385: ✔ should not return anything if no Auto Scaling groups found 1386: appTierIamRole 1387: run 1388: ✔ should PASS if launch configuration for App-Tier group has customer IAM role configured 1389: ✔ should FAIL if launch configuration for App-Tier group does not have customer IAM role configured ... 1392: ✔ should PASS if no App-Tier Auto Scaling groups found 1393: ✔ should PASS if no Auto Scaling launch configurations found 1394: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1395: ✔ should UNKNOWN if unable to describe Auto Scaling launch configurations 1396: ✔ should not return anything if no response for describe Auto Scaling groups 1397: asgActiveNotifications 1398: run 1399: ✔ should PASS if notification are active for auto scaling group 1400: ✔ should FAIL if notification are not active for auto scaling group 1401: ✔ should UNKNOWN if unable to describe auto scaling group found 1402: ✔ should not return anything if no auto scaling group found 1403: ✔ should FAIL if No auto scaling group notification configurations found 1404: asgCooldownPeriod 1405: run 1406: ✔ should PASS if Amazon Auto Scaling Groups are utilizing cool down period 1407: ✔ should FAIL if the cool down period setting is not properly configured for the selected Amazon ASG 1408: ✔ should PASS if no AutoScaling groups found 1409: ✔ should UNKNOWN if an error occurs while describing AutoScaling groups 1410: ✔ should not return anything if unable to query for AutoScaling groups 1411: asgMissingELB 1412: run 1413: ✔ should PASS if AutoScaling group utilizes active load balancer 1414: ✔ should FAIL if AutoScaling group utilizes inactive load balancer 1415: ✔ should FAIL if AutoScaling group does not have any ELB associated 1416: ✔ should PASS if AutoScaling group does not utilize a load balancer 1417: ✔ should UNKNOWN if unable to describe AutoScaling group found 1418: ✔ should not return anything if no AutoScaling group found 1419: asgMissingSecurityGroups 1420: run 1421: ✔ should PASS if Auto Scaling launch configuration does not reference any missing EC2 security group 1422: ✔ should FAIL if Auto Scaling launch configuration references missing EC2 security group(s) 1423: ✔ should PASS if no Auto Scaling launch configurations found 1424: ✔ should PASS if Auto Scaling launch configuration does not have any security groups associated 1425: ✔ should FAIL if no EC2 security groups found 1426: ✔ should UNKNOWN if unable to describe Auto Scaling launch configurations 1427: ✔ should not return anything if describe Auto Scaling launch configurations response not found 1428: asgMultiAz 1429: run 1430: ✔ should PASS if Auto Scaling group utilizes multiple availability zones 1431: ✔ should FAIL if Auto Scaling group utilizes one availability zone 1432: ✔ should PASS if no Auto Scaling groups found 1433: ✔ should UNKNOWN if error describing Auto Scaling groups 1434: ✔ should not return anything if unable to describe Auto Scaling groups 1435: asgSuspendedProcesses 1436: run 1437: ✔ should PASS if AutoScaling group does not have any suspended process 1438: ✔ should FAIL if AutoScaling group has suspended processes 1439: ✔ should PASS if no AutoScaling groups found 1440: ✔ should UNKNOWN if an error occurs while describing AutoScaling groups 1441: ✔ should not return anything if unable to query for AutoScaling groups 1442: asgUnusedLaunchConfiguration 1443: run 1444: ✔ should PASS if Auto Scaling launch configuration is being used 1445: ✔ should FAIL if Auto Scaling launch configuration is not being used 1446: ✔ should PASS if no Auto Scaling launch configurations found 1447: ✔ should UNKNOWN if Unable to query for Auto Scaling launch configurations 1448: elbHealthCheckActive 1449: run 1450: ✔ should PASS if Auto Scaling group does not use ELBs 1451: ✔ should PASS if Auto Scaling group has ELB