[Snyk] Upgrade @octokit/request from 8.4.0 to 9.1.3

[gitworkflows]

Snyk has created this PR to upgrade @octokit/request from 8.4.0 to 9.1.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 7 versions ahead of your current version.

• The recommended version was released on 5 months ago.

Release notes

Package name: @octokit/request

• 9.1.3 - 2024-07-14
  

  9.1.3 (2024-07-14)

  Bug Fixes

  • improve toErrorMessage (#714) (fcc5b25)
• 9.1.2 - 2024-07-13
  

  9.1.2 (2024-07-13)

  Bug Fixes

  • refactor: async await instead of Promise chain (#711) (611b275)
• 9.1.1 - 2024-04-15
  

  9.1.1 (2024-04-15)

  Bug Fixes

  • pkg: add default fallback to exports (#688) (9866c41)
• 9.1.0 - 2024-04-09
  

  9.1.0 (2024-04-09)

  Bug Fixes

  • deps: update dependency @ octokit/types to v13 (#684) (4d466a6)

  Features

  • re-add redirect request option (#636) (23200c0), closes #599
  • security: Add provenance (#685) (465bc7c)
• 9.0.1 - 2024-02-27
  

  9.0.1 (2024-02-27)

  Bug Fixes

  • pkg: add main export (#681) (1d834ae)
• 9.0.0 - 2024-02-24
  

  9.0.0 (2024-02-24)

  Features

  • switch to ESM output (#678) (517fd98)

  BREAKING CHANGES

  • Output a single ESM bundle
• 9.0.0-beta.1 - 2024-02-23
  

  9.0.0-beta.1 (2024-02-23)

  Bug Fixes

  • improve spec compliance (ca9eb20)

  Features

  • switch to ESM output (8df344f)

  BREAKING CHANGES

  • Output a single ESM bundle
• 8.4.0 - 2024-04-09
  

  8.4.0 (2024-04-09)

  Features

  • re-add redirect request option (#636) (abc4955), closes #599

from @octokit/request GitHub release notes

---

Important

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Summary by Sourcery

Build:

• Upgrade @octokit/request from version 8.1.6 to 9.1.3 in package.json.

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR upgrades the @octokit/request package from version 8.4.0 to 9.1.3. This is a major version upgrade that includes breaking changes, primarily due to switching to ESM output. The upgrade spans 7 versions and includes various bug fixes, security improvements, and feature additions.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Major version upgrade with breaking changes in module system	Switched to ESM-only output bundle Added 'default' fallback to exports Added 'main' export configuration	package.json
Feature and security improvements	Re-added 'redirect' request option Added package provenance support Updated dependency @octokit/types to v13	package.json
Code quality and error handling improvements	Improved error message handling Refactored to use async/await instead of Promise chains Improved spec compliance	package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gitworkflows]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codiumai-pr-agent-free]

CI Failure Feedback 🧐

(Checks updated until commit 23ad496)

Action: build

Failed stage: NPM Test [❌]

Failed test name: [INFO][REGIONS] Could not load all regions from EC2

Failure summary: The action failed due to a configuration error related to AWS regions: The log contains an error message indicating a "ConfigError" due to a "Missing region in config" when attempting to load regions from EC2. This error suggests that the necessary AWS region configuration is missing or not properly set, which is required for the tests to execute correctly.

Relevant error logs: 1: ##[group]Operating System 2: Ubuntu ... 660: (Use `node --trace-warnings ...` to show where the warning was created) 661: engine 662: INFO: Determining API calls to make... 663: INFO: Found 350 API calls to make for aws plugins 664: INFO: Collecting metadata. This may take several minutes... 665: ✔ should run with no arguments (58ms) 666: exports 667: ✔ should use the proper format for each test (223ms) 668: [INFO][REGIONS] Could not load all regions from EC2: {"message":"Missing region in config","code":"ConfigError","time":"2024-12-09T06:12:18.528Z"} ... 677: ✔ should NOT traverse objects without allKeys option 678: ✔ should NOT travers objects in standard keywords which value is not a schema 679: pre and post 680: ✔ should traverse schema in pre-order 681: ✔ should traverse schema in post-order 682: ✔ should traverse schema in pre- and post-order at the same time 683: ackPrivateClusterEnabled 684: run 685: ✔ should FAIL if Cluster does not have Private Cluster enabled 686: ✔ should PASS if Cluster have Private Cluster enabled 687: ✔ should PASS if No ACK clusters found 688: ✔ should UNKNOWN if unable to query ACK clusters 689: ✔ should UNKNOWN if unable no Master_url is found for ACK clusters 690: cloudMonitorEnabled 691: run 692: ✔ should FAIL if Cluster does not have Cloud Monitor Enabled 693: ✔ should PASS if Cluster has Cloud Monitor enabled 694: ✔ should PASS if No ACK clusters found 695: ✔ should UNKNOWN if unable to query ACK clusters 696: logServiceEnabled 697: run 698: ✔ should FAIL if Cluster does not have Log Service enabled 699: ✔ should PASS if Cluster has Log Service enabled 700: ✔ should PASS if No ACK clusters found 701: ✔ should UNKNOWN if unable to query ACK clusters 702: ENImultipleIPmode 703: run 704: ✔ should FAIL if Cluster does not have NetworkPolicy Terway enabled 705: ✔ should PASS if Cluster has NetworkPolicy Terway enabled 706: ✔ should PASS if No ACK clusters found 707: ✔ should UNKNOWN if unable to query ACK clusters 708: networkPolicyEnabled 709: run 710: ✔ should FAIL if Cluster does not have NetworkPolicy enabled 711: ✔ should PASS if Cluster has NetworkPolicy enabled 712: ✔ should PASS if No ACK clusters found 713: ✔ should UNKNOWN if unable to query ACK clusters 714: webDashboardDisabled 715: run 716: ✔ should FAIL if Cluster has web dashboard enabled 717: ✔ should PASS if Cluster does not have web dashboard enabled 718: ✔ should PASS if No ACK clusters found 719: ✔ should UNKNOWN if unable to query ACK clusters 720: actiontrailBucketPrivate 721: run 722: ✔ should FAIL if ActionTrail trail Bucket ACL allows public access 723: ✔ should PASS if ActionTrail trail Bucket ACL allows private access 724: ✔ should PASS if no ActionTrail trail found 725: ✔ should PASS if no ActionTrail trail with OSS bucket destination found 726: ✔ should UNKNOWN if unable to query ActionTrail trails 727: ✔ should UNKNOWN if unable to query OSS bucket info 728: actiontrailGlobalExportLogs 729: run 730: ✔ should FAIL if ActionTrail does not have global trail to log all events 731: ✔ should FAIL if ActionTrail has global trail to log all events but does not export logs to OSS bucket 732: ✔ should PASS if ActionTrail has global trails to log all events 733: ✔ should UNKNOWN if unable to query ActionTrail trails 734: apiGroupTlsVersion 735: run 736: ✔ should PASS if API has latest TLS version 737: ✔ should FAIL if API does not have latest TLS version 738: ✔ should FAIL if API response does not have HttpsPolicy 739: ✔ should PASS if no api groups found 740: ✔ should UNKNOWN if unable to describe API groups 741: ✔ should not return anything if response not received 742: apiProtocol 743: run 744: ✔ should PASS if API has HTTPS protocol configured 745: ✔ should FAIL if API does not HTTPS protocol configured 746: ✔ should FAIL if API response does not have RequestConfig property 747: ✔ should PASS if no APIs are found 748: ✔ should UNKNOWN if unable to describe APIs 749: ✔ should not return anything if response not received 750: dataDisksEncrypted 751: run 752: ✔ should FAIL if disk is not encrypted 753: ✔ should FAIL if Data disk is not encrypted to target encryption level 754: ✔ should PASS if data disks are encrypted 755: ✔ should PASS if no ECS disks found 756: ✔ should UNKNOWN if unable to query ECS disks 757: openAllPortsProtocols 758: run 759: ✔ should PASS if no public open ports found 760: ✔ should FAIL if security group has all ports and protocols open to public 761: ✔ should PASS if no security groups found 762: ✔ should UNKNWON unable to describe security groups 763: openCIFS 764: run 765: ✔ should PASS if no public open ports found 766: ✔ should FAIL if security group has CIFS UDP 445 port open to public 767: ✔ should PASS if no security groups found 768: ✔ should UNKNWON unable to describe security groups 769: openCustomPorts 770: run 771: ✔ should PASS if no public open ports found 772: ✔ should FAIL if security group has custom ports open to public 773: ✔ should PASS if no security groups found 774: ✔ should UNKNWON unable to describe security groups 775: openDNS 776: run 777: ✔ should PASS if no public open ports found 778: ✔ should FAIL if security group has RDP TCP 53 port open to public 779: ✔ should PASS if no security groups found 780: ✔ should UNKNWON unable to describe security groups 781: openDocker 782: run 783: ✔ should PASS if no public open ports found 784: ✔ should FAIL if security group has Docker TCP 2375 port open to public 785: ✔ should PASS if no security groups found 786: ✔ should UNKNWON unable to describe security groups 787: openElasticsearch 788: run 789: ✔ should PASS if no public open ports found 790: ✔ should FAIL if security group has Elasticsearch TCP 9200 port open to public 791: ✔ should PASS if no security groups found 792: ✔ should UNKNWON unable to describe security groups 793: openFTP 794: run 795: ✔ should PASS if no public open ports found 796: ✔ should FAIL if security group has FTP TCP 20 port open to public 797: ✔ should PASS if no security groups found 798: ✔ should UNKNWON unable to describe security groups 799: openHadoopNameNode 800: run 801: ✔ should PASS if no public open ports found 802: ✔ should FAIL if security group has HDFSNameNodeMetadataService TCP 8020 port open to public 803: ✔ should PASS if no security groups found 804: ✔ should UNKNWON unable to describe security groups 805: openHadoopNameNodeWebUI 806: run 807: ✔ should PASS if no public open ports found 808: ✔ should FAIL if security group has NameNodeWebUI TCP 50070 port open to public 809: ✔ should PASS if no security groups found 810: ✔ should UNKNWON unable to describe security groups 811: openKibana 812: run 813: ✔ should PASS if no public open ports found 814: ✔ should FAIL if security group has Kibana TCP 5601 port open to public 815: ✔ should PASS if no security groups found 816: ✔ should UNKNWON unable to describe security groups 817: openMySQL 818: run 819: ✔ should PASS if no public open ports found 820: ✔ should FAIL if security group has MySQL TCP 3306 port open to public 821: ✔ should PASS if no security groups found 822: ✔ should UNKNWON unable to describe security groups 823: openNetBIOS 824: run 825: ✔ should PASS if no public open ports found 826: ✔ should FAIL if security group has NetBIOS UDP 137 port open to public 827: ✔ should PASS if no security groups found 828: ✔ should UNKNWON unable to describe security groups 829: openOracle 830: run 831: ✔ should PASS if no public open ports found 832: ✔ should FAIL if security group has Oracle TCP 1521 port open to public 833: ✔ should PASS if no security groups found 834: ✔ should UNKNWON unable to describe security groups 835: openOracleAutoDataWarehouse 836: run 837: ✔ should PASS if no public open ports found 838: ✔ should FAIL if security group has Oracle Auto Data Warehouse TCP 1522 port open to public 839: ✔ should PASS if no security groups found 840: ✔ should UNKNWON unable to describe security groups 841: openPostgreSQL 842: run 843: ✔ should PASS if no public open ports found 844: ✔ should FAIL if security group has PostgreSQL TCP 5432 port open to public 845: ✔ should PASS if no security groups found 846: ✔ should UNKNWON unable to describe security groups 847: openRDP 848: run 849: ✔ should PASS if no public open ports found 850: ✔ should FAIL if security group has RDP TCP 3389 port open to public 851: ✔ should PASS if no security groups found 852: ✔ should UNKNWON unable to describe security groups 853: openSalt 854: run 855: ✔ should PASS if no public open ports found 856: ✔ should FAIL if security group has Salt TCP 4505 port open to public 857: ✔ should PASS if no security groups found 858: ✔ should UNKNWON unable to describe security groups 859: openSMBoTCP 860: run 861: ✔ should PASS if no public open ports found 862: ✔ should FAIL if security group has SMBoTCP TCP 445 port open to public 863: ✔ should PASS if no security groups found 864: ✔ should UNKNWON