Tenable Cloud Security Policies

| ID | Name | CSP | Domain | Severity |
|---|---|---|---|---|
| AC_K8S_0101 | Minimize access to secrets | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0102 | Ensure impersonate access to Kubernetes resources is minimized in Kubernetes Role | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0103 | Minimize access to create pods | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0104 | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0105 | Ensure use of creating Kubernetes rolebindings and attaching Kubernetes roles is minimized in Kubernetes Role | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0106 | Ensure that the cluster-admin role is only used where required | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0107 | Ensure pod/attach create roles are minimized in Kubernetes cluster in Kubernetes Role | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0108 | Ensure Kubernetes rolebindings with get and patch Kubernetes roles are minimized in Kubernetes Role | Kubernetes | Identity and Access Management | MEDIUM |
| AC_K8S_0109 | Ensure that the --secure-port argument is not set to 0 | Kubernetes | Infrastructure Security | HIGH |
| AC_K8S_0110 | Ensure that the Tiller Service (Helm v2) is not deployed for Kubernetes service | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0111 | Ensure for exposing Kubernetes workload to the internet, NodePort service is not used | Kubernetes | Infrastructure Security | LOW |
| AC_K8S_0112 | Ensure the use of externalIPs is restricted for Kubernetes service | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0113 | Ensure that default service accounts are not actively used | Kubernetes | Identity and Access Management | MEDIUM |
| AC_K8S_0114 | Ensure the use of selector is enforced for Kubernetes Ingress or LoadBalancer service | Kubernetes | Infrastructure Security | LOW |
| AC_K8S_0115 | Ensure security context is applied to pods and containers with SELinux configured | Kubernetes | Security Best Practices | MEDIUM |
| AC_K8S_0116 | Ensure Kubernetes Network policy attached to a pod have Ingress/Egress blocks specified | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0117 | Ensure Kubernetes NetworkPolicy object is defined for every Kubernetes Namespace | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0118 | Ensure overly broad host configuration is not allowed for Istio Gateway | Kubernetes | Infrastructure Security | HIGH |
| AC_K8S_0119 | Ensure protocols are explicitly declared where possible for Istio Services | Kubernetes | Security Best Practices | MEDIUM |
| AC_K8S_0120 | Ensure large virtual services are split into multiple resources for Istio Virtual Services | Kubernetes | Security Best Practices | LOW |
| AC_K8S_0121 | Ensure default-deny patterns are defined for Istio Authorization Policy | Kubernetes | Infrastructure Security | HIGH |
| AC_K8S_0122 | Ensure DENY-with-negative-matching exist for Istio Authorization Object | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0123 | Ensure TLS verification is enabled in Istio Destination Rules | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0124 | Ensure envoy proxies are not configured in permissive mode in Istio Peer Authentication | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0125 | Ensure kernel level call configurations are not vulnerable to CVE-2022-0811 in all Kubernetes workloads | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0126 | Ensure Kubernetes hot-patch daemonset for Log4j2 is applied | Kubernetes | Configuration and Vulnerability Analysis | HIGH |
| AC_K8S_0127 | Ensure metadata annotations are restricted in an Ingress object | Kubernetes | Infrastructure Security | HIGH |
| AC_K8S_0128 | Minimize the admission of containers with added capabilities | Kubernetes | Compliance Validation | MEDIUM |
| AC_K8S_0129 | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | Compliance Validation | MEDIUM |
| AC_K8S_0130 | Ensure that the --profiling argument is set to false | Kubernetes | Compliance Validation | MEDIUM |
| AC_K8S_0131 | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | Compliance Validation | MEDIUM |