health check active 1452: ✔ should PASS if Auto Scaling group does not use ELBs 1453: ✔ should FAIL if Auto Scaling group does not have ELB health check active 1454: ✔ should PASS if no Auto Scaling groups found 1455: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1456: ✔ should not return anything if no response found for describe Auto Scaling groups 1457: emptyASG 1458: run 1459: ✔ should PASS if autoscaling group contains instance(s) 1460: ✔ should FAIL if autoscaling group does not contain instance(s) 1461: ✔ should PASS if no autoscaling group data found 1462: ✔ should UNKNOWN if unable to describe autoscaling group found 1463: ✔ should not return anything if no autoscaling group found 1464: sameAzElb 1465: run 1466: ✔ should PASS if load balancer is in the same Availability Zone as of AutoScaling group 1467: ✔ should PASS if AutoScaling does not utilizes load balancer as HealthCheckType 1468: ✔ should FAIL if load balancer is not in the same Availability Zone as of AutoScaling group 1469: ✔ should FAIL if autoscaling group utilizes an inactive load balancer 1470: ✔ should UNKOWN if unable to query for load balancers 1471: ✔ should UNKNOWN if unable to describe autoscaling groups 1472: ✔ should not return anything if no autoscaling group found 1473: webTierAsgApprovedAmi 1474: run 1475: ✔ should PASS if Launch Configuration for Web-Tier Auto Scaling group is using approved AMIs 1476: ✔ should FAIL if Launch Configuration for Web-Tier Auto Scaling group is not using active AMIs 1477: ✔ should FAIL if Launch Configuration for Web-Tier Auto Scaling group is not using any AMI ... 1479: ✔ should PASS if no Web-Tier Auto Scaling groups found 1480: ✔ should PASS if no Auto Scaling groups found 1481: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1482: ✔ should not return anything if describe Auto Scaling groups response not found 1483: ✔ should not return anything if Web-Tier tag key is provided in settings 1484: webTierAssociatedElb 1485: run 1486: ✔ should PASS if Web-Tier Auto Scaling group has ELB associated 1487: ✔ should FAIL if Web-Tier Auto Scaling group does not have ELB associated 1488: ✔ should PASS if no Auto Scaling groups found 1489: ✔ should PASS if no Web-Tier Auto Scaling groups found 1490: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1491: ✔ should not return anything if describe Auto Scaling groups response not found 1492: webTierAsgCloudWatchLogs 1493: run 1494: ✔ should PASS if Web-Tier Auto Scaling launch configuration has CloudWatch logs enabled 1495: ✔ should FAIL if Web-Tier Auto Scaling launch configuration does not have CloudWatch logs enabled 1496: ✔ should UNKNOWN if unable to describe launch configuration for Web-Tier Auto Scaling group 1497: ✔ should PASS if no Web-Tier Auto Scaling groups found 1498: ✔ should PASS if no Auto Scaling groups found 1499: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1500: ✔ should not return anything if no Auto Scaling groups found 1501: webTierIamRole 1502: run 1503: ✔ should PASS if launch configuration for Web-Tier group has customer IAM role configured 1504: ✔ should FAIL if launch configuration for Web-Tier group does not have customer IAM role configured ... 1507: ✔ should PASS if no Web-Tier Auto Scaling groups found 1508: ✔ should PASS if no Auto Scaling launch configurations found 1509: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1510: ✔ should UNKNOWN if unable to describe Auto Scaling launch configurations 1511: ✔ should not return anything if no response for describe Auto Scaling groups 1512: backupDeletionProtection 1513: run 1514: ✔ should PASS if Backup vault has deletion protection enabled 1515: ✔ should FAIL if Backup vault does not have deletion protection enabled 1516: ✔ should FAIL if no access policy found for Backup vault 1517: ✔ should PASS if no Backup vault list found 1518: ✔ should UNKNOWN if Unable to query for Backup vault list 1519: ✔ should UNKNOWN if Unable to get Backup vault policy 1520: backupInUseForRDSSnapshots 1521: run 1522: ✔ should PASS if Backup service is in use for RDS snapshots 1523: ✔ should FAIL if Backup service is not in use for RDS snapshots 1524: ✔ should PASS if no RDS snapshots found 1525: ✔ should UNKNOWN if Unable to query for RDS snapshots 1526: backupNotificationEnabled 1527: run 1528: ✔ should PASS if Backup vault is configured to send alert notifications for failed Backup job events 1529: ✔ should FAIL if Backup vault is not configured to send alert notifications for failed Backup job events 1530: ✔ should FAIL if Backup vault does not have any notifications configured 1531: ✔ should PASS if no Backup vault list found 1532: ✔ should UNKNOWN if Unable to query for Backup vault list 1533: ✔ should UNKNOWN if Unable to get event notifications for selected Amazon Backup vault 1534: backupResourceProtection 1535: run 1536: ✔ should PASS if All desired resource types are protected by Backup service 1537: ✔ should FAIL if These desired resource types are not protected by Backup service 1538: ✔ should UNKNOWN Unable to query for Backup resource type opt in preference 1539: backupVaultEncrypted 1540: run 1541: ✔ should PASS if Backup Vault is encrypted with desired encryption level 1542: ✔ should FAIL if Backup Vault is not encrypted with desired encyption level 1543: ✔ should PASS if no Backup vault found 1544: ✔ should UNKNOWN if unable to list Backup vault 1545: ✔ should UNKNOWN if unable to list KMS keys 1546: backupVaultHasTags 1547: run 1548: ✔ should PASS if Backup vault have tags 1549: ✔ should FAIL if Backup vault does not have tags 1550: ✔ should PASS if no Backup vault list found 1551: ✔ should UNKNOWN if Unable to query for Backup vault list 1552: ✔ should give unknown result if unable to query resource group tagging api 1553: backupVaultPolicies 1554: run 1555: ✔ should PASS if Backup vault does not allow global access to the action 1556: ✔ should FAIL if Backup vault allow global access to the action 1557: ✔ should PASS if no Backup vault list found 1558: ✔ should UNKNOWN if Unable to query for Backup vault list 1559: ✔ should UNKNOWN if Unable to get Backup vault policy 1560: compliantLifecycleConfigured 1561: run 1562: ✔ should PASS if Backup plan has lifecycle configuration enabled 1563: ✔ should FAIL if Backup plan does not have lifecycle configuration enabled 1564: ✔ should PASS if no Backup plans found 1565: ✔ should UNKNOWN if Unable to list Backup plans 1566: customModelEncryptionEnabled 1567: run 1568: ✔ should PASS if Bedrock Custom Model is Encrypted using CMK 1569: ✔ should FAIL if Bedrock Custom Model is encrypted with AWS owned key 1570: ✔ should PASS if the desired encryption level for bedrock custom model is awskms 1571: ✔ should PASS if no Bedrock custom model found 1572: ✔ should UNKNOWN if unable to list Bedrock custom model 1573: customModelHasTags 1574: run 1575: ✔ should PASS if Bedrock custom model has tags 1576: ✔ should FAIL if Bedrock custom model doesnot have tags 1577: ✔ should PASS if no Bedrock custom model found 1578: ✔ should UNKNOWN if unable to query Bedrock custom model 1579: ✔ should give unknown result if unable to query resource group tagging api 1580: customModelInVpc 1581: run 1582: ✔ should PASS if Bedrock Custom Model has Vpc configured 1583: ✔ should FAIL if Bedrock Custom Model have not Vpc configured 1584: ✔ should PASS if no Bedrock custom model found 1585: ✔ should UNKNOWN if unable to list Bedrock custom model 1586: modelInvocationLoggingEnabled 1587: run 1588: ✔ should PASS if model invocation logging is enabled for bedrock models 1589: ✔ should FAIL if model invocation logging is disabled for bedrock models 1590: ✔ should UNKNOWN if unable to query for model invocation logging 1591: privateCustomModel 1592: run 1593: ✔ should PASS if Bedrock Custom Model is a private model 1594: ✔ should FAIL if Bedrock Custom Model have not Vpc configured 1595: ✔ should FAIL if Bedrock Custom Model is not a private model 1596: ✔ should PASS if no Bedrock custom model found 1597: ✔ should UNKNOWN if unable to list Bedrock custom model 1598: cloudformationAdminPriviliges 1599: run 1600: ✔ should PASS if CloudFormation stack does not have admin privileges 1601: ✔ should FAIL if CloudFormation stack has admin privileges ... 1605: ✔ should UNKNOWN if unable to list role policies 1606: ✔ should not return anything if list CloudFormation stacks response not found 1607: CloudFormation Deletion Policy in Use 1608: run 1609: ✔ should return unknown result if unable to list the CloudFormation stacks 1610: ✔ should return passing result if unable to list CloudFormation stacks information 1611: ✔ should return unknown result if no CloudFormation stacks found in region 1612: ✔ should return passing result if deletion policy is used for CloudFormation stack 1613: ✔ should return failing result if deletion policy is not used for CloudFormation stack 1614: cloudformationInUse 1615: run 1616: ✔ should PASS if Amazon CloudFormation service is currently in use 1617: ✔ should FAIL if Amazon CloudFormation service is not currently in use 1618: ✔ should UNKNOWN if Unable to query CloudFormation stacks 1619: driftDetection 1620: run 1621: ✔ should PASS if CloudFormation stack is not in drifted state 1622: ✔ should FAIL if CloudFormation stack is in drifted state 1623: ✔ should PASS if no CloudFormation stacks found 1624: ✔ should UNKNOWN if unable to list stacks 1625: ✔ should not return any results if list stacks response not found 1626: plaintextParameters 1627: run 1628: ✔ should PASS if template does not contain any potentially-sensitive parameters 1629: ✔ should PASS if template contains any potentially-sensitive parameters but with NoEcho enabled 1630: ✔ should FAIL if template contains any potentially-sensitive parameters 1631: ✔ should PASS if no CloudFormation stacks found 1632: ✔ should UNKNOWN if unable to list stacks 1633: ✔ should UNKNOWN if unable to describe stacks 1634: ✔ should UNKNOWN if no CloudFormation stack details found 1635: ✔ should not return any results if list stacks response is not found 1636: stackFailedStatus 1637: run 1638: ✔ should PASS if CloudFormation stack is not in failed state 1639: ✔ should PASS if CloudFormation stack is in failed state for less than the failed hours limit 1640: ✔ should FAIL if CloudFormation stack is in failed state for more than the failed hours limit 1641: ✔ should PASS if no CloudFormation stacks found 1642: ✔ should UNKNOWN if unable to describe stacks 1643: ✔ should not return any results if describe stacks response is not found 1644: stackNotifications 1645: run 1646: ✔ should PASS if CloudFormation stack has SNS topic associated 1647: ✔ should FAIL if CloudFormation stack does not have SNS topic associated 1648: ✔ should PASS if no CloudFormation stacks found 1649: ✔ should UNKNOWN if No stack details found 1650: ✔ should UNKNOWN if unable to list stacks 1651: ✔ should UNKNOWN if unable to describe stacks 1652: ✔ should not return any results if list stacks response is not found 1653: stackTerminationProtection 1654: run 1655: ✔ should PASS if CloudFormation stack has SNS topic associated 1656: ✔ should FAIL if CloudFormation stack does not have SNS topic associated ... 1658: ✔ should UNKNOWN if No stack details found 1659: ✔ should UNKNOWN if unable to list stacks 1660: ✔ should UNKNOWN if unable to describe stacks 1661: ✔ should not return any results if list stacks response is not found 1662: cloudfrontCustomOriginHttpsOnly 1663: run 1664: ✔ should PASS if CloudFront distributions is using https only 1665: ✔ should PASS if CloudFront distributions has no origins 1666: ✔ should FAIL if CloudFront Distribution is not https only 1667: ✔ should PASS if no CloudFront distributions found 1668: ✔ should UNKNOWN if unable to list distributions 1669: cloudfrontFieldLevelEncryption 1670: run 1671: ✔ should PASS if distribution has field level encryption enabled 1672: ✔ should FAIL if distribution does not have field level encryption enabled 1673: ✔ should PASS if no CloudFront distributions found 1674: ✔ should UNKNOWN if unable to list distributions 1675: ✔ should not return any results if list distributions response not found 1676: cloudfrontGeoRestriction 1677: run 1678: ✔ should PASS if CloudFront distribution is whitelisting required geographic locations 1679: ✔ should PASS if Geo restriction feature is enabled within CloudFront distribution 1680: ✔ should FAIL if geo restriction is not enabled within CloudFront distribution 1681: ✔ should FAIL if CloudFront distribution does not have required locations whitelisted 1682: ✔ should PASS if no CloudFront distributions found 1683: ✔ should UNKNOWN if unable to query for CloudFront distributions 1684: ✔ should not return any results if list distributions response not found 1685: cloudfrontHttpsOnly 1686: run 1687: ✔ should PASS if CloudFront distribution is set to use HTTPS only 1688: ✔ should PASS if CloudFront distribution is configured to redirect non-HTTPS traffic to HTTPS 1689: ✔ should FAIL if CloudFront distribution is not configured to use HTTPS 1690: ✔ should PASS if no CloudFront distributions found 1691: ✔ should UNKNOWN if unable to list distributions 1692: ✔ should not return any results if list distributions response not found 1693: cloudfrontInUse 1694: run 1695: ✔ should PASS if AWS CloudFront service is in use 1696: ✔ should FAIL if CloudFront service is not in use 1697: ✔ should UNKNOWN if unable to list distributions 1698: ✔ should not return any results if list distributions response not found 1699: cloudfrontLoggingEnabled 1700: run 1701: ✔ should PASS if Request logging is enabled 1702: ✔ should FAIL if Request logging is not enabled 1703: ✔ should PASS if no CloudFront distributions found 1704: ✔ should UNKNOWN if unable to list distributions 1705: ✔ should UNKNOWN if unable to get distributions 1706: ✔ should not return any results if list distributions response not found 1707: cloudfrontOriginTLSVersion 1708: run 1709: ✔ should PASS if CloudFront distributions custom origin TLS version is not deprecated 1710: ✔ should PASS if CloudFront distributions has no origins 1711: ✔ should FAIL if CloudFront Distribution custom origin TLS version is deprecated 1712: ✔ should PASS if no CloudFront distributions found 1713: ✔ should UNKNOWN if unable to list distributions 1714: cloudfrontTLSVersion 1715: run 1716: ✔ should PASS if CloudFront distributions TLS version is not deprecated 1717: ✔ should FAIL if CloudFront DistributionTLS version is deprecated 1718: ✔ should PASS if no CloudFront distributions found 1719: ✔ should UNKNOWN if unable to list distributions 1720: cloudfrontTLSWeakCipher 1721: run 1722: ✔ should PASS if CloudFront distributions TLS version is not weak cipher suite 1723: ✔ should FAIL if CloudFront Distribution TLS version is weak cipher suite 1724: ✔ should PASS if no CloudFront distributions found 1725: ✔ should UNKNOWN if unable to list distributions 1726: cloudfrontWafEnabled 1727: run 1728: ✔ should PASS if CloudFront distributions has WAF enabled 1729: ✔ should FAIL if CloudFront Distribution does not have WAF enabled 1730: ✔ should PASS if no CloudFront distributions found 1731: ✔ should UNKNOWN if unable to list distributions 1732: ✔ should not return any results if list distributions response not found 1733: compressObjectsAutomatically 1734: run 1735: ✔ should PASS if CloudFront web distribution is currently configured to compress files (objects) automatically 1736: ✔ should FAIL if CloudFront web distribution is currently configured to compress files (objects) automatically. 1737: ✔ should PASS if no CloudFront distributions found 1738: ✔ should UNKNOWN if unable to list distributions 1739: ✔ should not return any results if list distributions response not found 1740: enableOriginFailOver 1741: run 1742: ✔ should PASS if CloudFront distribution have origin failover enabled. 1743: ✔ should FAIL if CloudFront distribution does not have origin failover enabled. 1744: ✔ should PASS if no CloudFront distributions found 1745: ✔ should UNKNOWN if query for CloudFront distributions 1746: ✔ should not return any results if list distributions response not found 1747: insecureProtocols 1748: run 1749: ✔ should PASS if Distribution is not configured for SSL delivery 1750: ✔ should PASS if Distribution is using secure default certificate 1751: ✔ should FAIL if Distribution is using the insecure default CloudFront TLS certificate 1752: ✔ should FAIL if Distribution is using insecure SSLv3 1753: ✔ should FAIL if Distribution is using insecure TLSv1.0 1754: ✔ should FAIL if Distribution is using insecure TLSv1_2016 1755: ✔ should PASS if Distribution is using secure TLSv1.1_2016 1756: ✔ should PASS if Distribution is using secure TLSv1.2_2018 1757: ✔ should PASS if no CloudFront distributions found 1758: ✔ should UNKNOWN if unable to list distributions 1759: ✔ should not return any results if list distributions response not found 1760: publicS3Origin 1761: run 1762: ✔ should PASS if CloudFront distribution origin is not setup without an origin access identity 1763: ✔ should FAIL if CloudFront CloudFront distribution is using an S3 origin without an origin access identity 1764: ✔ should PASS if no CloudFront distributions found 1765: ✔ should UNKNOWN if unable to list distributions 1766: ✔ should not return any results if list distributions response not found 1767: secureOrigin 1768: run 1769: ✔ should PASS if CloudFront origin is using https-only 1770: ✔ should WARN if CloudFront origin is using match-viewer 1771: ✔ should FAIL if CloudFront origin is using http-only 1772: ✔ should FAIL if CloudFront origin is using SSLv3 and TLSv1 protocols 1773: ✔ should FAIL if CloudFront origin is using SSLv3 protocols 1774: ✔ should WARN if CloudFront origin is using TLSv1 protocol 1775: ✔ should PASS if no CloudFront distributions found 1776: ✔ should UNKNOWN if unable to list distributions 1777: ✔ should not return any results if list distributions response not found 1778: cloudtrailBucketAccessLogging 1779: run 1780: ✔ should PASS if bucket has S3 access logs enabled 1781: ✔ should WARN if bucket has S3 access logs disabled 1782: ✔ should FAIL if Unable to locate S3 bucket, it may have been deleted 1783: ✔ should PASS if no S3 bucket to check 1784: ✔ should UNKNOWN if unable to query for trails 1785: ✔ should UNKNOWN if unable to query for bucket policy 1786: ✔ should PASS if bucket gets whitelisted 1787: cloudtrailBucketDelete 1788: run 1789: ✔ should PASS if bucket has MFA delete enabled 1790: ✔ should WARN if bucket has MFA delete enabled 1791: ✔ should FAIL if Unable to locate S3 bucket, it may have been deleted 1792: ✔ should PASS if no S3 bucket to check 1793: ✔ should UNKNOWN if unable to query for trails 1794: ✔ should UNKNOWN if unable to query for bucket policy 1795: ✔ should PASS if bucket gets whitelisted 1796: cloudtrailBucketPrivate 1797: run 1798: ✔ should PASS if bucket does not allow global access 1799: ✔ should FAIL if bucket allows global access 1800: ✔ should FAIL if Unable to locate S3 bucket, it may have been deleted 1801: ✔ should