unable to describe security groups 865: openSMTP 866: run 867: ✔ should PASS if no public open ports found 868: ✔ should FAIL if security group has SMTP TCP 25 port open to public 869: ✔ should PASS if no security groups found 870: ✔ should UNKNWON unable to describe security groups 871: openSQLServer 872: run 873: ✔ should PASS if no public open ports found 874: ✔ should FAIL if security group has SQL Server TCP 1433 port open to public 875: ✔ should PASS if no security groups found 876: ✔ should UNKNWON unable to describe security groups 877: openSSH 878: run 879: ✔ should PASS if no public open ports found 880: ✔ should FAIL if security group has SSH TCP 22 port open to public 881: ✔ should PASS if no security groups found 882: ✔ should UNKNWON unable to describe security groups 883: openTelnet 884: run 885: ✔ should PASS if no public open ports found 886: ✔ should FAIL if security group has Telnet TCP 23 port open to public 887: ✔ should PASS if no security groups found 888: ✔ should UNKNWON unable to describe security groups 889: openVNCClient 890: run 891: ✔ should PASS if no public open ports found 892: ✔ should FAIL if security group has VNC Client TCP 5500 port open to public 893: ✔ should PASS if no security groups found 894: ✔ should UNKNWON unable to describe security groups 895: openVNCServer 896: run 897: ✔ should PASS if no public open ports found 898: ✔ should FAIL if security group has VNC Server TCP 5900 port open to public 899: ✔ should PASS if no security groups found 900: ✔ should UNKNWON unable to describe security groups 901: systemDisksEncrypted 902: run 903: ✔ should PASS if System disks are encrypted 904: ✔ should PASS if System disks are encrypted to target encryption level 905: ✔ should FAIL if disk is not encrypted 906: ✔ should FAIL if System disk is not encrypted to target encryption level 907: ✔ should PASS if no ECS disks found 908: ✔ should UNKNOWN if unable to query ECS disks 909: bucketCmkEncrypted 910: run 911: ✔ should FAIL if OSS bucket is not encrypted to required encryption level 912: ✔ should FAIL if OSS bucket is not encrypted 913: ✔ should PASS if OSS bucket is encrypted to required encryption level 914: ✔ should PASS if no OSS buckets found 915: ✔ should UNKNOWN if unable to query for OSS buckets 916: ✔ should UNKNOWN if unable to query OSS bucket info 917: bucketCrossRegionReplication 918: run 919: ✔ should FAIL if bucket does not have cross region replication enabled 920: ✔ should FAIL if bucket info does not have cross region replication property 921: ✔ should PASS if bucket has cross region replication enabled 922: ✔ should PASS if no OSS buckets found 923: ✔ should UNKNOWN if unable to query for OSS buckets 924: ✔ should UNKNOWN if unable to query OSS bucket info 925: bucketLoggingEnabled 926: run 927: ✔ should FAIL if bucket does not have logging enabled 928: ✔ should PASS if bucket has logging enabled 929: ✔ should PASS if no OSS buckets found 930: ✔ should UNKNOWN if unable to query for OSS buckets 931: ✔ should UNKNOWN if unable to query OSS bucket info 932: bucketRequestPayment 933: run 934: ✔ should FAIL if bucket does not have pay per requester enabled 935: ✔ should FAIL if payer property is not returned 936: ✔ should PASS if bucket has pay per requester enabled 937: ✔ should PASS if no OSS buckets found 938: ✔ should UNKNOWN if unable to query for OSS buckets 939: ✔ should UNKNOWN if unable to query OSS bucket info 940: ossBucketIpRestriction 941: run 942: ✔ should PASS if OSS bucket has IP restrictions configured 943: ✔ should FAIL if OSS bucket does not have IP restrictions configured 944: ✔ should FAIL if no OSS bucket policy found 945: ✔ should PASS if no OSS buckets found 946: ✔ should UNKNOWN if unable to query for OSS buckets 947: ✔ should UNKNOWN if unable to query OSS bucket policy 948: bucketLifecycle 949: run 950: ✔ should FAIL if bucket does not have lifecycle policies 951: ✔ should PASS if bucket has lifecycle policies enabled 952: ✔ should PASS if bucket has lifecycle policies disabled 953: ✔ should PASS if no OSS buckets found 954: ✔ should UNKNOWN if unable to query for OSS buckets 955: ✔ should UNKNOWN if Unable to query OSS bucket lifecycle policy info 956: ossBucketPrivate 957: run 958: ✔ should FAIL if bucket ACL allows public-read-write access 959: ✔ should PASS if bucket ACL allows private access 960: ✔ should PASS if no OSS buckets found 961: ✔ should UNKNOWN if unable to query for OSS buckets 962: ✔ should UNKNOWN if unable to query OSS bucket info 963: ossBucketSecureTransport 964: run 965: ✔ should PASS if OSS bucket has secure transport enabled 966: ✔ should FAIL if OSS bucket does not have secure transport enabled 967: ✔ should FAIL if no OSS bucket policy found 968: ✔ should PASS if no OSS buckets found 969: ✔ should UNKNOWN if unable to query for OSS buckets 970: ✔ should UNKNOWN if unable to query OSS bucket policy 971: bucketTransferAcceleration 972: run 973: ✔ should FAIL if bucket does not have transfer acceleration enabled 974: ✔ should FAIL if bucket info does not have transfer acceleration property 975: ✔ should PASS if bucket has transfer acceleration enabled 976: ✔ should PASS if no OSS buckets found 977: ✔ should UNKNOWN if unable to query for OSS buckets 978: ✔ should UNKNOWN if unable to query OSS bucket info 979: ossBucketVersioning 980: run 981: ✔ should FAIL if bucket versioning is not enabled 982: ✔ should PASS if bucket versioning is enabled 983: ✔ should PASS if no OSS buckets found 984: ✔ should UNKNOWN if unable to query for OSS buckets 985: ✔ should UNKNOWN if unable to query OSS bucket info 986: accessKeysRotation 987: run 988: ✔ should FAIL if RAM user access keys are not rotated every 90 days or less 989: ✔ should PASS if RAM user access keys are not rotated every 90 days or less 990: ✔ should PASS if RAM user does not have any access keys 991: ✔ should PASS if No RAM users found 992: ✔ should UNKNOWN if unable to query user access keys 993: ✔ should UNKNOWN if unable to query RAM users 994: inactiveUserDisabled 995: run 996: ✔ should FAIL if RAM user is enabled on being inactive for 90 or more days 997: ✔ should PASS if RAM user is disabled on being inactive for 90 or more days 998: ✔ should PASS if RAM user last activity was before 90 days 999: ✔ should PASS if No RAM users found 1000: ✔ should UNKNOWN if Unable to query login profile 1001: ✔ should UNKNOWN if Unable to query RAM users 1002: passwordBlockLogon 1003: run 1004: ✔ should FAIL if RAM password security policy does not require logon to be blocked after 5 attempts 1005: ✔ should PASS if RAM password security policy requires logon to be blocked after 5 attempts 1006: ✔ should UNKNOWN if unable to query RAM password policy 1007: passwordExpiry 1008: run 1009: ✔ should FAIL if RAM password security policy does not require password to be expired after 90 days 1010: ✔ should PASS if RAM password security policy requires password to be expired after set days 1011: ✔ should UNKNOWN if unable to query RAM password policy 1012: passwordMinLength 1013: run 1014: ✔ should FAIL if RAM password security policy does not require minimum length of 14 or greater 1015: ✔ should PASS if RAM password security policy require minimum length of 14 or greater 1016: ✔ should UNKNOWN if unable to query RAM password policy 1017: passwordNoReuse 1018: run 1019: ✔ should FAIL if RAM password security policy does not requires to prevent reusing 5 previous passwords 1020: ✔ should PASS if RAM password security policy requires to prevent reusing 5 previous passwords 1021: ✔ should UNKNOWN if unable to query RAM password policy 1022: passwordRequiresLowercase 1023: run 1024: ✔ should FAIL if RAM password security policy does not require lowercase characters 1025: ✔ should PASS if RAM password security policy requires lowercase characters 1026: ✔ should UNKNOWN if unable to query RAM password policy 1027: passwordRequiresNumbers 1028: run 1029: ✔ should FAIL if RAM password security policy does not require numbers 1030: ✔ should PASS if RAM password security policy requires numbers 1031: ✔ should UNKNOWN if unable to query RAM password policy 1032: passwordRequiresSymbols 1033: run 1034: ✔ should FAIL if RAM password security policy does not require symbols 1035: ✔ should PASS if RAM password security policy requires symbols 1036: ✔ should UNKNOWN if unable to query RAM password policy 1037: passwordRequiresUppercase 1038: run 1039: ✔ should FAIL if RAM password security policy does not require uppercase characters 1040: ✔ should PASS if RAM password security policy requires uppercase characters 1041: ✔ should UNKNOWN if unable to query RAM password policy 1042: ramAdminPolicy 1043: run 1044: ✔ should FAIL if Policy provides admin (*:*) access and attachment count is greater than 0 1045: ✔ should PASS if Policy provides admin (*:*) access but attachment count is 0 1046: ✔ should PASS if Policy does not provide admin (*:*) access 1047: ✔ should PASS if No RAM policies found 1048: ✔ should UNKNOWN if Unable to query RAM policies 1049: ✔ should UNKNOWN if Unable to get RAM policy 1050: ramPolicyAttachments 1051: run 1052: ✔ should FAIL if User has policies attached 1053: ✔ should PASS if no policies are attached to user 1054: ✔ should PASS if No RAM users found 1055: ✔ should UNKNOWN if Unable to query RAM users 1056: usersMfaEnabled 1057: run 1058: ✔ should FAIL if RAM user does not have MFA device configured 1059: ✔ should PASS if RAM user has MFA device configured 1060: ✔ should PASS if No RAM users found 1061: ✔ should UNKNOWN if Unable to query RAM users 1062: rdsAuditingEnabled 1063: run 1064: ✔ should FAIL if RDS DB instance does not have sql auditing enabled 1065: ✔ should PASS if RDS DB instance have sql auditing enabled 1066: ✔ should PASS if no RDS DB instances found 1067: ✔ should UNKNOWN if unable to query RDS DB instances 1068: ✔ should UNKNOWN if unable to query DB sql auditing policy 1069: rdsLogConnectionEnabled 1070: run 1071: ✔ should FAIL if RDS DB instance does not have log_connections parameter enabled 1072: ✔ should PASS if RDS DB instance has log_connections parameter enabled 1073: ✔ should PASS if no RDS DB instances found 1074: ✔ should UNKNOWN if unable to query RDS DB instances 1075: ✔ should UNKNOWN if unable to query DB parameters 1076: rdsLogDisconnectionsEnabled 1077: run 1078: ✔ should FAIL if RDS DB instance does not have log_disconnections parameter enabled 1079: ✔ should PASS if RDS DB instance has log_disconnections parameter enabled 1080: ✔ should PASS if no RDS DB instances found 1081: ✔ should UNKNOWN if unable to query RDS DB instances 1082: ✔ should UNKNOWN if unable to query DB parameters 1083: rdsLogDuration 1084: run 1085: ✔ should FAIL if RDS DB instance does not have log_duration parameter enabled 1086: ✔ should PASS if RDS DB instance has log_duration parameter enabled 1087: ✔ should PASS if no RDS DB instances found 1088: ✔ should UNKNOWN if unable to query RDS DB instances 1089: ✔ should UNKNOWN if unable to query DB parameters 1090: rdsPublicAccess 1091: run 1092: ✔ should FAIL if RDS DB instance is publicly accessible 1093: ✔ should PASS if RDS DB instance is not publicly accessible 1094: ✔ should PASS if no RDS DB instances found 1095: ✔ should UNKNOWN if unable to query RDS DB instances 1096: ✔ should UNKNOWN if Unable to query DB IP Array List 1097: rdsSqlAuditRetentionPeriod 1098: run 1099: ✔ should FAIL if RDS DB instance does not have sql audit log retention greater than 180 days 1100: ✔ should FAIL if RDS DB instance does not have sql audit log retention greater than set days limit 1101: ✔ should PASS if RDS DB instance have sql audit log retention greater than 180 days 1102: ✔ should PASS if RDS DB instance have sql audit log retention greater than set days limit 1103: ✔ should PASS if no RDS DB instances found 1104: ✔ should UNKNOWN if unable to query RDS DB instances 1105: ✔ should UNKNOWN if unable to query DB sql audit log retention 1106: rdsSslEncryptionEnabled 1107: run 1108: ✔ should FAIL if RDS instance does not have SSL encryption enabled 1109: ✔ should PASS if RDS instance has SSL encryption enabled 1110: ✔ should PASS if no RDS DB instances found 1111: ✔ should UNKNOWN if unable to query RDS DB instances 1112: ✔ should UNKNOWN if unable to query RDS instance SSL info 1113: rdsTdeEnabled 1114: run 1115: ✔ should FAIL if RDS DB instance does not have TDE enabled 1116: ✔ should PASS if RDS DB instance have TDE enabled 1117: ✔ should PASS if RDS DB instance have engine type other MySQL 5.6 and SQL Server Enterprise Edition 1118: ✔ should PASS if no RDS DB instances found 1119: ✔ should UNKNOWN if unable to query RDS DB instances 1120: ✔ should UNKNOWN if unable to query RDS DB instance TDE 1121: securityAgentInstalled 1122: run 1123: ✔ should FAIL if there are unprotected assets 1124: ✔ should PASS if there are no unprotected assets 1125: ✔ should UNKNOWN if Unable to query TDS field statistics 1126: securityCenterEdition 1127: run 1128: ✔ should FAIL if Security Center edition is Basic or Anti-virus 1129: ✔ should PASS if Security Center edition is Advanced or plus 1130: ✔ should UNKNOWN if Unable to query Security Center version config 1131: securityNotificationsEnabled 1132: run 1133: ✔ should FAIL if security notifications are not enabled 1134: ✔ should PASS if security notifications are enabled for all alerts 1135: ✔ should PASS if no TDS notice config found 1136: ✔ should UNKNOWN if Unable to query TDS notice config 1137: vulnerabilityScanEnabled 1138: run 1139: ✔ should FAIL if Vulnerability scan is not enabled on all servers 1140: ✔ should PASS if Vulnerability scan is enabled on all servers 1141: ✔ should PASS if no vulnerabity config found 1142: ✔ should UNKNOWN if Unable to query 1143: accessAnalyzerActiveFindings 1144: run 1145: ✔ should FAIL if Amazon IAM access analyzer has active findings. 1146: ✔ should PASS if Amazon IAM access analyzer have no active findings. 1147: ✔ should PASS if no analyzers found 1148: ✔ should UNKNOWN if Unable to query for IAM access analyzers 1149: accessAnalyzerEnabled 1150: run 1151: ✔ should PASS if Access Analyzer is enabled 1152: ✔ should FAIL if Access Analyzer is not enabled 1153: ✔ should FAIL if Access Analyzer not configured 1154: ✔ should UNKNOWN if unable to list Access analyzer 1155: ✔ should not return anything if list Access Analyzers response is not found 1156: acmCertificateExpiry 1157: run 1158: ✔ should PASS if certificate expiration date exceeds set PASS number of days in the future 1159: ✔ should FAIL if certificate expiration date does not exceed set WARN number of days in the future 1160: ✔ should FAIL if certificate has already expired ... 1164: ✔ should UNKNOWN if unable to list ACM certificates 1165: ✔ should UNKNOWN if unable to describe ACM certificate 1166: acmCertificateHasTags 1167: run 1168: ✔ should give unknown result if unable to list acm certificates 1169: ✔ should give passing result if acm certificates not found. 1170: ✔ should give unknown result if unable to query resource group tagging api 1171: ✔ should give passing result if acm certificates have tags 1172: ✔ should give failing result if eks cluster does not have tags 1173: acmSingleDomainNameCertificate 1174: run 1175: ✔ should PASS if ACM certificate is a single domain name certificate 1176: ✔ should FAIL if ACM certificate is a wildcard certificate 1177: ✔ should PASS if No ACM certificates found 1178: ✔ should UNKNOWN if unable to list ACM certificates 1179: ✔ should UNKNOWN if unable to describe ACM certificate 1180: acmValidation 1181: run 1182: ✔ should PASS if ACM certificate is using DNS validations 1183: ✔ should FAIL if ACM certificate has failed validations 1184: ✔ should WARN if ACM certificate is using EMAIL validation 1185: ✔ should PASS if No ACM certificates found 1186: ✔ should UNKNOWN if unable to list ACM certificates 1187: ✔ should UNKNOWN if unable to describe ACM certificate 1188: apigatewayAuthorization 1189: run 1190: ✔ should return UNKNOWN if unable to query for API Gateway Rest APIs 1191: ✔ should return PASS if no API Gateway Rest APIs found 1192: ✔ should return FAIL if no authorizers exist for API Gateway Rest API 1193: ✔ should return PASS if authorizers exist for API Gateway Rest API 1194: ✔ should not return anything if get Rest APIs response is not found 1195: apigatewayCertificateRotation 1196: run 1197: ✔ should PASS if API Gateway API stages do not need client certificate rotation 1198: ✔ should FAIL if API Gateway API stage needs client certificate rotation 1199: ✔ should FAIL if API Gateway API stage client certificate has already expired ... 1201: ✔ should PASS if No API Gateway Rest API stages found 1202: ✔ should PASS if No API Gateway Rest API stage client certificate found 1203: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1204: ✔ should UNKNOWN if unable to get API Gateway Rest API stages 1205: ✔ should not return anything if get Rest APIs response is not found 1206: apigatewayClientCertificate 1207: run 1208: ✔ should PASS if API Gateway API use client certificate for all stages 1209: ✔ should FAIL if API Gateway API does not use client certificate for all stages 1210: ✔ should PASS if No API Gateway Rest APIs found 1211: ✔ should PASS if No API Gateway Rest API Stages found 1212: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1213: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1214: ✔ should not return anything if get Rest APIs response is not found 1215: apigatewayCloudwatchLogs 1216: run 1217: ✔ should PASS if API Gateway API has CloudWatch Logs enabled for all stages 1218: ✔ should FAIL if API Gateway API does not have CloudWatch Logs enabled for stages 1219: ✔ should PASS if No API Gateway Rest APIs found 1220: ✔ should PASS if No API Gateway Rest API Stages found 1221: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1222: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1223: ✔ should not return anything if get Rest APIs response is not found 1224: apigatewayContentEncoding 1225: run 1226: ✔ should PASS if API Gateway API stage has content encoding enabled 1227: ✔ should FAIL if API Gateway API stage does not have content encoding enabled 1228: ✔ should PASS if No API Gateway Rest APIs found 1229: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1230: ✔ should not return anything if get Rest APIs response is not found 1231: apigatewayTlsDefaultEndpoint 1232: run 1233: ✔ should PASS if No API Gateway rest APIs found 1234: ✔ should PASS if API Gateway is not accessible through default endpoint 1235: ✔ should FAIL if API Gateway is accessible through default endpoint 1236: ✔ should UNKNOWN if unable to query for API Gateways 1237: apigatewayPrivateEndpoints 1238: run 1239: ✔ should PASS if API Gateway API is only accessible through private endpoints 1240: ✔ should FAIL if API Gateway API is accessible through public endpoints 1241: ✔ should PASS if No API Gateway Rest APIs found 1242: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1243: ✔ should not return anything if get Rest APIs response is not found 1244: apigatewayResponseCaching 1245: run 1246: ✔ should PASS if Response caching is enabled for API Gateway API stage 1247: ✔ should FAIL if Response caching is not enabled for API Gateway API stage 1248: ✔ should PASS if No API Gateway Rest APIs found 1249: ✔ should PASS if No API Gateway Rest API Stages found 1250: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1251: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1252: ✔ should not return anything if get Rest APIs response is not found 1253: apigatewayTracingEnabled 1254: run 1255: ✔ should PASS if API Gateway API has tracing enabled for all stages 1256: ✔ should FAIL if API Gateway API does not have tracing enabled for stages 1257: ✔ should PASS if No API Gateway Rest APIs found 1258: ✔ should PASS if No API Gateway Rest API Stages found 1259: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1260: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1261: ✔ should not return anything if get Rest APIs response is not found 1262: apigatewayWafEnabled 1263: run 1264: ✔ should PASS if API Gateway API has WAF enabled for all stages 1265: ✔ should FAIL if API Gateway API does not have WAF enabled for stages 1266: ✔ should PASS if No API Gateway Rest APIs found 1267: ✔ should PASS if No API Gateway Rest API Stages found 1268: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1269: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1270: ✔ should not return anything if get Rest APIs response is not found 1271: apiStageLevelCacheEncryption 1272: run 1273: ✔ should PASS if API Gateway stage encrypts cache data 1274: ✔ should FAIL if API Gateway stage does not encrypt cache data ... 1276: ✔ should PASS if No API Gateway Rest APIs found 1277: ✔ should PASS if No API Gateway Rest API Stages found 1278: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1279: ✔ should UNKNOWN if unable to get API Gateway Stages 1280: apigatewayCustomDomainDeprecatedProtocol 1281: run 1282: ✔ should PASS if No API Gateway Custom Domains found 1283: ✔ should PASS if API Gateway Custom Domain is using current minimum TLS version 1284: ✔ should FAIL if API Gateway Custom Domain is using deprecated TLS version 1285: ✔ should UNKNOWN if unable to query for API Gateways 1286: detailedCloudWatchMetrics 1287: run 1288: ✔ should PASS if API Gateway API has detailed CloudWatch metrics enabled for all stages 1289: ✔ should FAIL if API Gateway API does not have detailed CloudWatch metrics enabled for stages 1290: ✔ should PASS if No API Gateway Rest APIs found 1291: ✔ should PASS if No API Gateway Rest API Stages found 1292: ✔ should UNKNOWN if unable to get API Gateway Rest APIs 1293: ✔ should UNKNOWN if unable to get API Gateway Rest API Stages 1294: ✔ should not return anything if get Rest APIs response is not found 1295: flowEncrypted 1296: run 1297: ✔ should PASS if AppFlow flow is encrypted with desired encryption level 1298: ✔ should FAIL if AppFlow flow is not encrypted with desired encryption level 1299: ✔ should PASS if no AppFlow flows found 1300: ✔ should UNKNOWN if unable to list AppFlow flows 1301: ✔ should UNKNOWN if unable to list KMS keys 1302: appmeshTLSRequired 1303: run 1304: ✔ should PASS if App Mesh virtual gateway listeners restrict TLS enabled connections 1305: ✔ should FAIL if App Mesh vitual gateway listeners does not restrict TLS enabled connections 1306: ✔ should PASS if no App Mesh meshes found 1307: ✔ should UNKNOWN if Unable to list App Mesh meshes 1308: ✔ should UNKNOWN if unable to list App Mesh virtual gateways 1309: ✔ should not return anything if list App Mesh meshes response not found 1310: appmeshVGAccessLogging 1311: run 1312: ✔ should PASS if access logging is enabled and configured for Amazon App Mesh virtual gateways 1313: ✔ should FAIL if access logging is not enabled for Amazon App Mesh virtual gateways 1314: ✔ should PASS if No App Meshes found 1315: ✔ should UNKNOWN if unable to query for App Mesh meshes 1316: ✔ should UNKNOWN if unable to query for App Mesh virtual gateways 1317: ✔ should not return anything if list App Meshes response not found 1318: appmeshVGHealthChecks 1319: run 1320: ✔ should PASS if health check policies are configured for Amazon App Mesh virtual gateways 1321: ✔ should FAIL if health check policies are not configured for Amazon App Mesh virtual gateways 1322: ✔ should PASS if No App Meshes found 1323: ✔ should UNKNOWN if unable to query for App Mesh meshes 1324: ✔ should UNKNOWN if unable to query for App Mesh virtual gateways 1325: ✔ should not return anything if list App Meshes response not found 1326: restrictExternalTraffic 1327: run 1328: ✔ should PASS if App Mesh mesh does not allow access to external services 1329: ✔ should FAIL if App Mesh mesh allows access to external services 1330: ✔ should PASS if no App Meshes found 1331: ✔ should UNKNOWN if Unable to query for App Mesh meshes 1332: ✔ should UNKNOWN if Unable to describe App Mesh mesh 1333: serviceEncrypted 1334: run 1335: ✔ should PASS if App Runner service is encrypted with desired encryption level 1336: ✔ should FAIL if App Runner service not encrypted with desired encryption level 1337: ✔ should PASS if no App Runner service found 1338: ✔ should UNKNOWN if unable to list Services 1339: ✔ should UNKNOWN if unable to list KMS keys 1340: workgroupEncrypted 1341: run 1342: ✔ should PASS if Athena workgroup is using encryption 1343: ✔ should PASS if Athena primary workgroup does not have encryption enabled but is not in use. 1344: ✔ should FAIL if Athena workgroup is not using encryption 1345: ✔ should PASS if no Athena workgroups found 1346: ✔ should UNKNOWN if unable to list Athena workgroups 1347: ✔ should UNKNOWN if unable to describe Athena workgroup 1348: ✔ should not return any results if list workgroups response not found 1349: workgroupEnforceConfiguration 1350: run 1351: ✔ should PASS if Athena workgroup is enforcing configuration options 1352: ✔ should PASS if Athena primary workgroup is not enforcing configuration options but is not in use 1353: ✔ should FAIL if Athena workgroup is not enforcing configuration options 1354: ✔ should PASS if no Athena workgroups found 1355: ✔ should UNKNOWN if unable to list Athena workgroups 1356: ✔ should UNKNOWN if unable to describe Athena workgroup 1357: ✔ should not return any results if list workgroups response not found 1358: auditmanagerDataEncrypted 1359: run 1360: ✔ should PASS if Audit Manager data is encrypted with desired encryption level 1361: ✔ should FAIL if Audit Manager data is not encrypted with desired encryption level 1362: ✔ should PASS if Audit Manager is not setup for the region 1363: ✔ should UNKNOWN if unable to get Audit Manager settings 1364: ✔ should UNKNOWN if unable to list KMS keys 1365: appTierAsgApprovedAmi 1366: run 1367: ✔ should PASS if Launch Configuration for App-Tier Auto Scaling group is using approved AMIs 1368: ✔ should FAIL if Launch Configuration for App-Tier Auto Scaling group is not using active AMIs 1369: ✔ should FAIL if Launch Configuration for App-Tier Auto Scaling group is not using any AMI ... 1371: ✔ should PASS if no App-Tier Auto Scaling groups found 1372: ✔ should PASS if no Auto Scaling groups found 1373: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1374: ✔ should not return anything if describe Auto Scaling groups response not found 1375: ✔ should not return anything if App-Tier tag key is not provided in settings 1376: appTierAsgCloudWatchLogs 1377: run 1378: ✔ should PASS if App-Tier Auto Scaling launch configuration is using CloudWatch Logs agent 1379: ✔ should FAIL if App-Tier Auto Scaling launch configuration is not using CloudWatch Logs agent 1380: ✔ should UNKNOWN if unable to describe launch configuration for App-Tier Auto Scaling group 1381: ✔ should PASS if no App-Tier Auto Scaling groups found 1382: ✔ should PASS if no Auto Scaling groups found 1383: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1384: ✔ should not return anything if no Auto Scaling groups found 1385: appTierIamRole 1386: run 1387: ✔ should PASS if launch configuration for App-Tier group has customer IAM role configured 1388: ✔ should FAIL if launch configuration for App-Tier group does not have customer IAM role configured ... 1391: ✔ should PASS if no App-Tier Auto Scaling groups found 1392: ✔ should PASS if no Auto Scaling launch configurations found 1393: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1394: ✔ should UNKNOWN if unable to describe Auto Scaling launch configurations 1395: ✔ should not return anything if no response for describe Auto Scaling groups 1396: asgActiveNotifications 1397: run 1398: ✔ should PASS if notification are active for auto scaling group 1399: ✔ should FAIL if notification are not active for auto scaling group 1400: ✔ should UNKNOWN if unable to describe auto scaling group found 1401: ✔ should not return anything if no auto scaling group found 1402: ✔ should FAIL if No auto scaling group notification configurations found 1403: asgCooldownPeriod 1404: run 1405: ✔ should PASS if Amazon Auto Scaling Groups are utilizing cool down period 1406: ✔ should FAIL if the cool down period setting is not properly configured for the selected Amazon ASG 1407: ✔ should PASS if no AutoScaling groups found 1408: ✔ should UNKNOWN if an error occurs while describing AutoScaling groups 1409: ✔ should not return anything if unable to query for AutoScaling groups 1410: asgMissingELB 1411: run 1412: ✔ should PASS if AutoScaling group utilizes active load balancer 1413: ✔ should FAIL if AutoScaling group utilizes inactive load balancer 1414: ✔ should FAIL if AutoScaling group does not have any ELB associated 1415: ✔ should PASS if AutoScaling group does not utilize a load balancer 1416: ✔ should UNKNOWN if unable to describe AutoScaling group found 1417: ✔ should not return anything if no AutoScaling group found 1418: asgMissingSecurityGroups 1419: run 1420: ✔ should PASS if Auto Scaling launch configuration does not reference any missing EC2 security group 1421: ✔ should FAIL if Auto Scaling launch configuration references missing EC2 security group(s) 1422: ✔ should PASS if no Auto Scaling launch configurations found 1423: ✔ should PASS if Auto Scaling launch configuration does not have any security groups associated 1424: ✔ should FAIL if no EC2 security groups found 1425: ✔ should UNKNOWN if unable to describe Auto Scaling launch configurations 1426: ✔ should not return anything if describe Auto Scaling launch configurations response not found 1427: asgMultiAz 1428: run 1429: ✔ should PASS if Auto Scaling group utilizes multiple availability zones 1430: ✔ should FAIL if Auto Scaling group utilizes one availability zone 1431: ✔ should PASS if no Auto Scaling groups found 1432: ✔ should UNKNOWN if error describing Auto Scaling groups 1433: ✔ should not return anything if unable to describe Auto Scaling groups 1434: asgSuspendedProcesses 1435: run 1436: ✔ should PASS if AutoScaling group does not have any suspended process 1437: ✔ should FAIL if AutoScaling group has suspended processes 1438: ✔ should PASS if no AutoScaling groups found 1439: ✔ should UNKNOWN if an error occurs while describing AutoScaling groups 1440: ✔ should not return anything if unable to query for AutoScaling groups 1441: asgUnusedLaunchConfiguration 1442: run 1443: ✔ should PASS if Auto Scaling launch configuration is being used 1444: ✔ should FAIL if Auto Scaling launch configuration is not being used 1445: ✔ should PASS if no Auto Scaling launch configurations found 1446: ✔ should UNKNOWN if Unable to query for Auto Scaling launch configurations 1447: elbHealthCheckActive 1448: run 1449: ✔ should PASS if Auto Scaling group does not use ELBs 1450: ✔ should PASS if Auto Scaling group has ELB health check active 1451: ✔ should PASS if Auto Scaling group does not use ELBs 1452: ✔ should FAIL if Auto Scaling group does not have ELB health check active 1453: ✔ should PASS if no Auto Scaling groups found 1454: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1455: ✔ should not return anything if no response found for describe Auto Scaling groups 1456: emptyASG 1457: run 1458: ✔ should PASS if autoscaling group contains instance(s) 1459: ✔ should FAIL if autoscaling group does not contain instance(s) 1460: ✔ should PASS if no autoscaling group data found 1461: ✔ should UNKNOWN if unable to describe autoscaling group found 1462: ✔ should not return anything if no autoscaling group found 1463: sameAzElb 1464: run 1465: ✔ should PASS if load balancer is in the same Availability Zone as of AutoScaling group 1466: ✔ should PASS if AutoScaling does not utilizes load balancer as HealthCheckType 1467: ✔ should FAIL if load balancer is not in the same Availability Zone as of AutoScaling group 1468: ✔ should FAIL if autoscaling group utilizes an inactive load balancer 1469: ✔ should UNKOWN if unable to query for load balancers 1470: ✔ should UNKNOWN if unable to describe autoscaling groups 1471: ✔ should not return anything if no autoscaling group found 1472: webTierAsgApprovedAmi 1473: run 1474: ✔ should PASS if Launch Configuration for Web-Tier Auto Scaling group is using approved AMIs 1475: ✔ should FAIL if Launch Configuration for Web-Tier Auto Scaling group is not using active AMIs 1476: ✔ should FAIL if Launch Configuration for Web-Tier Auto Scaling group is not using any AMI ... 1478: ✔ should PASS if no Web-Tier Auto Scaling groups found 1479: ✔ should PASS if no Auto Scaling groups found 1480: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1481: ✔ should not return anything if describe Auto Scaling groups response not found 1482: ✔ should not return anything if Web-Tier tag key is provided in settings 1483: webTierAssociatedElb 1484: run 1485: ✔ should PASS if Web-Tier Auto Scaling group has ELB associated 1486: ✔ should FAIL if Web-Tier Auto Scaling group does not have ELB associated 1487: ✔ should PASS if no Auto Scaling groups found 1488: ✔ should PASS if no Web-Tier Auto Scaling groups found 1489: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1490: ✔ should not return anything if describe Auto Scaling groups response not found 1491: webTierAsgCloudWatchLogs 1492: run 1493: ✔ should PASS if Web-Tier Auto Scaling launch configuration has CloudWatch logs enabled 1494: ✔ should FAIL if Web-Tier Auto Scaling launch configuration does not have CloudWatch logs enabled 1495: ✔ should UNKNOWN if unable to describe launch configuration for Web-Tier Auto Scaling group 1496: ✔ should PASS if no Web-Tier Auto Scaling groups found 1497: ✔ should PASS if no Auto Scaling groups found 1498: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1499: ✔ should not return anything if no Auto Scaling groups found 1500: webTierIamRole 1501: run 1502: ✔ should PASS if launch configuration for Web-Tier group has customer IAM role configured 1503: ✔ should FAIL if launch configuration for Web-Tier group does not have customer IAM role configured ... 1506: ✔ should PASS if no Web-Tier Auto Scaling groups found 1507: ✔ should PASS if no Auto Scaling launch configurations found 1508: ✔ should UNKNOWN if unable to describe Auto Scaling groups 1509: ✔ should UNKNOWN if unable to describe Auto Scaling launch configurations 1510: ✔ should not return anything if no response for describe Auto Scaling groups 1511: backupDeletionProtection 1512: run 1513: ✔ should PASS if Backup vault has deletion protection enabled 1514: ✔ should FAIL if Backup vault does not have deletion protection enabled 1515: ✔ should FAIL if no access policy found for Backup vault 1516: ✔ should PASS if no Backup vault list found 1517: ✔ should UNKNOWN if Unable to query for Backup vault list 1518: ✔ should UNKNOWN if Unable to get Backup vault policy 1519: backupInUseForRDSSnapshots 1520: run 1521: ✔ should PASS if Backup service is in use for RDS snapshots 1522: ✔ should FAIL if Backup service is not in use for RDS snapshots 1523: ✔ should PASS if no RDS snapshots found 1524: ✔ should UNKNOWN if Unable to query for RDS snapshots 1525: backupNotificationEnabled 1526: run 1527: ✔ should PASS if Backup vault is configured to send alert notifications for failed Backup job events 1528: ✔ should FAIL if Backup vault is not configured to send alert notifications for failed Backup job events 1529: ✔ should FAIL if Backup vault does not have any notifications configured 1530: ✔ should PASS if no Backup vault list found 1531: ✔ should UNKNOWN if Unable to query for Backup vault list 1532: ✔ should UNKNOWN if Unable to get event notifications for selected Amazon Backup vault 1533: backupResourceProtection 1534: run 1535: ✔ should PASS if All desired resource types are protected by Backup service 1536: ✔ should FAIL if These desired resource types are not protected by Backup service 1537: ✔ should UNKNOWN Unable to query for Backup resource type opt in preference 1538: backupVaultEncrypted 1539: run 1540: ✔ should PASS if Backup Vault is encrypted with desired encryption level 1541: ✔ should FAIL if Backup Vault is not encrypted with desired encyption level 1542: ✔ should PASS if no Backup vault found 1543: ✔ should UNKNOWN if unable to list Backup vault 1544: ✔ should UNKNOWN if unable to list KMS keys 1545: backupVaultHasTags 1546: run 1547: ✔ should PASS if Backup vault have tags 1548: ✔ should FAIL if Backup vault does not have tags 1549: ✔ should PASS if no Backup vault list found 1550: ✔ should UNKNOWN if Unable to query for Backup vault list 1551: ✔ should give unknown result if unable to query resource group tagging api 1552: backupVaultPolicies 1553: run 1554: ✔ should PASS if Backup vault does not allow global access to the action 1555: ✔ should FAIL if Backup vault allow global access to the action 1556: ✔ should PASS if no Backup vault list found 1557: ✔ should UNKNOWN if Unable to query for Backup vault list 1558: ✔ should UNKNOWN if Unable to get Backup vault policy 1559: compliantLifecycleConfigured 1560: run 1561: ✔ should PASS if Backup plan has lifecycle configuration enabled 1562: ✔ should FAIL if Backup plan does not have lifecycle configuration enabled 1563: ✔ should PASS if no Backup plans found 1564: ✔ should UNKNOWN if Unable to list Backup plans 1565: customModelEncryptionEnabled 1566: run 1567: ✔ should PASS if Bedrock Custom Model is Encrypted using CMK 1568: ✔ should FAIL if Bedrock Custom Model is encrypted with AWS owned key 1569: ✔ should PASS if the desired encryption level for bedrock custom model is awskms 1570: ✔ should PASS if no Bedrock custom model found 1571: ✔ should UNKNOWN if unable to list Bedrock custom model 1572: customModelHasTags 1573: run 1574: ✔ should PASS if Bedrock custom model has tags 1575: ✔ should FAIL if Bedrock custom model doesnot have tags 1576: ✔ should PASS if no Bedrock custom model found 1577: ✔ should UNKNOWN if unable to query Bedrock custom model 1578: ✔ should give unknown result if unable to query resource group tagging api 1579: customModelInVpc 1580: run 1581: ✔ should PASS if Bedrock Custom Model has Vpc configured 1582: ✔ should FAIL if Bedrock Custom Model have not Vpc configured 1583: ✔ should PASS if no Bedrock custom model found 1584: ✔ should UNKNOWN if unable to list Bedrock custom model 1585: modelInvocationLoggingEnabled 1586: run 1587: ✔ should PASS if model invocation logging is enabled for bedrock models 1588: ✔ should FAIL if model invocation logging is disabled for bedrock models 1589: ✔ should UNKNOWN if unable to query for model invocation logging 1590: privateCustomModel 1591: run 1592: ✔ should PASS if Bedrock Custom Model is a private model 1593: ✔ should FAIL if Bedrock Custom Model have not Vpc configured 1594: ✔ should FAIL if Bedrock Custom Model is not a private model 1595: ✔ should PASS if no Bedrock custom model found 1596: ✔ should UNKNOWN if unable to list Bedrock custom model 1597: cloudformationAdminPriviliges 1598: run 1599: ✔ should PASS if CloudFormation stack does not have admin privileges 1600: ✔ should FAIL if CloudFormation stack has admin privileges ... 1604: ✔ should UNKNOWN if unable to list role policies 1605: ✔ should not return anything if list CloudFormation stacks response not found 1606: CloudFormation Deletion Policy in Use 1607: run 1608: ✔ should return unknown result if unable to list the CloudFormation stacks 1609: ✔ should return passing result if unable to list CloudFormation stacks information 1610: ✔ should return unknown result if no CloudFormation stacks found in region 1611: ✔ should return passing result if deletion policy is used for CloudFormation stack 1612: ✔ should return failing result if deletion policy is not used for CloudFormation stack 1613: cloudformationInUse 1614: run 1615: ✔ should PASS if Amazon CloudFormation service is currently in use 1616: ✔ should FAIL if Amazon CloudFormation service is not currently in use 1617: ✔ should UNKNOWN if Unable to query CloudFormation stacks 1618: driftDetection 1619: run 1620: ✔ should PASS if CloudFormation stack is not in drifted state 1621: ✔ should FAIL if CloudFormation stack is in drifted state 1622: ✔ should PASS if no CloudFormation stacks found 1623: ✔ should UNKNOWN if unable to list stacks 1624: ✔ should not return any results if list stacks response not found 1625: plaintextParameters 1626: run 1627: ✔ should PASS if template does not contain any potentially-sensitive parameters 1628: ✔ should PASS if template contains any potentially-sensitive parameters but with NoEcho enabled 1629: ✔ should FAIL if template contains any potentially-sensitive parameters 1630: ✔ should PASS if no CloudFormation stacks found 1631: ✔ should UNKNOWN if unable to list stacks 1632: ✔ should UNKNOWN if unable to describe stacks 1633: ✔ should UNKNOWN if no CloudFormation stack details found 1634: ✔ should not return any results if list stacks response is not found 1635: stackFailedStatus 1636: run 1637: ✔ should PASS if CloudFormation stack is not in failed state 1638: ✔ should PASS if CloudFormation stack is in failed state for less than the failed hours limit 1639: ✔ should FAIL if CloudFormation stack is in failed state for more than the failed hours limit 1640: ✔ should PASS if no CloudFormation stacks found 1641: ✔ should UNKNOWN if unable to describe stacks 1642: ✔ should not return any results if describe stacks response is not found 1643: stackNotifications 1644: run 1645: ✔ should PASS if CloudFormation stack has SNS topic associated 1646: ✔ should FAIL if CloudFormation stack does not have SNS topic associated 1647: ✔ should PASS if no CloudFormation stacks found 1648: ✔ should UNKNOWN if No stack details found 1649: ✔ should UNKNOWN if unable to list stacks 1650: ✔ should UNKNOWN if unable to describe stacks 1651: ✔ should not return any results if list stacks response is not found 1652: stackTerminationProtection 1653: run 1654: ✔ should PASS if CloudFormation stack has SNS topic associated 1655: ✔ should FAIL if CloudFormation stack does not have SNS topic associated ... 1657: ✔ should UNKNOWN if No stack details found 1658: ✔ should UNKNOWN if unable to list stacks 1659: ✔ should UNKNOWN if unable to describe stacks 1660: ✔ should not return any results if list stacks response is not found 1661: cloudfrontCustomOriginHttpsOnly 1662: run 1663: ✔ should PASS if CloudFront distributions is using https only 1664: ✔ should PASS if CloudFront distributions has no origins 1665: ✔ should FAIL if CloudFront Distribution is not https only 1666: ✔ should PASS if no CloudFront distributions found 1667: ✔ should UNKNOWN if unable to list distributions 1668: cloudfrontFieldLevelEncryption 1669: run 1670: ✔ should PASS if distribution has field level encryption enabled 1671: ✔ should FAIL if distribution does not have field level encryption enabled 1672: ✔ should PASS if no CloudFront distributions found 1673: ✔ should UNKNOWN if unable to list distributions 1674: ✔ should not return any results if list distributions response not found 1675: cloudfrontGeoRestriction 1676: run 1677: ✔ should PASS if CloudFront distribution is whitelisting required geographic locations 1678: ✔ should PASS if Geo restriction feature is enabled within CloudFront distribution 1679: ✔ should FAIL if geo restriction is not enabled within CloudFront distribution 1680: ✔ should FAIL if CloudFront distribution does not have required locations whitelisted 1681: ✔ should PASS if no CloudFront distributions found 1682: ✔ should UNKNOWN if unable to query for CloudFront distributions 1683: ✔ should not return any results if list distributions response not found 1684: cloudfrontHttpsOnly 1685: run 1686: ✔ should PASS if CloudFront distribution is set to use HTTPS only 1687: ✔ should PASS if CloudFront distribution is configured to redirect non-HTTPS traffic to HTTPS 1688: ✔ should FAIL if CloudFront distribution is not configured to use HTTPS 1689: ✔ should PASS if no CloudFront distributions found 1690: ✔ should UNKNOWN if unable to list distributions 1691: ✔ should not return any results if list distributions response not found 1692: cloudfrontInUse 1693: run 1694: ✔ should PASS if AWS CloudFront service is in use 1695: ✔ should FAIL if CloudFront service is not in use 1696: ✔ should UNKNOWN if unable to list distributions 1697: ✔ should not return any results if list distributions response not found 1698: cloudfrontLoggingEnabled 1699: run 1700: ✔ should PASS if Request logging is enabled 1701: ✔ should FAIL if Request logging is not enabled 1702: ✔ should PASS if no CloudFront distributions found 1703: ✔ should UNKNOWN if unable to list distributions 1704: ✔ should UNKNOWN if unable to get distributions 1705: ✔ should not return any results if list distributions response not found 1706: cloudfrontOriginTLSVersion 