ROAR — Findings by Domain
AiVRIC Organization
Consolidated Findings Table
All failed security checks across AWS, Azure, Kubernetes, and GitHub (showing 30 of 894 total findings)
| # | Severity | Check ID | Description | Provider | Service | Resources | Status |
|---|---|---|---|---|---|---|---|
| 1 | Critical | iam_root_hardware_mfa_enabled | Root account does not have hardware MFA enabled | AWS | IAM | 1 | FAIL |
| 2 | Critical | iam_root_credentials_usage | Root account access key is active and should be removed | AWS | IAM | 1 | FAIL |
| 3 | Critical | ec2_instance_secrets_userdata | EC2 instance i-0a1b2c3d has JWT token in user data | AWS | EC2 | 1 | FAIL |
| 4 | Critical | github_org_mfa_required | Organization does not require MFA for all members | GitHub | Organization | 1 | FAIL |
| 5 | Critical | github_branch_protection | Repository aivric-defense has no branch protection rules | GitHub | Repository | 12 | FAIL |
| 6 | High | s3_bucket_public_access_block | S3 bucket lacks public access block configuration | AWS | S3 | 3 | FAIL |
| 7 | High | iam_role_cross_account_trust | IAM role allows confused deputy cross-account access | AWS | IAM | 9 | FAIL |
| 8 | High | iam_root_credentials_management | Root account credentials are not properly managed | AWS | IAM | 1 | FAIL |
| 9 | High | vm_disk_cmk_encryption | VM OS disk is not encrypted with customer-managed key | Azure | Compute | 6 | FAIL |
| 10 | High | storage_cmk_encryption | Storage account not encrypted with customer-managed key | Azure | Storage | 3 | FAIL |
| 11 | High | storage_shared_key_disabled | Storage account allows shared key access | Azure | Storage | 3 | FAIL |
| 12 | High | nsg_http_inbound_access | NSG allows unrestricted HTTP inbound access | Azure | Network | 2 | FAIL |
| 13 | High | network_flow_logs_enabled | Network flow logs are not enabled for VNet | Azure | Network | 2 | FAIL |
| 14 | High | rbac_cluster_admin_wildcard | ClusterRole cluster-admin uses RBAC wildcard permissions | K8s | RBAC | 1 | FAIL |
| 15 | High | rbac_cluster_admin_wildcard | ClusterRole argocd-server uses RBAC wildcard permissions | K8s | RBAC | 1 | FAIL |
| 16 | High | rbac_cluster_admin_wildcard | ClusterRole gatekeeper-manager uses wildcard permissions | K8s | RBAC | 1 | FAIL |
| 17 | High | rbac_cluster_admin_wildcard | ClusterRole istio-pilot uses RBAC wildcard permissions | K8s | RBAC | 1 | FAIL |
| 18 | High | rbac_cluster_admin_wildcard | ClusterRole prowler-scanner uses wildcard permissions | K8s | RBAC | 1 | FAIL |
| 19 | High | rbac_cluster_admin_wildcard | ClusterRole prometheus-operator uses wildcard permissions | K8s | RBAC | 1 | FAIL |
| 20 | High | github_repo_secret_scanning | Repository aivric-defense has no secret scanning enabled | GitHub | Repository | 12 | FAIL |
| 21 | Medium | vpc_flow_logs_enabled | VPC flow logs are disabled for vpc-0a1b2c3d | AWS | VPC | 3 | FAIL |
| 22 | Medium | ec2_subnet_public_ip_auto | Subnet auto-assigns public IP addresses | AWS | EC2 | 4 | FAIL |
| 23 | Medium | securityhub_enabled | AWS Security Hub is not enabled in the account | AWS | SecurityHub | 1 | FAIL |
| 24 | Medium | cloudtrail_log_validation | CloudTrail trail does not have log validation enabled | AWS | CloudTrail | 1 | FAIL |
| 25 | Medium | rds_instance_encryption | RDS instance is not encrypted at rest | AWS | RDS | 2 | FAIL |
| 26 | Medium | kms_key_rotation_enabled | KMS key does not have automatic rotation enabled | AWS | KMS | 3 | FAIL |
| 27 | Medium | storage_soft_delete_enabled | Blob soft delete is not enabled on storage account | Azure | Storage | 3 | FAIL |
| 28 | Low | iam_password_policy_length | Password policy minimum length is below 14 characters | AWS | IAM | 1 | FAIL |
| 29 | Low | cloudwatch_log_group_retention | CloudWatch log group has no retention policy set | AWS | CloudWatch | 5 | FAIL |
| 30 | Low | s3_bucket_versioning_enabled | S3 bucket versioning is not enabled | AWS | S3 | 2 | FAIL |

Total failed findings (showing 30 of 894): 16 Critical · 604 High · 217 Medium · 57 Low