This is a custom database of cloud infrastructure security rules that CodeAnt AI scans for in any given infrastructure. Every policy in this database explains why it matters, what the impact is if it is violated, and how to implement a fix for it.
Alibaba Cloud OSS bucket accessible to public
Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
Ensure ActionTrail logging is enabled for all regions
Ensure ActionTrail logging is enabled for all events
Ensure OSS bucket is encrypted with Customer Master Key
Ensure disk is encrypted
Ensure disk is encrypted with Customer Master Key
Ensure database instance is not public
Ensure OSS bucket has versioning enabled
Ensure OSS bucket has transfer acceleration enabled
Ensure the OSS bucket has access logging enabled
Ensure RAM password policy requires minimum length of 14 or greater
Ensure RAM password policy requires at least one number
Ensure RAM password policy requires at least one symbol
Ensure RAM password policy expires passwords within 90 days or less
Ensure RAM password policy requires at least one lowercase letter
Ensure RAM password policy prevents password reuse
Ensure RAM password policy requires at least one uppercase letter
Ensure RDS instance uses SSL
Ensure API Gateway API protocol is HTTPS
Ensure Transparent Data Encryption is Enabled on instance
Ensure RAM account password policy limits maximum login attempts to 5 or fewer
Ensure RAM enforces MFA
Ensure RDS instance SQL collector retention period is greater than 180 days
Ensure Kubernetes installs the Terway or Flannel plugin to support standard policies
Ensure KMS Key Rotation is enabled
Ensure KMS Keys are enabled
Alibaba ALB ACL does not restrict Access
Ensure RDS instance auto upgrades for minor versions
Ensure K8s nodepools are set to auto repair
Ensure launch template data disks are encrypted
Ensure Alibaba Cloud cipher policy is secure
Ensure RDS instance has log_duration enabled
Ensure RDS instance has log_disconnections enabled
Ensure RDS instance has log_connections enabled
Ensure log audit is enabled for RDS
Ensure MongoDB is deployed inside a VPC
Ensure MongoDB instance uses SSL
Ensure MongoDB instance is not public
Ensure MongoDB has Transparent Data Encryption Enabled
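The two Alibaba security-group rules above, and the AWS security-group and NACL rules later in this list, all test one condition: a rule whose source is the whole internet and whose port range reaches a sensitive port, or every port. The evaluator below is an added illustration of that check and is not CodeAnt AI's own code; the rule shape (`IngressRule`), the port list and the sample rules are constructed for the example. It also handles the cases a naive "port == 22" comparison misses: a wide port range that silently contains 3389, the IPv6 catch-all `::/0`, and protocol `-1`.

```python
"""Open-ingress evaluator for security group and NACL style rules.

Added example, not CodeAnt AI's own code. It implements the condition behind
the "no ingress from 0.0.0.0/0 to port 22 / 3389 / 80 / -1" policies above:
a rule is a violation when its source prefix is the whole internet (IPv4 or
IPv6) and its port range contains a sensitive port or covers all ports.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Ports the policies above single out; "-1" (all ports) is handled separately.
SENSITIVE_PORTS = {20: "FTP-data", 21: "FTP", 22: "SSH", 80: "HTTP", 3389: "RDP"}
# Both catch-all prefixes count as "anywhere"; a /8 or a single host does not.
ANYWHERE = (ip_network("0.0.0.0/0"), ip_network("::/0"))


@dataclass(frozen=True)
class IngressRule:
    name: str
    protocol: str   # "tcp", "udp" or "-1" for all protocols
    from_port: int  # ignored when protocol == "-1"
    to_port: int
    cidr: str       # source prefix, e.g. "0.0.0.0/0", "::/0", "10.0.0.0/8"


def is_world_open(cidr: str) -> bool:
    """True only for 0.0.0.0/0 and ::/0 (strict=False tolerates host bits set)."""
    return ip_network(cidr, strict=False) in ANYWHERE


def covers_all_ports(rule: IngressRule) -> bool:
    """Protocol -1, or an explicit 0-65535 range, exposes every port."""
    return rule.protocol == "-1" or (rule.from_port, rule.to_port) == (0, 65535)


def exposed_ports(rule: IngressRule) -> list:
    """Sensitive ports that fall inside the rule's port range, ascending."""
    return [p for p in sorted(SENSITIVE_PORTS) if rule.from_port <= p <= rule.to_port]


def evaluate(rules) -> list:
    """One finding per violated policy, in rule order; scoped rules produce none."""
    findings = []
    for rule in rules:
        if not is_world_open(rule.cidr):
            continue
        if covers_all_ports(rule):
            findings.append(f"{rule.name}: allows ALL ports from {rule.cidr}")
            continue  # subsumes every per-port finding below
        for port in exposed_ports(rule):
            findings.append(f"{rule.name}: allows {SENSITIVE_PORTS[port]} ({port}) from {rule.cidr}")
    return findings


# Constructed sample rules for this example (not taken from any real account).
SAMPLE_RULES = [
    IngressRule("bastion-ssh", "tcp", 22, 22, "203.0.113.0/24"),  # scoped source: fine
    IngressRule("ssh-anywhere", "tcp", 22, 22, "0.0.0.0/0"),      # violates the port-22 policy
    IngressRule("app-range-v6", "tcp", 3000, 4000, "::/0"),       # range silently contains 3389
    IngressRule("http-public", "tcp", 80, 80, "0.0.0.0/0"),       # violates the port-80 policy
    IngressRule("allow-all", "-1", 0, 0, "0.0.0.0/0"),            # violates the port -1 policy
    IngressRule("https-public", "tcp", 443, 443, "0.0.0.0/0"),    # 443 is not in the list: fine
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_RULES):
        print(finding)
```

The `app-range-v6` rule is the one worth noticing: nothing in it mentions 3389, yet it exposes RDP to every IPv6 address, which is why the check must test range containment rather than exact port equality.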
Ensure that certificate validation isn't disabled with uri
Ensure that certificate validation isn't disabled with get_url
Ensure that certificate validation isn't disabled with yum
Ensure that SSL validation isn't disabled with yum
Ensure that packages with untrusted or missing signatures are not used
Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state
Ensure that HTTPS url is used with uri
Ensure that HTTPS url is used with get_url
Ensure block is handling task errors properly
Ensure that packages with untrusted or missing GPG signatures are not used by dnf
Ensure that SSL validation isn't disabled with dnf
Ensure that certificate validation isn't disabled with dnf
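The Ansible policies above all reduce to inspecting module arguments in a parsed playbook. The linter below is an added example, not CodeAnt AI's own code: it takes tasks in the form a YAML parser returns (a list of dicts, so no YAML library is needed), normalises `ansible.builtin.*` module names, and flags `validate_certs`/`sslverify` turned off, plaintext `http://` URLs, `disable_gpg_check`, the apt module's `force` option, and a `block` without a `rescue`. Reading the "force parameter" policy as apt's `force` option is this example's interpretation; the sample tasks are constructed.

```python
"""Linter for the Ansible task policies listed above.

Added example, not CodeAnt AI's own code. Tasks arrive as the list of dicts
a YAML parser produces; booleans may be real bools or the strings YAML users
write ("no", "false"), so both spellings are accepted.
"""

# Modules the policies above talk about; FQCN forms (ansible.builtin.uri) are
# reduced to the short name before lookup.
WATCHED_MODULES = {"uri", "get_url", "yum", "dnf", "apt"}
# Keys that are task keywords rather than module names.
TASK_KEYWORDS = {"name", "when", "become", "become_user", "register", "loop",
                 "with_items", "tags", "vars", "block", "rescue", "always",
                 "ignore_errors", "changed_when", "failed_when", "delegate_to"}


def _is_off(value) -> bool:
    return value is False or str(value).strip().lower() in {"false", "no", "off", "0"}


def _is_on(value) -> bool:
    return value is True or str(value).strip().lower() in {"true", "yes", "on", "1"}


def module_of(task: dict):
    """Return (short module name, argument dict), or (None, {}) for other tasks."""
    for key, value in task.items():
        if key in TASK_KEYWORDS:
            continue
        short = key.rsplit(".", 1)[-1]
        if short in WATCHED_MODULES:
            return short, (value if isinstance(value, dict) else {})
    return None, {}


def lint_task(task: dict) -> list:
    label = task.get("name", "<unnamed task>")
    findings = []
    if "block" in task:
        if "rescue" not in task:
            # A failing task inside the block aborts the play with nothing handled.
            findings.append(f"{label}: block has no rescue section")
        for sub in task["block"]:
            findings.extend(lint_task(sub))
        return findings
    module, args = module_of(task)
    if module is None:
        return findings
    if module in {"uri", "get_url"}:
        if str(args.get("url", "")).lower().startswith("http://"):
            findings.append(f"{label}: {module} fetches over plaintext HTTP")
        if _is_off(args.get("validate_certs", True)):
            findings.append(f"{label}: {module} disables certificate validation")
    elif module in {"yum", "dnf"}:
        if _is_off(args.get("validate_certs", True)):
            findings.append(f"{label}: {module} disables certificate validation")
        if _is_off(args.get("sslverify", True)):
            findings.append(f"{label}: {module} disables SSL validation (sslverify)")
        if _is_on(args.get("disable_gpg_check", False)):
            findings.append(f"{label}: {module} installs packages without GPG signature checks")
    elif module == "apt" and _is_on(args.get("force", False)):
        findings.append(f"{label}: apt force disables signature validation and allows downgrades")
    return findings


def lint_playbook(tasks: list) -> list:
    return [finding for task in tasks for finding in lint_task(task)]


# Constructed playbook fragment (already parsed) for this example.
SAMPLE_TASKS = [
    {"name": "fetch installer",
     "ansible.builtin.get_url": {"url": "http://mirror.internal/app.tgz",
                                 "dest": "/tmp/app.tgz", "validate_certs": False}},
    {"name": "health check",
     "uri": {"url": "https://app.internal/health", "validate_certs": "no"}},
    {"name": "install from mirror",
     "dnf": {"name": "nginx", "sslverify": False, "disable_gpg_check": True}},
    {"name": "pin old package", "apt": {"name": "openssl=1.1.1", "force": True}},
    {"name": "safe install", "yum": {"name": "curl", "state": "present"}},
    {"name": "deploy", "block": [
        {"name": "restart", "ansible.builtin.service": {"name": "nginx", "state": "restarted"}}]},
]

if __name__ == "__main__":
    for finding in lint_playbook(SAMPLE_TASKS):
        print(finding)
```

The `health check` task shows why the string spellings matter: `validate_certs: "no"` is quoted, so a parser hands it over as a string rather than a boolean, and a checker that only tests `is False` would pass it.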
Ensure Workflow pods are not using the default ServiceAccount
Ensure Workflow pods are running as non-root user
Ensure IAM policies that allow full '*:*' administrative privileges are not created
Ensure ALB protocol is HTTPS
Ensure all data stored in the EBS is securely encrypted
Ensure all data stored in the Elasticsearch is securely encrypted at rest
Ensure all Elasticsearch has node-to-node encryption enabled
Ensure rotation for customer created CMKs is enabled
Ensure all data stored in the Launch configuration EBS is securely encrypted
Ensure IAM password policy expires passwords within 90 days or less
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one number
Ensure IAM password policy prevents password reuse
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one uppercase letter
Ensure all data stored in the RDS is securely encrypted at rest
Ensure all data stored in RDS is not publicly accessible
Ensure the S3 bucket has access logging enabled
Ensure the S3 bucket has server-side-encryption enabled
Ensure the S3 bucket does not allow READ permissions to everyone
Ensure the S3 bucket has versioning enabled
Ensure SageMaker Notebook is encrypted at rest using KMS CMK
Ensure every security group rule has a description
Ensure all data stored in the SNS topic is encrypted
Ensure all data stored in the SQS queue is encrypted
Ensure DynamoDB point in time recovery (backup) is enabled
Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest
Ensure all data stored in the ElastiCache Replication Group is securely encrypted in transit
Ensure all data stored in the ElastiCache Replication Group is securely encrypted in transit and has an auth token
Ensure ECR policy is not set to public
Ensure KMS key policy does not contain wildcard (*) principal
Ensure CloudFront Distribution ViewerProtocolPolicy is set to HTTPS
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure CloudTrail log file validation is enabled
Ensure Amazon EKS control plane logging is enabled for all log types
Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0
Ensure Amazon EKS public endpoint disabled
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)
Ensure no hard coded AWS access key and secret key exists in provider
Ensure EFS is securely encrypted
Ensure Kinesis Stream is securely encrypted
Ensure Neptune storage is securely encrypted
Ensure no hard-coded secrets exist in Lambda environment
Ensure no hard-coded secrets exist in EC2 user data
Ensure DAX is encrypted at rest (default is unencrypted)
Ensure MQ Broker logging is enabled
Ensure no IAM policies documents allow '*' as a statement's actions
Ensure X-Ray tracing is enabled for Lambda
Ensure ECR Image Tags are immutable
Ensure S3 bucket has block public ACLs enabled
Ensure S3 bucket has block public policy enabled
Ensure S3 bucket has ignore public ACLs enabled
Ensure S3 bucket has RestrictPublicBuckets enabled
Ensure the S3 bucket does not allow WRITE permissions to everyone
Ensure EKS Cluster has Secrets Encryption Enabled
Ensure there is no open access to back-end resources through API
Ensure IAM role allows only specific services or principals to assume it
Ensure AWS IAM policy does not allow assume role permission across all services
Ensure IAM policies that allow full '*:*' administrative privileges are not created
Ensure all data stored in the Redshift cluster is securely encrypted at rest
Ensure container insights are enabled on ECS cluster
Ensure that CloudWatch Log Group specifies retention days
Ensure CloudTrail is enabled in all Regions
CloudFront Distribution should have WAF enabled
Ensure Amazon MQ Broker should not have public access
Ensure S3 bucket does not allow an action with any Principal
Ensure Redshift Cluster logging is enabled
Ensure SQS policy does not allow ALL (*) actions
Ensure API Gateway has X-Ray Tracing enabled
Ensure DocumentDB is encrypted at rest (default is unencrypted)
Ensure Global Accelerator accelerator has flow logs enabled
Ensure API Gateway has Access Logging enabled
Ensure Athena Database is encrypted at rest (default is unencrypted)
Ensure that CodeBuild Project encryption is not disabled
Ensure Instance Metadata Service Version 1 is not enabled
Ensure MSK Cluster logging is enabled
Ensure MSK Cluster encryption at rest and in transit is enabled
Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption
Ensure Elasticsearch Domain enforces HTTPS
Ensure Elasticsearch Domain Logging is enabled
Ensure DocumentDB Logging is enabled
Ensure CloudFront Distribution has Access Logging enabled
Ensure Redshift cluster is not publicly accessible
Ensure EC2 instance does not have a public IP
Ensure DMS replication instance is not publicly accessible
Ensure DocumentDB TLS is not disabled
Ensure the ELBv2 (Application/Network) has access logging enabled
Ensure the ELB has access logging enabled
Ensure S3 bucket policy does not lock out all but the root user (prevents lockouts that need root-account fixes)
Ensure Glue Data Catalog Encryption is enabled
Ensure API Gateway V2 has Access Logging enabled
Ensure all data stored in Aurora is securely encrypted at rest
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions
Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest
Ensure Glue Security Configuration Encryption is enabled
Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0
Ensure Neptune logging is enabled
Ensure Neptune Cluster instance is not publicly available
Ensure that Load Balancer Listener is using at least TLS v1.2
Ensure DocumentDB has audit logs enabled
Ensure Redshift uses SSL
Ensure EBS default encryption is enabled
Ensure IAM policies do not allow credentials exposure
Ensure IAM policies do not allow data exfiltration
Ensure IAM policies do not allow permissions management without constraints
Ensure IAM policies do not allow privilege escalation
Ensure IAM policies do not allow write access without constraints
Ensure Session Manager data is encrypted in transit
Ensure Session Manager logs are enabled and encrypted
Ensure that EMR clusters with Kerberos have Kerberos Realm set
Ensure that AWS Lambda function is configured for function-level concurrent execution limit
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
Ensure that AWS Lambda function is configured inside a VPC
Ensure that enhanced monitoring is enabled for Amazon RDS instances
Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK
Ensure API Gateway caching is enabled
Ensure AWS Config is enabled in all regions
Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance
Ensure that VPC Endpoint Service is configured for Manual Acceptance
Ensure that CloudFormation stacks are sending event notifications to an SNS topic
Ensure that detailed monitoring is enabled for EC2 instances
Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager
Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled
Ensure VPC subnets do not assign public IP by default
Ensure that ALB drops HTTP headers
Ensure that RDS instances have a backup policy
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on
Ensure that EC2 is EBS optimized
Ensure that ECR repositories are encrypted using KMS
Ensure that Elasticsearch is configured inside a VPC
Ensure that ELB has cross-zone load balancing enabled
Ensure that RDS clusters have deletion protection enabled
Ensure that RDS global clusters are encrypted
Ensure that Redshift cluster allows version upgrade by default
Ensure that Redshift cluster is encrypted by KMS
Ensure that S3 bucket has lock configuration enabled by default
Ensure that S3 bucket has cross-region replication enabled
Ensure that S3 buckets are encrypted with KMS by default
Ensure that RDS database cluster snapshot is encrypted
Ensure that CodeBuild projects are encrypted using CMK
Ensure no default VPC is planned to be provisioned
Ensure that Secrets Manager secret is encrypted using KMS CMK
Ensure that Load Balancer has deletion protection enabled
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
Autoscaling groups should supply tags to launch configurations
Ensure Redshift is not deployed outside of a VPC
Ensure that Workspace user volumes are encrypted
Ensure that Workspace root volumes are encrypted
Ensure that RDS instances have Multi-AZ enabled
Ensure that CloudWatch Log Group is encrypted by KMS
Ensure that Athena Workgroup is encrypted
Ensure that Timestream database is encrypted with KMS CMK
Ensure RDS database has IAM authentication enabled
Ensure RDS cluster has IAM authentication enabled
Ensure ECR image scanning on push is enabled
Ensure Transfer Server is not exposed publicly
Ensure DynamoDB global table point in time recovery (backup) is enabled
Ensure Backup Vault is encrypted at rest using KMS CMK
Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it
Ensure SQS queue policy is not public by only allowing specific services or principals to access it
Ensure SNS topic policy is not public by only allowing specific services or principals to access it
Ensure QLDB ledger permissions mode is set to STANDARD
Ensure EMR Cluster security configuration encryption is using SSE-KMS
Ensure QLDB ledger has deletion protection enabled
Check encryption settings for Lambda environment variables
Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
Ensure WAF has associated rules
Ensure Logging is enabled for WAF Web Access Control Lists
Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK)
Ensure FSx ONTAP file system is encrypted by KMS using a customer managed Key (CMK)
Ensure FSx Windows file system is encrypted by KMS using a customer managed Key (CMK)
Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK)
Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK)
Ensure DocumentDB is encrypted by KMS using a customer managed Key (CMK)
Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK)
Ensure resource is encrypted by KMS using a customer managed Key (CMK)
Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK)
Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)
Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)
Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
Ensure FSx Lustre file system is encrypted by KMS using a customer managed Key (CMK)
Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK)
Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228, aka Log4Shell
Ensure AppSync has Logging enabled
Ensure AppSync has Field-Level logs enabled
Ensure Glue component has a security configuration associated
Ensure no aws_elasticache_security_group resources exist
Ensure MQ Broker Audit logging is enabled
Ensure no aws_db_security_group resources exist
Ensure Image Builder Distribution Configuration encrypts AMIs using KMS with a customer managed Key (CMK)
Ensure that Image Recipe EBS disks are encrypted with CMK
Ensure MemoryDB is encrypted at rest using KMS CMKs
Ensure MemoryDB data is encrypted in transit
Ensure AMIs are encrypted using KMS CMKs
Ensure to Limit AMI launch Permissions
Ensure API Gateway Domain uses a modern security Policy
Ensure MQ Broker minor version updates are enabled
Ensure MQ Broker version is current
Ensure MQ broker encrypted by KMS using a customer managed Key (CMK)
Ensure Batch job does not define a privileged container
Ensure RDS uses a modern CA certificate
Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)
Ensure ELB Policy uses only secure protocols
Ensure AppSync API Cache is encrypted at rest
Ensure AppSync API Cache is encrypted in transit
Ensure CloudFront distribution is enabled
Ensure Create before destroy for API deployments
Ensure that CloudSearch is using latest TLS
Ensure CodePipeline Artifact store is using a KMS CMK
Ensure that CloudSearch is using https
Ensure CodeArtifact Domain is encrypted by KMS using a customer managed Key (CMK)
Ensure DMS replication instance gets all minor upgrades automatically
Ensure ECS Cluster enables logging of ECS Exec
Ensure ECS Cluster logging uses CMK
Ensure API Gateway method setting caching is enabled
Ensure DB instance gets all minor upgrades automatically
Ensure KMS key is enabled
Verify Elasticsearch domain is using an up to date TLS policy
Ensure no NACLs allow ingress from 0.0.0.0/0 to port 21
Ensure no NACLs allow ingress from 0.0.0.0/0 to port 20
Ensure no NACLs allow ingress from 0.0.0.0/0 to port 3389
Ensure no NACLs allow ingress from 0.0.0.0/0 to port 22
Ensure Create before destroy for ACM certificates
Verify logging preference for ACM certificates
Ensure that copied AMIs are encrypted
Ensure AMI copying uses a CMK
Ensure Create before destroy for API Gateway
Ensure that GuardDuty detector is enabled
Ensure DAX cluster endpoint is using TLS
Ensure Kinesis Firehose delivery stream is encrypted
Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK
Ensure MWAA environment has scheduler logs enabled
Ensure MWAA environment has worker logs enabled
Ensure MWAA environment has webserver logs enabled
Ensure replicated backups are encrypted at rest using KMS CMKs
Ensure RDS Cluster activity streams are encrypted using KMS CMKs
Ensure all data stored in the Elasticsearch is encrypted with a CMK
Ensure that Elasticsearch is not using the default Security Group
Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions
Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/)
Ensure CloudTrail logging is enabled
Ensure CloudTrail defines an SNS Topic
Ensure DLM cross region events are encrypted
Ensure DLM cross region events are encrypted with Customer Managed Key
Ensure DLM cross region schedules are encrypted
Ensure DLM cross region schedules are encrypted using a Customer Managed Key
Ensure CodeCommit branch changes have at least 2 approvals
Ensure that Lambda function URLs AuthType is not None
Ensure CloudFront response header policy enforces Strict Transport Security
Ensure no security groups allow ingress from 0.0.0.0/0 to port 80
Ensure HTTP/HTTPS target group defines a health check
Ensure Kendra index Server side encryption uses CMK
Ensure AppFlow flow uses CMK
Ensure AppFlow connector profile uses CMK
Ensure Keyspaces Table uses CMK
Ensure DB Snapshot copy uses CMK
Ensure that Comprehend Entity Recognizer's model is encrypted by KMS using a customer managed Key (CMK)
Ensure that Comprehend Entity Recognizer's volume is encrypted by KMS using a customer managed Key (CMK)
Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK
Ensure Connect Instance S3 Storage Config uses CMK
Ensure DynamoDB table replica KMS encryption uses CMK
Ensure AWS Lambda function is configured to validate code-signing
Ensure access is controlled through SSO and not AWS IAM defined users
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
Disallow policies from using the AWS AdministratorAccess policy
Ensure Data Trace is not enabled in API Gateway Method Settings
Ensure no security groups allow ingress from 0.0.0.0/0 to port -1 (all ports)
Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK)
Ensure Neptune snapshot is securely encrypted
Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK)
Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK)
Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK)
Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource
Ensure State Machine has X-Ray tracing enabled
Ensure State Machine has execution history logging enabled
Ensure IAM policies do not allow permissions management / resource exposure without constraints
Ensure MSK nodes are private
Ensure DocumentDB Global Cluster is encrypted at rest (default is unencrypted)
Ensure that AWS database instances have deletion protection enabled
Ensure CloudTrail Event Data Store uses CMK
Ensure DataSync Location Object Storage doesn't expose secrets
Ensure DMS endpoint uses Customer Managed Key (CMK)
Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK)
Ensure DMS S3 uses Customer Managed Key (CMK)
Ensure S3 lifecycle configuration sets period for aborting failed uploads
Ensure that AWS Lambda function is not publicly accessible
Ensure DB Snapshots are not Public
Ensure SSM documents are not Public
Ensure Secrets Manager secrets should be rotated within 90 days
Ensure CloudFront distribution has a default root object configured
Ensure SageMaker notebook instances should be launched into a custom VPC
Ensure SageMaker Users should not have root access to SageMaker notebook instances
Ensure API Gateway method setting caching is set to encrypted
Ensure API GatewayV2 routes specify an authorization type
Ensure CloudFront distributions should have origin failover configured
Ensure that CodeBuild S3 logs are encrypted
Ensure Elastic Beanstalk environments have enhanced health reporting enabled
Ensure RDS cluster configured to copy tags to snapshots
Ensure CodeBuild project environments have a logging configuration
Ensure EC2 Auto Scaling groups use EC2 launch templates
Ensure CodeBuild project environments do not have privileged mode enabled
Ensure Elasticsearch Domain Audit Logging is enabled
Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA
Ensure that CloudWatch alarm actions are enabled
Ensure Redshift clusters do not use the default database name
Ensure Redshift clusters use enhanced VPC routing
Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled
Ensure ElastiCache clusters do not use the default subnet group
Ensure that RDS Cluster log capture is enabled
Ensure that RDS Cluster audit logging is enabled for MySQL engine
Ensure that RDS Aurora Clusters have backtracking enabled
Ensure RDS Clusters are encrypted using KMS CMKs
Ensure that ALB is configured with defensive or strictest desync mitigation mode
EFS access points should enforce a root directory
EFS access points should enforce a user identity
Ensure Transit Gateways do not automatically accept VPC attachment requests
Ensure ECS Fargate services run on the latest Fargate platform version
Ensure ECS services do not have public IP addresses assigned to them automatically
Ensure ECS containers should run as non-privileged
Ensure ECS task definitions should not share the host's process namespace
Ensure ECS containers are limited to read-only access to root filesystems
Ensure SSM parameters are using KMS CMK
Ensure CloudWatch log groups retains logs for at least 1 year
Ensure EKS clusters run on a supported Kubernetes version
Ensure Elastic Beanstalk managed platform updates are enabled
Ensure Launch template should not have a metadata response hop limit greater than 1
Ensure WAF rule has an action defined
Ensure Amazon Redshift clusters should have automatic snapshots enabled
Ensure that Network firewalls have deletion protection enabled
Ensure that Network firewall encryption is via a CMK
Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK)
Ensure Neptune is encrypted by KMS using a customer managed Key (CMK)
Ensure IAM root user doesn't have access keys
Ensure EMR Cluster security configuration encrypts local disks
Ensure EMR Cluster security configuration encrypts EBS disks
Ensure EMR Cluster security configuration encrypts InTransit
Ensure NACL ingress does not allow all Ports
Ensure that RDS instances have performance insights enabled
Ensure RDS Performance Insights are encrypted using KMS CMKs
Ensure no IAM policies documents allow '*' as a statement's resource for restrictable actions
Ensure Transfer Server allows only secure protocols
Ensure GitHub Actions OIDC trust policies only allow actions from a specific known organization
Neptune DB clusters should have IAM database authentication enabled
Ensure DocumentDB has an adequate backup retention period
Ensure that Neptune DB cluster has automated backups enabled with adequate retention
Neptune DB clusters should be configured to copy tags to snapshots
Ensure Lambda Runtime is not deprecated
Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount
Ensure SES Configuration Set enforces TLS usage
Ensure that all NACLs are attached to subnets
Ensure that only encrypted EBS volumes are attached to EC2 instances
Ensure GuardDuty is enabled for the specified org/region
Ensure API Gateway stage have logging level defined as appropriate
Ensure that Security Groups are attached to another resource
Ensure that S3 bucket has a Public Access block
Ensure that Amazon EMR clusters' security groups are not open to the world
Ensure that RDS clusters are included in an AWS Backup plan
Ensure that EBS volumes are included in AWS Backup plans
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure VPC flow logging is enabled in all VPCs
Ensure the default security group of every VPC restricts all traffic
Ensure that IAM groups include at least one IAM user
Ensure that Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks
Ensure that Auto Scaling is enabled on your DynamoDB tables
Ensure that Elastic File System (Amazon EFS) file systems are included in AWS Backup plans
Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances
Ensure that ALB redirects HTTP requests into HTTPS ones
Ensure that all IAM users are members of at least one IAM group
Ensure an IAM User does not have access to the console
Ensure Route53 A record has an attached resource
Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled
Ensure public-facing ALBs are protected by WAF
Ensure public API Gateways are protected by WAF
Ensure Postgres RDS as aws_db_instance has Query Logging enabled
Ensure WAF2 has a Logging Configuration
Ensure CloudFront distribution has a response headers policy attached
Ensure AppSync is protected by WAF
AWS SSM Parameter should be Encrypted
AWS NAT Gateways should be utilized for the default route
Ensure terraform is not sending SSM secrets to untrusted domains over HTTP
Ensure CodeCommit associates an approval rule
Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones
Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones
Ensure AWS IAM policy does not allow full IAM privileges
Ensure an IAM role is attached to EC2 instance
Ensure AWS CloudFront distribution uses custom SSL certificate
Ensure S3 Bucket does not allow access to all Authenticated users
Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic
Ensure AWS Config recorder is enabled to record all supported resources
Ensure AWS CloudFront distributions with S3 origins have origin access enabled
Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
Ensure AWS Config must record all possible resources
Ensure AWS Database Migration Service endpoints have SSL configured
Ensure AWS ElastiCache Redis cluster has Multi-AZ automatic failover enabled
Ensure AWS API Gateway endpoints use client certificate authentication
Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled
Ensure AWS API gateway request is validated
Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication
Ensure AWS EMR cluster is configured with security configuration
Ensure AWS Managed IAMFullAccess IAM policy is not used
Ensure Secrets Manager secrets should have automatic rotation enabled
Ensure AWS Neptune cluster deletion protection is enabled
Ensure ElasticSearch/OpenSearch has dedicated master node enabled
Ensure RDS instance has copy tags to snapshots enabled
Ensure that an S3 bucket has a lifecycle configuration
Ensure S3 buckets should have event notifications enabled
Ensure Network firewall has logging configuration defined
Ensure KMS key Policy is defined
Ensure access control lists for S3 buckets are disabled
Ensure MWAA environment is not publicly accessible
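Several of the AWS IAM rules in this list (full '*:*' administrative privileges, '*' as a statement action, assume-role permission on every resource, and "any principal" in KMS, S3, SQS, SNS or Glacier resource policies) are tests over the same JSON policy document. The checker below is an added example, not CodeAnt AI's own code: it takes the parsed document (`json.loads` of an `aws_iam_policy_document` or a bucket/queue/topic policy), normalises the scalar-or-list fields IAM allows, and emits one finding per violated rule per statement. It also covers two edge cases a literal string match misses: an `Allow` with `NotAction` on `Resource "*"`, which is near-admin, and a wildcard principal that is narrowed by a `Condition`. Treating any `Condition` as "not public" is a simplification of this example; not every condition key narrows the caller, so such statements still deserve a manual look. The sample documents are constructed.

```python
"""Checks over an IAM policy document for the wildcard policies above:
full '*:*' administrative privileges, '*' as a statement action,
sts:AssumeRole on Resource "*", and a wildcard principal in a resource policy.

Added example, not CodeAnt AI's own code. Input is the parsed JSON document.
"""
import fnmatch
import json


def _as_list(value) -> list:
    """IAM lets Statement, Action, Resource and Principal.AWS be scalar or list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_allow(stmt: dict) -> bool:
    return str(stmt.get("Effect", "")).lower() == "allow"


def _matches(patterns, action: str) -> bool:
    """Case-insensitive glob match, the way IAM expands 'iam:*' or 's3:Get*'."""
    return any(fnmatch.fnmatchcase(action.lower(), str(p).lower()) for p in patterns)


def _wildcard_principal(stmt: dict) -> bool:
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def check_policy(doc: dict, name: str = "policy") -> list:
    """One finding per violated policy per statement, in statement order."""
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if not _is_allow(stmt):
            continue  # Deny statements cannot grant anything
        where = f"{name} statement {idx}"
        actions = _as_list(stmt.get("Action"))
        star_action = any(str(a) in ("*", "*:*") for a in actions)
        star_resource = "*" in _as_list(stmt.get("Resource"))
        if star_action and star_resource:
            findings.append(f"{where}: full '*:*' administrative privileges")
        elif star_action:
            findings.append(f"{where}: '*' as statement action")
        elif star_resource and _matches(actions, "sts:AssumeRole"):
            findings.append(f"{where}: sts:AssumeRole on Resource '*'")
        if "NotAction" in stmt and star_resource:
            # Allow + NotAction + Resource "*" grants everything not listed: near-admin.
            findings.append(f"{where}: Allow with NotAction on Resource '*' (review)")
        if _wildcard_principal(stmt) and not stmt.get("Condition"):
            # A Condition is assumed here to narrow the caller; still review it by hand.
            findings.append(f"{where}: wildcard principal with no Condition")
    return findings


def check_policy_json(text: str, name: str = "policy") -> list:
    """Convenience wrapper for a raw JSON string."""
    return check_policy(json.loads(text), name)


# Constructed sample documents for this example (no real account data).
ADMIN_DOC = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READONLY_DOC = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                              "Resource": "arn:aws:s3:::example-bucket/*"}}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "DenyAll", "Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "*"},
]}
MIXED_DOC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "*"],
     "Resource": "arn:aws:ec2:*:111122223333:instance/*"},
    {"Effect": "Allow", "Action": "sts:assumerole", "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for doc_name, doc in [("admin", ADMIN_DOC), ("readonly", READONLY_DOC),
                          ("bucket", BUCKET_POLICY), ("mixed", MIXED_DOC)]:
        for finding in check_policy(doc, doc_name):
            print(finding)
```

Two details are deliberate: `Statement` is accepted as a bare object as well as a list, because both are valid and a list-only parser would skip single-statement documents entirely, and action matching is case-insensitive, since IAM treats `sts:assumerole` and `sts:AssumeRole` as the same action.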
Ensure Azure Instance does not use basic authentication (use SSH key instead)
Ensure Azure managed disk have encryption enabled
Ensure that 'supportsHttpsTrafficOnly' is set to 'true'
Ensure AKS logging to Azure Monitor is configured
Ensure RBAC is enabled on AKS clusters
Ensure AKS has an API Server Authorized IP Ranges enabled
Ensure AKS cluster has Network Policy configured
Ensure Kubernetes Dashboard is disabled
Ensure that RDP access is restricted from the internet
Ensure that SSH access is restricted from the internet
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
Ensure App Service Authentication is set on Azure App Service
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
Ensure web app is using the latest version of TLS encryption
Ensure that Register with Azure Active Directory is enabled on App Service
Ensure the web app has 'Client Certificates (Incoming client certificates)' set
Ensure that 'HTTP Version' is the latest if used to run the web app
Ensure that the standard pricing tier is selected for Azure Security Center
Ensure that security contact 'Phone number' is set
Ensure that 'Send email notification for high severity alerts' is set to 'On'
Ensure that 'Auditing' is set to 'Enabled' for SQL servers
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers
Ensure that 'Threat Detection types' is set to 'All'
Ensure that 'Send Alerts To' is enabled for MSSQL servers
Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Ensure Storage logging is enabled for Queue service for read, write and delete requests
Ensure that 'Public access level' is set to Private for blob containers
Ensure default network access rule for Storage Accounts is set to deny
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
Ensure that Activity Log Retention is set 365 days or greater
Ensure audit profile captures all the activities
Ensure that no custom subscription owner roles are created
Ensure that the expiration date is set on all keys
Ensure that the expiration date is set on all secrets
Ensure the key vault is recoverable
Ensure Storage Accounts adhere to the naming rules
Ensure Storage Account is using the latest version of TLS encryption
Ensure that no sensitive credentials are exposed in VM custom_data
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers
Ensure 'public network access enabled' is set to 'False' for MariaDB servers
Ensure Azure Linux scale set does not use basic authentication (use SSH key instead)
Ensure Virtual Machine Extensions are not Installed
Ensure MSSQL is using the latest version of TLS encryption
Ensure 'public network access enabled' is set to 'False' for MySQL servers
Ensure MySQL is using the latest version of TLS encryption
Ensure that Azure Defender is set to On for Servers
Ensure that function apps enable authentication
Ensure that CORS does not allow every resource to access app services
Ensure that Azure Synapse workspaces enable managed virtual networks
Ensure that Storage accounts disallow public access
Ensure that Azure Defender is set to On for App Service
(Configured on the azurerm_security_center_subscription_pricing resource. Enabling Defender per resource type ensures teams optimise spend rather than paying for more protection than they actually need, and gives them control over their security budget and priorities.)
Ensure function apps are not accessible from all regions
Ensure that App service enables HTTP logging
Ensure that Azure File Sync disables public network access
Ensure that App service enables detailed error messages
Ensure that App service enables failed request tracing
Ensure that 'HTTP Version' is the latest, if used to run the Function app
Ensure that PostgreSQL server disables public network access
Ensure that Azure Defender is set to On for Azure SQL database servers
Ensure that Function apps is only accessible over HTTPS
Ensure that Managed identity provider is enabled for app services
Ensure that remote debugging is not enabled for app services
Ensure that Automation account variables are encrypted
Ensure that Azure Data Explorer (Kusto) uses disk encryption
Ensure that Azure Data Explorer uses double encryption
Ensure that Azure Batch account uses key vault to encrypt data
Ensure that UDP Services are restricted from the Internet
Ensure FTP deployments are disabled
Ensure that Azure Defender is set to On for SQL servers on machines
Ensure that 'Net Framework' version is the latest, if used as a part of the web app
Ensure that 'PHP version' is the latest, if used to run the web app
Ensure that 'Python version' is the latest, if used to run the web app
Ensure that 'Java version' is the latest, if used to run the web app
Ensure that Azure Defender is set to On for Storage
Ensure that Azure Defender is set to On for Kubernetes
Ensure that Azure Defender is set to On for Container Registries
Ensure that Azure Defender is set to On for Key Vault
Ensure that app services use Azure Files
Ensure that Azure Cache for Redis disables public network access
Ensure that only SSL are enabled for Cache for Redis
Ensure that Virtual Machines use managed disks
Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption
Ensure that MySQL server enables geo-redundant backups
Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets
Ensure that MySQL server enables infrastructure encryption
Ensure that Virtual machine scale sets have encryption at host enabled
Ensure that Azure Container group is deployed into virtual network
Ensure Cosmos DB accounts have restricted access
Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest
Ensure that Azure Cosmos DB disables public network access
Ensure that PostgreSQL server enables geo-redundant backups
Ensure that Azure Data Factory uses Git repository for source control
Ensure that Azure Data factory public network access is disabled
Ensure that Data Lake Store accounts enables encryption
Ensure that Azure Event Grid Domain public network access is disabled
Ensure that API management services use virtual networks
Ensure that Azure IoT Hub disables public network access
Ensure that key vault allows firewall rules settings
Ensure that key vault enables purge protection
Ensure that key vault enables soft delete
Ensure that key vault key is backed by HSM
Ensure that SQL server disables public network access
Ensure that key vault secrets have 'content_type' set
Ensure that AKS enables private clusters
Ensure that AKS uses Azure Policies Add-on
Ensure that AKS uses disk encryption set
Ensure that Network Interfaces disable IP forwarding
Ensure that Network Interfaces don't use public IPs
Ensure that Application Gateway enables WAF
Ensure that Azure Front Door enables WAF
Ensure that Application Gateway uses WAF in 'Detection' or 'Prevention' modes
Ensure that Azure Front Door uses WAF in 'Detection' or 'Prevention' modes
Ensure that Azure Cognitive Search disables public network access
Ensure that Service Fabric uses the three levels of protection available
Ensure that Active Directory is used for authentication for Service Fabric
Ensure that MySQL server enables Threat detection policy
Ensure that PostgreSQL server enables Threat detection policy
Ensure that MariaDB server enables geo-redundant backups
Ensure that PostgreSQL server enables infrastructure encryption
Ensure that 'Security contact emails' is set
Ensure cosmosdb does not allow privileged escalation by restricting management plane changes
Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka Log4Shell
Ensure that Cognitive Services accounts disable public network access
Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka Log4Shell
Ensure that PostgreSQL Flexible server enables geo-redundant backups
Ensure ACR admin account is disabled
Ensure that ACR disables anonymous pulling of images
Ensure ACR set to disable public networking
Ensure that Local Authentication is disabled on CosmosDB
Ensure AKS local admin account is disabled
Ensure Machine Learning Compute Cluster Local Authentication is disabled
Ensure AKS cluster nodes do not have public IP addresses
Ensure that Public Access is disabled for Machine Learning Workspace
Ensure Function app is using the latest version of TLS encryption
Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server
Ensure PostgreSQL is using the latest version of TLS encryption
Ensure Redis Cache is using the latest version of TLS encryption
Ensure that Virtual machine does not enable password authentication
Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0
Ensure Windows VM enables encryption
Ensure Client Certificates are enforced for API management
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot
Ensure the App service slot is using the latest version of TLS encryption
(Set the minimum TLS version on the azurerm_app_service_slot resource in Azure Resource Manager to prevent the potential exploitation of any known vulnerabilities present in older TLS versions, thus reducing overall security risk.)
Ensure debugging is disabled for the App service slot
Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs
Ensure that Synapse workspace has data_exfiltration_protection_enabled
Ensure that databricks workspace is not public
Ensure function app builtin logging is enabled
Ensure that HTTP (port 80) access is restricted from the internet
Ensure Spring Cloud API Portal is enabled for HTTPS
Ensure Spring Cloud API Portal public access is disabled
Enable vulnerability scanning for container images.
Ensure that ACR uses signed/trusted images
Ensure container registries are geo-replicated to match multi-region container deployments
Ensure container image quarantine, scan, and mark images verified
Ensure a retention policy is set to clean up untagged manifests
Ensure Azure Kubernetes Cluster (AKS) node pools allow a minimum of 50 pods per node
Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets
Ensure that AKS uses the Paid SKU for its SLA
Ensure AKS cluster upgrade channel is chosen
Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters
Ensure API management uses at least TLS 1.2
Ensure API management public access is disabled
Ensure Web PubSub uses a SKU with an SLA
Ensure Web PubSub uses managed identities to access Azure resources
Ensure Windows VM enables automatic updates
Ensure linux VM enables SSH with keys for secure communication
Ensure VM agent is installed
Ensure that data explorer uses Sku with an SLA
Ensure that data explorer/Kusto uses managed identities to access Azure resources securely.
Ensure that VNET has at least 2 connected DNS Endpoints
Ensure that VNET uses local DNS addresses
Ensure 'local_auth_enabled' is set to 'False'
Ensure 'Public Access' is not Enabled for App configuration
Ensure App configuration encryption block is set.
Ensure App configuration purge protection is enabled
Ensure App configuration Sku is standard
Ensure that Azure Key Vault disables public network access
Ensure that Storage blobs restrict public access
Ensure that Managed identity provider is enabled for Azure Event Grid Topic
Ensure that Azure Event Grid Topic local Authentication is disabled
Ensure public network access is disabled for Azure Event Grid Topic
Ensure that Managed identity provider is enabled for Azure Event Grid Domain
Ensure that Azure Event Grid Domain local Authentication is disabled
Ensure that SignalR uses a Paid Sku for its SLA
Ensure the Azure CDN disables the HTTP endpoint
Ensure the Azure CDN enables the HTTPS endpoint
Ensure that Azure Service Bus uses double encryption
Ensure the Azure CDN endpoint is using the latest version of TLS encryption
Ensure that Azure Service Bus uses a customer-managed key to encrypt data
Ensure that Managed identity provider is enabled for Azure Service Bus
Ensure Azure Service Bus Local Authentication is disabled
Ensure 'public network access enabled' is set to 'False' for Azure Service Bus
Ensure Azure Service Bus is using the latest version of TLS encryption
Ensure that Storage Accounts use replication
Ensure Azure Cognitive Search service uses managed identities to access Azure resources
Ensure that Azure Cognitive Search maintains SLA for index updates
Ensure that Azure Cognitive Search maintains SLA for search index queries
Ensure Azure Cognitive Search service allowed IPS does not give public Access
Ensure App Service plan suitable for production use
Ensure App Service has a minimum number of instances for failover
Ensure that App Service configures health check
Ensure App Service is set to be always on
Ensure API management backend uses https
Ensure DenyIntelMode is set to Deny for Azure Firewalls
Ensure Azure Application Gateway listeners do not allow connection requests over HTTP
Ensure Application Gateway defines secure protocols for in transit communication
Ensure Firewall defines a firewall policy
Ensure Firewall policy has IDPS mode as deny
Ensure that Azure Function App public network access is disabled
Ensure that Azure Web App public network access is disabled
Ensure Event Hub Namespace uses at least TLS 1.2
Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity
Ensure the App Service Plan is zone redundant
Ensure ephemeral disks are used for OS disks
Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources
Ensure the Azure Event Hub Namespace is zone redundant
Ensure the Azure SQL Database Namespace is zone redundant
Standard Replication should be enabled
Ensure App Service Environment is zone redundant
Ensure that only critical system pods run on system nodes
Ensure Azure Container Registry (ACR) is zone redundant
Ensure that Azure Defender for cloud is set to On for Resource Manager
Ensure that Azure container environment variables are configured with secure values only
Ensure storage for critical data are encrypted with Customer Managed Key
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
Ensure Azure SQL server ADS VA Send scan reports to is configured
Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server
Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
Ensure that Azure Active Directory Admin is configured
Ensure the storage container storing the activity logs is not publicly accessible
Ensure Virtual Machines are utilizing Managed Disks
Ensure that Microsoft Antimalware is configured to update automatically for Virtual Machines
Ensure that Azure Data Explorer encryption at rest uses a customer-managed key
Ensure that virtual machines are backed up using Azure Backup
Ensure that SQL servers enable a data security policy
Ensure that Unattached disks are encrypted
Ensure that Azure data factories are encrypted with a customer-managed key
Ensure that MySQL server enables customer-managed key for encryption
Ensure that PostgreSQL server enables customer-managed key for encryption
Ensure that Azure Synapse workspaces have no IP firewall rules attached
Ensure Storage logging is enabled for Table service for read requests
Ensure Storage logging is enabled for Blob service for read requests
Ensure that Cognitive Services enables customer-managed key for encryption
Ensure Azure spring cloud is configured with Virtual network (Vnet)
Ensure Azure automation account does NOT have overly permissive network access
Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled
Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access
Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)
Ensure Container Instance is configured with managed identity
Ensure AKS cluster has Azure CNI networking enabled
Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook
Ensure VNET subnet is configured with a Network Security Group (NSG)
Ensure private endpoint is configured to key vault
Ensure storage account is configured with private endpoint
Ensure Azure SQL server firewall is not overly permissive
Ensure Azure recovery services vault is configured with managed identity
Ensure Azure automation account is configured with managed identity
Ensure Azure MariaDB server is using latest TLS (1.2)
Ensure soft-delete is enabled on Azure storage account
Ensure Azure VM is not configured with public IP and serial console access
Ensure storage account is not configured with Shared Key authorization
Ensure storage account is configured with SAS expiration policy
Ensure Azure PostgreSQL server is configured with private endpoint
Ensure Azure MariaDB server is configured with private endpoint
Ensure Azure MySQL server is configured with private endpoint
Ensure Microsoft SQL server is configured with private endpoint
Ensure that Azure Synapse Workspace vulnerability assessment is enabled
Ensure storage account is configured without blob anonymous access
Ensure container job uses a non-latest version tag
Ensure container job uses a version digest
Ensure set variable is not marked as a secret
Detecting image usages in azure pipelines workflows
Ensure no hard coded API token exist in the provider
Merge requests should require at least 2 approvals
Ensure the pipeline image uses a non-latest version tag
Ensure the pipeline image version is referenced via a hash, not an arbitrary tag
Ensure mutable development orbs are not used.
Ensure unversioned volatile orbs are not used.
Suspicious use of netcat with IP address
Ensure run commands are not vulnerable to shell injection
Suspicious use of curl in run task
Detecting image usages in circleci pipelines
Ensure the Spaces bucket has versioning enabled
Ensure the droplet specifies an SSH key
Ensure the Spaces bucket is private
Ensure the firewall ingress is not wide open
Ensure port 22 is not exposed
Ensure that HEALTHCHECK instructions have been added to container images
Ensure that a user for the container has been created
Ensure that COPY is used instead of ADD in Dockerfiles
Ensure update instructions are not used alone in the Dockerfile
Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated)
Ensure the base image uses a non-latest version tag
Ensure the last USER is not root
Ensure that APT isn't used
Ensure that WORKDIR values are absolute paths
Ensure FROM aliases are unique for multistage builds
Ensure that sudo isn't used
Ensure that certificate validation isn't disabled with curl
Ensure that certificate validation isn't disabled with wget
Ensure that certificate validation isn't disabled with the pip '--trusted-host' option
Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environment variable
Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environment variable
Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option
Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option
Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option
Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options
Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state
Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environment variable
Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false
Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value
Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option
Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable
Ensure that 'chpasswd' is not used to set or remove passwords
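The Dockerfile rules above are all detectable by inspecting instructions and their arguments. The script below is an added example, not CodeAnt AI's scanner or any code from this page: it parses a Dockerfile and reports the listed violations (missing HEALTHCHECK, last USER root, ADD instead of COPY, apt-get update alone, MAINTAINER, untagged or :latest base image, relative WORKDIR, duplicate FROM aliases, sudo, chpasswd, and the curl/wget/pip/apk/apt-get/dnf/rpm/npm/git switches and environment variables that disable signature or certificate validation). The sample Dockerfile is constructed for illustration and the rule messages are my own wording.

```python
import re
from typing import List, Tuple

# Patterns matched against the arguments of RUN instructions, one per listed rule.
RUN_RULES = [
    (r"\bcurl\b[^|&;]*\s(-k|--insecure)\b", "certificate validation disabled with curl"),
    (r"\bwget\b[^|&;]*--no-check-certificate", "certificate validation disabled with wget"),
    (r"\bpip3?\b[^|&;]*--trusted-host", "certificate validation disabled with pip --trusted-host"),
    (r"\bapk\b[^|&;]*--allow-untrusted", "apk --allow-untrusted accepts unsigned packages"),
    (r"\bapt-get\b[^|&;]*--allow-unauthenticated", "apt-get --allow-unauthenticated accepts unsigned packages"),
    (r"\b(dnf|tdnf|yum)\b[^|&;]*--nogpgcheck", "GPG signature check disabled for dnf/tdnf/yum"),
    (r"\brpm\b[^|&;]*--(nodigest|nosignature|noverify|nofiledigest)\b", "rpm signature/digest check disabled"),
    (r"--force-yes\b", "--force-yes disables signature validation and allows downgrades"),
    (r"(^|[\s;&|])apt\s", "apt used; use apt-get in Dockerfiles"),
    (r"\bsudo\b", "sudo used"),
    (r"\bchpasswd\b", "chpasswd used to set or remove passwords"),
]
# Patterns matched against the arguments of ENV instructions.
ENV_RULES = [
    (r"\bPYTHONHTTPSVERIFY[=\s]+0\b", "PYTHONHTTPSVERIFY=0 disables TLS verification"),
    (r"\bNODE_TLS_REJECT_UNAUTHORIZED[=\s]+0\b", "NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS verification"),
    (r"\bNPM_CONFIG_STRICT_SSL[=\s]+false\b", "NPM_CONFIG_STRICT_SSL=false disables TLS verification"),
    (r"\bGIT_SSL_NO_VERIFY\b", "GIT_SSL_NO_VERIFY disables TLS verification for git"),
    (r"\bPIP_TRUSTED_HOST\b", "PIP_TRUSTED_HOST disables TLS verification for pip"),
]


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs; backslash continuations are joined, comments dropped."""
    joined = re.sub(r"\\\s*\n", " ", text)
    pairs = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, _, rest = line.partition(" ")
        pairs.append((head.upper(), rest.strip()))
    return pairs


def lint_dockerfile(text: str) -> List[str]:
    """Return one finding per violated rule, in the order the instructions appear."""
    findings: List[str] = []
    aliases = set()
    last_user = None
    has_healthcheck = False
    for ins, arg in parse_dockerfile(text):
        if ins == "FROM":
            tokens = arg.split()
            image = tokens[0]
            name = image.rsplit("/", 1)[-1]  # strip registry/namespace before checking the tag
            if name != "scratch" and "@sha256:" not in name and (":" not in name or name.endswith(":latest")):
                findings.append(f"FROM {image}: base image has no version tag or uses :latest")
            if len(tokens) == 3 and tokens[1].upper() == "AS":
                alias = tokens[2].lower()
                if alias in aliases:
                    findings.append(f"FROM ... AS {alias}: duplicate stage alias")
                aliases.add(alias)
        elif ins == "MAINTAINER":
            findings.append("MAINTAINER is deprecated; use LABEL maintainer=...")
        elif ins == "ADD":
            findings.append(f"ADD {arg}: use COPY unless remote-URL or auto-extract behaviour is required")
        elif ins == "WORKDIR" and not arg.startswith(("/", "$")):
            findings.append(f"WORKDIR {arg}: path is not absolute")
        elif ins == "USER":
            last_user = arg.split(":")[0]
        elif ins == "HEALTHCHECK":
            has_healthcheck = True
        elif ins == "RUN":
            if "apt-get update" in arg and "apt-get install" not in arg:
                findings.append("RUN apt-get update used alone; combine it with install in one RUN")
            for pattern, message in RUN_RULES:
                if re.search(pattern, arg):
                    findings.append(f"RUN: {message}")
        elif ins == "ENV":
            for pattern, message in ENV_RULES:
                if re.search(pattern, arg):
                    findings.append(f"ENV: {message}")
    if not has_healthcheck:
        findings.append("no HEALTHCHECK instruction")
    if last_user is None:
        findings.append("no USER instruction; container runs as root")
    elif last_user in ("root", "0"):
        findings.append(f"last USER is {last_user}")
    return findings


# Constructed sample that violates ten of the rules above.
SAMPLE_DOCKERFILE = """\
FROM python:latest AS build
MAINTAINER someone@example.invalid
ENV NODE_TLS_REJECT_UNAUTHORIZED=0
RUN apt-get update
RUN apt-get install -y --allow-unauthenticated curl && \\
    curl -k https://example.invalid/tool.sh -o /tmp/tool.sh
ADD app.tar.gz /app
WORKDIR app
USER root
"""

if __name__ == "__main__":
    for finding in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(finding)
```

The RUN patterns stop at `|`, `&` and `;` so a flag is only attributed to the command in the same shell pipeline segment; a real scanner would additionally parse exec-form (`RUN ["curl", "-k", ...]`) arrays, which this example does not.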
Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
Ensure Google compute firewall ingress does not allow unrestricted ssh access
Ensure Google compute firewall ingress does not allow unrestricted rdp access
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure all Cloud SQL database instance requires all incoming connections to use SSL
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
Ensure 'Automatic node repair' is enabled for Kubernetes Clusters
Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters
Ensure that Cloud SQL database Instances are not open to the world
Ensure Network Policy is enabled on Kubernetes Engine Clusters
Ensure client certificate authentication to Kubernetes Engine Clusters is disabled
Ensure all Cloud SQL database instance have backup configuration enabled
Ensure that BigQuery datasets are not anonymously or publicly accessible
Ensure that DNSSEC is enabled for Cloud DNS
Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC
Ensure GKE Control Plane is not public
Ensure master authorized networks is set to enabled in GKE clusters
Ensure Kubernetes Clusters are configured with Labels
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
Ensure Kubernetes Cluster is created with Alias IP ranges enabled
Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
Ensure Kubernetes Cluster is created with Private cluster enabled
Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network
Ensure that the default network does not exist in a project
Ensure that Cloud Storage bucket is not anonymously or publicly accessible
Ensure that Cloud Storage buckets have uniform bucket-level access enabled
Ensure that instances are not configured to use the default service account
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure 'Block Project-wide SSH keys' is enabled for VM instances
Ensure oslogin is enabled for a Project
Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances)
Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
Ensure that IP forwarding is not enabled on Instances
Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Compute instances are launched with Shielded VM enabled
Ensure that Compute instances do not have public IP addresses
Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure that Service Account has no Admin privileges
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level
Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level
Ensure Default Service account is not used at a project level
Ensure default service account is not used at an organization level
Ensure Default Service account is not used at a folder level
Ensure roles do not impersonate or manage Service Accounts used at project level
Ensure MySQL database 'local_infile' flag is set to 'off'
Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on'
Ensure PostgreSQL database 'log_connections' flag is set to 'on'
Ensure PostgreSQL database 'log_disconnections' flag is set to 'on'
Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on'
Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value
Ensure PostgreSQL database 'log_temp_files' flag is set to '0'
Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1'
Ensure SQL database 'cross db ownership chaining' flag is set to 'off'
Ensure SQL database 'contained database authentication' flag is set to 'off'
Ensure Cloud SQL database does not have public IP
Enable VPC Flow Logs and Intranode Visibility
Bucket should log access
Bucket should not log to itself
Ensure clusters are created with Private Nodes
Manage Kubernetes RBAC users with Google Groups for GKE
Ensure use of Binary Authorization
Ensure Secure Boot for Shielded GKE Nodes is Enabled
Ensure the GKE Metadata Server is Enabled
Ensure the GKE Release Channel is set
Ensure Shielded GKE Nodes are Enabled
Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled
Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka Log4Shell
Ensure that private_ip_google_access is enabled for Subnet
Ensure Google compute firewall ingress does not allow unrestricted FTP access
Ensure that Private google access is enabled for IPV6
Ensure Google compute firewall ingress does not allow unrestricted access on the FTP port
Ensure Cloud storage has versioning enabled
Ensure SQL database is using latest Major version
Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure KMS keys are protected from deletion
Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Cloud build workers are private
Ensure Data fusion instances are private
Ensure Google compute firewall ingress does not allow unrestricted mysql access
Ensure Vertex AI instances are private
Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Vertex AI datasets uses a CMK (Customer Managed Key)
Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Dataflow jobs are private
Ensure Memorystore for Redis has AUTH enabled
Ensure Vertex AI Metadata Store uses a CMK (Customer Managed Key)
Ensure Memorystore for Redis uses intransit encryption
Ensure that Dataproc clusters are not anonymously or publicly accessible
Ensure that Pub/Sub Topics are not anonymously or publicly accessible
Ensure that BigQuery Tables are not anonymously or publicly accessible
Ensure that Artifact Registry repositories are not anonymously or publicly accessible
Ensure that GCP Cloud Run services are not anonymously or publicly accessible
Ensure Dataproc Clusters do not have public IPs
Ensure Datafusion has Stackdriver logging enabled
Ensure Datafusion has Stackdriver monitoring enabled
Ensure Google compute firewall ingress does not allow unrestricted http port 80 access
Cloud functions should not be public
Ensure hostnames are logged for GCP PostgreSQL databases
Ensure the GCP PostgreSQL database log levels are set to ERROR or lower
Ensure pgAudit is enabled for your GCP PostgreSQL database
Ensure GCP PostgreSQL logs SQL statements
Ensure KMS policy does not allow public access
Ensure IAM policy does not define public access
Ensure public access prevention is enforced on Cloud Storage bucket
Ensure basic roles are not used at organization level.
Ensure basic roles are not used at folder level.
Ensure basic roles are not used at project level.
Ensure IAM workload identity pool provider is restricted
Ensure Spanner Database has deletion protection enabled
Ensure Spanner Database has drop protection enabled
Ensure BigQuery tables have deletion protection enabled
Ensure Big Table Instances have deletion protection enabled
Ensure GKE clusters do not define node pools inline in the cluster configuration
Ensure GKE clusters are not running using the Compute Engine default service account
Ensure legacy networks do not exist for a project
Ensure that there are only GCP-managed service account keys for each service account
Ensure that retention policies on log buckets are configured using Bucket Lock
Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges
Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible
Ensure that Container Registry repositories are not anonymously or publicly accessible
Ensure GCP Cloud Function HTTP trigger is secured
Ensure GCP GCR Container Vulnerability Scanning is enabled
Ensure GCP compute firewall ingress does not allow unrestricted access to all ports
Ensure PostgreSQL database flag 'log_duration' is set to 'on'
Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off'
Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off'
Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off'
Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off'
Ensure GCP network defines a firewall and does not use the default firewall
Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled
Ensure MySQL DB instance has point-in-time recovery backup configured
Ensure Vertex AI instance disks are encrypted with a Customer Managed Key (CMK)
Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK)
Ensure Document AI Warehouse Location is configured to use a Customer Managed Key (CMK)
Ensure Vertex AI endpoint uses a Customer Managed Key (CMK)
Ensure Vertex AI featurestore uses a Customer Managed Key (CMK)
Ensure Vertex AI tensorboard uses a Customer Managed Key (CMK)
Ensure Vertex AI workbench instance disks are encrypted with a Customer Managed Key (CMK)
Ensure Vertex AI workbench instances are private
Ensure logging is enabled for Dialogflow agents
Ensure logging is enabled for Dialogflow CX agents
Ensure logging is enabled for Dialogflow CX webhooks
Ensure TPU v2 is private
Ensure Vertex AI endpoint is private
Ensure Vertex AI index endpoint is private
Ensure Vertex AI runtime is encrypted with a Customer Managed Key (CMK)
Ensure Vertex AI runtime is private
Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables
Suspicious use of curl with secrets
Found artifact build without evidence of cosign sign execution in pipeline
Found artifact build without evidence of cosign sbom attestation in pipeline
The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty.
Ensure top-level permissions are not set to write-all
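The GitHub Actions workflow rules above (ACTIONS_ALLOW_UNSECURE_COMMANDS, curl with secrets, workflow_dispatch inputs, write-all permissions) plus the shell-injection rule listed under the CI pipeline checks can be evaluated on the parsed workflow document. The checker below is an added example, not CodeAnt AI's scanner or any code from this page; it takes the workflow as a dict (what a YAML loader returns; YAML 1.1 loaders turn the `on` key into `True`, which is handled) and treats `${{ github.event.* }}`, `${{ github.head_ref }}` and `${{ inputs.* }}` interpolated into `run:` as attacker-controllable. Both workflows are constructed for illustration, and the fixed one shows the usual remedy: pass the expression through `env:` and reference the variable in the shell.

```python
import re
from typing import Any, Dict, List

# Expression contexts an outside contributor can influence (PR title/body, branch name, comment, inputs).
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.event\.(issue|pull_request|comment|review|review_comment|discussion|commits|head_commit)\b"
    r"|github\.head_ref\b|inputs\.)"
)
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")


def _unsecure_commands(env: Any) -> bool:
    return str((env or {}).get("ACTIONS_ALLOW_UNSECURE_COMMANDS", "")).lower() == "true"


def check_workflow(wf: Dict[str, Any]) -> List[str]:
    """Return one finding per violated rule for a parsed GitHub Actions workflow."""
    f: List[str] = []
    triggers = wf.get("on", wf.get(True, {})) or {}
    if isinstance(triggers, dict):
        wd = triggers.get("workflow_dispatch") or {}
        if isinstance(wd, dict) and wd.get("inputs"):
            f.append("workflow_dispatch declares inputs; the build must not take user parameters")
    if wf.get("permissions") == "write-all":
        f.append("top-level permissions are set to write-all")
    if _unsecure_commands(wf.get("env")):
        f.append("workflow env enables ACTIONS_ALLOW_UNSECURE_COMMANDS")
    for job_name, job in (wf.get("jobs") or {}).items():
        if _unsecure_commands(job.get("env")):
            f.append(f"{job_name}: job env enables ACTIONS_ALLOW_UNSECURE_COMMANDS")
        for i, step in enumerate(job.get("steps") or []):
            sid = step.get("name") or step.get("id") or f"step{i}"
            if _unsecure_commands(step.get("env")):
                f.append(f"{job_name}/{sid}: step env enables ACTIONS_ALLOW_UNSECURE_COMMANDS")
            run = step.get("run") or ""
            if UNTRUSTED.search(run):
                f.append(f"{job_name}/{sid}: untrusted expression interpolated into run (shell injection)")
            if re.search(r"\bcurl\b", run) and SECRET_REF.search(run):
                f.append(f"{job_name}/{sid}: curl invoked with a secret expression on the command line")
    return f


# Constructed workflow violating five rules.
RISKY_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request": {}, "workflow_dispatch": {"inputs": {"target": {"type": "string"}}}},
    "permissions": "write-all",
    "jobs": {"build": {
        "runs-on": "ubuntu-latest",
        "env": {"ACTIONS_ALLOW_UNSECURE_COMMANDS": "true"},
        "steps": [
            {"uses": "actions/checkout@v4"},
            {"name": "greet", "run": 'echo "PR title: ${{ github.event.pull_request.title }}"'},
            {"name": "upload",
             "run": "curl -H 'Authorization: Bearer ${{ secrets.API_TOKEN }}' https://example.invalid/upload"},
        ],
    }},
}

# Same workflow with the findings remediated: read-only token, no dispatch inputs, values passed via env.
FIXED_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request": {}},
    "permissions": {"contents": "read"},
    "jobs": {"build": {
        "runs-on": "ubuntu-latest",
        "steps": [
            {"uses": "actions/checkout@v4"},
            {"name": "greet", "env": {"TITLE": "${{ github.event.pull_request.title }}"},
             "run": 'echo "PR title: $TITLE"'},
            {"name": "upload", "env": {"API_TOKEN": "${{ secrets.API_TOKEN }}"},
             "run": 'curl -H "Authorization: Bearer $API_TOKEN" https://example.invalid/upload'},
        ],
    }},
}

if __name__ == "__main__":
    for finding in check_workflow(RISKY_WORKFLOW):
        print(finding)
```

The env indirection removes the injection because the runner substitutes the expression before the shell ever sees it; the secret still reaches curl's argument vector in the fixed version, so a stricter policy would also require `--header @file` or a netrc rather than a command-line header.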
Ensure GitHub repository is Private
Ensure GitHub repository webhooks are using HTTPS
Ensure GitHub repository has vulnerability alerts enabled
Ensure GitHub Actions secrets are encrypted
GitHub pull requests should require at least 2 approvals
Ensure GitHub branch protection rules requires signed commits
Ensure each Repository has branch protection associated
Ensure GitHub organization security settings require 2FA
Ensure GitHub organization security settings require SSO
Ensure GitHub organization security settings has IP allow list enabled
Ensure GitHub branch protection rules does not allow force pushes
Ensure GitHub organization webhooks are using HTTPS
Ensure GitHub branch protection rules requires linear history
Ensure 2 admins are set for each repository
Ensure branch protection rules are enforced on administrators
Ensure GitHub branch protection dismisses stale review on new commit
Ensure GitHub branch protection restricts who can dismiss PR reviews
Ensure GitHub branch protection requires CODEOWNER reviews
Ensure all checks have passed before the merge of new code
Ensure inactive branches are reviewed and removed periodically
Ensure GitHub branch protection requires conversation resolution
Ensure GitHub branch protection requires push restrictions
Ensure GitHub branch protection rules does not allow deletions
Ensure any change to code receives approval of two strongly authenticated users
Ensure open git branches are up to date before they can be merged into codebase
Ensure public repository creation is limited to specific members
Ensure private repository creation is limited to specific members
Ensure internal repository creation is limited to specific members
Ensure minimum admins are set for the organization
Ensure strict base permissions are set for repositories
Ensure an organization's identity is confirmed with a Verified badge
Ensure all Gitlab groups require two factor authentication
Suspicious use of curl with CI environment variables in script
Avoid creating rules that generate double pipelines
Detecting image usages in gitlab workflows
Ensure at least two approving reviews are required to merge a GitLab MR
Ensure GitLab branch protection rules does not allow force pushes
Ensure GitLab prevent secrets is enabled
Ensure GitLab commits are signed
Ensure load balancer for VPC is private (disable public access)
Ensure VPC classic access is disabled
Ensure API key creation is restricted in account settings
Ensure Multi-Factor Authentication (MFA) is enabled at the account level
Ensure Service ID creation is restricted in account settings
Ensure Databases network access is restricted to a specific IP range
Ensure Kubernetes clusters are accessible by using private endpoint and NOT public endpoint
Do not admit containers wishing to share the host process ID namespace
Do not admit privileged containers
Do not admit containers wishing to share the host IPC namespace
Do not admit containers wishing to share the host network namespace
Containers should not run with allowPrivilegeEscalation
Do not admit root containers
Do not admit containers with the NET_RAW capability
Liveness Probe Should be Configured
Readiness Probe Should be Configured
CPU requests should be set
CPU limits should be set
Memory requests should be set
Memory limits should be set
Image Tag should be fixed - not latest or blank
Image Pull Policy should be Always
Container should not be privileged
Containers should not share the host process ID namespace
Containers should not share the host IPC namespace
Containers should not share the host network namespace
The default namespace should not be used
Use read-only filesystem for containers where possible
Minimize the admission of root containers
Do not allow containers with added capability
Minimize the admission of containers with added capability
Do not specify hostPort unless absolutely necessary
Do not expose the docker daemon socket to containers
Minimize the admission of containers with the NET_RAW capability
Apply security context to your pods and containers
Apply security context to your containers
Ensure that the seccomp profile is set to docker/default or runtime/default
Ensure default seccomp profile set to docker/default or runtime/default
Ensure the Kubernetes dashboard is not deployed
Ensure that Tiller (Helm v2) is not deployed
Prefer using secrets as files over secrets as environment variables
Minimize the admission of containers with capabilities assigned
Ensure that Service Account Tokens are only mounted where necessary
Do not use the CAP_SYS_ADMIN Linux capability
Containers should run as a high UID to avoid host conflict
Ensure that default service accounts are not actively used
Image should use digest
Ensure that the Tiller Service (Helm v2) is deleted
Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster
Minimize wildcard use in Roles and ClusterRoles
Ensure that the --anonymous-auth argument is set to false
Ensure that the --basic-auth-file argument is not set
Ensure that the --token-auth-file argument is not set
Ensure that the --kubelet-https argument is set to true
Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
Ensure that the --kubelet-certificate-authority argument is set as appropriate
Ensure that the --authorization-mode argument is not set to AlwaysAllow
Ensure that the --authorization-mode argument includes Node
Ensure that the --authorization-mode argument includes RBAC
Ensure that the admission control plugin EventRateLimit is set
Ensure that the admission control plugin AlwaysAdmit is not set
Ensure that the admission control plugin AlwaysPullImages is set
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Ensure that the admission control plugin ServiceAccount is set
Ensure that the admission control plugin NamespaceLifecycle is set
Ensure that the admission control plugin PodSecurityPolicy is set
Ensure that the admission control plugin NodeRestriction is set
Ensure that the --insecure-bind-address argument is not set
Ensure that the --insecure-port argument is set to 0
Ensure that the --secure-port argument is not set to 0
Ensure that the --profiling argument is set to false
Ensure that the --audit-log-path argument is set
Ensure that the --audit-log-maxage argument is set to 30 or as appropriate
Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate
The --audit-log-maxbackup argument controls the maximum number of audit log files to retain. Setting it to an appropriate value, such as 10, ensures older log files are automatically removed, preventing potential disk space issues in the Kubernetes environment.
Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate
Ensure that the --request-timeout argument is set as appropriate
Ensure that the --service-account-lookup argument is set to true
Ensure that the --service-account-key-file argument is set as appropriate
Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
Ensure that the --etcd-cafile argument is set as appropriate
Ensure that encryption providers are appropriately configured
Ensure that the API Server only makes use of Strong Cryptographic Ciphers
Ensure that the --terminated-pod-gc-threshold argument is set as appropriate
Ensure that the --use-service-account-credentials argument is set to true
Ensure that the --service-account-private-key-file argument is set as appropriate
Ensure that the --root-ca-file argument is set as appropriate
Ensure that the RotateKubeletServerCertificate argument is set to true
Ensure that the --bind-address argument is set to 127.0.0.1
Ensure that the --cert-file and --key-file arguments are set as appropriate
Ensure that the --client-cert-auth argument is set to true
Ensure that the --auto-tls argument is not set to true
Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate
Ensure that the --peer-client-cert-auth argument is set to true
Ensure that the --client-ca-file argument is set as appropriate
Ensure that the --read-only-port argument is set to 0
Ensure that the --streaming-connection-idle-timeout argument is not set to 0
Ensure that the --protect-kernel-defaults argument is set to true
Ensure that the --make-iptables-util-chains argument is set to true
Ensure that the --hostname-override argument is not set
Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture
Ensure that the --rotate-certificates argument is not set to false
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742
Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742
Prevent NGINX Ingress annotation snippets which contain alias statements. See CVE-2021-25742
Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations
Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests
Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings
Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles
RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding
Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation
Granting `create` permissions to the `nodes/proxy` or `pods/exec` sub resources could give users or entities too much control over the system. This would make it easier for those with malicious intent to escalate their privileges and compromise the system. By restricting `create` permissions for the `nodes/proxy` or `pods/exec` sub resources, the policy ensures the principle of least privilege is upheld across the Kubernetes environment, thereby enhancing overall security.
No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts
`impersonate` permissions allow an account to act as another user, which can pose serious threats if leveraged by malicious actors. Restricting `impersonate` permissions greatly reduces the potential surface area for attacks.
ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster.
By restricting who can modify `status.loadBalancer.ingress.ip`, the policy reduces the attack surface. Controlling changes to `status.loadBalancer.ingress.ip` helps maintain the expected service state and reduces the possibility of service disruptions, improving the cluster’s reliability and uptime.
No ServiceAccount/Node should be able to read all secrets
Minimize the admission of pods which lack an associated NetworkPolicy
Ensure no hard coded Linode tokens exist in provider
Ensure SSH key set in authorized_keys
Ensure email is set
Ensure username is set
Ensure Inbound Firewall Policy is not set to ACCEPT
Ensure Outbound Firewall Policy is not set to ACCEPT
Ensure every access control groups rule has a description
Ensure no security group rules allow outbound traffic to 0.0.0.0/0
Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22
Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389
Ensure Server instance is encrypted.
Ensure Basic Block storage is encrypted.
Ensure no NACL allows inbound from 0.0.0.0:0 to port 20
Ensure no NACL allows inbound from 0.0.0.0:0 to port 21
Ensure no NACL allows inbound from 0.0.0.0:0 to port 22
Ensure no NACL allows inbound from 0.0.0.0:0 to port 3389
An inbound Network ACL rule should not allow ALL ports.
Ensure LB Listener uses only secure protocols
Ensure NAS is securely encrypted
Ensure Load Balancer Target Group is not using HTTP
Ensure Load Balancer isn't exposed to the internet
Ensure that Auto Scaling groups that are associated with a load balancer are using Load Balancing health checks.
Ensure Naver Kubernetes Service public endpoint disabled
Ensure Routing Table associated with Web tier subnet has the default route (0.0.0.0/0) defined to allow connectivity
Ensure NKS control plane logging enabled for all log types
Ensure Server instance does not have public IP.
Ensure Load Balancer Listener Using HTTPS
Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80
Ensure Access Control Group has Access Control Group Rule attached
Ensure no hard coded OCI private key in provider
Ensure OCI Block Storage Block Volume has backup enabled
OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK)
Ensure OCI Compute Instance boot volume has in-transit data encryption enabled
Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled
Ensure OCI Compute Instance has monitoring enabled
Ensure OCI Object Storage bucket can emit object events
Ensure OCI Object Storage has versioning enabled
Ensure OCI Object Storage is encrypted with Customer Managed Key
Ensure OCI Object Storage is not Public
OCI IAM password policy - must contain lower case
OCI IAM password policy - must contain Numeric characters
OCI IAM password policy - must contain Special characters
OCI IAM password policy - must contain Uppercase characters
Ensure OCI File System is Encrypted with a customer Managed Key
Ensure VCN has an inbound security list
Ensure VCN inbound security lists are stateless
OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters
Ensure no security list allows ingress from 0.0.0.0:0 to port 22.
Ensure no security list allows ingress from 0.0.0.0:0 to port 3389.
Ensure security group has stateless ingress security rules
Ensure no security group rules allow ingress from 0.0.0.0/0 to port 22
Ensure administrator users are not associated with API keys
Ensure NSG does not allow all traffic on RDP port (3389)
Ensure Kubernetes engine cluster is configured with NSG(s)
Ensure File Storage File System access is restricted to root users
Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption
Ensure Kubernetes Engine Cluster pod security policy is enforced
Ensure that securityDefinitions is defined and not empty - version 2.0 files
Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files
Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files
Ensure that the global security field has rules defined
Ensure that security operations are not empty.
Ensure that security requirement is defined in securityDefinitions - version 2.0 files
Ensure that the path scheme does not support unencrypted HTTP connection where all transmissions are open to interception - version 2.0 files
Ensure that security is not using 'password' flow in OAuth2 authentication - version 2.0 files
Ensure that security scopes of operations are defined in securityDefinitions - version 2.0 files
Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files
Ensure no security definition is using implicit flow on OAuth2, which is deprecated - version 2.0 files
Ensure security definitions do not use basic auth - version 2.0 files
Ensure that operation objects do not use 'implicit' flow, which is deprecated - version 2.0 files
Ensure that operation objects do not use basic auth - version 2.0 files
Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files
Ensure that operation objects have 'consumes' field defined for PUT, POST and PATCH operations - version 2.0 files
Ensure that global schemes use 'https' protocol instead of 'http' - version 2.0 files
Ensure that global security scope is defined in securityDefinitions - version 2.0 files
Ensure that API keys are not sent over cleartext
Ensure that arrays have a maximum number of items
Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp)
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp)
Ensure that instance does not use basic credentials
Ensure firewall rule set a destination IP
Setting a destination IP reduces the exposure of the firewall rule (`openstack_fw_rule_v1`) to cyberattacks, as unauthorized access to data from unspecified destination IPs is restricted.
Ensure no hard coded PAN-OS credentials exist in provider
Ensure plain-text management HTTP is not enabled for an Interface Management Profile
Ensure plain-text management Telnet is not enabled for an Interface Management Profile
Ensure DSRI is not enabled within security policies
Ensure security rules do not have 'applications' set to 'any'
Ensure security rules do not have 'services' set to 'any'
Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any'
Ensure description is populated within security policies
Ensure a Log Forwarding Profile is selected for each security policy rule
Ensure logging at session end is enabled within security policies
Ensure IPsec profiles do not specify use of insecure encryption algorithms
Ensure IPsec profiles do not specify use of insecure authentication algorithms
Ensure IPsec profiles do not specify use of insecure protocols
Ensure a Zone Protection Profile is defined within Security Zones
Ensure an Include ACL is defined for a Zone when User-ID is enabled
Ensure logging at session start is disabled within security policies except for troubleshooting and long lived GRE tunnels
Ensure security rules do not have 'source_zone' and 'destination_zone' both containing values of 'any'
Artifactory Credentials
AWS Access Key
Azure Storage Account access key
Basic Auth Credentials
Cloudant Credentials
Base64 High Entropy String
IBM Cloud IAM Key
IBM COS HMAC Credentials
JSON Web Token
Mailchimp Access Key
NPM tokens
Private Key
Slack Token
SoftLayer Credentials
Square OAuth Secret
Stripe Access Key
Twilio API Key
Hex High Entropy String
Ensure Terraform module sources use a commit hash
Ensure security group is assigned to database cluster.
Ensure compute instance does not have public IP.
Ensure storage bucket is encrypted.
Ensure compute instance does not have serial console enabled.
Ensure Kubernetes cluster does not have public IP address.
Ensure Kubernetes cluster node group does not have public IP addresses.
Ensure Kubernetes cluster auto-upgrade is enabled.
Ensure Kubernetes node group auto-upgrade is enabled.
Ensure KMS symmetric key is rotated.
Ensure etcd database is encrypted with KMS key.
Ensure security group is assigned to network interface.
Ensure public IP is not assigned to database cluster.
Ensure cloud member does not have elevated access.
Ensure security group is assigned to Kubernetes cluster.
Ensure security group is assigned to Kubernetes node group.
Ensure network policy is assigned to Kubernetes cluster.
Ensure storage bucket does not have public access permissions.
Ensure compute instance group does not have public IP.
Ensure security group does not contain allow-all rules.
Ensure security group rule is not allow-all.
Ensure organization member does not have elevated access.
Ensure compute instance group has security group assigned.
Ensure folder member does not have elevated access.
Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible.