Table of Contents

May 01 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.IAM.09	Ensure that Register with Entra ID is enabled on App Service	Low	Modification	Name	Ensure that Register with Azure Active Directory is enabled on App Service	Ensure that Register with Entra ID is enabled on App Service	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CIS Microsoft Azure Compute Services Benchmark v1.0.0 Azure APRA 234 Azure MLPS 2.0 (Level 3) Azure CRI Profile v1.2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CIS Foundations Benchmark v1.1.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure ITSG-33 Canada Azure CIS Foundations Benchmark v1.3.1
D9.AZU.IAM.03	Ensure that Microsoft Entra authentication is Configured for SQL Servers	Low	Modification	Name	Ensure that Azure Active Directory Admin is Configured for SQL Servers	Ensure that Microsoft Entra authentication is Configured for SQL Servers	Azure LGPD Azure CIS Foundations Benchmark v1.5.0 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure CIS Foundations Benchmark v1.0.0 Azure ENS 2022 Spain Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure CSA CCM v3 Azure ISO 27001:2013 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CIS Foundations Benchmark v1.1.0 Azure NIST SP 800-171 R1 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure New Zealand ISM v3.4 Azure HITRUST CSF v9.5 Azure ITSG-33 Canada
D9.AZU.IAM.48	Ensure That 'Subscription leaving Microsoft Entra ID directory' and 'Subscription entering Microsoft Entra ID directory' Is Set To 'Permit No One'	Low	Modification	Name	Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'	Ensure That 'Subscription leaving Microsoft Entra ID directory' and 'Subscription entering Microsoft Entra ID directory' Is Set To 'Permit No One'	Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.MON.108	Ensure that NAT Gateway is Healthy	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2023.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.NET.119	Ensure that Network Security Group should restrict ArangoDB access (TCP and UDP - port 8529)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.120	Ensure that Network Security Group should restrict Cassandra access (TCP - port 7000)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.122	Ensure that Network Security Group should restrict CouchDB access (TCP - port 5984)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.123	Ensure that Network Security Group should restrict etcd access (TCP - port 2379)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.124	Ensure that Network Security Group should restrict Kibana access (TCP - port 5601)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.125	Ensure that Network Security Group should restrict LDAP access (TCP - port 389)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.126	Ensure that Network Security Group should restrict MaxDB access (TCP - port 7210)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.127	Ensure that Network Security Group should restrict Memcached access (TCP/UDP - port 11211)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.128	Ensure that Network Security Group should restrict Neo4J access (TCP - port 7473)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.129	Ensure that Network Security Group should restrict POP3 access (TCP - port 110)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.130	Ensure that Network Security Group should restrict Redis access (TCP - port 6379)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.131	Ensure that Network Security Group should restrict RethinkDB access (TCP - port 8080)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.132	Ensure that Network Security Group should restrict Riak access (TCP - port 8087)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.133	Ensure that Network Security Group should restrict Solr access (TCP - port 7574)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.134	Ensure that Network Security Group should restrict Elastic Search access (TCP - port 9200 and 9300)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.135	Ensure that Network Security Group should restrict access over ports higher than 1024	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.OPE.82	Ensure NAT Gateway is Configured with Tags	Informational	New				Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure Secure Controls Framework (SCF) v2023.1 Azure NIST CSF v1.1
D9.AZU.IAM.73	Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'	High	Modification	Name	Ensure Anonymous Access is Not Turned On for Blob Containers in Microsoft Azure Storage Accounts	Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'	Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure SOX (Section 404) Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure HIPAA
D9.AWS.IAM.46	Ensure that Lambda Function execution role policy doesn't have an overly permissive scope (Contains a wildcard)	High	Removal				AWS LGPD AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS ISO 27001:2013 AWS NIST CSF v1.1 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10

April 24 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.GCP.DR.01	Ensure That Cloud SQL Database Instances Are Configured With Automated Backups	Low	Modification	Logic	CloudSql should have settings.backupConfiguration.enabled=true	CloudSql where instanceType!="READ_REPLICA_INSTANCE" should have settings.backupConfiguration.enabled=true	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP PCI DSS v4 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP ENS 2022 Spain GCP RMiT Malaysia GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP New Zealand ISM v3.6 GCP CIS Foundations Benchmark v3.0.0 GCP NIST CSF v1.1 GCP HIPAA GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.AZU.NET.VirtualMachine.TCPdb	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-TCP Ports	High	Modification	Name Logic	Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-TCP ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_TCP_Ports) ] ] ]	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-TCP Ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_TCP_Ports) ] ] ]	Azure LGPD Azure Security Risk Management Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure ACSC ISM Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CSA CCM v3 Azure ISO 27001:2013 Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AZU.NET.VirtualMachine.UDPdb	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-UDP Ports	High	Modification	Name Logic	Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-UDP ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_UDP_Ports) ] ] ]	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-UDP Ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_UDP_Ports) ] ] ]	Azure LGPD Azure Security Risk Management Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure ACSC ISM Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CSA CCM v3 Azure ISO 27001:2013 Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AZU.NET.VirtualMachine.TCP	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known TCP Ports	High	Modification	Name Logic Severity	Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known TCP ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_TCP_Ports) ] ] ] Medium	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known TCP Ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_TCP_Ports) ] ] ] High	Azure LGPD Azure Security Risk Management Azure CIS Foundations Benchmark v1.5.0 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure CSA CCM v3 Azure ISO 27001:2013 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AZU.NET.VirtualMachine.UDP	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known UDP Ports	High	Modification	Name Logic Severity	Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known UDP ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_UDP_Ports) ] ] ] Medium	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known UDP Ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_UDP_Ports) ] ] ] High	Azure LGPD Azure Security Risk Management Azure CIS Foundations Benchmark v1.5.0 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure CSA CCM v3 Azure ISO 27001:2013 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AWS.LOG.04	Ensure that AWS Config is Enabled in All Regions	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.LOG.39	Ensure that DNS query logging is enabled for your Amazon Route 53 hosted zones	High	Modification	Logic	Route53HostedZone should have queryLoggingConfigs	Route53HostedZone where metadata.type like 'public' should have queryLoggingConfigs	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1
D9.AWS.IAM.186	Ensure that Data Lake's 'allowFullTableExternalDataAccess' setting is disabled	High	Removal				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1

...

Versions Compared

Old Version 239

New Version 240

Key

May 01 2024

April 24 2024

Page Comparison

Versions Compared

Old Version 239

New Version 240

Key

May 01 2024

April 24 2024