1707: run 1708: ✔ should PASS if CloudFront distributions custom origin TLS version is not deprecated 1709: ✔ should PASS if CloudFront distributions has no origins 1710: ✔ should FAIL if CloudFront Distribution custom origin TLS version is deprecated 1711: ✔ should PASS if no CloudFront distributions found 1712: ✔ should UNKNOWN if unable to list distributions 1713: cloudfrontTLSVersion 1714: run 1715: ✔ should PASS if CloudFront distributions TLS version is not deprecated 1716: ✔ should FAIL if CloudFront DistributionTLS version is deprecated 1717: ✔ should PASS if no CloudFront distributions found 1718: ✔ should UNKNOWN if unable to list distributions 1719: cloudfrontTLSWeakCipher 1720: run 1721: ✔ should PASS if CloudFront distributions TLS version is not weak cipher suite 1722: ✔ should FAIL if CloudFront Distribution TLS version is weak cipher suite 1723: ✔ should PASS if no CloudFront distributions found 1724: ✔ should UNKNOWN if unable to list distributions 1725: cloudfrontWafEnabled 1726: run 1727: ✔ should PASS if CloudFront distributions has WAF enabled 1728: ✔ should FAIL if CloudFront Distribution does not have WAF enabled 1729: ✔ should PASS if no CloudFront distributions found 1730: ✔ should UNKNOWN if unable to list distributions 1731: ✔ should not return any results if list distributions response not found 1732: compressObjectsAutomatically 1733: run 1734: ✔ should PASS if CloudFront web distribution is currently configured to compress files (objects) automatically 1735: ✔ should FAIL if CloudFront web distribution is currently configured to compress files (objects) automatically. 1736: ✔ should PASS if no CloudFront distributions found 1737: ✔ should UNKNOWN if unable to list distributions 1738: ✔ should not return any results if list distributions response not found 1739: enableOriginFailOver 1740: run 1741: ✔ should PASS if CloudFront distribution have origin failover enabled. 1742: ✔ should FAIL if CloudFront distribution does not have origin failover enabled. 1743: ✔ should PASS if no CloudFront distributions found 1744: ✔ should UNKNOWN if query for CloudFront distributions 1745: ✔ should not return any results if list distributions response not found 1746: insecureProtocols 1747: run 1748: ✔ should PASS if Distribution is not configured for SSL delivery 1749: ✔ should PASS if Distribution is using secure default certificate 1750: ✔ should FAIL if Distribution is using the insecure default CloudFront TLS certificate 1751: ✔ should FAIL if Distribution is using insecure SSLv3 1752: ✔ should FAIL if Distribution is using insecure TLSv1.0 1753: ✔ should FAIL if Distribution is using insecure TLSv1_2016 1754: ✔ should PASS if Distribution is using secure TLSv1.1_2016 1755: ✔ should PASS if Distribution is using secure TLSv1.2_2018 1756: ✔ should PASS if no CloudFront distributions found 1757: ✔ should UNKNOWN if unable to list distributions 1758: ✔ should not return any results if list distributions response not found 1759: publicS3Origin 1760: run 1761: ✔ should PASS if CloudFront distribution origin is not setup without an origin access identity 1762: ✔ should FAIL if CloudFront CloudFront distribution is using an S3 origin without an origin access identity 1763: ✔ should PASS if no CloudFront distributions found 1764: ✔ should UNKNOWN if unable to list distributions 1765: ✔ should not return any results if list distributions response not found 1766: secureOrigin 1767: run 1768: ✔ should PASS if CloudFront origin is using https-only 1769: ✔ should WARN if CloudFront origin is using match-viewer 1770: ✔ should FAIL if CloudFront origin is using http-only 1771: ✔ should FAIL if CloudFront origin is using SSLv3 and TLSv1 protocols 1772: ✔ should FAIL if CloudFront origin is using SSLv3 protocols 1773: ✔ should WARN if CloudFront origin is using TLSv1 protocol 1774: ✔ should PASS if no CloudFront distributions found 1775: ✔ should UNKNOWN if unable to list distributions 1776: ✔ should not return any results if list distributions response not found 1777: cloudtrailBucketAccessLogging 1778: run 1779: ✔ should PASS if bucket has S3 access logs enabled 1780: ✔ should WARN if bucket has S3 access logs disabled 1781: ✔ should FAIL if Unable to locate S3 bucket, it may have been deleted 1782: ✔ should PASS if no S3 bucket to check 1783: ✔ should UNKNOWN if unable to query for trails 1784: ✔ should UNKNOWN if unable to query for bucket policy 1785: ✔ should PASS if bucket gets whitelisted 1786: cloudtrailBucketDelete 1787: run 1788: ✔ should PASS if bucket has MFA delete enabled 1789: ✔ should WARN if bucket has MFA delete enabled 1790: ✔ should FAIL if Unable to locate S3 bucket, it may have been deleted 1791: ✔ should PASS if no S3 bucket to check 1792: ✔ should UNKNOWN if unable to query for trails 1793: ✔ should UNKNOWN if unable to query for bucket policy 1794: ✔ should PASS if bucket gets whitelisted 1795: cloudtrailBucketPrivate 1796: run 1797: ✔ should PASS if bucket does not allow global access 1798: ✔ should FAIL if bucket allows global access 1799: ✔ should FAIL if Unable to locate S3 bucket, it may have been deleted 1800: ✔ should PASS if no S3 bucket to check 1801: ✔ should UNKNOWN if unable to query for trails 1802: ✔ should UNKNOWN if unable to query for bucket policy 1803: ✔ should PASS if bucket gets whitelisted 1804: cloudtrailDataEvents 1805: run 1806: ✔ should PASS if CloudTrail trail has data events configured 1807: ✔ should FAIL if CloudTrail trail does not have data events configured 1808: ✔ should PASS if no CloudTrail trails found 1809: ✔ should UNKNOWN if unable to query trails 1810: ✔ should not return any results describe trail response not found 1811: cloudtrailDeliveryFailing 1812: run 1813: ✔ should PASS if logs for CloudTrail trail are being delivered 1814: ✔ should PASS if CloudTrail trail is set to pass without checking logs delivery status 1815: ✔ should FAIL if logs for CloudTrail trail are not being delivered 1816: ✔ should FAIL if CloudTrail is not enabled 1817: ✔ should UNKNOWN if unable to describe CloudTrail trails 1818: ✔ should UNKNOWN if unable to get CloudTrail trail status 1819: ✔ should not return anything if describe CloudTrail trails response not found 1820: cloudtrailEnabled 1821: run 1822: ✔ should PASS if CloudTrail is enabled and monitoring regional and global services 1823: ✔ should PASS if CloudTrail is configured and enabled to monitor global services 1824: ✔ should PASS if CloudTrail is enabled and monitoring regional services 1825: ✔ should FAIL if CloudTrail is configured for regional monitoring but is not logging API calls 1826: ✔ should FAIL if CloudTrail is configured for regional monitoring but is not logging API calls 1827: ✔ should FAIL if CloudTrail is not enabled 1828: ✔ should FAIL if CloudTrail is not configured to monitor global services 1829: ✔ should UNKNOWN if unable to query for trails 1830: cloudtrailEncryption 1831: run 1832: ✔ should PASS if CloudTrail encryption is enabled 1833: ✔ should FAIL if CloudTrail encryption is not enabled 1834: ✔ should FAIL if no CloudTrail is not enabled 1835: ✔ should UNKNOWN if unable to query for trails 1836: ✔ should not return any results if describe CloudTrail response not found 1837: cloudtrailFileValidation 1838: run 1839: ✔ should PASS if CloudTrail log file validation is enabled 1840: ✔ should FAIL if CloudTrail log file validation is not enabled 1841: ✔ should FAIL if no CloudTrail is not enabled 1842: ✔ should UNKNOWN if unable to query for trails 1843: ✔ should not return any results if describe CloudTrail response not found 1844: cloudtrailHasTags 1845: run 1846: ✔ should UNKNOWN if unable to query for trails 1847: ✔ should Passing result if cloud trail is not enabled 1848: ✔ should Unknown result if unable to query listTags 1849: ✔ should Failing result if trails have no tags 1850: ✔ should Passing result if trails have tags 1851: cloudtrailManagementEvents 1852: run 1853: ✔ should PASS if CloudTrail trail is configured to log management events 1854: ✔ should FAIL if CloudTrail trail is not configured to log management events 1855: ✔ should FAIL if CloudTrail is not enabled 1856: ✔ should UNKNOWN if unable to query for trails 1857: ✔ should UNKNOWN if unable to query for event selectors 1858: ✔ should not return any results describe trails response not found 1859: cloudtrailNotificationsEnabled 1860: run 1861: ✔ should PASS if CloudTrail trail is using active SNS topic 1862: ✔ should FAIL if CloudTrail trail has no SNS topic attached 1863: ✔ should PASS if no trail found 1864: ✔ should UNKNOWN if unable to query for CloudTrail trails 1865: ✔ should UNKNOWN if unable to list SNS topics 1866: ✔ should UNKNOWN if unable to query for SNS topic attributes 1867: cloudtrailObjectLock 1868: run 1869: ✔ should PASS if object lock is enabled for s3 bucket 1870: ✔ should FAIL if object lock configuration does not exist for s3 bucket 1871: ✔ should FAIL if CloudTrail...