PASS if no S3 bucket to check 1802: ✔ should UNKNOWN if unable to query for trails 1803: ✔ should UNKNOWN if unable to query for bucket policy 1804: ✔ should PASS if bucket gets whitelisted 1805: cloudtrailDataEvents 1806: run 1807: ✔ should PASS if CloudTrail trail has data events configured 1808: ✔ should FAIL if CloudTrail trail does not have data events configured 1809: ✔ should PASS if no CloudTrail trails found 1810: ✔ should UNKNOWN if unable to query trails 1811: ✔ should not return any results describe trail response not found 1812: cloudtrailDeliveryFailing 1813: run 1814: ✔ should PASS if logs for CloudTrail trail are being delivered 1815: ✔ should PASS if CloudTrail trail is set to pass without checking logs delivery status 1816: ✔ should FAIL if logs for CloudTrail trail are not being delivered 1817: ✔ should FAIL if CloudTrail is not enabled 1818: ✔ should UNKNOWN if unable to describe CloudTrail trails 1819: ✔ should UNKNOWN if unable to get CloudTrail trail status 1820: ✔ should not return anything if describe CloudTrail trails response not found 1821: cloudtrailEnabled 1822: run 1823: ✔ should PASS if CloudTrail is enabled and monitoring regional and global services 1824: ✔ should PASS if CloudTrail is configured and enabled to monitor global services 1825: ✔ should PASS if CloudTrail is enabled and monitoring regional services 1826: ✔ should FAIL if CloudTrail is configured for regional monitoring but is not logging API calls 1827: ✔ should FAIL if CloudTrail is configured for regional monitoring but is not logging API calls 1828: ✔ should FAIL if CloudTrail is not enabled 1829: ✔ should FAIL if CloudTrail is not configured to monitor global services 1830: ✔ should UNKNOWN if unable to query for trails 1831: cloudtrailEncryption 1832: run 1833: ✔ should PASS if CloudTrail encryption is enabled 1834: ✔ should FAIL if CloudTrail encryption is not enabled 1835: ✔ should FAIL if no CloudTrail is not enabled 1836: ✔ should UNKNOWN if unable to query for trails 1837: ✔ should not return any results if describe CloudTrail response not found 1838: cloudtrailFileValidation 1839: run 1840: ✔ should PASS if CloudTrail log file validation is enabled 1841: ✔ should FAIL if CloudTrail log file validation is not enabled 1842: ✔ should FAIL if no CloudTrail is not enabled 1843: ✔ should UNKNOWN if unable to query for trails 1844: ✔ should not return any results if describe CloudTrail response not found 1845: cloudtrailHasTags 1846: run 1847: ✔ should UNKNOWN if unable to query for trails 1848: ✔ should Passing result if cloud trail is not enabled 1849: ✔ should Unknown result if unable to query listTags 1850: ✔ should Failing result if trails have no tags 1851: ✔ should Passing result if trails have tags 1852: cloudtrailManagementEvents 1853: run 1854: ✔ should PASS if CloudTrail trail is configured to log management events 1855: ✔ should FAIL if CloudTrail trail is not configured to log management events 1856: ✔ should FAIL if CloudTrail is not enabled 1857: ✔ should UNKNOWN if unable to query for trails 1858: ✔ should UNKNOWN if unable to query for event selectors 1859: ✔ should not return any results describe trails response not found 1860: cloudtrailNotificationsEnabled 1861: run 1862: ✔ should PASS if CloudTrail trail is using active SNS topic 1863: ✔ should FAIL if CloudTrail trail has no SNS topic attached 1864: ✔ should PASS if no trail found 1865: ✔ should UNKNOWN if unable to query for CloudTrail trails 1866: ✔ should UNKNOWN if unable to list SNS topics 1867: ✔ should UNKNOWN if unable to query for SNS topic attributes 1868: cloudtrailObjectLock 1869: run 1870: ✔ should PASS if object lock is enabled for s3 bucket 1871: ✔ should FAIL if object lock configuration does not exist for s...

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud