1 November 27 2024
2 November 20 2024
3 November 13 2024
4 November 06 2024
5 October 30 2024
6 October 23 2024
7 October 16 2024
8 October 09 2024
9 October 01 2024
10 September 25 2024
11 September 18 2024
12 September 11 2024
13 September 04 2024
14 August 28 2024
15 August 21 2024
16 August 14 2024
17 August 07 2024
18 July 31 2024
19 July 24 2024
20 July 17 2024
21 July 10 2024
22 July 03 2024
23 June 26 2024
24 June 19 2024
25 June 13 2024
26 June 12 2024
27 June 05 2024
28 May 29 2024
29 May 22 2024
30 May 15 2024
31 May 08 2024
32 May 01 2024
33 April 24 2024
34 April 17 2024
35 April 10 2024
36 April 04 2024
37 April 03 2024
38 March 27 2024
39 March 20 2024
40 March 13 2024
41 March 06 2024
42 February 28 2024
43 February 21 2024
44 February 14 2024
45 February 07 2024
46 January 31 2024
47 January 24 2024
48 January 17 2024
49 January 10 2024
50 January 03 2024

November 27 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Affected Rulesets
D9.AWS.IAM.30	Ensure that policies attached to Amazon Bedrock service roles are configured to prevent cross-service impersonation	High	New	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS ASD Essential Eight AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.IAM.29	Ensure that policies attached to Amazon Bedrock service roles adhere to the Principle of Least Privilege	High	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.CRY.08	Ensure Azure Data Factory is using a customer-managed key for encryption at rest	High	New	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.CAM.139	Machine Learning Workspace Private Link endpoints should exist and be approved	Medium	New	Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure ACSC ISM Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure AI Best Practice Ruleset
D9.AZU.CAM.141	Machine Learning Workspace should have a private endpoint	Medium	New	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure AI Best Practice Ruleset
D9.AZU.CAM.137	Machine Learning workspace High Business Impact should be enabled	Medium	New	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure HIPAA Azure AI Best Practice Ruleset
D9.AZU.CAM.138	Ensure Databricks Workspace Private Link endpoints should exist and be approved	High	New	Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure ACSC ISM Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure AI Best Practice Ruleset
D9.AZU.CAM.140	Ensure Databricks Workspace should be in a virtual network	Medium	New	Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure ACSC ISM Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure AI Best Practice Ruleset
D9.AZU.CAM.142	Ensure the Databricks Workspace denies public IPs for Databricks clusters	High	New	Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure ACSC ISM Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure AI Best Practice Ruleset
D9.AZU.IAM.05	Machine Learning Workspace should use user-assigned managed identity	Low	New	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure AI Best Practice Ruleset
D9.AZU.IAM.06	Ensure Azure Data Factory should use Managed Identity for authentication	High	New	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.32	Ensure a private endpoint that connects to Azure AI Search Services is configured with a private DNS zone	High	New	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure AI Best Practice Ruleset
D9.AZU.NET.34	Ensure that Azure AI Search services with public network access enabled have firewall rules configured	Medium	New	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.ALI.NET.08	Ensure NAT Gateway Security Protection is Enabled	Medium	New	CloudGuard Alibaba All Rules Ruleset

November 20 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.26	Ensure that agent session data is encrypted with Amazon KMS Customer Managed Keys (CMKs)	Medium	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.IAM.22	Ensure that SageMaker notebook instances are referencing active execution roles	Medium	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS ASD Essential Eight AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.IAM.26	Ensure that Amazon Bedrock agents are referencing active service roles	Medium	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS ASD Essential Eight AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.IAM.28	Ensure that permissions boundaries are set for IAM identities used by Amazon Bedrock	Medium	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ENS 2022 Spain AWS ASD Essential Eight AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AAA.161	Ensure that model invocation logging is enabled in the Amazon Bedrock account level settings	Medium	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS Secure Controls Framework (SCF) v2024.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.IAM.21	Ensure that root access is disabled for Amazon SageMaker notebook instances	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.07	Ensure that network isolation is enabled for your SageMaker training jobs to prevent unauthorized access.	Medium	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.19	Ensure that SageMaker notebook instances deployed into a VPC can access required resources	Medium	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.AAA.121	Enable network logging for Azure Databricks	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ASD Essential Eight Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.CRY.05	Ensure customer-managed key is used for Azure Databricks	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.CRY.07	Use secure key management process for Azure Databricks	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.CAM.118	Establish network segment boundaries in Azure Databricks	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.GCP.AAA.56	Ensure continuous monitoring of Blockchain Node Engine node state	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.12	Ensure KMS key utilization for enhanced encryption in Dataform	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.14	Ensures that media is encrypted using MACsec protocol	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.NET.05	Ensure 'macsec.failOpen' option is not set	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.NET.11	Ensure Private Service Connect is enabled for the Blockchain Node Engine node	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.OPE.09	Ensure Interconnect is active and can carry traffic	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP FedRAMP R5 (moderate) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2
D9.GCP.OPE.11	Ensure 'nocContactEmail' is not empty	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.ALI.IAM.19	Enforce Custom RAM Role for ROS Stack	Low	Modification	Name Logic Severity	Ensure access keys are rotated every 90 days or less RamUser where (firstAccessKey.status='Active' or secondAccessKey.status='Active') should not have (firstAccessKey.createDate before(-90, 'days') or secondAccessKey.createDate before(-90, 'days')) High	Enforce Custom RAM Role for ROS Stack ROSStack should have ramRoleName Low	Alibaba CIS Foundations Benchmark v1.0.0 CloudGuard Alibaba All Rules Ruleset Alibaba ISO 27001:2022 Alibaba NIST SP 800-53 R5 Alibaba PCI DSS v4 Alibaba SOC 2 (AICPA TSC 2017 Controls) Alibaba DORA Alibaba NIST CSF v2.0 Alibaba ACSC ISM Alibaba NIST SP 800-172 Alibaba Secure Controls Framework (SCF) v2024.1 Alibaba SOX (Section 404) Alibaba FedRAMP R5 (moderate) Alibaba CMMC 2.0 v1.02 Alibaba NY DFS 23 CRR 500 Alibaba NIST SP 800-82 R3 (high) Alibaba UK Cyber Essentials Alibaba Security for Industrial Automation and Control Systems, Part 4-2 Alibaba NIST SP 800-171A R3 Alibaba NIST SP 800-161 Alibaba Shared Assessments SIG Questionnaire Alibaba TISAX ISA Alibaba NIST SP 800-171 R3
D9.AWS.CRY.25	Ensure that inter-container traffic encryption is enabled for your SageMaker training jobs	Medium	New				CloudGuard AWS All Rules Ruleset
D9.ALI.AAA.12	Enable logging for Simple Message Queue (SMQ) queues	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.AAA.13	Enable logging for Simple Message Queue (SMQ) topics	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.AAA.14	Ensure logging is enabled for domain activity with Cloud DNS	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.14	Ensure that PolarDB cluster requires all incoming connections to use SSL	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.15	Ensure that all PolarDB cluster have SSL auto-rotation enabled	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.16	Ensure that all PolarDB cluster endpoints use private network types	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.23	Ensure that PolarDB cluster SSL certificate has at least one month before expiration	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.IAM.22	Validate Custom Execution Role for ROS Stack Group	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.IAM.23	Validate Custom Administration Role for ROS Stack Group	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.OPE.04	Ensure all ROS Stack Status is Successful	Low	New				CloudGuard Alibaba All Rules Ruleset

November 13 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.168	Ensure Amazon Storage Gateway file share uses AWS KMS Keys that are customer managed for encryption	High	Modification	Logic	StorageGateway should have fileShares.nfsFileShares contain [ kmsEncrypted = true]	StorageGateway should have (fileShares.nfsFileShares contain [ kmsEncrypted = true] or fileShares.smbFileShares contain [ kmsEncrypted = true])	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SOC 2 (AICPA TSC 2017 Controls) AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.OCI.CAM.27	Ensure default tags are used on resources	Low	Modification	Logic	TagDefault should have lifecycleState='ACTIVE' and value='${iam.principal.name}'	TagDefault where compartmentId regexMatch /tenancy/i should have lifecycleState = 'ACTIVE' and value = '${iam.principal.name}' and tagDefinitionName = 'CreatedBy'	OCI CIS Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations Benchmark v2.0.0 OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI FedRAMP R5 (low) OCI MPA Content Security Program OCI DORA OCI ENISA Technical Guideline on Security Measures OCI IEC/ISO 27701:2019 OCI NIST CSF v2.0 OCI ACSC ISM OCI FFIEC Cybersecurity Assessment Tool (CAT) OCI ISO 27002:2022 OCI NIST SP 800-172 OCI Secure Controls Framework (SCF) v2024.1 OCI SOX (Section 404) OCI FedRAMP R5 (moderate) OCI ISO 27017:2015 OCI NIST SP 800-171 R2 OCI New Zealand ISM v3.6 OCI CMMC 2.0 v1.02 OCI NY DFS 23 CRR 500 OCI NIST SP 800-82 R3 (high) OCI Security for Industrial Automation and Control Systems, Part 4-2 OCI NIST SP 800-171A R3 OCI NIST AI RMF OCI NIST Privacy Framework OCI SCF-Z Zero Trust Architecture (ZTA) OCI NIST SP 800-37 OCI COBIT 2019 OCI NIST SP 800-161 OCI NIST SP 800-207 OCI Shared Assessments SIG Questionnaire OCI TISAX ISA OCI NIST SP 800-171 R3
D9.AZU.PMT.14	Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'	Low	Modification	Logic	PolicyAssignment where id like '%SecurityCenterBuiltIn' should have properties.parametersCollection with [ key='systemUpdatesMonitoringEffect' and value contain-any ['AuditIfNotExists']]	PolicyAssignment where id like '%SecurityCenterBuiltIn' should have properties.parametersCollection with [(key='systemUpdatesMonitoringEffect' and value contain-any ['AuditIfNotExists']) or (key='systemUpdatesV2MonitoringEffect' and value contain-any ['AuditIfNotExists'])]	CloudGuard Azure All Rules Ruleset Azure CIS Foundations Benchmark v2.1.0 Azure Shared Assessments SIG Questionnaire Azure CIS Foundations v. 3.0.0
D9.ALI.CAM.17	Ensure that CDN domain SSL certificate status is valid	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.18	Ensure that CDN domain has a valid CNAME record status	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.19	Ensure that CDN domain SSL certificate has sufficient validity period	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.20	Ensure that CDN domain has HTTPS enabled	Medium	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.21	Ensure that CDN domain has SSL certificate enabled	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.22	Ensure that Cloud CDN Domain is free from configuration or check failures	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.11	Ensure that SSL is Enabled for ApsaraDB Redis Instance	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.13	Ensure that Encryption Key is Configured for ApsaraDB Redis Instance	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.14	Ensure KMS ID is specified for encrypted disks on AnalyticDB for MySQL	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.15	Ensure SSL is enabled when using AnalyticDB for MySQL with Data Warehouse Edition	High	New				CloudGuard Alibaba All Rules Ruleset

November 06 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CAM.257	S3 Bucket should not have CDK generated default name	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CRY.31	Ensure ElastiCache clusters have encryption for data at rest enabled	High	Modification	Name Logic	Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled ElastiCache where engine='redis' should have atRestEncryptionEnabled=true	Ensure ElastiCache clusters have encryption for data at rest enabled ElastiCache should have atRestEncryptionEnabled=true	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CIS Critical Security Controls v8 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS CMMC 2.0 v1.02 AWS CRI Profile v1.2 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS CloudGuard CheckUp AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS Dashboard System Ruleset AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.32	Ensure ElastiCache clusters have in-transit encryption enabled	High	Modification	Name Logic	Ensure AWS ElastiCache Redis clusters have in-transit encryption enabled ElastiCache where engine='redis' should have transitEncryptionEnabled=true	Ensure ElastiCache clusters have in-transit encryption enabled ElastiCache should have transitEncryptionEnabled=true	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CIS Critical Security Controls v8 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS CRI Profile v1.2 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS RMiT Malaysia AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS Generally Accepted Privacy Principles (GAPP) AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-161 AWS NIST SP 800-207 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.52	Ensure that AWS SQS is encrypted using customer-managed instead of AWS-owned KMS Key	Low	Modification	Name	Ensure that AWS SQS is encrypted using 'KMS Key' instead of AWS-owned 'AWS KMS Key'	Ensure that AWS SQS is encrypted using customer-managed instead of AWS-owned KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.94	Ensure OpenSearch domains are encrypted using customer managed KMS keys	High	Modification	Name Severity	Ensure that your OpenSearch domains are encrypted using KMS KMS Keys Low	Ensure OpenSearch domains are encrypted using customer managed KMS keys High	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.113	Ensure AWS Code Artifact Domain is using encryption with customer managed KMS Key	High	Modification	Name	Ensure AWS Code Artifact Domain is using encryption with KMS Key	Ensure AWS Code Artifact Domain is using encryption with customer managed KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.117	Ensure HealthLake Datastore has data-at-rest encryption using customer managed KMS Keys	High	Modification	Name	Ensure HealthLake Datastore has data-at-rest encryption using KMS Keys	Ensure HealthLake Datastore has data-at-rest encryption using customer managed KMS Keys	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3
D9.AWS.CRY.138	Ensure AppFabric App Bundle is encrypted using customer managed KMS Key	High	Modification	Name Severity	Ensure that AppFabric App Bundle is encrypted using KMS Key Low	Ensure AppFabric App Bundle is encrypted using customer managed KMS Key High	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.142	Ensure that Comprehend Flywheel's model is encrypted with KMS Key	High	Modification	Severity	Low	High	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.143	Ensure that Comprehend Flywheel's volume is encrypted with KMS Key	High	Modification	Severity	Low	High	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AZU.CAM.88	Ensure that 'Public access level' is Disabled for Blob Containers	Critical	Modification	Severity	High	Critical	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset CloudGuard Azure Default Ruleset Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure MPA Content Security Program Azure DORA Azure IEC/ISO 27701:2019 Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure China Cybersecurity Law Azure Spanish Royal Decree 311/2022 Azure Security for Industrial Automation and Control Systems, Part 4-2 Azure ISO/SAE 21434:2021 Azure ISO/IEC 42001:2023 Azure NIST Privacy Framework Azure SCF-Z Zero Trust Architecture (ZTA) Azure COBIT 2019 Azure NIST SP 800-160 Vol. 1 Azure NIST SP 800-161 Azure NIST SP 800-207 Azure Shared Assessments SIG Questionnaire Azure TISAX ISA Azure NIST SP 800-171 R3 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AWS.BDR.05	Ensure ElastiCache clusters have the Multi-AZ feature enabled	High	Modification	Name Logic Severity	Ensure Amazon ElastiCache Redis clusters have the Multi-AZ feature enabled ElastiCache where engine='redis' should have replicationGroup.multiAZ.value='enabled' Low	Ensure ElastiCache clusters have the Multi-AZ feature enabled ElastiCache should have replicationGroup.multiAZ.value='enabled' High	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS MLPS 2.0 (Level 3) AWS FedRAMP R5 (moderate) AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS FedRAMP R5 (low) AWS DORA AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS SOC 2 (AICPA TSC 2017 Controls) AWS Shared Assessments SIG Questionnaire
D9.AZU.CAM.89	Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers	Critical	Modification	Severity	High	Critical	Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.AAA.119	Ensure continuous monitoring of Resource Mover Move Resource state	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.NET.36	Ensure continuous monitoring of Network Function Manager state	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.08	Ensure continuous monitoring of Traffic Manager Profile state	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.33	Ensure public network access is disabled for Databricks Workspace	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.AAA.62	Ensure continuous monitoring of Vertex AI Search Retail Catalog state	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.AAA.60	Ensure continuous monitoring of Data Protection DLP Job state	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.17	Ensure continuous monitoring of Vertex AI Agent Builder DS encryption state	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.AZU.IAM.73	Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'	Critical	Modification	Severity	High	Critical	Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure EU GDPR Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure ENISA Technical Guideline on Security Measures Azure Generally Accepted Privacy Principles (GAPP) Azure GLBA Azure IEC TR 60601-4-5 Azure IEC/ISO 27701:2019 Azure NAIC Insurance Data Security Model Law Azure NIST CSF v2.0 Azure NIS 2 Directive Azure NIST SP 800-82 R3 (high) Azure UK Cyber Essentials Azure China Cybersecurity Law Azure Spanish Royal Decree 311/2022 Azure Security for Industrial Automation and Control Systems, Part 4-2 Azure NIST Privacy Framework Azure SCF-Z Zero Trust Architecture (ZTA) Azure COBIT 2019 Azure NIST SP 800-161 Azure NIST SP 800-207 Azure HIPAA Azure OWASP Top 10 - 2021 Azure Shared Assessments SIG Questionnaire Azure TISAX ISA Azure CIS Foundations v. 3.0.0 Azure NIST SP 800-171 R3
D9.AWS.OPE.10	Ensure AWS Mainframe Modernization Environment Status is Healthy	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.11	Ensure AWS Mainframe Modernization App Version Statuses are Healthy	High	New				CloudGuard AWS All Rules Ruleset
D9.AZU.AAA.120	Ensure Azure Health Data Workspace Statuses are Healthy	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.18	Ensure Azure Health Data Workspace Private Endpoint Connection Statuses are Healthy	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.10	Ensure Azure Health Data Service does not have public network access	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.09	Ensure Azure Web PubSub does not have public network access	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.14	Ensure Azure Health Data Service Statuses are Healthy	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.21	Ensure Azure Health Data Workspace Discom Service does not have public network access	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.04	Ensure Azure Web PubSub Statuses are Healthy	Low	New				CloudGuard Azure All Rules Ruleset
D9.TF.AWS.CRY.51	Ensure that AWS SNS topic is encrypted using Customer-managed KMS Key instead of AWS-owned KMS Key	Low	Modification	Name	Ensure that AWS SNS topic is encrypted using KMS Key instead of AWS-owned AWS KMS Key	Ensure that AWS SNS topic is encrypted using Customer-managed KMS Key instead of AWS-owned KMS Key	Terraform CIS AWS Foundations Benchmarks
D9.TF.AWS.CRY.52	Ensure that AWS SQS is encrypted using Customer-managed KMS Key instead of AWS-owned key	Low	Modification	Name	Ensure that AWS SQS is encrypted using KMS Key instead of AWS-owned key	Ensure that AWS SQS is encrypted using Customer-managed KMS Key instead of AWS-owned key	Terraform CIS AWS Foundations Benchmarks
D9.AZU.VTM.15	Ensure that Microsoft Defender for Container Registries is set to 'On'	High	Removal				Azure CIS Foundations Benchmark v1.4.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CRI Profile v1.2 Azure FedRAMP R5 (moderate) Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure NIST CSF v1.1 Azure OWASP Top 10 - 2021 Azure Shared Assessments SIG Questionnaire Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1

October 30 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.AAA.160	Ensure continuous monitoring of Direct Connect Connection state	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.OPE.05	Ensure continuous monitoring of Fault Injection Simulator Experiment state	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.CAM.88	Ensure that 'Public access level' is Disabled for Blob Containers	High	Modification	Logic Severity	StorageBlobContainer should not have publicAccess in ('Blob', 'Container') Medium	StorageBlobContainer where id split('/') getValue(8) in (getResources('StorageAccount') with [ allowBlobPublicAccess=true ] getValues('name') ) should not have publicAccess in ('Blob', 'Container') High	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset CloudGuard Azure Default Ruleset Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure MPA Content Security Program Azure DORA Azure IEC/ISO 27701:2019 Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure China Cybersecurity Law Azure Spanish Royal Decree 311/2022 Azure Security for Industrial Automation and Control Systems, Part 4-2 Azure ISO/SAE 21434:2021 Azure ISO/IEC 42001:2023 Azure NIST Privacy Framework Azure SCF-Z Zero Trust Architecture (ZTA) Azure COBIT 2019 Azure NIST SP 800-160 Vol. 1 Azure NIST SP 800-161 Azure NIST SP 800-207 Azure Shared Assessments SIG Questionnaire Azure TISAX ISA Azure NIST SP 800-171 R3 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AWS.NET.06	Ensure that AWS Direct Connect Connection has encryption enabled	High	New				AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS Secure Controls Framework (SCF) v2024.1
D9.AWS.OPE.08	Ensure continuous monitoring of Direct Connect Virtual Interface state	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AZU.AAA.123	Ensure continuous monitoring of Managed Grafana state	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.AAA.122	Ensure continuous monitoring of HDS Deid Service state	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.AAA.118	Ensure continuous monitoring of Managed Applications Application state	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.NET.25	Ensure public network access is disabled for Managed Grafana	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.06	Disable public network access for HDS Deid Service	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.OPE.03	Ensure 'skipVerify' is disabled for SMTP in Managed Grafana	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.GCP.AAA.55	Ensure continuous monitoring of Firebase Hosting Site state	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.OPE.14	Ensure continuous monitoring of Migrate to Virtual Machines Source state	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR

October 23 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.PMT.06	Ensure that 'Java version' is the latest, if used to run the Linux Web App (Linux)	Low	Modification	Logic	WebApp where config.linuxFxVersion regexMatch /JAVA/ should have config.linuxFxVersion regexMatch /[1-2][1-9]/	WebApp where config.linuxFxVersion regexMatch /JAVA/ should have config.linuxFxVersion in ($Java_Supported_Versions)	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ASD Essential Eight Azure ACSC ISM Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure DORA Azure NIST CSF v2.0 Azure Security for Industrial Automation and Control Systems, Part 4-2 Azure Shared Assessments SIG Questionnaire Azure CloudGuard Best Practices Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AZU.PMT.07	Ensure that 'PHP version' is the latest, if used to run a Linux Web App (Linux)	Low	Modification	Logic	WebApp where config.linuxFxVersion regexMatch /PHP/ should have config.linuxFxVersion regexMatch /(8\x2e[2-9]\|9\x2e[0-9])/	WebApp where config.linuxFxVersion regexMatch /PHP/ should have config.linuxFxVersion in ($PHP_Supported_Versions)	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset CIS Microsoft Azure Compute Services Benchmark v1.0.0 Azure APRA 234 Azure ISO 27001:2022 Azure ASD Essential Eight Azure ACSC ISM Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure DORA Azure NIST CSF v2.0 Azure Security for Industrial Automation and Control Systems, Part 4-2 Azure Shared Assessments SIG Questionnaire Azure CloudGuard Best Practices Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AZU.PMT.08	Ensure that 'Python version' is the latest stable version, if used to run a Linux Web App (Linux)	Low	Modification	Logic	WebApp where config.linuxFxVersion regexMatch /PYTHON/ should have config.linuxFxVersion regexMatch /(3\x2e([8-9]\|1[0-9]))/	WebApp where config.linuxFxVersion regexMatch /PYTHON/ should have config.linuxFxVersion in ($Python_Supported_Versions)	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset CIS Microsoft Azure Compute Services Benchmark v1.0.0 Azure APRA 234 Azure ISO 27001:2022 Azure MLPS 2.0 (Level 3) Azure ASD Essential Eight Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure CIS Foundations Benchmark v2.1.0 Azure DORA Azure NIST CSF v2.0 Azure Security for Industrial Automation and Control Systems, Part 4-2 Azure Shared Assessments SIG Questionnaire Azure CloudGuard Best Practices Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AZU.PMT.09	Ensure that 'Java version' is the latest, if used to run the Web App (Windows)	Low	Modification	Logic	WebApp where not config.javaVersion isEmpty() should have config.javaVersion>=11	WebApp where not config.javaVersion isEmpty() should have config.javaVersion in ($Java_Supported_Versions)	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset CIS Microsoft Azure Compute Services Benchmark v1.0.0 Azure APRA 234 Azure ISO 27001:2022 Azure MLPS 2.0 (Level 3) Azure ASD Essential Eight Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure CIS Foundations Benchmark v2.1.0 Azure DORA Azure NIST CSF v2.0 Azure Security for Industrial Automation and Control Systems, Part 4-2 Azure Shared Assessments SIG Questionnaire Azure CloudGuard Best Practices Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AWS.OPE.18	Ensure continuous monitoring of CodeDeploy Deploy state	Low	New				AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AZU.CAM.136	Ensure Azure Batch Account pools are deployed in a specific subnet	High	New				Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure ACSC ISM Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1
D9.AZU.CAM.38	Ensure there is more than one owner assigned to your Microsoft Azure subscription	High	Modification	Logic	List<RoleAssignment> where items with [getResources('RoleDefinition', properties.roleDefinitionId, 'id' ) getValues('properties.roleName') contain [ 'Owner' ]] should have length() >=2	List<User> should have items with [ assignmentRoles with [ roleName like 'Owner' ] ] length() >= 2	Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure EU GDPR Azure DORA Azure ENISA Technical Guideline on Security Measures Azure NAIC Insurance Data Security Model Law Azure NIST CSF v2.0 Azure NIS 2 Directive Azure Spanish Royal Decree 311/2022 Azure NIST AI RMF Azure NIST Privacy Framework Azure SCF-Z Zero Trust Architecture (ZTA) Azure NIST SP 800-37 Azure SOC 2 (AICPA TSC 2017 Controls) Azure COBIT 2019 Azure NIST SP 800-161 Azure NIST SP 800-207 Azure Shared Assessments SIG Questionnaire Azure TISAX ISA Azure NIST SP 800-171 R3
D9.OCI.NET.03	Ensure the default security list of every VCN restricts all traffic except ICMP	High	Modification	Logic	SecurityList where name regexMatch /Default.*vcn/i should have ingressSecurityRules contain-none [ tcpOptions or udpOptions or protocol !='1' or icmpOptions isEmpty() ]	SecurityList where compartmentId != getResource('Compartment', 'ManagedCompartmentForPaaS', 'name').id and name regexMatch /Default.*vcn/i should have ingressSecurityRules contain-none [ tcpOptions or udpOptions or protocol !='1' or icmpOptions isEmpty() ]	OCI CIS Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations Benchmark v2.0.0 OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI MPA Content Security Program OCI DORA OCI IEC/ISO 27701:2019 OCI NIST CSF v2.0 OCI ISO 27002:2022 OCI Secure Controls Framework (SCF) v2024.1 OCI SOX (Section 404) OCI FedRAMP R5 (moderate) OCI ISO 27017:2015 OCI NIST SP 800-171 R2 OCI SWIFT Customer Security Programme CSCF OCI New Zealand ISM v3.6 OCI CMMC 2.0 v1.02 OCI NY DFS 23 CRR 500 OCI NIST SP 800-82 R3 (high) OCI UK Cyber Essentials OCI Spanish Royal Decree 311/2022 OCI NIST Privacy Framework OCI SCF-Z Zero Trust Architecture (ZTA) OCI COBIT 2019 OCI NIST SP 800-161 OCI NIST SP 800-207 OCI Shared Assessments SIG Questionnaire OCI TISAX ISA OCI NIST SP 800-171 R3
D9.AZU.PMT.03	Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database	High	Modification	Logic	PostgreSQL should have version='11'	PostgreSQL should have version in ($SQL_POSTGRES_Supported_Versions)	CloudGuard Azure All Rules Ruleset Azure ASD Essential Eight Azure ACSC ISM Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure DORA Azure NIST CSF v2.0 Azure Security for Industrial Automation and Control Systems, Part 4-2 Azure Shared Assessments SIG Questionnaire
D9.GCP.PMT.04	Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database	Low	Modification	Logic	CloudSql where databaseVersion regexMatch /POSTGRES.*/ should have databaseVersion regexMatch /POSTGRES_(1[5-9]\|[2-9]\d+\|\d{3,})/	CloudSql where databaseVersion regexMatch /POSTGRES.*/ should have databaseVersion in ($SQL_POSTGRES_Supported_Versions)	CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP APRA 234 GCP ACSC ISM GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP DORA GCP NIST CSF v2.0 GCP Security for Industrial Automation and Control Systems, Part 4-2 GCP Shared Assessments SIG Questionnaire

October 16 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.AAA.44	Ensure KMS Key configuration changes are being monitored using CloudWatch alarms	Medium	Modification	Name	Ensure AWS CMK configuration changes are being monitored using CloudWatch alarms	Ensure KMS Key configuration changes are being monitored using CloudWatch alarms	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ENS 2022 Spain AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS SCF-Z Zero Trust Architecture (ZTA) AWS COBIT 2019 AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.AAA.74	Ensure disabling or scheduled deletion of KMS Keys is monitored	Low	Modification	Name	Ensure disabling or scheduled deletion of customer created CMKs is monitored	Ensure disabling or scheduled deletion of KMS Keys is monitored	AWS HIPAA AWS LGPD AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS CIS Foundations Benchmark v1.1.0 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS ENS 2022 Spain AWS MLPS 2.0 (Level 3) AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS FedRAMP R5 (low) AWS DORA AWS ENISA Technical Guideline on Security Measures AWS CIS Foundations Benchmark v1.0.0 AWS ISO 27001:2013 AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Spanish Royal Decree 311/2022 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS ISO/SAE 21434:2021 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-37 AWS COBIT 2019 AWS NIST SP 800-161 AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS CIS Foundations Benchmark v1.2.0 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.03	Ensure that S3 Buckets are encrypted with KMS Key	Medium	Modification	Name	Ensure that S3 Buckets are encrypted with CMK	Ensure that S3 Buckets are encrypted with KMS Key	AWS HIPAA CloudGuard AWS Dashboards AWS LGPD AWS CloudGuard S3 Bucket Security AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS APRA 234 AWS MLPS 2.0 (Level 3) AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS ISO 27001:2013 AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS Dashboard System Ruleset AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.15	Use KMS Keys for Redshift clusters	High	Modification	Name	Use KMS CMK customer-managed keys for Redshift clusters	Use KMS Keys for Redshift clusters	AWS HIPAA AWS Security Risk Management AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS ISO 27001:2013 AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS CloudGuard CheckUp AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.21	AWS Kinesis streams are encrypted with KMS Key	Low	Modification	Name	AWS Kinesis streams are encrypted with customer managed CMK	AWS Kinesis streams are encrypted with KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS ISO 27001:2013 AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS CloudGuard CheckUp AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.23	Ensure that your Amazon EFS file systems are encrypted using KMS Keys	Low	Modification	Name	Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys	Ensure that your Amazon EFS file systems are encrypted using KMS Keys	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CIS Critical Security Controls v8 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS CRI Profile v1.2 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS ISO 27001:2013 AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.30	Ensure AWS DynamoDB is encrypted using KMS Key that is customer-managed	Low	Modification	Name	Ensure that AWS DynamoDB is encrypted using customer-managed CMK	Ensure AWS DynamoDB is encrypted using KMS Key that is customer-managed	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS CloudGuard CheckUp AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.36	Ensure SageMaker notebook instance storage volumes are encrypted with KMS Keys that are customer-managed	High	Modification	Name	Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs)	Ensure SageMaker notebook instance storage volumes are encrypted with KMS Keys that are customer-managed	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.50	Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS Key	High	Modification	Name	Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs	Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CIS Critical Security Controls v8 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS CRI Profile v1.2 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.51	Ensure that AWS SNS topic is encrypted using 'Customer managed' KMS key instead of 'AWS owned' keys or 'AWS managed' keys	Low	Modification	Name	Ensure that AWS SNS topic is encrypted using Customer Managed Keys instead of AWS-owned CMKs	Ensure that AWS SNS topic is encrypted using 'Customer managed' KMS key instead of 'AWS owned' keys or 'AWS managed' keys	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.52	Ensure that AWS SQS is encrypted using 'KMS Key' instead of AWS-owned 'AWS KMS Key'	Low	Modification	Name	Ensure that AWS SQS is encrypted using Customer Managed keys instead of AWS-owned CMKs	Ensure that AWS SQS is encrypted using 'KMS Key' instead of AWS-owned 'AWS KMS Key'	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.68	Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses KMS Key	Low	Modification	Name	Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses Customer Master Keys (CMK)	Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses KMS Key	AWS HIPAA AWS Security Risk Management AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS CloudGuard Best Practices
D9.AWS.CRY.75	Ensure AWS MemoryDB for Redis clusters have at-rest encryption with KMS Key	High	Modification	Name	Ensure AWS MemoryDB for Redis clusters have Customer Managed CMK at-rest encryption	Ensure AWS MemoryDB for Redis clusters have at-rest encryption with KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.87	Ensure AWS MemoryDB for Redis manual snapshots have encryption using KMS Key	High	Modification	Name	Ensure AWS MemoryDB for Redis manual snapshots have Customer Managed CMK encryption	Ensure AWS MemoryDB for Redis manual snapshots have encryption using KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.90	Ensure that Amazon DocumentDB clusters are encrypted with KMS Keys that are customer-managed	High	Modification	Name	Ensure that Amazon DocumentDB clusters are encrypted with KMS Customer Master Keys (CMKs)	Ensure that Amazon DocumentDB clusters are encrypted with KMS Keys that are customer-managed	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.94	Ensure that your OpenSearch domains are encrypted using KMS KMS Keys	Low	Modification	Name	Ensure that your OpenSearch domains are encrypted using KMS Customer Master Keys	Ensure that your OpenSearch domains are encrypted using KMS KMS Keys	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.103	Ensure that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using customer managed KMS Keys	High	Modification	Name	Ensure that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using Customer-managed Customer Master Keys	Ensure that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using customer managed KMS Keys	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.105	Ensure EBS volumes are encrypted with KMS Key to have full control over encrypting and decrypting data	Low	Modification	Name	Ensure EBS volumes are encrypted with CMKs to have full control over encrypting and decrypting data	Ensure EBS volumes are encrypted with KMS Key to have full control over encrypting and decrypting data	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3
D9.AWS.CRY.109	Ensure AWS FSx for Windows File Server file systems data is encrypted using KMS Keys	High	Modification	Name	Ensure AWS FSx for Windows File Server file systems data is encrypted using AWS KMS CMKs	Ensure AWS FSx for Windows File Server file systems data is encrypted using KMS Keys	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.111	Ensure rotation is enabled in KMS for customer managed keys	High	Modification	Name	Ensure rotation for customer created CMKs is enabled	Ensure rotation is enabled in KMS for customer managed keys	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.113	Ensure AWS Code Artifact Domain is using encryption with KMS Key	High	Modification	Name	Ensure AWS Code Artifact Domain is using Customer managed key (CMK) KMS encryption	Ensure AWS Code Artifact Domain is using encryption with KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.115	Ensure that AWS Neptune instances enforce data-at-rest encryption using KMS Keys	High	Modification	Name	Ensure that AWS Neptune instances enforce data-at-rest encryption using KMS CMKs	Ensure that AWS Neptune instances enforce data-at-rest encryption using KMS Keys	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3
D9.AWS.CRY.117	Ensure HealthLake Datastore has data-at-rest encryption using KMS Keys	High	Modification	Name	Ensure HealthLake Datastore has data-at-rest encryption using KMS CMKs	Ensure HealthLake Datastore has data-at-rest encryption using KMS Keys	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3
D9.AWS.CRY.123	Ensure that Amazon Translate custom terminology is encrypted using KMS Keys	High	Modification	Name	Ensure that Amazon Translate custom terminology is encrypted using KMS CMKs	Ensure that Amazon Translate custom terminology is encrypted using KMS Keys	AWS HIPAA AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.133	Ensure DevOps Guru Service Integration is encrypted with customer managed KMS Key	Low	Modification	Name	Ensure DevOps Guru Service Integration is encrypted with CMK	Ensure DevOps Guru Service Integration is encrypted with customer managed KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.136	Ensure that AppRunner Service is encrypted using KMS Key	Low	Modification	Name	Ensure that AppRunner Service is encrypted using CMK	Ensure that AppRunner Service is encrypted using KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.138	Ensure that AppFabric App Bundle is encrypted using KMS Key	Low	Modification	Name	Ensure that AppFabric App Bundle is encrypted using CMK	Ensure that AppFabric App Bundle is encrypted using KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.139	Ensure that MWAA Environment is encrypted with KMS Key	High	Modification	Name	Ensure that MWAA Environment is encrypted with CMK	Ensure that MWAA Environment is encrypted with KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.141	Ensure that Nimble Studio is encrypted using KMS Key that is customer managed	Low	Modification	Name	Ensure that Nimble Studio is encrypted using CMK	Ensure that Nimble Studio is encrypted using KMS Key that is customer managed	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.142	Ensure that Comprehend Flywheel's model is encrypted with KMS Key	Low	Modification	Name	Ensure that Comprehend Flywheel's model is encrypted with CMK	Ensure that Comprehend Flywheel's model is encrypted with KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.143	Ensure that Comprehend Flywheel's volume is encrypted with KMS Key	Low	Modification	Name	Ensure that Comprehend Flywheel's volume is encrypted with CMK	Ensure that Comprehend Flywheel's volume is encrypted with KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.146	Ensure that FinSpace Environment is encrypted using customer managed KMS Key	Low	Modification	Name	Ensure that FinSpace Environment is encrypted using CMK	Ensure that FinSpace Environment is encrypted using customer managed KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.147	Ensure that Forecast Dataset is encrypted using KMS Key	Low	Modification	Name	Ensure that Forecast Dataset is encrypted using CMK	Ensure that Forecast Dataset is encrypted using KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.148	Ensure that Forecast Predictor is encrypted using KMS Key	Low	Modification	Name	Ensure that Forecast Predictor is encrypted using CMK	Ensure that Forecast Predictor is encrypted using KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.150	Ensure that Bedrock Custom Model is encrypted using KMS Key	Low	Modification	Name	Ensure that Bedrock Custom Model is encrypted using CMK	Ensure that Bedrock Custom Model is encrypted using KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.165	Ensure CodeCommit repositories are encrypted with KMS Keys that are customer managed	Medium	Modification	Name	Ensure CodeCommit repositories are encrypted with KMS CMKs	Ensure CodeCommit repositories are encrypted with KMS Keys that are customer managed	AWS HIPAA AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SOC 2 (AICPA TSC 2017 Controls) AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.167	Ensure that AWS Glue DataBrew Jobs are encrypted using KMS Key	Low	Modification	Name	Ensure that AWS Glue DataBrew Jobs are encrypted using customer-managed CMK	Ensure that AWS Glue DataBrew Jobs are encrypted using KMS Key	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SOC 2 (AICPA TSC 2017 Controls) AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CRY.168	Ensure Amazon Storage Gateway file share uses AWS KMS Keys that are customer managed for encryption	High	Modification	Name	Ensure that the Amazon Storage Gateway file share uses AWS KMS Customer Master Keys (CMKs) for encryption	Ensure Amazon Storage Gateway file share uses AWS KMS Keys that are customer managed for encryption	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SOC 2 (AICPA TSC 2017 Controls) AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.OPE.170	Ensure rotation for customer-created symmetric KMS Keys is enabled	High	Modification	Name	Ensure rotation for customer-created symmetric CMKs is enabled	Ensure rotation for customer-created symmetric KMS Keys is enabled	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS CIS Foundations Benchmark v3.0.0 AWS DORA AWS UK GDPR AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS NIST AI RMF AWS NIST Privacy Framework AWS NIST SP 800-37 AWS Shared Assessments SIG Questionnaire AWS CIS Foundations Benchmark v4.0.0 AWS CloudGuard Best Practices
D9.AZU.AAA.11	Ensure that logging for Azure Key Vault is 'Enabled'	Low	Modification	Logic	KeyVault should have diagnosticSettings contain [ logs contain [ (category='AuditEvent' or categoryGroup='audit') and enabled=true ] ]	KeyVault should have diagnosticSettings contain [ logs contain [ (category like 'AuditEvent' or categoryGroup like 'audit') and enabled=true ] ]	Azure CloudGuard CheckUp Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure MLPS 2.0 (Level 3) Azure CIS Foundations Benchmark v1.0.0 Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure CIS Foundations Benchmark v2.1.0 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure CSA CCM v3 Azure NIST CSF v2.0 Azure ISO 27001:2013 Azure NIST SP 800-82 R3 (high) Azure NIST SP 800-171A R3 Azure SOC 2 (AICPA TSC 2017 Controls) Azure OWASP Top 10 - 2021 Azure Shared Assessments SIG Questionnaire Azure CIS Foundations v. 3.0.0 Azure CIS Foundations Benchmark v1.1.0 Azure NIST SP 800-171 R3 Azure NIST SP 800-171 R1 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure New Zealand ISM v3.4 Azure HITRUST CSF v9.5 Azure ITSG-33 Canada Azure CIS Foundations Benchmark v1.3.1
D9.AWS.AAA.06	Ensure CloudTrail logs are encrypted at rest using KMS Keys	Low	Modification	Name	Ensure CloudTrail logs are encrypted at rest using KMS CMKs	Ensure CloudTrail logs are encrypted at rest using KMS Keys	AWS LGPD AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS CIS Foundations Benchmark v1.1.0 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS MLPS 2.0 (Level 3) AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS CSA CCM v3 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS CIS Foundations Benchmark v3.0.0 AWS DORA AWS CIS Foundations Benchmark v1.0.0 AWS ISO 27001:2013 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS CIS Foundations Benchmark v1.2.0 AWS Shared Assessments SIG Questionnaire AWS CIS Foundations Benchmark v4.0.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.AAA.15	Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data into Amazon S3	Low	Modification	Name	Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3	Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data into Amazon S3	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS DORA AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Spanish Royal Decree 311/2022 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST SP 800-161 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CAM.244	Ensure that AWS CloudFormation Hook should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.245	Ensure that AWS API Gateway V2 should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.246	Ensure that AWS CloudFront should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.247	Ensure that AWS Route 53 Hosted Zone should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.248	Ensure that AWS Storage Gateway should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.256	Ensure that AWS Bedrock Agent should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.249	Ensure that AWS Redshift Serverless Namespace should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.250	Ensure that AWS Well-Architected Tool Workload should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.251	Ensure that AWS Audit Manager Assessment should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.252	Ensure that AWS Glue DataBrew Job should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.253	Ensure that AWS Lookout for Metrics Anomaly Detector should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.254	Ensure that AWS EMR Serverless Application should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AZU.CAM.100	Ensure that Azure Bastion should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.101	Ensure that Azure Disk should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.102	Ensure that Azure Container Instance should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.104	Ensure that Azure App Service Environment should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.105	Ensure that Azure Web App should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.106	Ensure that Azure PostgreSQL Flexible Server should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.107	Ensure that Azure Network Security Group should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.108	Ensure that Azure Virtual Machine should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.109	Ensure that Azure Network Watcher should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.91	Ensure that Azure Container Registry should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.92	Ensure that Azure Application Insights should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.94	Ensure that Azure Resource Group should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.95	Ensure that Azure Activity Log Alert Rule should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.96	Ensure that Azure MySQL Database Single Server should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.97	Ensure that Azure Key Vault should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.98	Ensure that Azure NSG Flow Log should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.99	Ensure that Azure Function App should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.110	Ensure that Azure App Registration should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.111	Ensure that Azure PostgreSQL Server should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.112	Ensure that Azure Analysis Services Server should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.113	Ensure that Azure SQL Database should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.114	Ensure that Azure Service Fabric Cluster should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.115	Ensure that Azure User Assigned Identity should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.116	Ensure that Azure Front Door Classic should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.117	Ensure that Azure Front Door should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.119	Ensure that Azure Virtual Network (VNet) should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.129	Ensure that Azure MariaDB Server should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.130	Ensure that Azure Automation Accounts should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.131	Ensure that Azure Data Factory should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.132	Ensure that Azure Virtual Network Gateway should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.133	Ensure that Azure Data Warehouse should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CAM.134	Ensure that Azure Recovery Services Vault should have tags	Informational	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.GCP.BDR.23	Ensure GKE Backup Plan is in a healthy state with acceptable RPO risk level	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.GCP.BDR.20	Ensure continuous monitoring of GKE Backup backup state	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.AWS.AAA.159	Ensure continuous monitoring of HealthOmics Annotation Store status	High	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.134	Identify and recover any KMS Keys scheduled for deletion	Critical	Modification	Name	Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion	Identify and recover any KMS Keys scheduled for deletion	CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS MLPS 2.0 (Level 3) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST Privacy Framework AWS SOC 2 (AICPA TSC 2017 Controls) AWS NIST SP 800-160 Vol. 1 AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3
D9.AWS.CAM.243	Ensure that AWS Disaster Recovery Service (DRS) Launch Configuration Template should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.255	Ensure that AWS Bedrock Knowledge Base should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.04	Ensure Lex v2 Bot status is not 'Failed'	High	New				CloudGuard AWS All Rules Ruleset
D9.AZU.CAM.120	Ensure that Azure Virtual Machine Scale Set should have tags	Informational	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CAM.121	Ensure that Azure Virtual Machine Scale Set Instance (VMSS) should have tags	Informational	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CAM.122	Ensure that Azure Log Profile should have tags	Informational	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CAM.123	Ensure that Azure Storage Account should have tags	Informational	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CAM.124	Ensure that Azure MySQL Flexible Server should have tags	Informational	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CAM.125	Ensure that Azure Application Gateway should have tags	Informational	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CAM.126	Ensure that Azure Redis Cache should have tags	Informational	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CAM.127	Ensure that Azure Cosmos DB Account should have tags	Informational	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CAM.128	Ensure that Azure AKS Cluster should have tags	Informational	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CAM.135	Ensure continuous monitoring of Cloud Service provisioning state	Medium	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.02	Ensure continuous monitoring of Cloud Service provisioning state for extensions	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CAM.103	Ensure that Azure Spring Cloud should have tags	Informational	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CAM.93	Ensure that Azure SQL Server should have tags	Informational	New				CloudGuard Azure All Rules Ruleset
D9.ALI.CAM.08	Ensure that ECS Disk should have tags	Informational	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.09	Ensure that ECS Instance should have tags	Informational	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.10	Ensure that VSwitch should have tags	Informational	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.11	Ensure that SecurityGroup should have tags	Informational	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.12	Ensure that VPC should have tags	Informational	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CAM.13	Ensure that SLB should have tags	Informational	New				CloudGuard Alibaba All Rules Ruleset
D9.TF.AWS.CRY.02	Ensure CloudTrail logs are encrypted at rest using KMS Keys	High	Modification	Name	Ensure CloudTrail logs are encrypted at rest using KMS CMKs	Ensure CloudTrail logs are encrypted at rest using KMS Keys	Terraform CIS AWS Foundations Benchmarks
D9.TF.AWS.CRY.50	Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS Keys	High	Modification	Name	Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs	Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS Keys	Terraform CIS AWS Foundations Benchmarks
D9.TF.AWS.CRY.51	Ensure that AWS SNS topic is encrypted using KMS Key instead of AWS-owned AWS KMS Key	Low	Modification	Name	Ensure that AWS SNS topic is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's	Ensure that AWS SNS topic is encrypted using KMS Key instead of AWS-owned AWS KMS Key	Terraform CIS AWS Foundations Benchmarks
D9.TF.AWS.CRY.52	Ensure that AWS SQS is encrypted using KMS Key instead of AWS-owned key	Low	Modification	Name	Ensure that AWS SQS is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's	Ensure that AWS SQS is encrypted using KMS Key instead of AWS-owned key	Terraform CIS AWS Foundations Benchmarks
D9.TF.AWS.AAA.06	Ensure CloudTrail logs have 'KmsKeyId' defined	Low	Modification	Name	Ensure CloudTrail logs have KmsKeyId defined	Ensure CloudTrail logs have 'KmsKeyId' defined	Terraform CIS AWS Foundations Benchmarks
D9.TF.AWS.AAA.08	Ensure rotation for customer created keys is enabled	Low	Modification	Name	Ensure rotation for customer created CMKs is enabled	Ensure rotation for customer created keys is enabled	Terraform CIS AWS Foundations Benchmarks
D9.TF.K8S.CRY.01	Ensure Kubernetes Secrets are encrypted using KMS Keys	High	Modification	Name	Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS	Ensure Kubernetes Secrets are encrypted using KMS Keys	Terraform EKS CloudGuard Best Practices
D9.CFT.AAA.01	Ensure CloudTrail logs are encrypted at rest using KMS Keys	High	Modification	Name	Ensure CloudTrail logs are encrypted at rest using KMS CMKs	Ensure CloudTrail logs are encrypted at rest using KMS Keys	AWS CloudFormation Ruleset
D9.CFT.CRY.04	Ensure that AWS DynamoDB is encrypted using KMS Keys that are Customer-managed	Low	Modification	Name	Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's	Ensure that AWS DynamoDB is encrypted using KMS Keys that are Customer-managed	AWS CloudFormation Ruleset
D9.CFT.CRY.08	Ensure that the KMS key should have key rotation enabled	Low	Modification	Name	Ensure that the KMS key have key rotation enabled	Ensure that the KMS key should have key rotation enabled	AWS CloudFormation Ruleset
D9.CFT.CRY.09	Ensure AWS Kinesis streams are encrypted with KMS Keys that are customer managed	High	Modification	Name	Ensure AWS Kinesis streams are encrypted with KMS customer master keys	Ensure AWS Kinesis streams are encrypted with KMS Keys that are customer managed	AWS CloudFormation Ruleset
D9.CFT.CRY.16	Ensure Backup Vault is encrypted at rest using KMS Key	High	Modification	Name	Ensure Backup Vault is encrypted at rest using KMS CMK	Ensure Backup Vault is encrypted at rest using KMS Key	AWS CloudFormation Ruleset

October 09 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.05	Ensure that encryption-at-rest is enabled for RDS instances	High	Modification	Name	Ensure that encryption-at-rest is enabled for RDS Instances	Ensure that encryption-at-rest is enabled for RDS instances	AWS HIPAA AWS LGPD AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS MLPS 2.0 (Level 3) AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS ISO 27001:2013 AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS CloudGuard CheckUp AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS Dashboard System Ruleset AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.61	Ensure EBS volume encryption is enabled in all regions	High	Modification	Name	Ensure EBS Volume Encryption is Enabled in all Regions	Ensure EBS volume encryption is enabled in all regions	AWS HIPAA AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0 AWS CloudGuard Best Practices AWS CIS Foundations Benchmark v1.3.0 AWS CIS Foundations Benchmark v1.4.0
D9.AWS.IAM.185	Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed	Low	Modification	Name	Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed	Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed	AWS HIPAA AWS Security Risk Management AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS ENISA Technical Guideline on Security Measures AWS Generally Accepted Privacy Principles (GAPP) AWS GLBA AWS IEC TR 60601-4-5 AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS UK Cyber Essentials AWS China Cybersecurity Law AWS Spanish Royal Decree 311/2022 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS COBIT 2019 AWS NIST SP 800-161 AWS NIST SP 800-207 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0 AWS CloudGuard Best Practices AWS CIS Foundations Benchmark v1.3.0 AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.OPE.170	Ensure rotation for customer-created symmetric CMKs is enabled	High	Modification	Name	Ensure Rotation for Customer-created Symmetric CMKs is Enabled	Ensure rotation for customer-created symmetric CMKs is enabled	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS CIS Foundations Benchmark v3.0.0 AWS DORA AWS UK GDPR AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS NIST AI RMF AWS NIST Privacy Framework AWS NIST SP 800-37 AWS Shared Assessments SIG Questionnaire AWS CIS Foundations Benchmark v4.0.0 AWS CloudGuard Best Practices
D9.AWS.AAA.17	Ensure that object-level logging for write events is enabled for S3 buckets	Low	Modification	Name	Ensure that Object-level logging for write events is enabled for S3 bucket	Ensure that object-level logging for write events is enabled for S3 buckets	AWS LGPD AWS CloudGuard S3 Bucket Security AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS FedRAMP R5 (low) AWS DORA AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS Spanish Royal Decree 311/2022 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST SP 800-161 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0 AWS CloudGuard Best Practices AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.AAA.81	Ensure Network Access Control List (NACL) changes are monitored	Low	Modification	Name	Ensure Network Access Control Lists (NACL) changes are monitored	Ensure Network Access Control List (NACL) changes are monitored	AWS LGPD AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS CIS Foundations Benchmark v1.1.0 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS MLPS 2.0 (Level 3) AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS FedRAMP R5 (low) AWS DORA AWS CIS Foundations Benchmark v1.0.0 AWS ISO 27001:2013 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS Spanish Royal Decree 311/2022 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST SP 800-161 AWS OWASP Top 10 - 2021 AWS CIS Foundations Benchmark v1.2.0 AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.CAM.104	Ensure IAM users receive permissions only through groups	Low	Modification	Name	Ensure IAM Users Receive Permissions Only Through Groups	Ensure IAM users receive permissions only through groups	AWS LGPD AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS CIS Foundations Benchmark v1.1.0 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS MLPS 2.0 (Level 3) AWS PCI DSS v3.2.1 AWS New Zealand ISM v3.6 AWS CSA CCM v3 AWS FedRAMP R5 (moderate) AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS CIS Foundations Benchmark v3.0.0 AWS DORA AWS CIS Foundations Benchmark v1.0.0 AWS ISO 27001:2013 AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CIS Foundations Benchmark v1.2.0 AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.IAM.51	Ensure there is only one active access key for any single IAM user	High	Modification	Name	Ensure there is only one active access key available for any single IAM user	Ensure there is only one active access key for any single IAM user	AWS Security Risk Management AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS FedRAMP R5 (low) AWS DORA AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS UK Cyber Essentials AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST SP 800-161 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.NET.72	Ensure that S3 is configured with 'Block Public Access' enabled	Critical	Modification	Name	Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'	Ensure that S3 is configured with 'Block Public Access' enabled	AWS Security Risk Management AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS UK Cyber Essentials AWS Spanish Royal Decree 311/2022 AWS NIST Privacy Framework AWS SCF-Z Zero Trust Architecture (ZTA) AWS COBIT 2019 AWS NIST SP 800-161 AWS NIST SP 800-207 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0 AWS CloudGuard Best Practices AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.AAA.22	Ensure that object-level logging for read events is enabled for S3 buckets	High	Modification	Name	Ensure that Object-level logging for read events is Enabled for S3 bucket	Ensure that object-level logging for read events is enabled for S3 buckets	AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS FedRAMP R5 (low) AWS DORA AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS Spanish Royal Decree 311/2022 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST SP 800-161 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0 AWS CloudGuard Best Practices AWS CIS Foundations Benchmark v1.3.0 AWS CIS Foundations Benchmark v1.4.0
D9.AWS.AAA.41	Ensure usage of the 'root' account is monitored	High	Modification	Name	Ensure usage of 'root' account is monitored	Ensure usage of the 'root' account is monitored	AWS NIST SP 800-53 R5 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS CIS Foundations Benchmark v3.0.0 AWS DORA AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0
D9.AWS.AAA.93	Ensure AWS Organizations changes are monitored	Low	Modification	Name	Ensure changes to AWS Organizations are monitored	Ensure AWS Organizations changes are monitored	AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS MLPS 2.0 (Level 3) AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS FedRAMP R5 (low) AWS DORA AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Spanish Royal Decree 311/2022 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST SP 800-161 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS CIS Foundations Benchmark v4.0.0 AWS CIS Foundations Benchmark v1.3.0 AWS CIS Foundations Benchmark v1.4.0
D9.AWS.PMT.13	Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances	Low	Modification	Name	Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances	Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances	AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS HITRUST CSF v11.0 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ASD Essential Eight AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS CIS Foundations Benchmark v3.0.0 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS Shared Assessments SIG Questionnaire AWS CIS Foundations Benchmark v4.0.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AZU.AAA.117	Ensure continuous monitoring of Notification Hubs Namespace state	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ASD Essential Eight Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.CAM.90	Ensure Notification Hubs Namespace is enabled	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure HIPAA
D9.AZU.NET.05	Ensure public network access is disabled for Notification Hubs	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.BDR.18	Ensure continuous monitoring of Backup DR Management Server state	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.GCP.CRY.40	Ensure that GCP Live Stream API Channels have sufficient encryption when handling important information processed by the Live Stream API	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.NET.06	Ensure the peering mode is set to PRIVATE_SERVICE_ACCESS for enhanced security of Cloud Backup and DR	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.AWS.CAM.144	Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary	High	Modification	Name	Ensure all data in Amazon S3 has been discovered, classified and secured when required	Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary	CloudGuard AWS All Rules Ruleset AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS Shared Assessments SIG Questionnaire AWS CIS Foundations Benchmark v4.0.0

October 01 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Affected Rulesets
D9.AWS.AAA.158	Ensure User Context Policy is USER_TOKEN on Kendra Index	Low	New	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AAA.156	Ensure Core Network is in a Healthy State	High	New	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AAA.157	Ensure Core Network Attachment is in a Healthy State	High	New	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.OPE.02	Ensure Health Check Configuration for Cloud Map Services	High	New	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.CAM.241	Ensure Kendra Index has KMS Key in Server Side Encryption Configuration	Low	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.CAM.242	Ensure Kendra Index Status is Not Failed	Low	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.PMT.18	SSM agents should be configured to automatically update their versions	High	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2024.1
D9.AZU.CAM.89	Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers	High	New	Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.AZU.CRY.04	Ensure Red Hat OpenShift Cluster is encrypted	High	New	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.GCP.AAA.54	Ensure continuous monitoring of Certificate Manager Certificate state	Low	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.BDR.21	Ensure continuous monitoring of GKE Backup restore state	High	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.GCP.CAM.100	Ensure the reCAPTCHA key Web settings do not allow all domains	High	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.GCP.CAM.101	Ensure the reCAPTCHA Key does not allow all package names for Android	Low	New	GCP NIST SP 800-53 R5 CloudGuard GCP All Rules Ruleset GCP Secure Controls Framework (SCF) v2024.1
D9.GCP.CAM.102	Ensure that the reCAPTCHA iOS Key does not allow all bundle IDs	High	New	GCP NIST SP 800-53 R5 CloudGuard GCP All Rules Ruleset GCP ACSC ISM GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02
D9.GCP.CAM.99	Certificate Manager certificates should be renewed at least seven days before expiration	High	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.GCP.CRY.11	Ensure that GCP Transcoder Job Template is configured with expected encryption options	High	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.10	Ensure that GCP Transcoder is configured with expected encryption options	High	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.OPE.08	Ensure that Issuance Config has enough time before certificate expiration	Low	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.AWS.AAA.154	Ensure continuous monitoring of Rekognition Project Dataset state	Low	New	CloudGuard AWS All Rules Ruleset
D9.AWS.AAA.155	Ensure continuous monitoring of Comprehend Medical Detect Job state	Low	New	CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.03	Comprehend Medical Detect Job should be renewed at least seven days before expiration	Low	New	CloudGuard AWS All Rules Ruleset

September 25 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.AAA.114	Ensure continuous monitoring of Artifact report state	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.CRY.18	Ensure that cryptographic keys are non-exportable from Payment Cryptography	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.CRY.20	Ensure the necessary cryptographic key is enabled for Payment Cryptography	Informational	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.CAM.88	Ensure that 'Public access level' is Disabled for Blob Containers	Medium	Modification	Name Logic	Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers StorageBlobContainer should have publicAccess like 'Disabled'	Ensure that 'Public access level' is Disabled for Blob Containers StorageBlobContainer should not have publicAccess in ('Blob', 'Container')	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset CloudGuard Azure Default Ruleset Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure MPA Content Security Program Azure DORA Azure IEC/ISO 27701:2019 Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure China Cybersecurity Law Azure Spanish Royal Decree 311/2022 Azure Security for Industrial Automation and Control Systems, Part 4-2 Azure ISO/SAE 21434:2021 Azure ISO/IEC 42001:2023 Azure NIST Privacy Framework Azure SCF-Z Zero Trust Architecture (ZTA) Azure COBIT 2019 Azure NIST SP 800-160 Vol. 1 Azure NIST SP 800-161 Azure NIST SP 800-207 Azure Shared Assessments SIG Questionnaire Azure TISAX ISA Azure NIST SP 800-171 R3 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AWS.IAM.04	Ensure credentials unused for 45 days or greater are disabled (Console password)	Low	Modification	Logic	IamUser where passwordEnabled='true' should have passwordLastUsed after(-45, 'days')	IamUser where (passwordEnabled='true' and name unlike '%root_account%') should have passwordLastUsed after(-45, 'days')	CloudGuard AWS Dashboards AWS LGPD AWS Security Risk Management AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS CIS Foundations Benchmark v1.1.0 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS DORA AWS CIS Foundations Benchmark v1.0.0 AWS ISO 27001:2013 AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS UK Cyber Essentials AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST SP 800-161 AWS CIS Foundations Benchmark v1.2.0 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.CAM.55	Ensure that Iam User should have tags	Informational	Modification	Logic	IamUser should have tags	IamUser where name unlike '%root_account%' should have tags	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS ENISA Technical Guideline on Security Measures AWS NAIC Insurance Data Security Model Law AWS NIS 2 Directive AWS NIST CSF v1.1 AWS Spanish Royal Decree 311/2022 AWS NIST AI RMF AWS NIST Privacy Framework AWS SOC 2 (AICPA TSC 2017 Controls) AWS SCF-Z Zero Trust Architecture (ZTA) AWS NIST SP 800-37 AWS COBIT 2019 AWS NIST SP 800-161 AWS NIST SP 800-207 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.CAM.238	Application LoadBalancer deletion protection should be enabled	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.239	Network LoadBalancer deletion protection should be enabled	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.CAM.240	Gateway LoadBalancer deletion protection should be enabled	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.IAM.73	Ensure inactive user for 90 days or greater are disabled	Low	Modification	Logic	IamUser where firstAccessKey.isActive=true or secondAccessKey.isActive=true or passwordEnabled=true should have firstAccessKey.lastUsedDate after('-90', 'days') or secondAccessKey.lastUsedDate after('-90', 'days') or passwordLastUsed after('-90', 'days')	IamUser where (firstAccessKey.isActive=true or secondAccessKey.isActive=true or passwordEnabled=true and name unlike '%root_account%') should have firstAccessKey.lastUsedDate after('-90', 'days') or secondAccessKey.lastUsedDate after('-90', 'days') or passwordLastUsed after('-90', 'days')	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST SP 800-171A R3 AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3 AWS CloudGuard Best Practices
D9.AWS.IAM.80	Ensure inactive user for 30 days or greater are disabled	Low	Modification	Logic	IamUser where firstAccessKey.isActive=true or secondAccessKey.isActive=true or passwordEnabled=true should have firstAccessKey.lastUsedDate after('-30', 'days') or secondAccessKey.lastUsedDate after('-30', 'days') or passwordLastUsed after('-30', 'days')	IamUser where (firstAccessKey.isActive=true or secondAccessKey.isActive=true or passwordEnabled=true and name unlike '%root_account%') should have firstAccessKey.lastUsedDate after('-30', 'days') or secondAccessKey.lastUsedDate after('-30', 'days') or passwordLastUsed after('-30', 'days')	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CIS Critical Security Controls v8 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS CRI Profile v1.2 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS DORA AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS UK Cyber Essentials AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST SP 800-161 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS CloudGuard Best Practices
D9.AWS.IAM.98	Ensure IAM user password is rotated every 90 days or less	High	Modification	Logic	IamUser where passwordEnabled='true' should have passwordLastChanged after(-90, 'days')	IamUser where (passwordEnabled='true' and name unlike '%root_account%') should have passwordLastChanged after(-90, 'days')	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS OWASP Top 10 - 2021 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3 AWS CloudGuard Best Practices
D9.AWS.IAM.163	Ensure no AWS IAM users have been inactive for a long (specified) period of time	High	Modification	Logic	IamUser where (firstAccessKey.isActive=false and secondAccessKey.isActive=false) should have passwordLastUsed after(-90, 'days')	IamUser where (firstAccessKey.isActive=false and secondAccessKey.isActive=false and name unlike '%root_account%') should have passwordLastUsed after(-90, 'days')	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST SP 800-171A R3 AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3
D9.AWS.IAM.172	Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days)	Low	Modification	Logic	IamUser should have passwordNextRotation<=45	IamUser where (name unlike '%root_account%' and passwordNextRotation) should have passwordNextRotation>-1 and passwordNextRotation<=45	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS DORA AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS UK Cyber Essentials AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST SP 800-161 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AWS.IAM.199	Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days)	Low	Modification	Logic	IamUser should have passwordNextRotation<=30	IamUser where (name unlike '%root_account%' and passwordNextRotation) should have passwordNextRotation>-1 and passwordNextRotation<=30	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS DORA AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS UK Cyber Essentials AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST SP 800-171A R3 AWS NIST SP 800-161 AWS Shared Assessments SIG Questionnaire AWS TISAX ISA AWS NIST SP 800-171 R3
D9.AZU.OPE.122	Ensure Hybrid Compute Machine Guest Configuration is Enabled	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.123	Ensure Hybrid Compute Machine Agent Upgrade Status is Successful	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.124	Ensure Hybrid Compute Machine is in a Healthy Status	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AWS.CAM.237	Ensure AWS DataZone Domain Status is Healthy	Low	New				CloudGuard AWS All Rules Ruleset

September 18 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Affected Rulesets
D9.AWS.BDR.23	Ensure recent backup execution within last seven days at least	High	New	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ENS 2022 Spain AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS China Cybersecurity Law AWS Spanish Royal Decree 311/2022 AWS Security for Industrial Automation and Control Systems, Part 4-2 AWS NIST Privacy Framework AWS SOC 2 (AICPA TSC 2017 Controls) AWS COBIT 2019 AWS Shared Assessments SIG Questionnaire AWS NIST SP 800-171 R3
D9.AWS.OPE.01	Ensure continuous monitoring of CodeGuru Scan state	Low	New	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS NIST SP 800-161 AWS NIST 800-218 for SSDF (Version 1.1) AWS Shared Assessments SIG Questionnaire
D9.GCP.AAA.51	Ensure continuous monitoring of Database Migration Service Connection Profile state	Low	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP Spanish Royal Decree 311/2022 GCP NIST CSF v1.1 GCP Security for Industrial Automation and Control Systems, Part 4-2 GCP ISO/SAE 21434:2021 GCP NIST SP 800-171A R3 GCP NIST Privacy Framework GCP SCF-Z Zero Trust Architecture (ZTA) GCP NIST SP 800-37 GCP COBIT 2019 GCP SOC 2 (AICPA TSC 2017 Controls) GCP NIST SP 800-161 GCP NIST SP 800-207 GCP OWASP Top 10 - 2021 GCP Shared Assessments SIG Questionnaire GCP TISAX ISA GCP NIST SP 800-171 R3 GCP HIPAA GCP EU GDPR
D9.GCP.AAA.53	Ensure continuous monitoring of Database Migration Service Private Connection state	High	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP Spanish Royal Decree 311/2022 GCP NIST CSF v1.1 GCP Security for Industrial Automation and Control Systems, Part 4-2 GCP ISO/SAE 21434:2021 GCP NIST SP 800-171A R3 GCP NIST Privacy Framework GCP SCF-Z Zero Trust Architecture (ZTA) GCP NIST SP 800-37 GCP COBIT 2019 GCP SOC 2 (AICPA TSC 2017 Controls) GCP NIST SP 800-161 GCP NIST SP 800-207 GCP OWASP Top 10 - 2021 GCP Shared Assessments SIG Questionnaire GCP TISAX ISA GCP NIST SP 800-171 R3 GCP HIPAA GCP EU GDPR
D9.GCP.CAM.95	Ensure encryption with customer-managed keys (KMS)	High	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP China Cybersecurity Law GCP Spanish Royal Decree 311/2022 GCP NIST CSF v1.1 GCP Security for Industrial Automation and Control Systems, Part 4-2 GCP ISO/SAE 21434:2021 GCP ISO/IEC 42001:2023 GCP NIST Privacy Framework GCP SCF-Z Zero Trust Architecture (ZTA) GCP COBIT 2019 GCP NIST SP 800-160 Vol. 1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP NIST SP 800-161 GCP NIST SP 800-207 GCP Shared Assessments SIG Questionnaire GCP TISAX ISA GCP NIST SP 800-171 R3 GCP EU GDPR
D9.GCP.CAM.96	Ensure Database Migration Service Connection Profile has SSL, or TLS, encryption set	Medium	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP China Cybersecurity Law GCP Spanish Royal Decree 311/2022 GCP NIST CSF v1.1 GCP Security for Industrial Automation and Control Systems, Part 4-2 GCP ISO/SAE 21434:2021 GCP ISO/IEC 42001:2023 GCP NIST Privacy Framework GCP SCF-Z Zero Trust Architecture (ZTA) GCP COBIT 2019 GCP NIST SP 800-160 Vol. 1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP NIST SP 800-161 GCP NIST SP 800-207 GCP Shared Assessments SIG Questionnaire GCP TISAX ISA GCP NIST SP 800-171 R3 GCP EU GDPR
D9.GCP.CAM.97	Ensure continuous monitoring of Database Migration Service Migration Job state	Low	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP Security for Industrial Automation and Control Systems, Part 4-2 GCP NIST SP 800-171A R3 GCP NIST AI RMF GCP NIST Privacy Framework GCP SCF-Z Zero Trust Architecture (ZTA) GCP NIST SP 800-37 GCP COBIT 2019 GCP NIST SP 800-161 GCP NIST SP 800-207 GCP Shared Assessments SIG Questionnaire GCP TISAX ISA GCP NIST SP 800-171 R3 GCP HIPAA
D9.GCP.IAM.14	Ensure that not everyone can access a Workstation	High	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.GCP.NET.04	Ensure that SSH connections are not enabled in the Workstation	High	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.OPE.04	Ensure continuous monitoring of BigQuery Data Transfer Config state	Low	New	GCP NIST SP 800-53 R5 CloudGuard GCP All Rules Ruleset GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP NIST SP 800-161 GCP NIST 800-218 for SSDF (Version 1.1) GCP Shared Assessments SIG Questionnaire
D9.GCP.OPE.10	Ensure Database Migration Service Connection Profile has password set	High	New	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP Spanish Royal Decree 311/2022 GCP NIST CSF v1.1 GCP Security for Industrial Automation and Control Systems, Part 4-2 GCP ISO/SAE 21434:2021 GCP NIST SP 800-171A R3 GCP NIST AI RMF GCP NIST Privacy Framework GCP SCF-Z Zero Trust Architecture (ZTA) GCP NIST SP 800-37 GCP COBIT 2019 GCP NIST SP 800-160 Vol. 1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP NIST SP 800-161 GCP OWASP Top 10 - 2021 GCP Shared Assessments SIG Questionnaire GCP TISAX ISA GCP NIST SP 800-171 R3 GCP HIPAA GCP EU GDPR
D9.AWS.BDR.24	EFS File Systems should be backed up by AWS Backup	Medium	New	CloudGuard AWS All Rules Ruleset
D9.AWS.BDR.25	EBS volumes should be backed up by AWS Backup	Medium	New	CloudGuard AWS All Rules Ruleset
D9.AWS.BDR.26	EC2 instances should be backed up by AWS Backup	Medium	New	CloudGuard AWS All Rules Ruleset
D9.AWS.BDR.27	Amazon S3 buckets should be backed up by AWS Backup	Medium	New	CloudGuard AWS All Rules Ruleset
D9.AWS.NET.03	Ensure VPC endpoint services should be configured to require manual acceptance	High	New	CloudGuard AWS All Rules Ruleset
D9.GCP.CAM.98	Ensure that Cloud TPU Node IP Address is Private	Low	New	CloudGuard GCP All Rules Ruleset
D9.GCP.CRY.08	Ensure Workstation configuration has a KMS key	Low	New	CloudGuard GCP All Rules Ruleset
D9.GCP.NET.02	Ensure that Cloud TPU Node Health is either at 'HEALTHY' or 'UNHEALTHY_MAINTENANCE'	Low	New	CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.05	Ensure Workstation configuration does have a running time out	High	New	CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.06	Ensure that there is no degraded Workstation configuration	High	New	CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.07	Ensure that there is no degraded Workstation cluster	High	New	CloudGuard GCP All Rules Ruleset GCP Secure Controls Framework (SCF) v2024.1
D9.GCP.OPE.55	Certificate Authority Service certificates should be renewed at least seven days before expiration	Low	New	CloudGuard GCP All Rules Ruleset GCP NY DFS 23 CRR 500 GCP Spanish Royal Decree 311/2022 GCP Security for Industrial Automation and Control Systems, Part 4-2 GCP ISO/SAE 21434:2021 GCP NIST SP 800-171A R3 GCP NIST AI RMF GCP NIST Privacy Framework GCP SCF-Z Zero Trust Architecture (ZTA) GCP NIST SP 800-37 GCP COBIT 2019 GCP NIST SP 800-160 Vol. 1 GCP NIST SP 800-161 GCP OWASP Top 10 - 2021 GCP Shared Assessments SIG Questionnaire GCP TISAX ISA GCP NIST SP 800-171 R3

September 11 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.100	Ensure that the AWS region's Amazon Glue Data Catalog objects and connection passwords are encrypted	High	Modification	Logic	Region should have glueDataCatalogEncryptionSetting.encryptionAtRest.catalogEncryptionMode != 'DISABLED'	Region where getResource('GlueJob', region, 'region') should have glueDataCatalogEncryptionSetting.encryptionAtRest.catalogEncryptionMode != 'DISABLED'	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS CCPA
D9.AZU.AAA.03	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single Server	Low	Modification	Name	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single Server	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure MLPS 2.0 (Level 3) Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure CIS Foundations Benchmark v2.1.0 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure CIS Foundations v. 3.0.0 Azure CIS Foundations Benchmark v1.1.0 Azure Database Services Benchmark v1.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure ITSG-33 Canada Azure CIS Foundations Benchmark v1.3.1
D9.AZU.AAA.08	Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single Server	Low	Modification	Name	Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server	Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single Server	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure CIS Foundations Benchmark v2.1.0 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure CIS Foundations v. 3.0.0 Azure CIS Foundations Benchmark v1.1.0 Azure Database Services Benchmark v1.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure ITSG-33 Canada Azure CIS Foundations Benchmark v1.3.1
D9.AZU.AAA.09	Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible Server	Low	Modification	Name	Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server	Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible Server	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure CIS Foundations Benchmark v2.1.0 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure CIS Foundations v. 3.0.0 Azure CIS Foundations Benchmark v1.1.0 Azure Database Services Benchmark v1.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure ITSG-33 Canada Azure CIS Foundations Benchmark v1.3.1
D9.AZU.AAA.14	Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests	Low	Modification	Name	Ensure Storage logging is Enabled for Blob Service, for 'Read', 'Write', and 'Delete' requests in Monitoring (classic)	Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure SOC 2 (AICPA TSC 2017 Controls) Azure CIS Foundations v. 3.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AZU.AAA.15	Ensure Storage Logging is Enabled for Table Service, for 'Read', 'Write', and 'Delete' Requests	Low	Modification	Name	Ensure Storage Logging is Enabled for Table Service, for 'Read', 'Write', and 'Delete' Requests in Monitoring (classic)	Ensure Storage Logging is Enabled for Table Service, for 'Read', 'Write', and 'Delete' Requests	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure SOC 2 (AICPA TSC 2017 Controls) Azure CIS Foundations v. 3.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AZU.CRY.36	Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'	Low	Modification	Name	Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'	Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure EU GDPR Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure IEC/ISO 27701:2019 Azure NAIC Insurance Data Security Model Law Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure HIPAA Azure CIS Foundations v. 3.0.0 Azure Database Services Benchmark v1.0.0 Azure CloudGuard Best Practices
D9.AZU.VTM.11	Ensure that Microsoft Defender for SQL Servers on Machines Is Set to 'On'	High	Modification	Name	Ensure that Microsoft Defender for SQL Servers on Machines ss Set to 'On'	Ensure that Microsoft Defender for SQL Servers on Machines Is Set to 'On'	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure MLPS 2.0 (Level 3) Azure CRI Profile v1.2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure CIS Foundations Benchmark v2.1.0 Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure NIST CSF v1.1 Azure CIS Foundations v. 3.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AWS.IAM.198	Ensure API Gateway stages have SSL or client certificate enabled	Low	Modification	Name Logic	Ensure API Gateway endpoints has client certificate authentication ApiGateway should have stages contain-all [ clientCertificateId ]	Ensure API Gateway stages have SSL or client certificate enabled ApiGateway should have stages contain-all [ clientCertificateId length()>0 ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1
D9.AZU.IAM.48	Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'	Low	Modification	Name	Ensure That 'Subscription leaving Microsoft Entra ID directory' and 'Subscription entering Microsoft Entra ID directory' Is Set To 'Permit No One'	Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'	Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ENS 2022 Spain Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure EU GDPR Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure ENISA Technical Guideline on Security Measures Azure Generally Accepted Privacy Principles (GAPP) Azure GLBA Azure IEC TR 60601-4-5 Azure IEC/ISO 27701:2019 Azure NAIC Insurance Data Security Model Law Azure NIST CSF v2.0 Azure NIS 2 Directive Azure NIST SP 800-82 R3 (high) Azure HIPAA Azure CIS Foundations v. 3.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.IAM.54	Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals	Low	Modification	Name	Ensure Multi-factor Authentication is Required for Azure Management	Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals	Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure SWIFT Customer Security Programme CSCF Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure New Zealand ISM v3.6 Azure MPA Content Security Program Azure DORA Azure GLBA Azure IEC/ISO 27701:2019 Azure NAIC Insurance Data Security Model Law Azure NIST CSF v2.0 Azure NIS 2 Directive Azure NIST SP 800-82 R3 (high) Azure NIST CSF v1.1 Azure CIS Foundations v. 3.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.GCP.AAA.52	Ensure continuous monitoring of Datastream stream state	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.BDR.19	Ensure metadata restores in Dataproc Metastore services do not fail	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.GCP.BDR.22	Ensure that failed backups in Dataproc Metastore are addressed	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.GCP.CAM.93	Ensure Dataproc Metastore services have deletion protection enabled	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.GCP.CAM.94	Ensure metadata exports in Dataproc Metastore service do not fail	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.GCP.CRY.04	Ensure Dataproc Metastore service resources have KMS encryption enabled	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.03	Ensure Document AI Processor has valid KMS key configured	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.02	Ensure customer-managed encryption key is configured for Datastream	Critical	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.05	Ensure Workstation has a KMS key	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.OPE.02	Ensure Dataproc Metastore service resources are not in an ERROR state	High	New				GCP NIST SP 800-53 R5 CloudGuard GCP All Rules Ruleset GCP Secure Controls Framework (SCF) v2024.1
D9.GCP.OPE.03	Ensure that the state of Document AI Processor is not FAILED	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.AWS.AAA.113	Ensure that EC2 Instances should be Managed by Systems Manager	High	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.229	Ensure that Elastic Disaster Recovery (DRS) Source Network should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.230	Ensure that Elastic Block Store (EBS) Snapshot should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.231	Ensure that DRS Job should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.232	Ensure that Elastic IP should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.233	Ensure that Amazon Elastic Container Services(ECS) Cluster should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.234	Ensure that Kinesis Firehose should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.235	Ensure that Customer Gateway should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.236	Ensure that Simple Email Service (SES) should have tags	Informational	New				CloudGuard AWS All Rules Ruleset

September 04 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.169	Ensure Kinesis Video Streams Do Not Use Default AWS KMS Key	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.IAM.04	Ensure that there are only GCP-managed Service Account Keys for each Service Account	High	Modification	Name Logic	Ensure that there are only GCP-Managed Service Account Keys for each Service Account ServiceAccount where name unlike '%CloudGuard%' or (name like '%CloudGuard%' and roles contain-any [not $ in ('roles/viewer', 'roles/iam.securityReviewer')]) should not have keys with [ managedBy = 'User' ]	Ensure that there are only GCP-managed Service Account Keys for each Service Account ServiceAccount should not have keys contain-all [ managedBy like '%user%' ]	GCP CloudGuard CheckUp GCP CIS Foundations Benchmark v1.3.0 GCP LGPD GCP NIST SP 800-53 R5 GCP PCI DSS v4 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP CIS Foundations Benchmark v1.0.0 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2024.1 GCP ISO 27002:2022 GCP ASD Essential Eight GCP NIST SP 800-171 R2 GCP New Zealand ISM v3.6 GCP CIS Foundations Benchmark v3.0.0 GCP MPA Content Security Program GCP DORA GCP IEC/ISO 27701:2019 GCP NIST CSF v2.0 GCP NIST CSF v1.1 GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.AZU.CAM.88	Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers	Medium	New				Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset CloudGuard Azure Default Ruleset Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure MPA Content Security Program Azure DORA Azure IEC/ISO 27701:2019 Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.NET.62	Ensure that 'Firewalls & Networks' is limited to use Selected Networks instead of All Networks to secure Cosmos DB	High	Modification	Logic	CosmosDbAccount should have publicNetworkAccess like 'ENABLED' and ( virtualNetworkRules or ipRules or isVirtualNetworkFilterEnabled)	CosmosDbAccount should have publicNetworkAccess like 'ENABLED' and ( virtualNetworkRules or ipRangeFilter or isVirtualNetworkFilterEnabled)	Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset CloudGuard Azure Default Ruleset Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure MPA Content Security Program Azure DORA Azure IEC/ISO 27701:2019 Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure Database Services Benchmark v1.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure HITRUST CSF v9.5
D9.AZU.CRY.03	Ensure that customer managed key encryption is enabled for the Load Testing Load Test	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.120	Ensure that Azure Load Testing Load Test's status is not Failed	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.121	Ensure Kubernetes Manager Fleet Provisioning State is Healthy	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.GCP.AAA.49	Activate audit logs for domain operations	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.AAA.50	Ensure that Batch Job has a specified logs destination	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP Secure Controls Framework (SCF) v2024.1
D9.GCP.CAM.88	Ensure that Dataflow Job should have labels	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP EU GDPR
D9.GCP.CAM.91	Ensure that Workflows should have labels	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP EU GDPR
D9.GCP.CAM.92	Ensure Cloud Build Worker Pool Network Configuration Prevents Public Egress	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.GCP.CAM.87	Ensure that Cloud Spanner Instance should have labels	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP EU GDPR
D9.GCP.CRY.01	Ensure that Cloud Spanner Database should be encrypted	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.IAM.09	Utilize selective authentication for domain trusts	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.GCP.IAM.62	Ensure Google Cloud Deploy Targets require Approval for Deployments	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP ISO 27017:2015 GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.GCP.NET.01	Ensure VMware Engine Network Policy Disables Internet Access	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.OPE.53	Ensure that Batch Job's task state is not Failed	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.OPE.01	Ensure Build Logs are Included for Cloud Build Trigger	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP Secure Controls Framework (SCF) v2024.1
D9.GCP.OPE.54	Ensure that Batch Job's state is not Failed	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP FedRAMP R5 (moderate) GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1
D9.GCP.OPE.50	Ensure Google Cloud Deploy Delivery Pipeline has Verification Steps for Canary Deployments	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.OPE.51	Ensure Google Cloud Deploy Delivery Pipeline has Verification Steps for Standard Deployments	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.OPE.52	Ensure Google Cloud Deploy Delivery Pipeline has Verification Steps for Custom Canary Deployments	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP PIPEDA GCP Secure Controls Framework (SCF) v2024.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.AWS.CAM.221	Ensure that Simple Queue Service (SQS) should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.222	Ensure that Subnet should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.223	Ensure that X-Ray Group should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.224	Ensure that Iam OpenId Connect Provider should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.225	Ensure that Redshift should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.226	Ensure that S3 Bucket should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.227	Ensure that Acm Certificate should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.228	Ensure that Ecr Repository should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.212	Ensure that Ecs Task should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.213	Ensure that VPN Gateway should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.214	Ensure that Route53 Domain should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.215	Ensure that AppSync should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.216	Ensure that Route53 Custom Domain Name should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.217	Ensure that Application Load Balancer should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.218	Ensure that RDS Database Snapshot should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.219	Ensure that Elastic Search Domain should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.CAM.220	Ensure that Secret Manager should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.OCI.CAM.28	Ensure that Event Rules should have Tags	Low	New				CloudGuard OCI All Rules Ruleset
D9.OCI.CAM.29	Ensure that Log Group should have Tags	Low	New				CloudGuard OCI All Rules Ruleset
D9.AZU.NET.66	Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers	Critical	Removal				Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset CloudGuard Azure Default Ruleset Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure MPA Content Security Program Azure DORA Azure IEC/ISO 27701:2019 Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AWS.CAM.150	Ensure that CodeStar should have tags	Informational	Removal				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS DORA AWS ENISA Technical Guideline on Security Measures AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.IAM.125	Ensure IAM policy does not allow privilege escalation, via Codestar 'create project' and 'associate team member' permissions	Medium	Removal				AWS NIST SP 800-53 R5 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS MPA Content Security Program AWS DORA AWS ENISA Technical Guideline on Security Measures AWS GLBA AWS IEC TR 60601-4-5 AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high)
D9.AWS.IAM.131	Ensure AWS IAM policy prevents escalation, via 'PassRole' and 'CreateProject' permissions	Medium	Removal				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS MPA Content Security Program AWS DORA AWS ENISA Technical Guideline on Security Measures AWS GLBA AWS IEC TR 60601-4-5 AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1
D9.AWS.OPE.176	Ensure that CodeStar user profile should have SSH public key	High	Removal				AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS DORA AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1

August 28 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.AAA.13	Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic)	Low	Modification	Logic	StorageAccount should have queueServiceProperties.classicDiagnosticSettings.logging.read=true and queueServiceProperties.classicDiagnosticSettings.logging.write=true and queueServiceProperties.classicDiagnosticSettings.logging.delete=true	StorageAccount where primaryEndpoints contain [ uri regexMatch /queue/ ] should have ( queueServiceProperties.classicDiagnosticSettings.logging.read and queueServiceProperties.classicDiagnosticSettings.logging.write and queueServiceProperties.classicDiagnosticSettings.logging.delete ) or ( queueServiceProperties.diagnosticSettings contain [ logs contain [ category='StorageRead' and enabled ] ] and queueServiceProperties.diagnosticSettings contain [ logs contain [ category='StorageWrite' and enabled ] ] and queueServiceProperties.diagnosticSettings contain [ logs contain [ category='StorageDelete' and enabled ] ] )	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure SOC 2 (AICPA TSC 2017 Controls) Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AZU.AAA.14	Ensure Storage logging is Enabled for Blob Service, for 'Read', 'Write', and 'Delete' requests in Monitoring (classic)	Low	Modification	Logic	StorageAccount should have blobServiceProperties.classicDiagnosticSettings.logging.read=true and blobServiceProperties.classicDiagnosticSettings.logging.write=true and blobServiceProperties.classicDiagnosticSettings.logging.delete=true	StorageAccount where primaryEndpoints contain [ uri regexMatch /blob/ ] should have ( blobServiceProperties.classicDiagnosticSettings.logging.read and blobServiceProperties.classicDiagnosticSettings.logging.write and blobServiceProperties.classicDiagnosticSettings.logging.delete ) or ( blobServiceProperties.diagnosticSettings contain [ logs contain [ category='StorageRead' and enabled ] ] and blobServiceProperties.diagnosticSettings contain [ logs contain [ category='StorageWrite' and enabled ] ] and blobServiceProperties.diagnosticSettings contain [ logs contain [ category='StorageDelete' and enabled ] ] )	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure SOC 2 (AICPA TSC 2017 Controls) Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AZU.AAA.15	Ensure Storage Logging is Enabled for Table Service, for 'Read', 'Write', and 'Delete' Requests in Monitoring (classic)	Low	Modification	Logic	StorageAccount should have tableServiceProperties.classicDiagnosticSettings.logging.read=true and tableServiceProperties.classicDiagnosticSettings.logging.write=true and tableServiceProperties.classicDiagnosticSettings.logging.delete=true	StorageAccount where primaryEndpoints contain [ uri regexMatch /table/ ] should have ( tableServiceProperties.classicDiagnosticSettings.logging.read and tableServiceProperties.classicDiagnosticSettings.logging.write and tableServiceProperties.classicDiagnosticSettings.logging.delete ) or ( tableServiceProperties.diagnosticSettings contain [ logs contain [ category='StorageRead' and enabled ] ] and tableServiceProperties.diagnosticSettings contain [ logs contain [ category='StorageWrite' and enabled ] ] and tableServiceProperties.diagnosticSettings contain [ logs contain [ category='StorageDelete' and enabled ] ] )	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure SOC 2 (AICPA TSC 2017 Controls) Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AWS.AAA.117	Ensure Amazon Relational Database activity is monitored with Database Activity Streams	High	Modification	Name Logic Severity	Ensure that Amazon Aurora database activity is monitored with the Database Activity Stream RDSDBCluster should not have activityStreamStatus.value like 'stopped' Medium	Ensure Amazon Relational Database activity is monitored with Database Activity Streams RDSDBCluster where engine != 'docdb' should not have activityStreamStatus.value like 'stopped' High	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset
D9.AZU.CRY.88	Ensure Application Gateway is using the latest version of TLS encryption	High	Modification	Logic	ApplicationGateway should have (sslProfiles isEmpty() and sslPolicyInListener.minProtocolVersion regexMatch /TLSv1_[23]/) or (sslPolicyInListener.minProtocolVersion isEmpty() and sslProfiles contain [ sslPolicy.minProtocolVersion regexMatch /TLSv1_[23]/ ]) or (sslPolicy.minProtocolVersion regexMatch /TLSv1_[23]/ and sslPolicyInListener.minProtocolVersion regexMatch /TLSv1_[23]/) or (sslPolicyInListener.minProtocolVersion isEmpty() and sslProfiles isEmpty() and defaultPredefinedSslPolicy like 'AppGwSslPolicy20220101')	ApplicationGateway should have (sslProfiles isEmpty() and sslPolicyInListener.minProtocolVersion regexMatch /TLSv1_[23]/) or (sslPolicyInListener.minProtocolVersion isEmpty() and sslProfiles contain [ sslPolicy.minProtocolVersion regexMatch /TLSv1_[23]/ ] ) or (sslPolicy.minProtocolVersion regexMatch /TLSv1_[23]/ and sslPolicyInListener.minProtocolVersion regexMatch /TLSv1_[23]/) or (sslPolicyInListener.minProtocolVersion isEmpty() and sslProfiles isEmpty() and defaultPredefinedSslPolicy like 'AppGwSslPolicy20220101')	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure EU GDPR Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure GLBA Azure IEC/ISO 27701:2019 Azure NAIC Insurance Data Security Model Law Azure NIST CSF v2.0 Azure NIS 2 Directive Azure NIST SP 800-82 R3 (high) Azure HIPAA Azure CloudGuard Best Practices Azure HITRUST CSF v9.5
D9.AZU.IAM.85	Ensure That No Custom Subscription Administrator Roles Exist	Medium	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2024.1 Azure CIS Foundations Benchmark v2.1.0 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.PMT.14	Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'	Low	New				CloudGuard Azure All Rules Ruleset Azure CIS Foundations Benchmark v2.1.0

August 21 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.K8S.IAM.56	Verify that the node authorizer is enabled (API Server) (Openshift)	High	Modification	Name Logic	Verify that the Node authorizer is enabled (API Server) (Openshift) KubernetesCluster should have kubernetesPlatform.openshift.openshiftKubeApiserver.configConfigmap.apiServerArguments.authorization-mode contain-any ['Node']	Verify that the node authorizer is enabled (API Server) (Openshift) KubernetesCluster should have kubernetesPlatform.openshift.openshiftKubeApiserver.configConfigmap.apiServerArguments.authorization-mode contain-any ['Node']	CIS OpenShift Container Platform v4 Benchmark v1.1.0
D9.K8S.IAM.75	Ensure that the admission control plugin NamespaceLifecycle is set (API Server) (Openshift)	Low	Modification	Logic	KubernetesCluster should have kubernetesPlatform.openshift.openshiftKubeApiserver.configConfigmap.apiServerArguments.enable-admission-plugins contain-any ['NamespaceLifecycle'] and not kubernetesPlatform.openshift.openshiftKubeApiserver.configConfigmap.apiServerArguments.disable-admission-plugins contain-any ['NamespaceLifecycle']	KubernetesCluster should have kubernetesPlatform.openshift.openshiftKubeApiserver.configConfigmap.apiServerArguments.enable-admission-plugins contain-any ['NamespaceLifecycle'] and not kubernetesPlatform.openshift.openshiftKubeApiserver.configConfigmap.apiServerArguments.disable-admission-plugins contain-any ['NamespaceLifecycle']	CIS OpenShift Container Platform v4 Benchmark v1.1.0 CIS OpenShift Container Platform v4 Benchmark v1.4.0
D9.AZU.AAA.110	Ensure that the Machine Learning Workspace is not using legacy mode	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.AAA.112	Ensure that diagnostic level is not set to 'Off' for Azure Stack HCI Cluster	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure ACSC ISM Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2024.1
D9.AZU.AAA.113	Ensure Azure Stack HCI Cluster Provisioning State is Not 'Failed'	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.AAA.114	Ensure Cluster Agent Status is Not 'Error', 'ValidationFailed', or 'DeploymentFailed'	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.AAA.108	Ensure that at least one log category is proactively enabled for the SignalR service	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ASD Essential Eight Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.AAA.109	Ensure 'EnableConnectivityLogs' flag is set to True in SignalR Service	Low	New				Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure Secure Controls Framework (SCF) v2024.1
D9.AZU.AAA.111	Ensure Live Trace is enabled in SignalR Service	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.CRY.09	Ensure that customer managed key encryption is enabled for the Machine Learning Workspace	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.CAM.86	Ensure SignalR Service provisioning state is not failed	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure HIPAA
D9.AZU.CRY.10	Enforce Key Vault Encryption for Azure App Configuration	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.IAM.82	Configure Azure SignalR Service to enforce Azure Active Directory authentication (Microsoft Entra ID authentication)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.IAM.83	Ensure that Azure SignalR Service has client certificate validation enabled	High	New				Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.17	Ensure that Azure ExpressRoute Circuit's classic operations are disabled	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.20	Prevent Rejected Private Endpoint Connections for Azure App Configuration	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.28	Ensure that Azure ExpressRoute Circuit's Global Reach is disabled	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.29	Ensure Public Network Access is Disabled for Azure App Configuration	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.151	Ensure that private endpoint connections are not rejected or timed out	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.153	Ensure that public network access is disabled for the Machine Learning Workspace	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.154	Ensure that the Machine Learning Workspace does not allow public access when behind a virtual network	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.155	Ensure that the managed network for the Machine Learning workspace is configured to allow only approved outbound traffic	High	New				Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure Secure Controls Framework (SCF) v2024.1
D9.AZU.NET.157	Ensure that shared private link resources are not in a rejected or timeout status	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.OPE.84	Ensure that the provisioning state of providers within the Quantum Workspace is not failed	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1
D9.AZU.OPE.86	Ensure that Azure SignalR Service has local authentication disabled	Medium	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.116	Ensure that the Quantum Workspace's Provisioning State is not Failed	Low	New				Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure Secure Controls Framework (SCF) v2024.1 Azure NIST CSF v1.1
D9.AZU.OPE.108	Ensure that data isolation is enabled for the Machine Learning Workspace	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.110	Ensure that the provisioning state of the Machine Learning workspace is successful	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.112	Ensure that the Machine Learning Workspace is free from notebook preparation errors	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.113	Ensure App Configuration resource's Configuration Store Private Endpoint Connections Provisioning State is Not Failed	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.117	Ensure Azure App Configuration Store Has Local Authentication Disabled	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.118	Ensure Azure App Configuration Store Has Purge Protection Enabled	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.119	Ensure App Configuration resource's Configuration Store Provisioning State is Not Failed	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure NIST SP 800-172 Azure PIPEDA Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.IAM.81	Ensure that the Quantum Workspace API Key is not Enabled	Low	New				Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ASD Essential Eight Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2024.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.AAA.115	Ensure that all private endpoint connections for the Machine Learning workspace are successfully provisioned	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AAA.116	Ensure No Advisor Recommendations Have Risk Level 'Error'	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.156	Ensure public network access is disabled for SignalR Service	High	New				CloudGuard Azure All Rules Ruleset Azure ACSC ISM Azure Secure Controls Framework (SCF) v2024.1
D9.AZU.NET.152	Ensure that serverless compute in the Machine Learning Workspace has no public IP	High	New				CloudGuard Azure All Rules Ruleset Azure ACSC ISM Azure Secure Controls Framework (SCF) v2024.1
D9.AZU.CAM.87	Ensure that ExpressRoute Circuit is Healthy	High	New				CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure Secure Controls Framework (SCF) v2024.1 Azure HIPAA
D9.GCP.CAM.89	Ensure that Dataplex lake should have labels	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.CAM.90	Ensure that Cloud Composer environment should have labels	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.NET.102	Ensure appropriate Networking Type is Selected in Cloud Composer Environment Configuration	High	New				CloudGuard GCP All Rules Ruleset

August 14 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.165	Ensure CodeCommit repositories are encrypted with KMS CMKs	Medium	New				AWS HIPAA AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.CRY.166	Ensure that Glue DataBrew Job has encryption mode enabled	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.CRY.167	Ensure that AWS Glue DataBrew Jobs are encrypted using customer-managed CMK	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AAA.152	Ensure AWS Glue DataBrew jobs capture detailed log data to Amazon CloudWatch	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.OPE.160	Ensure that ECS services with Port Mappings should have an attached Load Balancer	Medium	Modification	Name Logic	Ensure that at least one Load Balancer is attached to the service EcsService should have loadBalancers length()>0	Ensure that ECS services with Port Mappings should have an attached Load Balancer EcsService should have taskDefinition.containerDefinitions contain [ portMappings length()>0] and loadBalancers length()>0	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS DORA AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada
D9.AZU.NET.62	Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks	High	Modification	Logic	CosmosDbAccount should not have publicNetworkAccess like 'ENABLED'	CosmosDbAccount should have publicNetworkAccess like 'ENABLED' and ( virtualNetworkRules or ipRules or isVirtualNetworkFilterEnabled)	Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset CloudGuard Azure Default Ruleset Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure MPA Content Security Program Azure DORA Azure IEC/ISO 27701:2019 Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure Database Services Benchmark v1.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure HITRUST CSF v9.5
D9.AZU.AS.89	Ensure 'Cross Tenant Replication' is not enabled	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure ISO 27017:2015 Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure EU GDPR Azure NIST CSF v1.1
D9.GCP.AS.95	Ensure API Gateway is using OpenAPI spec for API Config	Low	New				GCP NIST SP 800-53 R5 CloudGuard GCP All Rules Ruleset GCP ISO 27017:2015 GCP Secure Controls Framework (SCF) v2024.1
D9.GCP.AS.97	Artifact Registry Repositories should have labels	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP EU GDPR
D9.GCP.AS.99	Ensure that Service Directory should have annotations	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP EU GDPR
D9.GCP.NET.98	Ensure Analytics Hub Data Exchange is not publicly discoverable	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.GCP.NET.101	Ensure that Service Directory should have endpoints	High	New				CloudGuard GCP All Rules Ruleset
D9.AZU.AAA.86	Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'	Low	Removal				Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure MLPS 2.0 (Level 3) Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure CIS Foundations Benchmark v2.1.0 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure SOC 2 (AICPA TSC 2017 Controls) Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1

August 07 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.168	Ensure that the Amazon Storage Gateway file share uses AWS KMS Customer Master Keys (CMKs) for encryption	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.AS.94	Ensure Cloud Data Fusion instance is private	Critical	New				GCP NIST SP 800-53 R5 CloudGuard GCP All Rules Ruleset GCP ACSC ISM GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02
D9.AWS.AAA.104	Ensure SNS Topics do not allow Everyone to subscribe	High	Modification	Name Logic	Ensure SNS topics do not allow Everyone to subscribe SnsTopic should not have policy.Statement contain [ Condition.StringEquals ]	Ensure SNS Topics do not allow Everyone to subscribe SnsTopic where policy.Statement contain [ Sid contain [ $ like '%console_sub%' ] ] should not have policy.Statement contain [ Effect='Allow' and Principal.AWS='*' and Action='SNS:Subscribe' ]	AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS DORA AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high)

July 31 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.OPE.128	Ensure that trustedAdvisorIntegrationStatus in discoveryConfig is Enabled	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.OPE.105	Ensure Soft Delete is Enabled for Azure Containers and Blob Storage	High	Modification	Logic	StorageAccount should have blobServiceProperties.deleteRetentionPolicy.enabled=true	StorageAccount should have blobServiceProperties.containerDeleteRetentionPolicy.enabled=true and blobServiceProperties.deleteRetentionPolicy.enabled=true	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure DORA Azure UK GDPR Azure NIST CSF v2.0 Azure HIPAA Azure CloudGuard Best Practices
D9.AWS.IAM.24	Ensure Admin Password Management for Redshift Serverless Namespace	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1
D9.AWS.LOG.04	Ensure that AWS Config is Enabled in All Regions	High	Modification	Logic	Region should have configurationRecordingStatus.recording	Region should have configurationRecordingStatus.recording and configurationRecorders contain [ arn like '%AWSServiceRoleForConfig%']	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS ENISA Technical Guideline on Security Measures AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1
D9.AWS.LOG.70	Ensure EMR Serverless Application CloudWatch logging is enabled	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS Secure Controls Framework (SCF) v2024.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.LOG.72	Ensure Redshift Serverless Namespace Has Audit Logging Enabled	Medium	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2024.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.169	Ensure EC2 Instances are Protected against Termination Actions	High	Removal				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.CRY.119	Ensure KMS Customer Master Keys (CMK) are in use to have full control over the encryption / decryption process	High	Removal				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1
D9.AWS.MON.54	Detect when a canary token access key has been used	Critical	Removal				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ENS 2022 Spain AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1
D9.AWS.OPE.159	Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices	Low	Removal				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS ENISA Technical Guideline on Security Measures AWS Generally Accepted Privacy Principles (GAPP) AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS UK GDPR AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS COSO AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.OPE.185	Identify and remove any unused AWS DynamoDB tables to optimize AWS costs	High	Removal				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS ENISA Technical Guideline on Security Measures AWS Generally Accepted Privacy Principles (GAPP) AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS UK GDPR AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS COSO AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.110	Ensure IMDS Response Hop Limit is Set to One	Low	Removal				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS ENS 2022 Spain AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS IEC TR 60601-4-5 AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1
D9.AWS.AS.191	Ensure AWS EBS Volumes are attached to instances	Low	Removal				AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS COSO AWS CloudGuard CheckUp AWS SOC 2 (AICPA TSC 2017 Controls) AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.MON.53	Validate the Cost Anomaly Detection Monitor in Use	Low	Removal				AWS NIST SP 800-53 R5 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS MPA Content Security Program AWS NIST SP 800-82 R3 (high)
D9.AZU.AS.22	Identify and remove empty virtual machine scale sets from your Azure cloud account	Low	Removal				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure ENISA Technical Guideline on Security Measures Azure IEC/ISO 27701:2019 Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AWS.AS.156	Validate the Budget service in Use	Low	Removal				AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS ENISA Technical Guideline on Security Measures AWS NAIC Insurance Data Security Model Law AWS NIS 2 Directive AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.PMT.10	Ensure ElastiCache clusters are using the latest generation of nodes for cost and performance improvements	Medium	Removal				CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ASD Essential Eight AWS ACSC ISM AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS DORA AWS NIST CSF v2.0

July 24 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.LOG.03	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server	Low	Modification	Logic	PostgreSQL should have logsConfiguration contain [ name='log_disconnections' and value='on' ]	PostgreSQL should have logsConfiguration contain [ name='log_disconnections' and value like 'on' ]	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure MLPS 2.0 (Level 3) Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure CIS Foundations Benchmark v2.1.0 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure CIS Foundations Benchmark v1.1.0 Azure Database Services Benchmark v1.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure ITSG-33 Canada Azure CIS Foundations Benchmark v1.3.1
D9.GCP.IAM.53	Ensure that Email Enumeration Protection or Email Privacy Config is Enabled	High	Modification	Name	Ensure that Email Enumeration Protection is Enabled	Ensure that Email Enumeration Protection or Email Privacy Config is Enabled	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2024.1 GCP ISO 27002:2022 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP New Zealand ISM v3.6 GCP FedRAMP R5 (low) GCP MPA Content Security Program GCP ENISA Technical Guideline on Security Measures GCP Generally Accepted Privacy Principles (GAPP) GCP GLBA GCP IEC TR 60601-4-5 GCP IEC/ISO 27701:2019 GCP NAIC Insurance Data Security Model Law GCP NIS 2 Directive GCP NIST SP 800-82 R3 (high) GCP NIST CSF v1.1 GCP HIPAA GCP EU GDPR

July 17 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.OPE.161	Ensure that at least one instance is registered with an ECS Cluster	Low	Removal				AWS LGPD AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS DORA AWS IEC/ISO 27701:2019 AWS NIST CSF v2.0 AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1 AWS Well-Architected Framework AWS CloudGuard Network Security Alerts AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada
D9.OCI.NET.30	Ensure no Object Storage buckets are publicly visible	High	Removal				OCI CIS Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations Benchmark v2.0.0 OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI MPA Content Security Program OCI DORA OCI IEC/ISO 27701:2019 OCI NIST CSF v2.0 OCI ACSC ISM OCI ISO 27002:2022 OCI NIST SP 800-172 OCI Secure Controls Framework (SCF) v2024.1 OCI SOX (Section 404) OCI FedRAMP R5 (moderate) OCI ISO 27017:2015 OCI NIST SP 800-171 R2 OCI New Zealand ISM v3.6 OCI CMMC 2.0 v1.02 OCI NIST SP 800-82 R3 (high)

July 10 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.OPE.101	Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL Flexible Database Server	High	Modification	Logic	MySQLDBFlexibleServer should have parameters with [ name='tls_version' and value like 'TLSv1.2' ]	MySQLDBFlexibleServer should have parameters with [ name='tls_version' and (value like '%TLSv1.2%' or value like '%TLSv1.3%') ]	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure CIS Foundations Benchmark v2.1.0 Azure EU GDPR Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure Generally Accepted Privacy Principles (GAPP) Azure IEC/ISO 27701:2019 Azure NAIC Insurance Data Security Model Law Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure HIPAA Azure Database Services Benchmark v1.0.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.OPE.102	Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' or higher	High	Modification	Name Logic	Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' StorageAccount should have minimumTlsVersion='TLS1_2'	Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' or higher StorageAccount should have minimumTlsVersion regexMatch /TLS1_[23]/	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure MLPS 2.0 (Level 3) Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2024.1 Azure ISO 27002:2022 Azure CIS Foundations Benchmark v2.1.0 Azure EU GDPR Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure Generally Accepted Privacy Principles (GAPP) Azure IEC/ISO 27701:2019 Azure NAIC Insurance Data Security Model Law Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure HIPAA Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.IAM.80	Ensure only MFA enabled identities can access privileged Virtual Machine	High	New				CloudGuard Azure All Rules Ruleset Azure CIS Foundations Benchmark v2.1.0

July 03 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.105	Ensure EBS volumes are encrypted with CMKs to have full control over encrypting and decrypting data	Low	Modification	Severity	Critical	Low	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS ISO 27002:2022 AWS FedRAMP R5 (low) AWS MPA Content Security Program AWS DORA AWS GLBA AWS IEC/ISO 27701:2019 AWS NAIC Insurance Data Security Model Law AWS NIST CSF v2.0 AWS NIS 2 Directive AWS NIST SP 800-82 R3 (high) AWS NIST CSF v1.1
D9.AZU.AS.61	Ensure Trusted Launch is enabled on Virtual Machines	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure NIST SP 800-172 Azure Secure Controls Framework (SCF) v2024.1 Azure CIS Foundations Benchmark v2.1.0 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.AS.73	Ensure Service Mesh Client TLS Policies have Labels	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP EU GDPR
D9.GCP.AS.74	Ensure Service Mesh gRPC Routes have labels	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP EU GDPR
D9.GCP.AS.75	Ensure Service Mesh TCP Routes have labels	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP EU GDPR
D9.GCP.AS.76	Ensure Service Mesh TLS Routes have labels	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP EU GDPR
D9.GCP.AS.77	Ensure Service Mesh Auth Policies have labels	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP EU GDPR
D9.GCP.AS.78	Ensure Service Mesh Meshes have labels	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP EU GDPR
D9.GCP.CRY.39	Validate server certificates using CA	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2024.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.NET.95	Enable case sensitivity for method matches	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.GCP.NET.96	Specify exact match for header description	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.GCP.NET.97	Ensure mutual TLS is configured	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2024.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.AWS.PMT.08	Ensure EKS cluster version is up to date	Informational	Modification	Logic	EksCluster should have version split('.') getValue(1) >= 27	EksCluster should have version in ($EKS_Supported_Versions)	CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS ASD Essential Eight AWS ACSC ISM AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2024.1 AWS DORA AWS NIST CSF v2.0 AWS CloudGuard Best Practices

June 26 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.NET.15	Redis attached subnet Network Security Group should allow ingress traffic only to ports 6379 or 6380	High	Modification	Logic	RedisCache should have subnet.securityGroup.inboundSecurityRules contain-any [ destinationPortRanges contain [ destinationPort<=6379 and destinationPortTo>=6379 ] ] and subnet.securityGroup.inboundSecurityRules contain-any [ destinationPortRanges contain [ destinationPort<=6380 and destinationPortTo>=6380 ] ]	RedisCache where sku.name like '%premium%' should have subnet.securityGroup.inboundSecurityRules contain-any [ destinationPortRanges contain [ destinationPort<=6379 and destinationPortTo>=6379 ] ] and subnet.securityGroup.inboundSecurityRules contain-any [ destinationPortRanges contain [ destinationPort<=6380 and destinationPortTo>=6380 ] ]	Azure CloudGuard CheckUp Azure LGPD Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset CloudGuard Azure Default Ruleset Azure ISO 27001:2022 Azure CMMC 2.0 v1.02 Azure FedRAMP R5 (moderate) Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure MPA Content Security Program Azure DORA Azure IEC/ISO 27701:2019 Azure CSA CCM v3 Azure NIST CSF v2.0 Azure ISO 27001:2013 Azure NIST SP 800-82 R3 (high) Azure CloudGuard Network Security Alerts Azure NIST SP 800-171 R1 Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AZU.CRY.35	Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' or higher	High	Modification	Logic	StorageAccount should have minimumTlsVersion like '%TLS1_2%' or minimumTlsVersion like '%TLS1_3%'	StorageAccount should have minimumTlsVersion regexMatch /TLS1_[23]/	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure MLPS 2.0 (Level 3) Azure CRI Profile v1.2 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure CIS Foundations Benchmark v2.1.0 Azure EU GDPR Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure Generally Accepted Privacy Principles (GAPP) Azure IEC/ISO 27701:2019 Azure NAIC Insurance Data Security Model Law Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure HIPAA Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.NET.62	Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks	High	Modification	Logic	CosmosDbAccount should have publicNetworkAccess='Disabled'	CosmosDbAccount should not have publicNetworkAccess like 'ENABLED'	Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset CloudGuard Azure Default Ruleset Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure MPA Content Security Program Azure DORA Azure IEC/ISO 27701:2019 Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure HITRUST CSF v9.5
D9.AZU.CRY.88	Ensure Application Gateway is using the latest version of TLS encryption	High	Modification	Logic	ApplicationGateway should have sslProfiles contain [ sslPolicy.minProtocolVersion regexMatch /TLSv1_[23]/ ]	ApplicationGateway should have sslProfiles contain [ sslPolicy.minProtocolVersion regexMatch /TLSv1_[23]/ ] or sslPolicyInListener.minProtocolVersion regexMatch /TLSv1_[23]/ or sslPolicyInListener.minProtocolVersion isEmpty()	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure EU GDPR Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure GLBA Azure IEC/ISO 27701:2019 Azure NAIC Insurance Data Security Model Law Azure NIST CSF v2.0 Azure NIS 2 Directive Azure NIST SP 800-82 R3 (high) Azure HIPAA Azure CloudGuard Best Practices Azure HITRUST CSF v9.5
D9.GCP.NET.91	Use Secure Web Gateway type for maximum security	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1
D9.GCP.NET.92	Disable envoy internal debug headers for security	Informational	New				GCP NIST SP 800-53 R5 CloudGuard GCP All Rules Ruleset GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2
D9.GCP.NET.93	Ensure TLS termination is enabled	Medium	New				GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP NIST CSF v1.1
D9.GCP.NET.94	Apply a security policy for inbound connections	Medium	New				GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP NIST CSF v1.1

June 19 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.NET.66	Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers	Critical	Modification	Logic	StorageAccount should have publicNetworkAccessAsDisplayedInPortal like 'Disabled'	StorageAccount should not have publicNetworkAccessAsDisplayedInPortal='Enabled from all networks'	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure CRI Profile v1.2 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure MPA Content Security Program Azure DORA Azure IEC/ISO 27701:2019 Azure NIST CSF v2.0 Azure NIST SP 800-82 R3 (high) Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.CRY.88	Ensure Application Gateway is using the latest version of TLS encryption	High	Modification	Logic	ApplicationGateway should have sslPolicy.minProtocolVersion='TLSv1_2'	ApplicationGateway should have sslProfiles contain [ sslPolicy.minProtocolVersion regexMatch /TLSv1_[23]/ ]	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure CRI Profile v1.2 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure FedRAMP R5 (low) Azure MPA Content Security Program Azure DORA Azure GLBA Azure IEC/ISO 27701:2019 Azure NAIC Insurance Data Security Model Law Azure NIST CSF v2.0 Azure NIS 2 Directive Azure NIST SP 800-82 R3 (high) Azure HIPAA Azure CloudGuard Best Practices Azure HITRUST CSF v9.5
D9.GCP.CRY.38	Enforce Minimum TLS Version on Service Mesh Server TLS Policy	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.NET.88	Ensure Server TLS Policy Rejects Invalid Client Certificates	High	New				GCP NIST SP 800-53 R5 CloudGuard GCP All Rules Ruleset GCP Secure Controls Framework (SCF) v2023.1
D9.GCP.NET.89	Ensure Server TLS Policy Denies Plain Text Connections	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.GCP.NET.90	Enable HTTPS Redirect for All Traffic	Low	New				GCP NIST SP 800-53 R5 CloudGuard GCP All Rules Ruleset GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1
D9.GCP.OPE.44	Set Request Timeout for Routes	Low	New				GCP NIST SP 800-53 R5 CloudGuard GCP All Rules Ruleset GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1
D9.OCI.LOG.03	Ensure Write Level Object Storage Logging is Enabled for All Buckets	Low	Modification	Name Logic	Ensure write level Object Storage logging is enabled for all buckets LogGroup should have log contain [ configuration.source.sourceType='OCISERVICE' and configuration.source.service='objectstorage' and configuration.source.category='write' ]	Ensure Write Level Object Storage Logging is Enabled for All Buckets StorageBucket should have logs with [ configuration.source.category='write' ]	OCI CIS Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations Benchmark v2.0.0 OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI IEC/ISO 27701:2019 OCI NIST CSF v2.0
D9.AWS.NET.132	Ensure that EC2 instances are not exposed to the entire VPC, available within the peering connection	High	Removal				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1

June 13 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.K8S.IA.UN.1	Container Image - Package with Critical Severity CVEs	Critical	Modification	Name	Container Image - Package of Critical Severity	Container Image - Package with Critical Severity CVEs	Workload Vulnerability Default 2.0 Workload Vulnerability 2.0 with ScanSummary rule
D9.K8S.IA.UN.2	Container Image - Package with High Severity CVEs	High	Modification	Name	Container Image - Package of High Severity	Container Image - Package with High Severity CVEs	Workload Vulnerability Default 2.0 Workload Vulnerability 2.0 with ScanSummary rule
D9.AWS.AWP.1	AWS Workloads - Package with Critical Severity CVEs	Critical	New				Workload Vulnerability Default 2.0 Workload Vulnerability 2.0 with ScanSummary rule
D9.AWS.AWP.2	AWS Workloads - Package with High Severity CVEs	High	New				Workload Vulnerability Default 2.0 Workload Vulnerability 2.0 with ScanSummary rule
D9.AWS.AWP.3	AWS Workloads - Malware	High	New				Workload Vulnerability Default 2.0 Workload Vulnerability 2.0 with ScanSummary rule
D9.AWS.AWP.4	AWS Workloads – Insecure Content	Low	New				Workload Vulnerability Default 2.0 Workload Vulnerability 2.0 with ScanSummary rule
D9.AZU.AWP.1	Azure Workloads - Package with Critical Severity CVEs	Critical	New				Workload Vulnerability Default 2.0 Workload Vulnerability 2.0 with ScanSummary rule
D9.AZU.AWP.2	Azure Workloads - Package with High Severity CVEs	High	New				Workload Vulnerability Default 2.0 Workload Vulnerability 2.0 with ScanSummary rule
D9.AZU.AWP.3	Azure Workloads - Malware	High	New				Workload Vulnerability Default 2.0 Workload Vulnerability 2.0 with ScanSummary rule
D9.AZU.AWP.4	Azure Workloads – Insecure Content	Low	New				Workload Vulnerability Default 2.0 Workload Vulnerability 2.0 with ScanSummary rule

June 12 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.AS.125	Ensure that S3 Bucket policy doesn't allow actions from all principals without a condition	Critical	Modification	Logic	S3Bucket should not have policy.Statement with [Effect='Allow' and (Principal='' or Principal.AWS='') and Condition isEmpty()]	S3Bucket should not have policy.Statement with [Effect='Allow' and (Principal='' or Principal.AWS='') and Condition isEmpty()]	AWS HIPAA AWS LGPD AWS CloudGuard S3 Bucket Security AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 (Level 3) AWS PCI DSS v3.2.1 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS ISO 27001:2013 AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.AS.128	Ensure that S3 bucket ACLs don't allow 'WRITE_ACP' access for anonymous / AWS authenticated users	Critical	Modification	Logic	S3Bucket should not have acl.grants contain [ (uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' or uri = 'http://acs.amazonaws.com/groups/global/AllUsers') and premission = 'WRITE_ACP']	S3Bucket should not have acl.grants contain [ (uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' or uri = 'http://acs.amazonaws.com/groups/global/AllUsers') and premission = 'WRITE_ACP']	AWS HIPAA AWS LGPD AWS CloudGuard S3 Bucket Security AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 (Level 3) AWS PCI DSS v3.2.1 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS ISO 27001:2013 AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.AS.129	Ensure that EC2 instance's custom AMI is not publicly shared	Critical	Modification	Logic	Instance where imageDetails.imageLocation regexMatch /^(?!amazon\|aws-marketplace\/).+/ should not have imageDetails.isPublic	Instance where imageDetails.imageLocation regexMatch /^(?!amazon\|aws-marketplace\/).+/ should not have imageDetails.isPublic	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.AWS.AS.130	Ensure that SQS policy does not allow all actions from all principals	High	Modification	Logic	Sqs should not have policy.Statement contain [Effect='Allow' and ((Principal='' or Principal.AWS='') and Action contain ['%SQS:*%']) and Condition ]	Sqs should not have policy.Statement contain [Effect='Allow' and ((Principal='' or Principal.AWS='') and Action contain ['%SQS:*%']) and Condition ]	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.AS.133	Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone, even with a condition	Medium	Modification	Logic	EcrRepository should not have policy.document.Statement contain [ Effect='Allow' and (Principal='' or Principal.AWS='') and Condition]	EcrRepository should not have policy.document.Statement contain [ Effect='Allow' and (Principal='' or Principal.AWS='') and Condition]	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.AWS.AS.134	Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone	Critical	Modification	Logic	EcrRepository should not have policy.document.Statement contain [ Effect='Allow' and (Principal='' or Principal.AWS='') and not Condition]	EcrRepository should not have policy.document.Statement contain [ Effect='Allow' and (Principal='' or Principal.AWS='') and not Condition ]	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.AWS.AS.136	Ensure that AWS resources are not publicly accessible through IAM policies	High	Modification	Logic	IamPolicy should not have PolicyDocument.Statement contain-any [Effect='Allow' and Action='' and Resource='']	IamPolicy should not have PolicyDocument.Statement contain-any [Effect='Allow' and Action='' and Resource='']	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.AS.140	Ensure that AWS Secrets Manager Secrets are not publicly accessible through IAM policies	High	Modification	Logic	SecretManager should not have accessPolicy.Statement contain [Effect='Allow' and Action='secretsmanager:GetSecretValue' and Resource='*']	SecretManager should not have accessPolicy.Statement contain [Effect='Allow' and Action='secretsmanager:GetSecretValue' and Resource='*']	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.AS.142	Ensure AWS KMS Key should not be publicly accessible through IAM policies	High	Modification	Logic	KMS should not have policies with [ document.Statement with [Effect='Allow' and Action='kms:' and (Principal='' or Principal.AWS='*') ]]	KMS should not have policies with [ document.Statement with [Effect='Allow' and Action='kms:' and (Principal='' or Principal.AWS='*') ]]	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.AS.143	Ensure that S3 bucket ACLs don't allow 'READ' access for anonymous / AWS authenticated users	Critical	Modification	Logic	S3Bucket should not have acl.grants contain [ (uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' or uri = 'http://acs.amazonaws.com/groups/global/AllUsers') and premission = 'READ']	S3Bucket should not have acl.grants contain [ (uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' or uri = 'http://acs.amazonaws.com/groups/global/AllUsers') and premission = 'READ']	AWS HIPAA AWS LGPD AWS CloudGuard S3 Bucket Security AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 (Level 3) AWS PCI DSS v3.2.1 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS ISO 27001:2013 AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.AS.147	Ensure that S3 bucket ACLs do not allow 'WRITE' access for anonymous / AWS authenticated users	Critical	Modification	Logic	S3Bucket should not have acl.grants contain [ (uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' or uri = 'http://acs.amazonaws.com/groups/global/AllUsers') and premission = 'WRITE']	S3Bucket should not have acl.grants contain [ (uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' or uri = 'http://acs.amazonaws.com/groups/global/AllUsers') and premission = 'WRITE']	AWS HIPAA AWS LGPD AWS CloudGuard S3 Bucket Security AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 (Level 3) AWS PCI DSS v3.2.1 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS ISO 27001:2013 AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.AS.149	Ensure that S3 bucket ACLs do not allow 'READ_ACP' access for anonymous / AWS authenticated users	High	Modification	Name Logic	Ensure that S3 bucket ACLs don't allow 'READ_ACP' access for anonymous / AWS authenticated users S3Bucket should not have acl.grants contain [ (uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' or uri = 'http://acs.amazonaws.com/groups/global/AllUsers') and premission = 'READ_ACP']	Ensure that S3 bucket ACLs do not allow 'READ_ACP' access for anonymous / AWS authenticated users S3Bucket should not have acl.grants contain [ (uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' or uri = 'http://acs.amazonaws.com/groups/global/AllUsers') and premission = 'READ_ACP']	AWS HIPAA AWS LGPD AWS CloudGuard S3 Bucket Security AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 (Level 3) AWS PCI DSS v3.2.1 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS ISO 27001:2013 AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.BDR.22	Ensure replication is enabled for EventBridge global endpoints	Medium	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ENS 2022 Spain AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.CRY.154	Ensure ELB listener uses a secure HTTPS or SSL protocol	High	Modification	Logic	ELB should have elbListeners contain-all [ sourceProtocol in ('HTTPS', 'TLS') ]	ELB should have elbListeners contain-all [ sourceProtocol in ('HTTPS', 'TLS') ]	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.IAM.192	Ensure that Username is set for AWS MediaLive Channel Output Destination Settings	High	Modification	Logic	MediaLiveChannel should not have destinations contain [ settings contain [ username isEmpty() ] ]	MediaLiveChannel should not have destinations contain [ settings contain [ username isEmpty() ] ]	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.IAM.195	Ensure that Password parameter is set for AWS MediaLive Channel Output Destination Settings	High	Modification	Logic	MediaLiveChannel should not have destinations contain [ settings contain [ passwordParam isEmpty() ] ]	MediaLiveChannel should not have destinations contain [ settings contain [ passwordParam isEmpty() ] ]	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.IAM.197	Ensure that an API Key is required on a Method Request	High	Modification	Logic	ApiGateway should have resources contain-all [ (methods contain-all [ apiKeyRequired=true ]) or (methods isEmpty()) ] or authorizers isEmpty() = false	ApiGateway should have resources contain-all [ (methods contain-all [ apiKeyRequired=true ]) or (methods isEmpty()) ] or authorizers isEmpty() = false	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.LOG.59	Ensure AWS CloudFront distribution with access logging is enabled	Low	Modification	Logic	CloudFront should have distributionConfig.logging.enabled=true and distributionConfig.logging.bucket like '%.s3.amazonaws.com'	CloudFront should have distributionConfig.logging.enabled=true and distributionConfig.logging.bucket like '%.s3.amazonaws.com'	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CIS Critical Security Controls v8 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS Foundational Security Best Practices (FSBP) AWS CRI Profile v1.2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls) AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.NET.147	Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint	Critical	Modification	Name Logic	Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint Route53RecordSetGroup where recordSets contain [ records contain [ assetMetadata.type='S3Bucket'] ] should have recordSets contain [ records contain-all [ assetMetadata.type='S3Bucket' and assetMetadata.exists=true] ]	Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint Route53RecordSetGroup where recordSets contain [ records contain [ assetMetadata.type='S3Bucket'] ] should have recordSets contain [ records contain-all [ assetMetadata.type='S3Bucket' and assetMetadata.exists=true] ]	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.AWS.NET.148	Ensure S3 Bucket exists for 'A' records routing traffic to an S3 Bucket Website endpoint	Critical	Modification	Name Logic	Ensure S3 Bucket exists for A records routing traffic to an S3 Bucket website endpoint Route53RecordSetGroup where recordSets contain [ aliasTarget.dnsName regexMatch /s3-website/ ] should have getResources('S3Bucket') contain [join('.' , name, ' ') = join(' ' , ~getValue('name'), ' ')]	Ensure S3 Bucket exists for 'A' records routing traffic to an S3 Bucket Website endpoint Route53RecordSetGroup where recordSets contain [ aliasTarget.dnsName regexMatch /s3-website/ ] should have getResources('S3Bucket') contain [join('.' , name, ' ') = join(' ' , ~getValue('name'), ' ')]	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.AWS.NET.155	Ensure that Lambda Function URL is secured with IAM authentication	Critical	Modification	Logic	Lambda where urlConfigs should not have urlConfigs contain [ authType='NONE' ]	Lambda where urlConfigs should not have urlConfigs contain [ authType='NONE' ]	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CIS Critical Security Controls v8 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.AWS.NET.161	Ensure that MediaLive Input Security Groups do not implicitly whitelist all public IP addresses	High	Modification	Logic	MediaLiveInputSecurityGroup should not have whitelistRules with [ cidr='0.0.0.0/0' ]	MediaLiveInputSecurityGroup should not have whitelistRules with [ cidr='0.0.0.0/0' ]	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.OPE.164	Ensure unused Virtual Private Gateways are removed	Critical	Modification	Logic	Instance should not have nics contain [ subnet.vpc.vpnGateways contain [ state='detached' ] ]	Instance should not have nics contain [ subnet.vpc.vpnGateways contain [ state='detached' ] ]	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.VTM.18	Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices	High	Modification	Logic	Instance where volumes contain [ encryptionKey.arn regexMatch /^ssh.*/ ] should have volumes with [ encryptionKey.keyState='Active' or encryptionKey.keyState='Available' ]	Instance where volumes contain [ encryptionKey.arn regexMatch /^ssh.*/ ] should have volumes with [ encryptionKey.keyState='Active' or encryptionKey.keyState='Available' ]	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.GCP.OPE.36	Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'	Medium	Modification	Logic	CloudSql where databaseVersion like 'SQLSERVER%' should have settings.databaseFlags contain [ name like '3625' and value like 'on' ]	CloudSql where databaseVersion like 'SQLSERVER%' should have settings.databaseFlags contain [ name like '3625' and value like 'on' ]	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP ISO 27001:2022 GCP ENS 2022 Spain GCP RMiT Malaysia GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP HITRUST CSF v11.2 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CRI Profile v1.2 GCP CIS Foundations Benchmark v3.0.0 GCP DORA GCP NIST CSF v2.0 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.AZU.CRY.33	Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL flexible Database Server	High	Modification	Logic	MySQLDBFlexibleServer should have parameters with [ name='tls_version' and value like 'TLSv1.2' ]	MySQLDBFlexibleServer should have parameters with [ name='tls_version' and (value like '%TLSv1.2%' or value like '%TLSv1.3%') ]	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure CRI Profile v1.2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure DORA Azure NIST CSF v2.0 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.CRY.35	Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' or higher	High	Modification	Name Logic	Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' StorageAccount should have minimumTlsVersion='TLS1_2'	Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' or higher StorageAccount should have minimumTlsVersion like '%TLS1_2%' or minimumTlsVersion like '%TLS1_3%'	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure MLPS 2.0 (Level 3) Azure CRI Profile v1.2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure DORA Azure NIST CSF v2.0 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.VTM.16	Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'	High	Modification	Logic	PolicyAssignment where properties.displayName like '%ASC Default%' should not have properties.parametersCollection with [ value contain-any ['Disabled']] and properties.enforcementMode='DoNotEnforce'	PolicyAssignment where properties.displayName like '%ASC Default%' should not have properties.parametersCollection with [ value contain-any ['Disabled']] and properties.enforcementMode='DoNotEnforce'	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure MLPS 2.0 (Level 3) Azure CRI Profile v1.2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure DORA Azure NIST CSF v2.0 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AWS.AS.124	ECS Cluster should not have running container instances with unconnected agents	High	Modification	Logic	EcsCluster should not have containerInstances contain [ agentConnected = false and status != 'DRAINING' ]	EcsCluster should not have containerInstances contain [ agentConnected = false and status != 'DRAINING' ]	AWS LGPD AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS New Zealand ISM v3.6 AWS ACSC ISM AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS Well-Architected Framework AWS CloudGuard Network Security Alerts AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada
D9.AWS.AS.126	Ensure IAM Users Receive Permissions Only Through Groups	Low	Modification	Logic	IamUser where not (name regexMatch /^<root_account>$/i ) should have managedPolicies isEmpty() and inlinePolicies isEmpty()	IamUser where not (name regexMatch /^<root_account>$/i ) should have managedPolicies isEmpty() and inlinePolicies isEmpty()	AWS LGPD AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS CIS Foundations Benchmark v1.1.0 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS MLPS 2.0 (Level 3) AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS DORA AWS CIS Foundations Benchmark v1.0.0 AWS ISO 27001:2013 AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CIS Foundations Benchmark v1.2.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.AS.132	Ensure that S3 Bucket policy doesn't allow actions from all principals (Condition exists)	High	Modification	Logic	S3Bucket should not have policy.Statement with [Effect='Allow' and (Principal='' or Principal.AWS='') and Condition]	S3Bucket should not have policy.Statement with [Effect='Allow' and (Principal='' or Principal.AWS='') and Condition]	AWS LGPD AWS CloudGuard S3 Bucket Security AWS MITRE ATT&CK Framework v11.3 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS PCI DSS v3.2.1 AWS New Zealand ISM v3.6 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS ISO 27001:2013 AWS NIST CSF v2.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.156	Ensure policy attached to IAM identities requires SSL/TLS to manage IAM access keys	Low	Modification	Logic	IamPolicy where document.Statement contain [Effect='Allow' and Action regexMatch /AccessKey/ ] and not ( roles isEmpty() and users isEmpty() and groups isEmpty()) should have document.Statement with [Effect='Allow' and Action regexMatch /AccessKey/ ] contain-all [Condition.Bool.aws:SecureTransport = 'true']	IamPolicy where document.Statement contain [Effect='Allow' and Action regexMatch /AccessKey/ ] and not ( roles isEmpty() and users isEmpty() and groups isEmpty()) should have document.Statement with [Effect='Allow' and Action regexMatch /AccessKey/ ] contain-all [Condition.Bool.aws:SecureTransport='true']	AWS LGPD AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS ISO 27001:2013 AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS CCPA
D9.AWS.AS.112	RDS Databases with Direct Connect virtual interface should not have public interfaces	Critical	Modification	Logic	RDS where vpc.vpnGateways contain [directConnectVirtualInterfaces] should have isPublic=false	RDS where vpc.vpnGateways contain [directConnectVirtualInterfaces] should have isPublic=false	AWS Security Risk Management AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CIS Critical Security Controls v8 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS CRI Profile v1.2 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS ISO 27001:2013 AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard CheckUp AWS SOC 2 (AICPA TSC 2017 Controls) AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.OPE.154	Ensure that EKS cluster's Kubernetes API endpoints are not publicly accessible	Critical	Modification	Logic	EksCluster should not have resourcesVpcConfig.endpointPublicAccess=true and resourcesVpcConfig.publicAccessCidrs contain [ '0.0.0.0/0' ]	EksCluster should not have resourcesVpcConfig.endpointPublicAccess=true and resourcesVpcConfig.publicAccessCidrs contain [ '0.0.0.0/0' ]	AWS Security Risk Management AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.VTM.19	Ensure AWS AppSync attached WAFv2 ACL configured with AMR to mitigate Log4j Vulnerability	High	Modification	Logic	AppSync should have getResource('WAFRegionalV2', wafWebAclArn, 'arn') getValues('rules') with [ statement.managedRuleGroupStatement.name = 'AWSManagedRulesAnonymousIpList' or statement.managedRuleGroupStatement.name = 'AWSManagedRulesKnownBadInputsRuleSet'] and getValues('postProcessFirewallManagerRuleGroups ') with [ firewallManagerStatement.managedRuleGroupStatement.name = 'AWSManagedRulesAnonymousIpList' or firewallManagerStatement.managedRuleGroupStatement.name = 'AWSManagedRulesKnownBadInputsRuleSet']	AppSync should have getResource('WAFRegionalV2', wafWebAclArn, 'arn') getValues('rules') with [ statement.managedRuleGroupStatement.name = 'AWSManagedRulesAnonymousIpList' or statement.managedRuleGroupStatement.name = 'AWSManagedRulesKnownBadInputsRuleSet'] and getValues('postProcessFirewallManagerRuleGroups ') with [ firewallManagerStatement.managedRuleGroupStatement.name = 'AWSManagedRulesAnonymousIpList' or firewallManagerStatement.managedRuleGroupStatement.name = 'AWSManagedRulesKnownBadInputsRuleSet']	AWS Security Risk Management AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.AS.108	Verify that there are no Amazon RDS database instances currently operational within the public subnets of our AWS Virtual Private Cloud (VPC)	Low	Modification	Logic	RDS should not have nics contain [ subnet.routeTable.routes contain [ destinationCidrBlock='0.0.0.0/0' and gatewayId regexMatch /igw-.*/ ] ]	RDS should not have nics contain [ subnet.routeTable.routes contain [ destinationCidrBlock='0.0.0.0/0' and gatewayId regexMatch /igw-.*/ ] ]	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ACSC ISM AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.AS.110	Ensure IMDS Response Hop Limit is Set to One	Low	Modification	Logic	Instance where metadataOptions.httpEndpoint = 'enabled' should not have metadataOptions.httpPutResponseHopLimit > 1	Instance where metadataOptions.httpEndpoint = 'enabled' should not have metadataOptions.httpPutResponseHopLimit > 1	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.AS.111	Ensure that your AWS SES identities (domains or email addresses) are not exposed to everyone	High	Modification	Name Logic	Ensure that your AWS SES identities (domains and/or email addresses) are not exposed to everyone SES where (not policies isEmpty()) should not have policies contain [ policy.Statement with [ Principal='' or Principal.AWS='' ] and policy.Statement with [ Condition.StringEquals.aws:SourceAccount ] ]	Ensure that your AWS SES identities (domains or email addresses) are not exposed to everyone SES where (not policies isEmpty()) should not have policies contain [ policy.Statement with [ Principal='' or Principal.AWS='' ] and policy.Statement with [ Condition.StringEquals.aws:SourceAccount ] ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.AS.113	Ensure that security groups are using proper naming conventions	Low	Modification	Logic	Instance should have nics contain-all [ securityGroups contain-all [ tags contain-all [ value regexMatch /^security-group-(ue1\|uw1\|uw2\|ew1\|ec1\|an1\|an2\|as1\|as2\|se1)-(d\|t\|s\|p)-([a-z0-9\-]+)/ ] ] ]	Instance should have nics contain-all [ securityGroups contain-all [ tags contain-all [ value regexMatch /^security-group-(ue1\|uw1\|uw2\|ew1\|ec1\|an1\|an2\|as1\|as2\|se1)-(d\|t\|s\|p)-([a-z0-9\-]+)/ ] ] ]	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.AS.117	Instances with Direct Connect virtual interface should not have public interfaces	Critical	Modification	Logic	Instance where vpc.vpnGateways contain [directConnectVirtualInterfaces] should have isPublic=false	Instance where vpc.vpnGateways contain [directConnectVirtualInterfaces] should have isPublic=false	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CIS Critical Security Controls v8 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS CRI Profile v1.2 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard CheckUp AWS SOC 2 (AICPA TSC 2017 Controls) AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.AS.121	Ensure AWS VPC does not allow unauthorized peering	High	Modification	Logic	VPC where vpcPeeringConnections length()>0 should have vpcPeeringConnections with [ targetVpc.ownerId = ~.accountNumber ]	VPC where vpcPeeringConnections length()>0 should have vpcPeeringConnections with [ targetVpc.ownerId = ~.accountNumber ]	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS PCI DSS v3.2.1 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS CCPA
D9.AWS.AS.127	Ensure that Lambda Function is not publicly exposed via resource policy without a condition	Critical	Modification	Logic	Lambda should not have resourcePolicy.Statement contain [ Effect='Allow' and (Principal = '' or Principal.AWS = '') and not Condition ]	Lambda should not have resourcePolicy.Statement contain [ Effect='Allow' and (Principal = '' or Principal.AWS = '') and not Condition ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.AWS.AS.131	Ensure OpenSearch should have IAM permissions restricted	Low	Modification	Logic	ElasticSearchDomain should not have accessPolicies.Statement contain [ Effect='Allow' and ( Principal.AWS='*' ) ]	ElasticSearchDomain should not have accessPolicies.Statement contain [ Effect='Allow' and ( Principal.AWS='*' ) ]	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.AWS.AS.135	Ensure that SQS policy won't allow all actions from all principals without a condition	Critical	Modification	Logic	Sqs should not have policy.Statement contain [Effect='Allow' and ((Principal='' or Principal.AWS='') and Action contain ['%SQS:*%']) and not Condition]	Sqs should not have policy.Statement contain [Effect='Allow' and ((Principal='' or Principal.AWS='') and Action contain ['%SQS:*%']) and not Condition]	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS MLPS 2.0 (Level 3) AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.AS.137	Ensure API gateway policy limits public access	High	Modification	Logic	ApiGateway should not have policy.Statement isEmpty() or policy.Statement contain [Effect='Allow' and (Principal = '' or Principal.AWS = '') and not Condition]	ApiGateway should not have policy.Statement isEmpty() or policy.Statement contain [Effect='Allow' and (Principal = '' or Principal.AWS = '') and not Condition]	AWS NIST SP 800-53 R5 CloudGuard AWS Default Ruleset CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0
D9.AWS.AS.139	Follow proper naming conventions for Virtual Private Clouds	Low	Modification	Logic	VPC should have tags contain-all [ value regexMatch /^vpc-(ue1\|uw1\|uw2\|ew1\|ec1\|an1\|an2\|as1\|as2\|se1)-(d\|t\|s\|p)-([a-z0-9\\-]+)$/ ]	VPC should have tags contain-all [ value regexMatch /^vpc-(ue1\|uw1\|uw2\|ew1\|ec1\|an1\|an2\|as1\|as2\|se1)-(d\|t\|s\|p)-([a-z0-9\\-]+)$/ ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.AS.152	Ensure Managed Streaming for Apache Kafka (MSK) clusters have only authenticated access	High	Modification	Logic	MskCluster where provisioned should have provisioned.clientAuthentication.tls.enabled=true or provisioned.clientAuthentication.sasl.iam.enabled=true or provisioned.clientAuthentication.sasl.scram.enabled=true	MskCluster where provisioned should have provisioned.clientAuthentication.tls.enabled=true or provisioned.clientAuthentication.sasl.iam.enabled=true or provisioned.clientAuthentication.sasl.scram.enabled=true	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0
D9.AWS.AS.168	Ensure that EventBridge Event Bus should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.161	Ensure that DataSync Agent should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.162	Ensure that DataSync Task should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.CRY.152	Ensure AWS CloudFront web distributions use custom (and not default) SSL certificates	Low	Modification	Logic	CloudFront should not have distributionConfig.viewerCertificate.certificateSource like '%cloudfront%'	CloudFront should not have distributionConfig.viewerCertificate.certificateSource like '%cloudfront%'	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.155	Enforce HTTPS for Amazon Elastic Beanstalk environment load balancers	High	Modification	Logic	ElasticBeanstalk should not have settings.configurationSettings contain [ optionSettings contain [ resourceName='AWSEBV2LoadBalancerListener' and optionName='Protocol' and value='HTTP' ] ]	ElasticBeanstalk should not have settings.configurationSettings contain [ optionSettings contain [ resourceName='AWSEBV2LoadBalancerListener' and optionName='Protocol' and value='HTTP' ] ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.IAM.143	Ensure basic authorization is enabled for Amplify App	Medium	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.IAM.194	ECS Task Definitions should Mount the Root File System as Read-only	High	Modification	Logic	EcsTaskDefinition should have containerDefinitions contain-all [ readonlyRootFilesystem=true ]	EcsTaskDefinition should have containerDefinitions contain-all [ readonlyRootFilesystem=true ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.IAM.201	Ensure SNS topics do not allow Everyone to publish	Low	Modification	Logic	SnsTopic where policy.Statement contain [ Principal.AWS='*' and Principal='sns:Publish' and Effect='Allow' ] should have policy.Statement contain [ Condition.StringEquals.AWS:SourceOwner ]	SnsTopic where policy.Statement contain [ Principal.AWS='*' and Principal='sns:Publish' and Effect='Allow' ] should have policy.Statement contain [ Condition.StringEquals.AWS:SourceOwner ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.LOG.60	Ensure Step Functions state machine logging is enabled	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.MON.54	Detect when a canary token access key has been used	Critical	Modification	Logic	IamUser where not (name regexMatch /^<root_account>$/i ) should have inlinePolicies isEmpty() and managedPolicies isEmpty() and passwordEnabled=false and passwordLastUsed=-62135596800 and (firstAccessKey.isActive=true or secondAccessKey.isActive=true)	IamUser where not (name regexMatch /^<root_account>$/i ) should have inlinePolicies isEmpty() and managedPolicies isEmpty() and passwordEnabled=false and passwordLastUsed=-62135596800 and (firstAccessKey.isActive=true or secondAccessKey.isActive=true)	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.MON.55	Ensure that root account credentials have not been used recently to access your AWS account	High	Modification	Logic	IamUser where name like '%root_account%' should not have passwordLastUsed after(-7, 'days')	IamUser where name like '%root_account%' should not have passwordLastUsed after(-7, 'days')	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.MON.57	Ensure that Amazon Aurora database activity is monitored with the Database Activity Stream	Medium	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ENS 2022 Spain AWS ASD Essential Eight AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1
D9.AWS.NET.150	Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain	Medium	Modification	Name Logic	Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain Route53RecordSetGroup where recordSets contain [ type='TXT' ] should have recordSets contain [ records contain-all [ value regexMatch /v=spf1.+/ ] ]	Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain Route53RecordSetGroup where recordSets contain [ type='TXT' ] should have recordSets contain [ records contain-all [ value regexMatch /v=spf1.+/ ] ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.NET.153	Mapping and Approval of Roles Accessible by External Federated Accounts	High	Modification	Logic	IamRole should not have assumeRolePolicy.Statement contain [ Principal.Federated ]	IamRole should not have assumeRolePolicy.Statement contain [ Principal.Federated ]	AWS NIST SP 800-53 R5 CloudGuard AWS Default Ruleset CloudGuard AWS All Rules Ruleset AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0
D9.AWS.NET.154	Ensure that DS Directory's RADIUS server is configured and in healthy state	High	Modification	Logic	DirectoryServiceDirectory where directoryType.value='MicrosoftAD' or directoryType.value='ADConnector' should have radiusStatus.value!='Failed' and radiusSettings	DirectoryServiceDirectory where directoryType.value='MicrosoftAD' or directoryType.value='ADConnector' should have radiusStatus.value!='Failed' and radiusSettings	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.NET.159	Ensure that DS Directory RADIUS authentication protocol is configured and not set to 'PAP'	Low	Modification	Logic	DirectoryServiceDirectory where directoryType.value='MicrosoftAD' or directoryType.value='ADConnector' should have radiusSettings.authenticationProtocol.value!='PAP'	DirectoryServiceDirectory where directoryType.value='MicrosoftAD' or directoryType.value='ADConnector' should have radiusSettings.authenticationProtocol.value!='PAP'	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.OPE.153	Ensure AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA)	Medium	Modification	Logic	List<NatGateway> where not items isEmpty() should have items contain-any [ state='available' ]	List<NatGateway> where not items isEmpty() should have items contain-any [ state='available' ]	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.OPE.157	Ensure CloudFront origins don't use insecure SSL protocols	High	Modification	Logic	CloudFront should not have distributionConfig.origins.items with [ customOriginConfig.originSslProtocols.items contain [ 'SSLv3' ] ]	CloudFront should not have distributionConfig.origins.items with [ customOriginConfig.originSslProtocols.items contain [ 'SSLv3' ] ]	AWS NIST SP 800-53 R5 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.OPE.158	Ensure that Classic Load Balancers are using one of the latest predefined security policies	Low	Modification	Logic	ELB should not have elbListeners contain [ policies contain [ policyName!='ELBSecurityPolicy-TLS13-1-2-2021-06' ] ]	ELB should not have elbListeners contain [ policies contain [ policyName!='ELBSecurityPolicy-TLS13-1-2-2021-06' ] ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.OPE.163	Ensure that Amazon ALBs are using the latest predefined security policy for their SSL/TLS negotiation configuration	Low	Modification	Logic	ApplicationLoadBalancer should have listeners contain-all [ securityPolicy in ('ELBSecurityPolicy-TLS13-1-2-2021-06', 'ELBSecurityPolicy-TLS13-1-3-2021-06', 'ELBSecurityPolicy-TLS13-1-2-Res-2021-06' ) ]	ApplicationLoadBalancer should have listeners contain-all [ securityPolicy in ('ELBSecurityPolicy-TLS13-1-2-2021-06', 'ELBSecurityPolicy-TLS13-1-3-2021-06', 'ELBSecurityPolicy-TLS13-1-2-Res-2021-06' ) ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.PMT.15	Ensure that ECR Registry-level configuration is enabled for image scanning	High	Modification	Logic	EcrRegistryScanningConfig where scanningConfiguration.rules should have scanningConfiguration.rules contain-all [ scanFrequency.value like 'CONTINUOUS_SCAN'] and scanningConfiguration.scanType.value='ENHANCED'	EcrRegistryScanningConfig where scanningConfiguration.rules should have scanningConfiguration.rules contain-all [ scanFrequency.value like 'CONTINUOUS_SCAN'] and scanningConfiguration.scanType.value='ENHANCED'	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.VTM.04	Ensure that Amazon Macie was run in the last 30 days and its security findings are highlighted, analyzed, and resolved	High	Modification	Logic	S3Bucket should have macieFindings length()<1 and macieInformation.jobDetails.lastJobRunTime and not macieInformation.jobDetails.lastJobRunTime before(-30, 'days')	S3Bucket should have macieFindings length()<1 and macieInformation.jobDetails.lastJobRunTime and not macieInformation.jobDetails.lastJobRunTime before(-30, 'days')	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS New Zealand ISM v3.6 AWS ACSC ISM AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.VTM.09	Ensure Aurora PostgreSQL is not exposed to local file read vulnerability	Critical	Modification	Logic	RDSDBCluster where status = 'available' and engine = 'aurora-postgresql' should not have engineVersion in('10.11','10.12','10.13','11.6','11.7','11.8')	RDSDBCluster where status = 'available' and engine = 'aurora-postgresql' should not have engineVersion in('10.11','10.12','10.13','11.6','11.7','11.8')	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AWS.VTM.11	Ensure that Amazon Inspector Findings are analyzed and resolved (EC2)	High	Modification	Logic	Inspector2Ec2FindingsAggregation should have externalFindings.findings with [ findingTitle='No potential security issues found' ]	Inspector2Ec2FindingsAggregation should have externalFindings.findings with [ findingTitle='No potential security issues found' ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0
D9.AWS.VTM.12	Ensure that Amazon Inspector Findings are analyzed and resolved (ECR)	High	Modification	Logic	Inspector2EcrFindingsAggregation should have externalFindings.findings with [ findingTitle='No potential security issues found' ]	Inspector2EcrFindingsAggregation should have externalFindings.findings with [ findingTitle='No potential security issues found' ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0
D9.AWS.VTM.13	Ensure that Amazon Inspector Findings are analyzed and resolved (Lambda)	High	Modification	Logic	Inspector2LambdaFindingsAggregation should have externalFindings.findings with [ findingTitle='No potential security issues found' ]	Inspector2LambdaFindingsAggregation should have externalFindings.findings with [ findingTitle='No potential security issues found' ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS DORA AWS NIST CSF v2.0
D9.AWS.AS.144	Ensure that Authorization Type in API Gateway is not set to None	High	Modification	Logic	ApiGateway where not authorizers should not have resources contain-any [ methods contain-any [ authorizationType='NONE' ] ]	ApiGateway where not authorizers should not have resources contain-any [ methods contain-any [ authorizationType='NONE' ] ]	AWS MITRE ATT&CK Framework v11.3 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.AS.146	Ensure SNS Topics are not publicly accessible	Critical	Modification	Logic	SnsTopic where policy.Statement contain [Effect='Allow' and (Principal='' or Principal.AWS='')] should have policy.Statement contain [Condition]	SnsTopic where policy.Statement contain [Effect='Allow' and (Principal='' or Principal.AWS='')] should have policy.Statement contain [Condition]	AWS MITRE ATT&CK Framework v11.3 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 (Level 3) AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AZU.OPE.93	Ensure that a resource locking administrator role is available for each Azure subscription	High	Modification	Logic	List<RoleDefinition> should have items with [properties.permissions contain [ actions with [$ in('Microsoft.Authorization/locks/read','Microsoft.Authorization/locks/write','Microsoft.Authorization/locks/delete')] length() = 3]]	List<RoleDefinition> should have items with [properties.permissions contain [ actions with [$ in('Microsoft.Authorization/locks/read','Microsoft.Authorization/locks/write','Microsoft.Authorization/locks/delete')] length() = 3]]	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure DORA Azure NIST CSF v2.0 Azure NIST CSF v1.1 Azure HIPAA Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.OPE.95	Configure your Microsoft Azure virtual machines to use Azure Active Directory credentials for secure authentication	Low	Modification	Logic	VirtualMachine should have extensions contain [ virtualMachineExtensionType='AADSSHLoginForLinux' or virtualMachineExtensionType='AADLoginForWindows' ]	VirtualMachine should have extensions contain [ virtualMachineExtensionType='AADSSHLoginForLinux' or virtualMachineExtensionType='AADLoginForWindows' ]	Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure DORA Azure NIST CSF v2.0 Azure NIST CSF v1.1 Azure HIPAA
D9.AZU.VTM.08	Ensure Azure Application Gateway Web application firewall (WAF) policy rule for Remote Command Execution is enabled	Low	Modification	Logic	ApplicationGateway where getResources('RegionalWAF',properties.regionalWAFPolicyId,'id') contain [ policySettings.state='Enabled' and not managedRules.managedRuleSets isEmpty()] should not have getResources('RegionalWAF', properties.regionalWAFPolicyId, 'id' ) getValues('managedRules.managedRuleSets.ruleGroupOverrides.rules') contain [ ruleId='944240' and state='Disabled' ]	ApplicationGateway where getResources('RegionalWAF',properties.regionalWAFPolicyId,'id') contain [ policySettings.state='Enabled' and not managedRules.managedRuleSets isEmpty()] should not have getResources('RegionalWAF', properties.regionalWAFPolicyId, 'id' ) getValues('managedRules.managedRuleSets.ruleGroupOverrides.rules') contain [ ruleId='944240' and state='Disabled' ]	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure MLPS 2.0 (Level 3) Azure CRI Profile v1.2 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure DORA Azure NIST CSF v2.0 Azure HIPAA Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.AS.41	Ensure there is more than one owner assigned to your Microsoft Azure subscription	High	Modification	Logic	List<RoleAssignment> where items with [getResources('RoleDefinition', properties.roleDefinitionId, 'id' ) getValues('properties.roleName') contain [ 'Owner' ]] should have length() >=2	List<RoleAssignment> where items with [getResources('RoleDefinition', properties.roleDefinitionId, 'id' ) getValues('properties.roleName') contain [ 'Owner' ]] should have length() >=2	Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure DORA Azure NIST CSF v2.0 Azure HIPAA
D9.ALI.CRY.04	Ensure that Virtual Machine's disks are encrypted	High	Modification	Name	Ensure that 'Virtual Machine's disk' are encrypted	Ensure that Virtual Machine's disks are encrypted	Alibaba CIS Foundations Benchmark v1.0.0 CloudGuard Alibaba All Rules Ruleset Alibaba ISO 27001:2022 Alibaba NIST SP 800-53 R5 Alibaba HIPAA Alibaba PCI DSS v4 Alibaba SOC 2 (AICPA TSC 2017 Controls) Alibaba DORA Alibaba NIST CSF v2.0
D9.ALI.MON.04	Ensure that notification is enabled on all high risk items	Low	Modification	Logic	SecCenNotificationConfig should have noticeConfigList contain-all [ route>=1 ]	SecCenNotificationConfig should have noticeConfigList contain-all [ route>=1 ]	Alibaba CIS Foundations Benchmark v1.0.0 CloudGuard Alibaba All Rules Ruleset Alibaba ISO 27001:2022 Alibaba NIST SP 800-53 R5 Alibaba HIPAA Alibaba PCI DSS v4 Alibaba SOC 2 (AICPA TSC 2017 Controls) Alibaba DORA Alibaba NIST CSF v2.0
D9.ALI.NET.33	Ensure that OSS bucket is not anonymously or publicly accessible	Critical	Modification	Logic	OssBucket should not have accessControlList.grant like '%public%' or policy.Statement contain [ Principal contain [ '*' ] and Effect = 'Allow' ]	OssBucket should not have accessControlList.grant like '%public%' or policy.Statement contain [ Principal contain [ '*' ] and Effect = 'Allow' ]	Alibaba CIS Foundations Benchmark v1.0.0 CloudGuard Alibaba All Rules Ruleset Alibaba ISO 27001:2022 Alibaba NIST SP 800-53 R5 Alibaba HIPAA Alibaba PCI DSS v4 Alibaba SOC 2 (AICPA TSC 2017 Controls) Alibaba DORA Alibaba NIST CSF v2.0
D9.ALI.PMT.02	Ensure that the latest OS Patches for all Virtual Machines are applied	High	Modification	Logic	SecCenLinuxVulnerability should have groupedVulItems contain-all [ asapCount=0 ]	SecCenLinuxVulnerability should have groupedVulItems contain-all [ asapCount=0 ]	Alibaba CIS Foundations Benchmark v1.0.0 CloudGuard Alibaba All Rules Ruleset Alibaba ISO 27001:2022 Alibaba NIST SP 800-53 R5 Alibaba HIPAA Alibaba PCI DSS v4 Alibaba SOC 2 (AICPA TSC 2017 Controls) Alibaba DORA Alibaba NIST CSF v2.0
D9.OCI.AS.13	Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389	Critical	Modification	Logic	SecurityList should not have ingressSecurityRules contain [ protocol='6' and source='0.0.0.0/0' and (tcpOptions contain [ destinationPortRange contain [ max=3389 or min=3389]]) ]	SecurityList should not have ingressSecurityRules contain [ protocol='6' and source='0.0.0.0/0' and (tcpOptions contain [ destinationPortRange contain [ max=3389 or min=3389]]) ]	OCI CIS Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations Benchmark v2.0.0 OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.14	Ensure no security lists allow ingress from 0.0.0.0/0 to port 22	Critical	Modification	Logic	SecurityList should not have ingressSecurityRules contain [ protocol='6' and source='0.0.0.0/0' and (tcpOptions contain [ destinationPortRange contain [ max=22 or min=22]]) ]	SecurityList should not have ingressSecurityRules contain [ protocol='6' and source='0.0.0.0/0' and (tcpOptions contain [ destinationPortRange contain [ max=22 or min=22]]) ]	OCI CIS Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations Benchmark v2.0.0 OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.19	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22	Critical	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=22 and tcpOptions.destinationPortRange.max>=22]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=22 and tcpOptions.destinationPortRange.max>=22]	OCI CIS Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI CIS Foundations Benchmark v2.0.0 OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.23	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389	Critical	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=3389 and tcpOptions.destinationPortRange.max>=3389 ]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=3389 and tcpOptions.destinationPortRange.max>=3389 ]	OCI CIS Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI CIS Foundations Benchmark v2.0.0 OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.NET.31	Ensure VCN flow logging is enabled for all subnets	Low	Modification	Logic	LogGroup should have log contain [ configuration.source.sourceType='OCISERVICE' and configuration.source.service='flowlogs' and configuration.source.category='all' ]	LogGroup should have log contain [ configuration.source.sourceType='OCISERVICE' and configuration.source.service='flowlogs' and configuration.source.category='all' ]	OCI CIS Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations Benchmark v2.0.0 OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.AWS.AS.105	Amazon System Manager Document should not be publicly available	Critical	Modification	Logic	SystemManagerDocument should not have accountSharingInfoList contain [ accountId='all' ]	SystemManagerDocument should not have accountSharingInfoList contain [ accountId='all' ]	CloudGuard AWS All Rules Ruleset
D9.AWS.AS.106	Ensure that public System Manager Documents include parameters	High	Modification	Logic	SystemManagerDocument where accountSharingInfoList contain [ accountId='all' ] should not have parameters isEmpty()	SystemManagerDocument where accountSharingInfoList contain [ accountId='all' ] should not have parameters isEmpty()	CloudGuard AWS All Rules Ruleset
D9.AWS.AS.114	Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts	Critical	Modification	Logic	RDSDBSnapshot should not have dbSnapshotAttributes contain [ attributeName='restore' and attributeValues contain [ 'all' ] ]	RDSDBSnapshot should not have dbSnapshotAttributes contain [ attributeName='restore' and attributeValues contain [ 'all' ] ]	CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.AS.115	Ensure that your Amazon RDS database cluster snapshots are not accessible to all AWS accounts	Critical	Modification	Logic	RdsDbClusterSnapshot should not have dbClusterSnapshotAttributes contain [ attributeName='restore' and attributeValues contain [ 'all' ] ]	RdsDbClusterSnapshot should not have dbClusterSnapshotAttributes contain [ attributeName='restore' and attributeValues contain [ 'all' ] ]	CloudGuard AWS All Rules Ruleset AWS New Zealand ISM v3.6 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.AS.122	Ensure that Drop Invalid Header Fields feature is enabled for your Application Load Balancers to remove non-standard headers	High	Modification	Logic	ApplicationLoadBalancer should have attributes contain-any [ key='routing.http.drop_invalid_header_fields.enabled' and value='true' ]	ApplicationLoadBalancer should have attributes contain-any [ key='routing.http.drop_invalid_header_fields.enabled' and value='true' ]	CloudGuard AWS All Rules Ruleset AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.PMT.03	Ensure that your Amazon ECS instances are using the latest ECS container agent version	Medium	Modification	Logic	EcsCluster where containerInstances length() should have containerInstances contain-all [ versionInfo.agentVersion in ($CloudGuard_ECS_Cluster_Latest_Agent_Versions) ]	EcsCluster where containerInstances length() should have containerInstances contain-all [ versionInfo.agentVersion in ($CloudGuard_ECS_Cluster_Latest_Agent_Versions) ]	CloudGuard AWS All Rules Ruleset AWS ACSC ISM AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.PMT.04	Ensure managed platform updates are enabled for your AWS Elastic Beanstalk environments	Low	Modification	Logic	ElasticBeanstalk should not have settings.configurationSettings contain [ optionSettings contain [ optionName='ManagedActionsEnabled' and value='false' ] ]	ElasticBeanstalk should not have settings.configurationSettings contain [ optionSettings contain [ optionName='ManagedActionsEnabled' and value='false' ] ]	CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ACSC ISM AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AWS.PMT.10	Ensure ElastiCache clusters are using the latest generation of nodes for cost and performance improvements	Medium	Modification	Logic	ElastiCache should not have cacheNodeType in ( 'cache.t1.micro', 'cache.m1.small', 'cache.m1.medium', 'cache.m1.large', 'cache.m1.xlarge', 'cache.m3.medium', 'cache.m3.large', 'cache.m3.xlarge', 'cache.m3.2xlarge', 'cache.c1.xlarge', 'cache.m2.xlarge', 'cache.m2.2xlarge', 'cache.m2.4xlarge', 'cache.r3.large', 'cache.r3.xlarge', 'cache.r3.2xlarge', 'cache.r3.4xlarge', 'cache.r3.8xlarge' )	ElastiCache should not have cacheNodeType in ( 'cache.t1.micro', 'cache.m1.small', 'cache.m1.medium', 'cache.m1.large', 'cache.m1.xlarge', 'cache.m3.medium', 'cache.m3.large', 'cache.m3.xlarge', 'cache.m3.2xlarge', 'cache.c1.xlarge', 'cache.m2.xlarge', 'cache.m2.2xlarge', 'cache.m2.4xlarge', 'cache.r3.large', 'cache.r3.xlarge', 'cache.r3.2xlarge', 'cache.r3.4xlarge', 'cache.r3.8xlarge' )	CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ACSC ISM AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.GCP.OPE.39	Ensure Public Cloud NAT Gateway should have automatic NAT IP address allocation enabled	Informational	Modification	Name Logic	Ensure Public Cloud NAT Gateway should have automatic NAT IP address allocation enabled Router where nats length()=1 should have nats with [ type like 'PUBLIC' and natIpAllocateOption like 'AUTO_ONLY' ]	Ensure Public Cloud NAT Gateway should have automatic NAT IP address allocation enabled Router where nats length()=1 should have nats with [ type like 'PUBLIC' and natIpAllocateOption like 'AUTO_ONLY' ]	CloudGuard GCP All Rules Ruleset GCP HITRUST CSF v11.2 GCP ITSG-33 Canada GCP SOX (Section 404) GCP ISO 27002:2022 GCP CRI Profile v1.2 GCP DORA GCP NIST CSF v2.0 GCP HIPAA
D9.ALI.AS.04	Ensure that ECS data disk is not configured with 'release disk with instance' feature	Low	Modification	Name	Ensure that ECS data disk is not configured with 'release disk with instance feature'	Ensure that ECS data disk is not configured with 'release disk with instance' feature	CloudGuard Alibaba All Rules Ruleset Alibaba ISO 27001:2022 Alibaba NIST SP 800-53 R5 Alibaba HIPAA Alibaba PCI DSS v4 Alibaba SOC 2 (AICPA TSC 2017 Controls) Alibaba DORA Alibaba NIST CSF v2.0
D9.OCI.AS.09	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1433	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=1433 and tcpOptions.destinationPortRange.max>=1433]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=1433 and tcpOptions.destinationPortRange.max>=1433]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.10	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 7001	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=7001 and tcpOptions.destinationPortRange.max>=7001]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=7001 and tcpOptions.destinationPortRange.max>=7001]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.11	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 53	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=53 and tcpOptions.destinationPortRange.max>=53]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=53 and tcpOptions.destinationPortRange.max>=53]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.15	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 2483	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=2483 and tcpOptions.destinationPortRange.max>=2483]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=2483 and tcpOptions.destinationPortRange.max>=2483]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.16	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 27017	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=27017 and tcpOptions.destinationPortRange.max>=27017]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=27017 and tcpOptions.destinationPortRange.max>=27017]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.17	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 80	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=80 and tcpOptions.destinationPortRange.max>=80]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=80 and tcpOptions.destinationPortRange.max>=80]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.18	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 25	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=25 and tcpOptions.destinationPortRange.max>=25]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=25 and tcpOptions.destinationPortRange.max>=25]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.20	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 5432	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=5432 and tcpOptions.destinationPortRange.max>=5432]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=5432 and tcpOptions.destinationPortRange.max>=5432]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.21	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 6379	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=6379 and tcpOptions.destinationPortRange.max>=6379]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=6379 and tcpOptions.destinationPortRange.max>=6379]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.22	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 20	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=20 and tcpOptions.destinationPortRange.max>=20]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=20 and tcpOptions.destinationPortRange.max>=20]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.24	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1521	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=1521 and tcpOptions.destinationPortRange.max>=1521]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=1521 and tcpOptions.destinationPortRange.max>=1521]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.25	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3306	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=3306 and tcpOptions.destinationPortRange.max>=3306]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=3306 and tcpOptions.destinationPortRange.max>=3306]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.26	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 21	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=21 and tcpOptions.destinationPortRange.max>=21]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=21 and tcpOptions.destinationPortRange.max>=21]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.27	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1434	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=1434 and tcpOptions.destinationPortRange.max>=1434]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=1434 and tcpOptions.destinationPortRange.max>=1434]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0
D9.OCI.AS.28	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 5900	High	Modification	Logic	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=5900 and tcpOptions.destinationPortRange.max>=5900]	NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=5900 and tcpOptions.destinationPortRange.max>=5900]	CloudGuard OCI All Rules Ruleset OCI CloudGuard Network Security Alerts OCI ISO 27001:2022 OCI NIST SP 800-53 R5 OCI HIPAA OCI PCI DSS v4 OCI SOC 2 (AICPA TSC 2017 Controls) OCI DORA OCI NIST CSF v2.0

June 05 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Affected Rulesets
D9.AWS.DR.25	Ensure that Backup Vault should be locked	High	New	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS FedRAMP R5 (moderate) AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.OPE.42	Ensure that Google Cloud Source Repository Mirroring should have Key authentication set	High	New	GCP NIST SP 800-53 R5 CloudGuard GCP All Rules Ruleset GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1
D9.AWS.AS.156	Validate the Budget service in Use	Low	New	CloudGuard AWS All Rules Ruleset
D9.AWS.DR.24	S3 bucket should have versioning enabled	Low	Removal	AWS LGPD AWS CloudGuard S3 Bucket Security AWS NIST SP 800-53 R5 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS ENS 2022 Spain AWS FedRAMP R5 (moderate) AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0 AWS NIST CSF v1.1 AWS Well-Architected Framework AWS CloudGuard Network Security Alerts AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10

May 29 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Affected Rulesets
D9.AWS.AS.86	Ensure that Security Group should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.87	Ensure that AMI should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.88	Ensure that MQ Broker should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.89	Ensure that X-Ray Sampling Rule should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.90	Ensure that Auto Scaling Group should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.91	Ensure that IAM Role should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.92	Ensure that ELB should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.93	Ensure that SageMaker Notebook should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.94	Ensure that Api Gateway should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.95	Ensure that RDS should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.96	Ensure that IAM Policy should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.97	Ensure that Kinesis should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.98	Ensure that IAM SAML Provider should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.99	Ensure that Network Load Balancer should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.100	Ensure that Network Interface should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.101	Ensure that Elasti Cache Cluster should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.102	Ensure that KMS should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.103	Ensure that Transfer Server should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.104	Ensure that ECS Task Definition should have tags	Informational	New	AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.MON.53	Validate the Cost Anomaly Detection Monitor in Use	Low	New	AWS NIST SP 800-53 R5 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS Secure Controls Framework (SCF) v2023.1

May 22 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.IAM.186	Ensure that Data Lake's 'allowFullTableExternalDataAccess' setting is disabled	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.130	Ensure AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA)	Medium	Modification	Logic	List<NatGateway> should have items contain-any [ state='available' ]	List<NatGateway> where not items isEmpty() should have items contain-any [ state='available' ]	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS DORA AWS NIST CSF v2.0
D9.AZU.IAM.74	Ensure Users with Owner or Contributor Role are Not Assigned Directly at Subscription or Resource Group Level in Azure	High	Modification	Logic	User where assignmentRoles with [ roleName like '%owner%' or roleName like '%contributor%' ] should not have assignmentRoles with [ scope like '/' or scope like '/providers/Microsoft.Management/managementGroups%' or scope like '/subscription%' ]	User where assignmentRoles with [ roleName like '%owner%' or roleName like '%contributor%' ] should not have assignmentRoles with [ ( roleName like '%owner%' or roleName like '%contributor%' ) and ( ( scope like '/subscription%' and scope unlike '%/resourceGroups/%-rg/provider' and scope unlike '%/resourceGroups/%-rg' ) or ( scope like '/providers/Microsoft.Management/managementGroups%' ) or ( scope ='/' ) ) ]	Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2023.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.IAM.75	Ensure user is active and has signed in within the last 90 days	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure Secure Controls Framework (SCF) v2023.1
D9.AZU.IAM.76	Ensure group is active and has members that have signed in within the last 90 days	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure Secure Controls Framework (SCF) v2023.1
D9.GCP.IAM.34	Ensure anonymous user access is disabled	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1 GCP ASD Essential Eight GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.IAM.46	Ensure that Multi-Factor Authentication is Enabled for Identity Platform Tenants	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1
D9.GCP.IAM.47	Ensure that reCAPTCHA is enforced for all Identity Platform Tenants	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1
D9.GCP.IAM.48	Ensure that Account Defender for reCAPTCHA is active for all Identity Platform Tenants	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1
D9.GCP.IAM.49	Ensure that Password Policy is enforced	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1
D9.GCP.IAM.50	Ensure that every Password Policy is as strict as possible	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1
D9.GCP.IAM.51	Ensure Identity Platform user has passed email verification	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP ISO 27017:2015 GCP Secure Controls Framework (SCF) v2023.1 GCP ASD Essential Eight GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.GCP.IAM.52	Ensure that Identity Platform Tenant is authenticated	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1 GCP ASD Essential Eight GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.IAM.53	Ensure that Email Enumeration Protection is Enabled	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1 GCP ASD Essential Eight GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.MON.09	Ensure that Request Logging is enabled	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.AZU.CRY.40	Ensure That 'PHP version' is the Latest, If Used to Run the Web App	Low	Removal				Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure MLPS 2.0 (Level 3) Azure ENS 2022 Spain Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure ISO 27017:2015 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure NIST CSF v2.0 Azure HIPAA Azure CloudGuard Best Practices Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1

May 15 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.GCP.LOG.20	Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes	Low	Modification	Logic	AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*']	List<AlertPolicy> where items with [conditions contain [ conditionThreshold.logName]] and enabled='true' should have items with [conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*']]	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP CIS Foundations Benchmark v1.0.0 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP ENS 2022 Spain GCP RMiT Malaysia GCP HITRUST CSF v11.2 GCP NIST SP 800-172 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CIS Foundations Benchmark v3.0.0 GCP NIST CSF v2.0 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.GCP.LOG.21	Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes	Low	Modification	Logic	AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type="iam_role" AND protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole"']	List<AlertPolicy> where items with [conditions contain [ conditionThreshold.logName]] and enabled='true' should have items with [conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type="iam_role" AND protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole"']]	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP CIS Foundations Benchmark v1.0.0 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP RMiT Malaysia GCP HITRUST CSF v11.2 GCP NIST SP 800-172 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CIS Foundations Benchmark v3.0.0 GCP NIST CSF v2.0 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.GCP.LOG.22	Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes	Low	Modification	Logic	AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type="gce_firewall_rule" AND protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete"']	List<AlertPolicy> where items with [conditions contain [ conditionThreshold.logName]] and enabled='true' should have items with [conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type="gce_firewall_rule" AND protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete"']]	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP CIS Foundations Benchmark v1.0.0 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP RMiT Malaysia GCP HITRUST CSF v11.2 GCP NIST SP 800-172 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CIS Foundations Benchmark v3.0.0 GCP NIST CSF v2.0 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.GCP.LOG.23	Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes	Low	Modification	Logic	AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type="gce_route" AND protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert"']	List<AlertPolicy> where items with [conditions contain [ conditionThreshold.logName]] and enabled='true' should have items with [conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type="gce_route" AND protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert"']]	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP CIS Foundations Benchmark v1.0.0 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP RMiT Malaysia GCP HITRUST CSF v11.2 GCP NIST SP 800-172 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CIS Foundations Benchmark v3.0.0 GCP NIST CSF v2.0 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.GCP.LOG.24	Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes	Low	Modification	Logic	AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type=gce_network AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering")']	List<AlertPolicy> where items with [conditions contain [ conditionThreshold.logName]] and enabled='true' should have items with [conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type=gce_network AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering")']]	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP CIS Foundations Benchmark v1.0.0 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP RMiT Malaysia GCP HITRUST CSF v11.2 GCP NIST SP 800-172 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CIS Foundations Benchmark v3.0.0 GCP NIST CSF v2.0 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.GCP.LOG.26	Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes	Low	Modification	Logic	AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='protoPayload.methodName="cloudsql.instances.update"']	List<AlertPolicy> where items with [conditions contain [ conditionThreshold.logName]] and enabled='true' should have items with [conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='protoPayload.methodName="cloudsql.instances.update"']]	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP CIS Foundations Benchmark v1.0.0 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP RMiT Malaysia GCP HITRUST CSF v11.2 GCP NIST SP 800-172 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CIS Foundations Benchmark v3.0.0 GCP NIST CSF v2.0 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.AZU.CRY.41	Ensure that 'Python version' is the latest stable version, if used to run a Linux Web App (Linux)	Low	Modification	Name Logic	Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App WebApp where config.linuxFxVersion regexMatch /PYTHON*/ should have config.linuxFxVersion='PYTHON\|3.8'	Ensure that 'Python version' is the latest stable version, if used to run a Linux Web App (Linux) WebApp where config.linuxFxVersion regexMatch /PYTHON/ should have config.linuxFxVersion regexMatch /(3\x2e([8-9]\|1[0-9]))/	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CIS Microsoft Azure Compute Services Benchmark v1.0.0 Azure APRA 234 Azure ISO 27001:2022 Azure MLPS 2.0 (Level 3) Azure ENS 2022 Spain Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure NIST CSF v2.0 Azure HIPAA Azure CloudGuard Best Practices Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AZU.CRY.44	Ensure that 'PHP version' is the latest, if used to run a Linux Web App (Linux)	Low	Modification	Name Logic	Ensure That 'PHP version' is the Latest, If Used to Run the Linux Web App WebApp where config.linuxFxVersion regexMatch /PHP*/ should have config.linuxFxVersion regexMatch /PHP\|[7.0-8.0]/	Ensure that 'PHP version' is the latest, if used to run a Linux Web App (Linux) WebApp where config.linuxFxVersion regexMatch /PHP/ should have config.linuxFxVersion regexMatch /(8\x2e[2-9]\|9\x2e[0-9])/	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CIS Microsoft Azure Compute Services Benchmark v1.0.0 Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure ACSC ISM Azure ISO 27017:2015 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure NIST CSF v2.0 Azure HIPAA Azure CloudGuard Best Practices Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AZU.NET.VirtualMachine.TCPdb	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-TCP Ports	High	Modification	Logic	VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_TCP_Ports) ] ] ]	VirtualMachine where isPublic=true should not have nics with [ networkSecurityGroup.inboundSecurityRules contain [ protocol in ('TCP', 'All') and action like '%allow%' and sourceAddressPrefixes contain [ $ like '0.0.0.0/0' ] and destinationPortRanges contain [ destinationPort in ($CloudGuard_Known_DB_TCP_Ports) or destinationPortTo in ($CloudGuard_Known_DB_TCP_Ports) ] ] ]	Azure LGPD Azure Security Risk Management Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure ACSC ISM Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CSA CCM v3 Azure NIST CSF v2.0 Azure ISO 27001:2013 Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AZU.NET.VirtualMachine.UDPdb	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-UDP Ports	High	Modification	Logic	VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_UDP_Ports) ] ] ]	VirtualMachine where isPublic=true should not have nics with [ networkSecurityGroup.inboundSecurityRules contain [ protocol in ('UDP', 'All') and action like '%allow%' and sourceAddressPrefixes contain [ $ like '0.0.0.0/0' ] and destinationPortRanges contain [ destinationPort in ($CloudGuard_Known_DB_UDP_Ports) or destinationPortTo in ($CloudGuard_Known_DB_UDP_Ports) ] ] ]	Azure LGPD Azure Security Risk Management Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure ACSC ISM Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CSA CCM v3 Azure NIST CSF v2.0 Azure ISO 27001:2013 Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AZU.NET.VirtualMachine.TCP	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known TCP Ports	High	Modification	Logic	VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_TCP_Ports) ] ] ]	VirtualMachine where isPublic=true should not have nics with [ networkSecurityGroup.inboundSecurityRules contain [ protocol in ('TCP', 'All') and action like '%allow%' and sourceAddressPrefixes contain [ $ like '0.0.0.0/0' ] and destinationPortRanges contain [ destinationPort in ($CloudGuard_Known_TCP_Ports) or destinationPortTo in ($CloudGuard_Known_TCP_Ports) ] ] ]	Azure LGPD Azure Security Risk Management Azure CIS Foundations Benchmark v1.5.0 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure CSA CCM v3 Azure NIST CSF v2.0 Azure ISO 27001:2013 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AZU.NET.VirtualMachine.UDP	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known UDP Ports	High	Modification	Logic	VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_UDP_Ports) ] ] ]	VirtualMachine where isPublic=true should not have nics with [ networkSecurityGroup.inboundSecurityRules contain [ protocol in ('UDP', 'All') and action like '%allow%' and sourceAddressPrefixes contain [ $ like '0.0.0.0/0' ] and destinationPortRanges contain [ destinationPort in ($CloudGuard_Known_UDP_Ports) or destinationPortTo in ($CloudGuard_Known_UDP_Ports) ] ] ]	Azure LGPD Azure Security Risk Management Azure CIS Foundations Benchmark v1.5.0 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure CSA CCM v3 Azure NIST CSF v2.0 Azure ISO 27001:2013 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AWS.AS.76	Ensure that MediaLiveMultiplex should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.78	Ensure that DrsReplicationConfigTemplate should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.79	Ensure that SnsPlatformApplication should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.80	Ensure that Route53RecordSetGroup should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.81	Ensure that CodeBuildProject should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.82	Ensure that FSxSnapshot should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.83	Ensure that DynamoDbTable should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.84	Ensure that AmplifyApp should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.85	Ensure that EcsService should have tags	Informational	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.69	Ensure that DrsSourceServer should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.70	Ensure that BackupVault should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.71	Ensure that SnsTopic should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.72	Ensure that VPNConnection should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.73	Ensure that Account should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.74	Ensure that EmrCluster should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.75	Ensure that IamUser should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.60	Ensure that GuardDutyDetector should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.61	Ensure that NACL should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.62	Ensure that TimestreamQuery should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.63	Ensure that IamServerCertificate should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.64	Ensure that WAFRegional should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.65	Ensure that DmsEndpoint should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.66	Ensure that DrsRecoveryInstances should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.67	Ensure that Volume should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.AS.68	Ensure that FSxBackup should have tags	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1
D9.AWS.IAM.117	Ensure IAM User Organization Write Access is Prohibited	High	Modification	Logic	IamUser should not have combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') ] ] ]	IamUser should not have combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in($AWS_Org_Write_Permissions) ] ] ]	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v2.0
D9.AWS.IAM.157	Ensure that AWS Lambda function should not have org write access level	High	Modification	Name	Ensure that AWS Lambda function should not have org write access level	Ensure that AWS Lambda function should not have org write access level	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v2.0 AWS NIST CSF v1.1
D9.AZU.NET.117	Ensure that Virtual Network Type is configured for API Management services	Medium	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2023.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.121	Ensure that API Management minimum API version should be set to 2019-12-01 or higher	Medium	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2023.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.137	Ensure that Azure Service Bus is using the latest version of the TLS protocol	Medium	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.OPE.56	Ensure that Azure Service Bus should have tags	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure NY DFS 23 CRR 500 Azure ISO 27017:2015 Azure PIPEDA Azure Secure Controls Framework (SCF) v2023.1 Azure EU GDPR Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.OPE.83	Ensure that Azure API Management services should have tags	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ACSC ISM Azure ISO 27017:2015 Azure Secure Controls Framework (SCF) v2023.1
D9.AZU.OPE.85	Ensure that Azure Logic apps should have tags	Low	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ACSC ISM Azure ISO 27017:2015 Azure Secure Controls Framework (SCF) v2023.1
D9.AZU.OPE.87	Ensure that Api Management Service should have Client Certificate enabled	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ACSC ISM Azure ISO 27017:2015 Azure Secure Controls Framework (SCF) v2023.1
D9.GCP.CRY.30	Ensure that Binary Authorization is enabled for Google Cloud Run services	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.31	Ensure that Binary Authorization is enabled for Google Cloud Run Jobs	Medium	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.NET.82	Ensure that Ingress Traffic to Cloud Run Services is Restricted	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP SOC 2 (AICPA TSC 2017 Controls)

May 08 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.NET.145	AWS Route 53 Domain Name Renewal (7 days before expiration)	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada
D9.AWS.NET.146	AWS Route 53 Domain Name Renewal (30 days before expiration)	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada
D9.AWS.NET.147	Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint	Critical	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.AWS.NET.148	Ensure S3 Bucket exists for A records routing traffic to an S3 Bucket website endpoint	Critical	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.GCP.LOG.25	Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes	Low	Modification	Logic	AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type=gcs_bucket AND protoPayload.methodName="storage.setIamPermissions"']	List<AlertPolicy> where items with [ conditions contain [ conditionThreshold.logName ]] and enabled='true' should have items with [ conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type=gcs_bucket AND protoPayload.methodName="storage.setIamPermissions"']]	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP CIS Foundations Benchmark v1.0.0 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP RMiT Malaysia GCP HITRUST CSF v11.2 GCP NIST SP 800-172 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CIS Foundations Benchmark v3.0.0 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.AZU.CRY.42	Ensure that 'Java version' is the latest, if used to run the Web App (Windows)	Low	Modification	Name Logic	Ensure that 'Java version' is the latest, if used to run the Web App WebApp where config.javaVersion!='null' should have config.javaVersion>=11	Ensure that 'Java version' is the latest, if used to run the Web App (Windows) WebApp where not config.javaVersion isEmpty() should have config.javaVersion>=11	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CIS Microsoft Azure Compute Services Benchmark v1.0.0 Azure APRA 234 Azure ISO 27001:2022 Azure MLPS 2.0 (Level 3) Azure ENS 2022 Spain Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure ISO 27017:2015 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure HIPAA Azure CloudGuard Best Practices Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AZU.CRY.43	Ensure that 'Java version' is the latest, if used to run the Linux Web App (Linux)	Low	Modification	Name Logic	Ensure that 'Java version' is the latest, if used to run the Linux Web App WebApp where config.linuxFxVersion regexMatch /JAVA*/ should have config.linuxFxVersion regexMatch /JAVA\|[11,17]/	Ensure that 'Java version' is the latest, if used to run the Linux Web App (Linux) WebApp where config.linuxFxVersion regexMatch /JAVA/ should have config.linuxFxVersion regexMatch /[1-2][1-9]/	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure ACSC ISM Azure ISO 27017:2015 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure HIPAA Azure CloudGuard Best Practices Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure CIS Foundations Benchmark v1.3.1
D9.AWS.NET.142	Expired Route 53 Domain Names	High	New				AWS NIST SP 800-53 R5 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS CloudGuard CheckUp AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada
D9.AWS.NET.143	Enable AWS Route 53 Domain Auto Renew	Low	New				AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada
D9.AWS.NET.144	Enable AWS Route 53 Domain Transfer Lock	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.NET.149	Ensure AWS SES identities (email addresses and/or domains) are verified	Low	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022
D9.AWS.NET.150	Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain	Medium	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1
D9.AWS.NET.132	Ensure that EC2 instances are not exposed to the entire VPC, available within the peering connection	High	Modification	Name	Ensure that the Amazon VPC peering connection configuration is compliant with the desired routing policy	Ensure that EC2 instances are not exposed to the entire VPC, available within the peering connection	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1
D9.AZU.IAM.74	Ensure Users with Owner or Contributor Role are Not Assigned Directly at Subscription or Resource Group Level in Azure	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2023.1 Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.IAM.113	Amazon EBS snapshots should not be publicly accessible	High	Modification	Logic	EbsSnapshot should not have createVolumePermissions contain [ ( group='all' or userId='null' ) ]	EbsSnapshot should have createVolumePermissions isEmpty()	CloudGuard AWS Default Ruleset CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS CloudGuard Best Practices
D9.AWS.DNS.04	AWS Route 53 Domain Name Renewal (7 days before expiration)	High	Removal				AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada
D9.AWS.DNS.05	AWS Route 53 Domain Name Renewal (30 days before expiration)	Low	Removal				AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada
D9.AWS.DNS.06	Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint	Critical	Removal				AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.AWS.DNS.07	Ensure S3 Bucket exists for A records routing traffic to an S3 Bucket website endpoint	Critical	Removal				AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS CloudGuard Best Practices
D9.AWS.DNS.01	Expired Route 53 Domain Names	High	Removal				AWS NIST SP 800-53 R5 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS CloudGuard CheckUp AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada
D9.AWS.DNS.02	Enable AWS Route 53 Domain Auto Renew	Low	Removal				AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada
D9.AWS.DNS.03	Enable AWS Route 53 Domain Transfer Lock	Low	Removal				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.DNS.08	Ensure AWS SES identities (email addresses and/or domains) are verified	Low	Removal				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022
D9.AWS.DNS.09	Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain	Medium	Removal				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1

May 01 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.IAM.09	Ensure that Register with Entra ID is enabled on App Service	Low	Modification	Name	Ensure that Register with Azure Active Directory is enabled on App Service	Ensure that Register with Entra ID is enabled on App Service	Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CIS Microsoft Azure Compute Services Benchmark v1.0.0 Azure APRA 234 Azure MLPS 2.0 (Level 3) Azure CRI Profile v1.2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure NIST SP 800-172 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CIS Foundations Benchmark v1.1.0 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure ITSG-33 Canada Azure CIS Foundations Benchmark v1.3.1
D9.AZU.IAM.03	Ensure that Microsoft Entra authentication is Configured for SQL Servers	Low	Modification	Name	Ensure that Azure Active Directory Admin is Configured for SQL Servers	Ensure that Microsoft Entra authentication is Configured for SQL Servers	Azure LGPD Azure CIS Foundations Benchmark v1.5.0 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure ISO 27001:2022 Azure CIS Foundations Benchmark v1.0.0 Azure ENS 2022 Spain Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure CSA CCM v3 Azure ISO 27001:2013 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CIS Foundations Benchmark v1.1.0 Azure NIST SP 800-171 R1 Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1 Azure New Zealand ISM v3.4 Azure HITRUST CSF v9.5 Azure ITSG-33 Canada
D9.AZU.IAM.48	Ensure That 'Subscription leaving Microsoft Entra ID directory' and 'Subscription entering Microsoft Entra ID directory' Is Set To 'Permit No One'	Low	Modification	Name	Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'	Ensure That 'Subscription leaving Microsoft Entra ID directory' and 'Subscription entering Microsoft Entra ID directory' Is Set To 'Permit No One'	Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure APRA 234 Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.MON.108	Ensure that NAT Gateway is Healthy	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ENS 2022 Spain Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure ACSC ISM Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) v2023.1 Azure EU GDPR Azure NIST CSF v1.1 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA
D9.AZU.NET.119	Ensure that Network Security Group should restrict ArangoDB access (TCP and UDP - port 8529)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.120	Ensure that Network Security Group should restrict Cassandra access (TCP - port 7000)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.122	Ensure that Network Security Group should restrict CouchDB access (TCP - port 5984)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.123	Ensure that Network Security Group should restrict etcd access (TCP - port 2379)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.124	Ensure that Network Security Group should restrict Kibana access (TCP - port 5601)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.125	Ensure that Network Security Group should restrict LDAP access (TCP - port 389)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.126	Ensure that Network Security Group should restrict MaxDB access (TCP - port 7210)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.127	Ensure that Network Security Group should restrict Memcached access (TCP/UDP - port 11211)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.128	Ensure that Network Security Group should restrict Neo4J access (TCP - port 7473)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.129	Ensure that Network Security Group should restrict POP3 access (TCP - port 110)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.130	Ensure that Network Security Group should restrict Redis access (TCP - port 6379)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.131	Ensure that Network Security Group should restrict RethinkDB access (TCP - port 8080)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.132	Ensure that Network Security Group should restrict Riak access (TCP - port 8087)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.133	Ensure that Network Security Group should restrict Solr access (TCP - port 7574)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.134	Ensure that Network Security Group should restrict Elastic Search access (TCP - port 9200 and 9300)	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.NET.135	Ensure that Network Security Group should restrict access over ports higher than 1024	High	New				Azure NIST SP 800-53 R5 Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) v2023.1 Azure SOC 2 (AICPA TSC 2017 Controls)
D9.AZU.OPE.82	Ensure NAT Gateway is Configured with Tags	Informational	New				Azure NIST SP 800-53 R5 CloudGuard Azure All Rules Ruleset Azure NIST SP 800-171 R2 Azure FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure Secure Controls Framework (SCF) v2023.1 Azure NIST CSF v1.1
D9.AZU.IAM.73	Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'	High	Modification	Name	Ensure Anonymous Access is Not Turned On for Blob Containers in Microsoft Azure Storage Accounts	Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'	Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure SOX (Section 404) Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure HIPAA
D9.AWS.IAM.46	Ensure that Lambda Function execution role policy doesn't have an overly permissive scope (Contains a wildcard)	High	Removal				AWS LGPD AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 AWS CMMC 2.0 v1.02 AWS PCI DSS v3.2.1 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS ISO 27001:2013 AWS NIST CSF v1.1 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10

April 24 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.GCP.DR.01	Ensure That Cloud SQL Database Instances Are Configured With Automated Backups	Low	Modification	Logic	CloudSql should have settings.backupConfiguration.enabled=true	CloudSql where instanceType!="READ_REPLICA_INSTANCE" should have settings.backupConfiguration.enabled=true	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP PCI DSS v4 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP ENS 2022 Spain GCP RMiT Malaysia GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP New Zealand ISM v3.6 GCP CIS Foundations Benchmark v3.0.0 GCP NIST CSF v1.1 GCP HIPAA GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.AZU.NET.VirtualMachine.TCPdb	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-TCP Ports	High	Modification	Name Logic	Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-TCP ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_TCP_Ports) ] ] ]	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-TCP Ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_TCP_Ports) ] ] ]	Azure LGPD Azure Security Risk Management Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure ACSC ISM Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CSA CCM v3 Azure ISO 27001:2013 Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AZU.NET.VirtualMachine.UDPdb	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-UDP Ports	High	Modification	Name Logic	Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-UDP ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_UDP_Ports) ] ] ]	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-UDP Ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_UDP_Ports) ] ] ]	Azure LGPD Azure Security Risk Management Azure PCI DSS v4 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure ACSC ISM Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CSA CCM v3 Azure ISO 27001:2013 Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AZU.NET.VirtualMachine.TCP	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known TCP Ports	High	Modification	Name Logic Severity	Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known TCP ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_TCP_Ports) ] ] ] Medium	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known TCP Ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_TCP_Ports) ] ] ] High	Azure LGPD Azure Security Risk Management Azure CIS Foundations Benchmark v1.5.0 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure CSA CCM v3 Azure ISO 27001:2013 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AZU.NET.VirtualMachine.UDP	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known UDP Ports	High	Modification	Name Logic Severity	Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known UDP ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_UDP_Ports) ] ] ] Medium	Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known UDP Ports VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_UDP_Ports) ] ] ] High	Azure LGPD Azure Security Risk Management Azure CIS Foundations Benchmark v1.5.0 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure APRA 234 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure PCI DSS v3.2.1 Azure NIST SP 800-53 R4 Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure CIS Foundations Benchmark v2.1.0 Azure CSA CCM v3 Azure ISO 27001:2013 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CloudGuard Network Security Alerts Azure CloudGuard Best Practices Azure New Zealand ISM v3.4
D9.AWS.LOG.04	Ensure that AWS Config is Enabled in All Regions	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ASD Essential Eight AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.LOG.39	Ensure that DNS query logging is enabled for your Amazon Route 53 hosted zones	High	Modification	Logic	Route53HostedZone should have queryLoggingConfigs	Route53HostedZone where metadata.type like 'public' should have queryLoggingConfigs	AWS NIST SP 800-53 R5 CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1
D9.AWS.IAM.186	Ensure that Data Lake's 'allowFullTableExternalDataAccess' setting is disabled	High	Removal				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1

April 17 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.49	Ensure that AWS Secrets Manager secret rotation interval is smaller than 30 days	Low	Modification	Name	Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days	Ensure that AWS Secrets Manager secret rotation interval is smaller than 30 days	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.IAM.83	Ensure that SQS policy does not allow all actions from all principals	High	Modification	Name	Ensure that SQS policy won't allow all actions from all principals	Ensure that SQS policy does not allow all actions from all principals	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.OPE.107	Ensure that DAX Parameter Group does not require reboot	High	Modification	Name	Ensure that DAX Parameter Group doesn't require reboot	Ensure that DAX Parameter Group does not require reboot	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1
D9.AWS.IAM.58	Ensure SNS Topics administrative actions are not publicly executable without a condition	Critical	Modification	Name	Ensure SNS Topics administrative actions aren't publicly executable without a condition	Ensure SNS Topics administrative actions are not publicly executable without a condition	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.GCP.CRY.27	Ensure that AlloyDB cluster is encrypted using CMEK	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.28	Ensure that AlloyDB cluster continuous backup is encrypted using CMEK	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.29	Ensure that AlloyDB backup is encrypted	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.DR.06	Ensure that AlloyDB cluster has backup policy enabled	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2023.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.GCP.MON.07	Ensure that AlloyDB cluster is healthy	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.MON.08	Ensure that AlloyDB instance is healthy	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.NET.81	Ensure that AlloyDB instance enforces using connectors	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.GCP.OPE.30	Ensure AlloyDB cluster version is latest	Informational	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP FedRAMP R5 (moderate) GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1

April 10 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.NET.111	Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices	Low	Modification	Severity	High	Low	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1
D9.AWS.NET.71	EksCluster endpoint should not be publicly accessible	Medium	Modification	Name Severity	EksCluster should not be publicly accessed Critical	EksCluster endpoint should not be publicly accessible Medium	AWS Security Risk Management AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.NET.1040	Ensure no security group allows unrestricted inbound access to TCP/UDP POP3 ports (110,995)	High	Modification	Logic	SecurityGroup should not have should not have inboundRules contain [ port=110 and portTo=110 or port=995 and portTo=995 and scope in ('0.0.0.0/0', '::/0') ]	SecurityGroup should not have inboundRules contain [ port=110 and portTo=110 or port=995 and portTo=995 and scope in ('0.0.0.0/0', '::/0') ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)

April 04 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.LOG.04	Ensure AWS Config is enabled in all regions	Low	Removal				AWS LGPD AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS CIS Foundations Benchmark v1.1.0 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CIS Critical Security Controls v8 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS PCI DSS v3.2.1 AWS CRI Profile v1.2 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS CIS Foundations Benchmark v1.0.0 AWS ISO 27001:2013 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls) AWS CIS Foundations Benchmark v1.2.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10

April 03 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.AS.33	Ensure that Media Package Channel should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.45	Ensure that MediaLive Channel should have Log level	Medium	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.46	Ensure that Username is set for AWS MediaLive Channel Output Destination Settings	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.47	Ensure that Password parameter is set for AWS MediaLive Channel Output Destination Settings	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.48	Ensure that MediaLive Input should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.49	Ensure that MediaLive Reservation should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.50	Ensure that MediaLive Input SecurityGroup should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.51	Ensure that MediaLive Input Security Groups do not implicitly whitelist all public IP addresses.	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.52	Ensure that MediaPackage Channel should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.53	Ensure that ingress access logs is enabled for MediaPackage Channel	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.54	Ensure that egress access logs is enabled for MediaPackage Channel	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.55	Ensure that only successful MediaPackage Harvest jobs are available	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.56	Ensure that MediaPackage Origin Endpoint should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.57	Ensure that authorization is set for MediaPackage Origin Endpoint	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.58	Ensure that Amazon Elastic Transcoder Pipelines are encrypted	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.59	Ensure that a notification is configured for Amazon Elastic Transcoder Pipelines	Medium	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.VLN.04	Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is not set to 'on'	Medium	Modification	Name	Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'	Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is not set to 'on'	GCP CIS Foundations Benchmark v1.3.0 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP ENS 2022 Spain GCP RMiT Malaysia GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CIS Foundations Benchmark v3.0.0 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.GCP.VLN.08	Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'	Medium	Modification	Name	Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'on'	Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP ISO 27001:2022 GCP ENS 2022 Spain GCP RMiT Malaysia GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP HITRUST CSF v11.2 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CRI Profile v1.2 GCP CIS Foundations Benchmark v3.0.0 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.AZU.IAM.46	Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users	High	Modification	Logic	User where assignedRoles with [displayName like '%admin%' or displayName like '%contributor%' or displayName like '%creator%' or displayName like '%manage%' or displayName like '%owner%'] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	User where assignmentRoles with [ roleName like '%owner%' or roleName like '%admin%' or roleName like '%contributor%' or roleName like '%creat%' or roleName like '%manage%' ] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	Azure Security Risk Management Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure ISO 27001:2022 Azure MLPS 2.0 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure NIST CSF v1.1 Azure HIPAA Azure Dashboard System Ruleset Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.IAM.47	Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users	High	Modification	Logic	User where assignedRoles isEmpty() or assignedRoles with [ displayName unlike '%admin%' and displayName unlike '%contributor%' and displayName unlike '%creator%' and displayName unlike '%manage%' and displayName unlike '%owner%' ] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	User where assignmentRoles isEmpty() or assignmentRoles with [ roleName unlike '%owner%' and roleName unlike '%admin%' and roleName unlike '%contributor%' and roleName unlike '%creat%' and roleName unlike '%manage%' ] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	Azure Security Risk Management Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure SWIFT Customer Security Programme CSCF Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure NIST CSF v1.1 Azure HIPAA Azure Dashboard System Ruleset Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AWS.IAM.59	Ensure that VPC Endpoint policy does not provide excessive permissions	High	Modification	Logic	VpcEndpoint should not have policy.Statement contain [Effect='Allow' and (Action = '' or Action contain ['%s3:%'] or Action contain ['%dynamodb:*%'] )]	VpcEndpoint should have policy.Statement contain-none [ ( (not Principal) or Principal='') and Effect='Allow' ] and policy.Statement contain-none [ Effect='Allow' and (Action = '' or Action contain ['%s3:%'] or Action contain ['%dynamodb:%'] ) ]	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CIS Critical Security Controls v8 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 AWS CMMC 2.0 v1.02 AWS CRI Profile v1.2 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls) AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.NET.1029	Ensure no security group allows unrestricted inbound access to TCP etcd port (2379)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1030	Ensure no security group allows unrestricted inbound access to TCP CouchDB port (5984)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1031	Ensure no security group allows unrestricted inbound access to TCP Kibana port (5601)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1032	Ensure no security group allows unrestricted inbound access to TCP LDAP port (389)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1033	Ensure no security group allows unrestricted inbound access to TCP MaxDB port (7210)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1034	Ensure no security group allows unrestricted inbound access to TCP MSSQL port (1434)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1035	Ensure no security group allows unrestricted inbound access to TCP NFS port (2049)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1036	Ensure no security group allows unrestricted inbound access to TCP SQL Analysis Services port (2383)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1037	Ensure no security group allows unrestricted inbound access to TCP VNC port (5500)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1038	Ensure no security group allows unrestricted inbound access to TCP/UDP ArangoDB port (8529)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1039	Ensure no security group allows unrestricted inbound access to TCP/UDP Mini SQL port (4333)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1040	Ensure no security group allows unrestricted inbound access to TCP/UDP POP3 ports (110,995)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1041	Ensure no security group allows unrestricted inbound access to TCP Cassandra ports (7000, 7001, 7199, 9042, 9142, 9160)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1042	Ensure no security group allows unrestricted inbound access to TCP ElasticSearch ports (9200, 9300)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1043	Ensure no security group allows unrestricted inbound access to TCP MongoDB ports (27017-27020)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1044	Ensure no security group allows unrestricted inbound access to TCP Oracle DB ports (1521, 1830, 2483, 8098)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1045	Ensure no security group allows unrestricted inbound access to TCP Riak ports (8087, 8098)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1046	Ensure no security group allows unrestricted inbound access to TCP Solr ports (7574, 8983)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1
D9.AWS.NET.1047	Ensure no security group allows unrestricted inbound access to TCP VNC ports (5800, 5900)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1048	Ensure no security group allows unrestricted inbound access to TCP RethinkDB ports (8080, 28015, 29015) or UDP ports (28015, 29015)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1049	Ensure no security group allows unrestricted inbound access to TCP Neo4J ports (7473, 7474), or UDP port (7473)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.LOG.31	Ensure Logging is enabled for HTTP(S) Load Balancer	Low	Modification	Name	Ensure that logging is enabled for Google Cloud load balancing backend services	Ensure Logging is enabled for HTTP(S) Load Balancer	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP ACSC ISM GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP CRI Profile v1.2 GCP New Zealand ISM v3.6 GCP CIS Foundations Benchmark v3.0.0 GCP HIPAA
D9.GCP.MON.06	Ensure that only usable Instances are available in BigTable	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1 GCP ASD Essential Eight
D9.AWS.VLN.08	Ensure Lambda Functions are Not Using Deprecated Runtime	High	Modification	Name	Ensure Lambda functions are not using deprecated runtimes	Ensure Lambda Functions are Not Using Deprecated Runtime	CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ACSC ISM AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS CloudGuard Best Practices
D9.GCP.AS.18	Ensure that only operational Firebase Realtime Databases are available.	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.MON.04	Ensure that Split Health Check is enabled for App Engine services	Medium	New				CloudGuard GCP All Rules Ruleset
D9.GCP.MON.05	Enable Identity-Aware Proxy (IAP) for App Engine Services	High	New				CloudGuard GCP All Rules Ruleset

March 27 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.MON.107	Ensure that Azure Network Watcher is Enabled	Low	New				Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CIS Foundations Benchmark v1.1.0 Azure CloudGuard Best Practices Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure HITRUST CSF v9.5 Azure CIS Foundations Benchmark v1.3.1
D9.AWS.CRY.38	Ensure to update the Security Policy of the Network Load Balancer	High	Modification	Logic	NetworkLoadBalancer where listeners contain [ protocol='TLS' ] should have listeners contain [securityPolicy in('ELBSecurityPolicy-TLS13-1-2-2021-06', 'ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04')]	NetworkLoadBalancer where listeners contain [ protocol='TLS' ] should have listeners contain [securityPolicy in('ELBSecurityPolicy-TLS13-1-2-2021-06', 'ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04')]	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ACSC ISM AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.ALI.CRY.10	Ensure that Automatic Rotation is Enabled for KMS	High	Modification	Name	Ensure that Automatic Rotation is enabled for KMS	Ensure that Automatic Rotation is Enabled for KMS	CloudGuard Alibaba All Rules Ruleset
D9.AZU.NET.28	Ensure that Network Watcher is 'Enabled'	Low	Removal				Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure NIST Special Publication 800-171 (Rev. 2) Azure Risk Management in Technology (RMiT) Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CIS Foundations v. 1.1.0 Azure CloudGuard Best Practices Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure HITRUST v9.5.0 Azure CIS Foundations v. 1.3.1

March 20 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.AS.44	Ensure Resource Access Manager customer managed permissions should have tags	Informational	New				AWS Health Insurance Portability and Accountability Act (U.S. HIPAA) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U.S. Sarbanes-Oxley Act (Section 404) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF) v1.1
D9.AWS.DR.17	Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery	High	Modification	Logic	EbsSnapshot should not have createTime before(-7, 'days')	Volume should have getResources('EbsSnapshot') contain [$.createTime after(-7, 'days') and $.volumeId = ~.volumeId]	AWS NIST Special Publication 800-53 (Rev. 5) CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS US FedRAMP R5 (moderate) AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS U.S. Sarbanes-Oxley Act (Section 404) AWS Secure Controls Framework (SCF) AWS NIST Cybersecurity Framework (CSF) v1.1
D9.AWS.DR.19	Ensure that Lightsail Relational Database has a recent snapshot	High	Modification	Logic	LightsailRelationalDatabase should have latestRestorableTime before(7, 'days')	LightsailRelationalDatabase should have latestRestorableTime after(-7, 'days')	AWS NIST Special Publication 800-53 (Rev. 5) CloudGuard AWS All Rules Ruleset AWS US FedRAMP R5 (moderate) AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS U.S. Sarbanes-Oxley Act (Section 404) AWS Secure Controls Framework (SCF) AWS NIST Cybersecurity Framework (CSF) v1.1
D9.AWS.LOG.58	Ensure that Access Logging should be enabled for AWS Elemental MediaStore Container	Medium	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.152	Ensure that AWS Elemental MediaStore Container should be ACTIVE	Low	New				CloudGuard AWS All Rules Ruleset
D9.GCP.OPE.29	Ensure that only usable Instance are available in Filestore	Low	New				CloudGuard GCP All Rules Ruleset
D9.ALI.CRY.08	Ensure Apsara File Storage NAS are encrypted	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.09	Ensure Apsara File Storage NAS should have Encryption Type selected	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.10	Ensure that Automatic Rotation is enabled for KMS	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.11	Ensure that Deletion Protection is Enabled for KMS	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.12	Ensure only usable Keys are in the KMS	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.OPE.03	Ensure that Apsara File Storage NAS should have tags	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.OCI.AS.08	Ensure that a newly created region subscription's status is ready	Informational	New				CloudGuard OCI All Rules Ruleset
D9.K8S.IA.UN.5	Container Image – ScanSummary	Critical	New				Workload Vulnerability 2.0 with ScanSummary rule
D9.AWS.OPE.131	Ensure Resource Access Manager customer managed permissions should have tags	Informational	Removal				AWS Health Insurance Portability and Accountability Act (U.S. HIPAA) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U.S. Sarbanes-Oxley Act (Section 404) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF) v1.1

March 13 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.GCP.CRY.01	Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)	Medium	Modification	Severity	High	Medium	GCP CloudGuard CheckUp GCP CIS Foundations v. 1.3.0 GCP Security Risk Management GCP LGPD regulation GCP NIST Special Publication 800-53 (Rev. 5) GCP PCI-DSS 4.0 GCP CIS Foundations v. 2.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP CIS Foundations v. 1.0.0 GCP ISO 27001:2022 GCP APRA 234 GCP Cloud Security Alliance CCM v4 GCP Esquema Nacional Seguridad (ENS) 2022 GCP Risk Management in Technology (RMiT) GCP Australian Cyber Security Centre (ACSC) Information Security Manual GCP US FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST Special Publication 800-172 GCP U.S. Sarbanes-Oxley Act (Section 404) GCP PCI-DSS 3.2 GCP Secure Controls Framework (SCF) GCP ISO 27002:2022 GCP Cybersecurity Maturity Model Certification (CMMC) 2.0 GCP NIST Special Publication 800-171 (Rev. 2) GCP NIST 800-53 Rev 4 GCP NY Department of Financial Services (DFS) 23 CRR 500 GCP New Zealand Information Security Manual (NZ ISM) v3.6 GCP ISO 27001:2013 GCP NIST Cybersecurity Framework (CSF) v1.1 GCP CloudGuard SOC2 based on AICPA TSC 2017 GCP Health Insurance Portability and Accountability Act (U.S. HIPAA) GCP Dashboard System Ruleset GCP EU GDPR GCP CIS Foundations v. 1.1.0 GCP CIS Foundations v. 1.2.0 GCP CloudGuard Best Practices
D9.AWS.IAM.190	Ensure that Authorization Type in AWS Kafka Connect Connector is not set to None	High	Modification	Logic	MSKConnectConnector should not have kafkaClusterClientAuthentication.authenticationType.value!='None'	MSKConnectConnector should not have kafkaClusterClientAuthentication.authenticationType.value='None'	CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.142	Ensure that AppFlow should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.143	Ensure that MediaStoreContainer should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.144	Ensure that DataSyncStorage should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.145	Ensure that CloudTrail should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.148	Ensure that EksCluster should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.149	Ensure AWS Verified Access should have FIPS status enabled	High	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.150	Ensure AWS Verified Access should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.GCP.NET.80	Cloud Armor Security Policy Default Rule Action should be 'Deny'	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.21	Ensure that DnsManagedZone should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.22	Ensure that PubSubTopic should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.23	Ensure that VMInstance should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.24	Ensure that Filestore Instance should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.25	Ensure that DataprocCluster should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.26	Ensure that Secret should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.27	Ensure that Disk should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.28	Ensure that 'Disable Automatic IAM Grants for Default Service Accounts' policy is enforced for Google Cloud Platform (GCP) organizations	Medium	New				CloudGuard GCP All Rules Ruleset
D9.ALI.OPE.01	Ensure that Auto Scaling Group should have Deletion Protection enabled	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.OPE.02	Ensure Auto Scaling group have scaling cooldown higher than a minute	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.OCI.OPE.05	Ensure that Tenancy should have defined tags	Low	New				CloudGuard OCI All Rules Ruleset

March 06 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.LOG.14	Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic)	Low	Modification	Name	Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests	Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic)	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AZU.LOG.15	Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic)	Low	Modification	Name	Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests	Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic)	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AZU.LOG.16	Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests in Monitoring (classic)	Low	Modification	Name	Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests	Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests in Monitoring (classic)	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1

February 28 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.LOG.16	Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests	Low	Modification	Logic	StorageAccount should have tableServiceProperties.classicDiagnosticSettings.logging.read=true and tableServiceProperties.classicDiagnosticSettings.logging.write=true and blobServiceProperties.classicDiagnosticSettings.logging.delete=true	StorageAccount should have tableServiceProperties.classicDiagnosticSettings.logging.read=true and tableServiceProperties.classicDiagnosticSettings.logging.write=true and tableServiceProperties.classicDiagnosticSettings.logging.delete=true	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure CIS Foundations v.2.1.0 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AWS.CRY.38	Ensure to update the Security Policy of the Network Load Balancer	High	Modification	Logic	NetworkLoadBalancer should have listeners contain [securityPolicy in('ELBSecurityPolicy-2016-08', 'ELBSecurityPolicy-FS-2018-06', 'ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06', 'ELBSecurityPolicy-TLS13-1-2-2021-06') ]	NetworkLoadBalancer where listeners contain [ protocol='TLS' ] should have listeners contain [securityPolicy in('ELBSecurityPolicy-TLS13-1-2-2021-06', 'ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04')]	AWS NIST Special Publication 800-53 (Rev. 5) AWS MITRE ATT&CK Framework v11.3 AWS HITRUST v11.0.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS NIST Special Publication 800-172 AWS U.S. Sarbanes-Oxley Act (Section 404) AWS Secure Controls Framework (SCF) AWS CloudGuard Well Architected Framework AWS CloudGuard Best Practices AWS MAS TRM Framework AWS HITRUST AWS ITSG-33 AWS MITRE ATT&CK Framework v10
D9.AZU.NET.35	Ensure Application Gateway is using the latest version of TLS encryption	High	Modification	Logic	ApplicationGateway should have sslPolicy.minProtocolVersion='1.2'	ApplicationGateway should have sslPolicy.minProtocolVersion='TLSv1_2'	Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cyber Risk Institute (CRI) Profile Azure US FedRAMP R5 (moderate) Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CloudGuard Best Practices Azure HITRUST v9.5.0
D9.AWS.IAM.190	Ensure that Authorization Type in AWS Kafka Connect Connector is not set to None	High	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.141	Ensure that the AWS Kafka Connect Connector is in a Healthy State	Low	New				CloudGuard AWS All Rules Ruleset
D9.GCP.CRY.24	Ensure Vertex AI Notebook Instance Have Integrity Monitoring Enabled	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.CRY.26	Ensure That Vertex AI Notebook Instance is encrypted with Customer-Managed Encryption Key (CMEK)	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.NET.77	Ensure GCP Vertex AI Notebook Instance secure boot feature is Enabled	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.NET.78	Ensure GCP Vertex AI Notebook Instance vTPM feature is enabled	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.NET.79	Ensure Firestore Database delete protection enabled	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.17	Ensure that Vertex AI Notebook Instance has tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.18	Ensure that Vertex AI Notebook Instance status is healthy	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.19	Ensure that Vertex AI Notebook Runtime has tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.20	Ensure that Vertex AI Notebook Runtime status is healthy	High	New				CloudGuard GCP All Rules Ruleset

February 21 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.127	Ensure Athena Workgroups should be Encrypted at Rest	High	Modification	Name Logic	Ensure Athena workgroups should be encrypted at rest AthenaWorkGroup should not have configuration.resultConfiguration.encryptionConfiguration.encryptionOption isEmpty()	Ensure Athena Workgroups should be Encrypted at Rest AthenaWorkGroup where configuration.resultConfiguration.outputLocation isEmpty()=false should not have configuration.resultConfiguration.encryptionConfiguration.encryptionOption isEmpty()	AWS Health Insurance Portability and Accountability Act (U. S. HIPAA) AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS Foundational Security Best Practices (FSBP) standard AWS APRA 234 AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF)
D9.AZU.CRY.18	Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)	High	Modification	Logic	VirtualMachine should have (disks contain [getResource('Disk',name,'name') contain [properties.encryptionSettingsCollection.enabled=true]])	VirtualMachine should have disks contain [ sseType='EncryptionAtRestWithCustomerKey' ]	Azure CloudGuard CheckUp Azure CIS Foundations v. 1.4.0 Azure Security Risk Management Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CIS Microsoft Azure Compute Services Benchmark v1.0.0 Azure APRA 234 AZURE MLPS 2.0 Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure NIST Special Publication 800-171 (Rev. 2) Azure NY Department of Financial Services (DFS) 23 CRR 500 Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure U. S. FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure EU General Data Protection Regulation (GDPR) Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U. S. HIPAA) Azure CIS Foundations v. 1.1.0 Azure CloudGuard Best Practices Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure HITRUST v9.5.0 Azure ITSG-33 Azure CIS Foundations v. 1.3.1
D9.AZU.CRY.16	Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)	Low	Modification	Name	Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key	Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure Australian Signals Directorate (ASD) Essential Eight Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure Cyber Risk Institute (CRI) Profile Azure NIST Special Publication 800-171 (Rev. 2) Azure Risk Management in Technology (RMiT) Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure CIS Foundations v.2.1.0 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CIS Foundations v. 1.1.0 Azure CloudGuard Best Practices Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure ITSG-33 Azure CIS Foundations v. 1.3.1
D9.AZU.CRY.27	Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)	Low	Modification	Name	Ensure Storage for Critical Data are Encrypted with Customer Managed Keys	Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)	Azure CIS Foundations v. 1.4.0 Azure LGPD regulation Azure CIS Foundations v. 1.5.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure CIS Foundations v. 1.0.0 Azure Esquema Nacional Seguridad (ENS) 2022 Azure NIST Special Publication 800-171 (Rev. 2) Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure PCI-DSS 3.2 Azure NIST 800-53 Rev 4 Azure Secure Controls Framework (SCF) Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure CSA CCM v.3.0.1 Azure ISO 27001:2013 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U. S. HIPAA) Azure Dashboard System Ruleset Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure New Zealand Information Security Manual (NZISM) v.3.4 Azure HITRUST v9.5.0 Azure ITSG-33 Azure CIS Foundations v. 1.3.1
D9.AZU.CRY.33	Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL flexible Database Server	High	Modification	Name	Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server	Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL flexible Database Server	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure Secure Controls Framework (SCF) Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1]
D9.AZU.CRY.39	Ensure that Storage Account Access Keys are Periodically Regenerated	High	Modification	Name	Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services	Ensure that Storage Account Access Keys are Periodically Regenerated	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Australian Signals Directorate (ASD) Essential Eight Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure NIST Special Publication 800-171 (Rev. 2) Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure U. S. FFIEC Cybersecurity Assessment Tool (CAT) Azure NIST Special Publication 800-172 Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AZU.IAM.38	Ensure Security Defaults is enabled on Microsoft Entra ID	High	Modification	Name	Ensure Security Defaults is enabled on Azure Active Directory	Ensure Security Defaults is enabled on Microsoft Entra ID	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure Australian Signals Directorate (ASD) Essential Eight Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure Cyber Risk Institute (CRI) Profile Azure NIST Special Publication 800-171 (Rev. 2) Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure U. S. FFIEC Cybersecurity Assessment Tool (CAT) Azure NIST Special Publication 800-172 Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AZU.MON.67	Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'	High	Modification	Name	Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'	Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure SWIFT Customer Security Programme CSCF Azure U. S. FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AZU.IAM.47	Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users	High	Modification	Logic	User where assignedRoles with [displayName unlike '%admin%' and displayName unlike '%contributor%' and displayName unlike '%creator%' and displayName unlike '%manage%' and displayName unlike '%owner%'] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	User where assignedRoles isEmpty() or assignedRoles with [ displayName unlike '%admin%' and displayName unlike '%contributor%' and displayName unlike '%creator%' and displayName unlike '%manage%' and displayName unlike '%owner%' ] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	Azure Security Risk Management Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CloudGuard Azure Default Ruleset Azure Australian Signals Directorate (ASD) Essential Eight Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure Cyber Risk Institute (CRI) Profile Azure NIST Special Publication 800-171 (Rev. 2) Azure NY Department of Financial Services (DFS) 23 CRR 500 Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Dashboard System Ruleset Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1]
D9.AZU.MON.79	[LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'	High	Modification	Name	Ensure That Microsoft Defender for DNS Is Set To 'On'	[LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'	Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 AZURE MLPS 2.0 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure SWIFT Customer Security Programme CSCF Azure U. S. FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1]
D9.AWS.NET.05	Ensure no security groups allow unrestricted ingress (from either IPv4 or IPv6 source IP addresses) to commonly used remote server administration ports	Critical	New				CloudGuard AWS All Rules Ruleset

February 14 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.NET.66	Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers	Critical	Modification	Name Logic	Ensure Public (Anonymous) Access is disabled for Microsoft Azure Storage Accounts StorageAccount should have allowBlobPublicAccess=false and publicNetworkAccessAsDisplayedInPortal like 'Disabled'	Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers StorageAccount should have publicNetworkAccessAsDisplayedInPortal like 'Disabled'	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CloudGuard Azure Default Ruleset Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure Cyber Risk Institute Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure NIST Special Publication 800-172 Azure Secure Controls Framework (SCF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1]
D9.AWS.IAM.175	Ensure that Multi-Factor Authentication is Enabled for All IAM Users	High	Modification	Name	MFA should be Active for All IAM Users	Ensure that Multi-Factor Authentication is Enabled for All IAM Users	AWS Security Risk Management AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) AWS NIST Cybersecurity Framework (CSF) AWS Dashboard System Ruleset
D9.AWS.IAM.154	Ensure that Lambda functions should not have IAM roles with permissions for destructive actions on Amazon RDS databases	High	Modification	Logic	Lambda should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in( 'rds:DeleteDBInstance', 'rds:DeleteDBSnapshot', 'rds:DeleteDBClusterSnapshot', 'rds:DeleteGlobalCluster' ) ] ] ] ]	Lambda should not have executionRole.combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in( 'rds:DeleteDBInstance', 'rds:DeleteDBSnapshot', 'rds:DeleteDBClusterSnapshot', 'rds:DeleteGlobalCluster' ) ] ] ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF)
D9.AWS.IAM.157	Ensure that AWS Lambda function should not have org write access level	High	Modification	Logic	Lambda should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in($AWS_Org_Write_Permissions) ] ] ] ]	Lambda should not have executionRole.combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in($AWS_Org_Write_Permissions) ] ] ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF)
D9.AWS.IAM.158	Ensure that AWS Lambda function should not have IAM write access level	High	Modification	Logic	Lambda should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in($AWS_IAM_Write_Permissions) ] ] ] ]	Lambda should not have executionRole.combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in($AWS_IAM_Write_Permissions) ] ] ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF)
D9.AWS.IAM.167	Ensure that AWS Lambda IAM policy should not be overly permissive to all traffic	High	Modification	Logic	Lambda should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Effect='Allow' and Action ='*' ] ] ]	Lambda should not have executionRole.combinedPolicies contain [ policyDocument.Statement contain [ Effect='Allow' and Action contain ['*'] ] ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF)
D9.AWS.VLN.16	Ensure that Shield Advanced is in Use	High	New				CloudGuard AWS All Rules Ruleset
D9.AZU.AS.18	Ensure that a Virtual WAN P2s VPN Gateway has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.20	Ensure that VMware Solution has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.84	Ensure that Azure VMware Solution has encryption enabled	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.IAM.73	Ensure Anonymous Access is Not Turned On for Blob Containers in Microsoft Azure Storage Accounts	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.114	Ensure that all Virtual WAN P2s VPN Gateway Connection Configurations have Internet Security enabled	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.65	Ensure that DevTest Lab has Tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.69	Ensure that a Virtual WAN P2s VPN Gateway is not in a 'Failed' state	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.70	Ensure that all Virtual WAN P2s VPN Gateway Connection Configurations are not in a 'Failed' state	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.76	Ensure that VMware Solution's status is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.77	Ensure that Virtual WAN VPN Server has Tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.78	Ensure that Provisioning Status of Configuration Policy Group for Virtual WAN VPN Server is not Failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.79	Ensure that P2S VPN Gateways's Provisioning Status for Virtual WAN VPN Server is not Failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.80	Ensure that Provisioning Status of P2S Connection Configuration for Virtual WAN VPN Server is not Failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.81	Ensure that Virtual WAN VPN Server's Status is not Failed	High	New				CloudGuard Azure All Rules Ruleset

February 07 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.77	Ensure rotation for customer-created symmetric CMKs is enabled	High	Modification	Name	Ensure rotation for customer created symmetric CMKs is enabled	Ensure rotation for customer-created symmetric CMKs is enabled	AWS Health Insurance Portability and Accountability Act (U. S. HIPAA) AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 AWS CIS Foundations v. 2.0.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST Special Publication 800-172 AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS CIS Benchmark 3.0.0 AWS NIST Cybersecurity Framework (CSF) AWS CloudGuard Best Practices
D9.AWS.CRY.12	ALB secured listener certificate expires in one week	High	Modification	Logic	ApplicationLoadBalancer where region unlike 'cn%' should not have listeners contain [ certificates contain [ expiration before(7, 'days') ] ]	ApplicationLoadBalancer should not have listeners contain [ certificates contain [ expiration before(7, 'days') ] ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS MITRE ATT&CK Framework v11.3 AWS HITRUST v11.0.0 AWS NIST 800-53 Rev 4 AWS CSA CCM v.4.0.1 CloudGuard AWS All Rules Ruleset AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS MLPS 2.0 AWS PCI-DSS 3.2 AWS NIST Special Publication 800-171 (Rev. 2) AWS CSA CCM v.3.0.1 AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS ISO 27001:2013 AWS NIST Cybersecurity Framework (CSF) AWS CloudGuard Well Architected Framework AWS CloudGuard Best Practices AWS MAS TRM Framework AWS NIST 800-171 AWS HITRUST AWS ITSG-33 AWS MITRE ATT&CK Framework v10
D9.AWS.LOG.24	Ensure that Object-level logging for read events is Enabled for S3 bucket	High	Modification	Name	Ensure Object-level Logging of Read Events is Enabled for S3 Buckets	Ensure that Object-level logging for read events is Enabled for S3 bucket	AWS NIST Special Publication 800-53 (Rev. 5) AWS CIS Foundations v. 1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 AWS HITRUST v11.0.0 AWS CSA CCM v.4.0.1 AWS CIS Foundations v. 2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS CIS Benchmark 3.0.0 AWS CloudGuard Best Practices AWS CIS Foundations v. 1.3.0 AWS CIS Foundations v. 1.4.0
D9.AWS.LOG.45	Ensure usage of 'root' account is monitored	High	Modification	Name	Ensure Root Account Usage is being monitored using CloudWatch alarms	Ensure usage of 'root' account is monitored	AWS NIST Special Publication 800-53 (Rev. 5) CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-172 AWS Secure Controls Framework (SCF) AWS CIS Benchmark 3.0.0
D9.AWS.NET.141	Ensure no security groups allow ingress from ::/0 to remote server administration ports	Critical	New				AWS NIST Special Publication 800-53 (Rev. 5) AWS CIS Foundations v. 1.5.0 AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 AWS HITRUST v11.0.0 CloudGuard AWS Default Ruleset AWS CIS Critical Security Controls v8 AWS CIS Foundations v. 2.0.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS Cyber Risk Institute Profile AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Risk Management in Technology (RMiT) AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS CIS Benchmark 3.0.0 AWS NIST Cybersecurity Framework (CSF) AWS CloudGuard Best Practices
D9.AWS.NET.91	Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports	Critical	Modification	Name Logic	Ensure no security groups allow unrestricted ingress to commonly used remote server administration ports SecurityGroup should not have inboundRules with [ (scope='::/0' or scope='0.0.0.0/0') and ( ( port<=22 and portTo>=22) or ( port<=3389 and portTo>=3389 ) ) ]	Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports SecurityGroup should not have inboundRules with [ scope='0.0.0.0/0' and ( ( port<=22 and portTo>=22) or ( port<=3389 and portTo>=3389 ) ) ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS CIS Foundations v. 1.5.0 AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 AWS HITRUST v11.0.0 CloudGuard AWS Default Ruleset AWS CIS Critical Security Controls v8 AWS CIS Foundations v. 2.0.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS Cyber Risk Institute Profile AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Risk Management in Technology (RMiT) AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS CIS Benchmark 3.0.0 AWS NIST Cybersecurity Framework (CSF) AWS CloudGuard Best Practices
D9.AZU.CRY.59	Ensure Azure Container Instance should use Secure Values for environment variables	Low	Modification	Name	Ensure Azure Container Instance environment variable	Ensure Azure Container Instance should use Secure Values for environment variables	Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 AZURE MLPS 2.0 Azure ENS 2022 Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure NIST Special Publication 800-171 (Rev. 2) Azure FedRAMP R5 (moderate) Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure Health Insurance Portability and Accountability Act (U. S. HIPAA)
D9.AWS.CRY.151	Ensure that Log groups in AWS Cloud Watch are encrypted using Customer Managed Keys	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.LOG.30	Ensure CloudWatch Logs is enabled for Prometheus Workspace	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.120	Ensure that Log groups in AWS Cloud Watch should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.121	Ensure that Prometheus Workspace should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.123	Ensure that Grafana Workspace should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AZU.AS.19	Ensure that Azure Virtual Desktop App Group has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.73	Ensure that Azure Virtual Desktop App Group has locks	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.74	Ensure that Azure Private Link Service's status is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.75	Ensure that Azure Private Link Service has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.GCP.NET.75	Ensure Public Cloud NAT Gateway should have automatic NAT IP address allocation enabled	Informational	New				CloudGuard GCP All Rules Ruleset
D9.GCP.NET.76	Ensure Public NAT Gateway should have dynamic port allocation enabled	Informational	New				CloudGuard GCP All Rules Ruleset
D9.OCI.CRY.07	Ensure Encryption in Transit is Enabled for Custom Images in Oracle Cloud	High	New				CloudGuard OCI All Rules Ruleset
D9.OCI.DR.01	Ensure Automated Backups are Enabled for MySQL Database Systems	Low	New				CloudGuard OCI All Rules Ruleset
D9.OCI.DR.02	Ensure that Backup Retention Period is Set for Oracle MySQL Database	Low	New				CloudGuard OCI All Rules Ruleset
D9.OCI.NET.29	Ensure Load Balancer should have Delete Protection Enabled	Low	New				CloudGuard OCI All Rules Ruleset
D9.OCI.OPE.04	Ensure that Custom Images in Oracle Cloud should have Tags	Low	New				CloudGuard OCI All Rules Ruleset
D9.OCI.VLN.01	Ensure Detector Recipe should contain Detector's Rules	Low	New				CloudGuard OCI All Rules Ruleset
D9.OCI.VLN.02	Ensure Responder Recipe should contain Responder's Rules	Low	New				CloudGuard OCI All Rules Ruleset

January 31 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.NET.66	Ensure Public (Anonymous) Access is disabled for Microsoft Azure Storage Accounts	Critical	Modification	Name Logic	Ensure that 'Public access level' is disabled for storage accounts with blob containers StorageAccount should have allowBlobPublicAccess=false and publicNetworkAccess like 'Disabled'	Ensure Public (Anonymous) Access is disabled for Microsoft Azure Storage Accounts StorageAccount should have allowBlobPublicAccess=false and publicNetworkAccessAsDisplayedInPortal like 'Disabled'	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST 800-53 Rev 5 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CloudGuard Azure Default Ruleset Azure Cybersecurity Capability Maturity Model (CMMC 2.0) Azure Cyber Risk Institute Profile Azure NIST Special Publication 800-171 Azure Risk Management in Technology (RMiT) Azure NIST Cybersecurity Framework v1.1 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure HIPAA Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1]
D9.AWS.CRY.150	Ensure that Bedrock Custom Model is encrypted using CMK	Low	New				CloudGuard AWS All Rules Ruleset AWS US FedRAMP (moderate) AWS ISO 27017:2015
D9.AWS.NET.1028	Ensure that Bedrock Model Customization Job is using a VPC	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.139	Ensure that Bedrock Custom Model has tags	Low	New				CloudGuard AWS All Rules Ruleset AWS ISO 27017:2015
D9.AWS.OPE.140	Ensure that Bedrock Model Customization Job has tags	Low	New				CloudGuard AWS All Rules Ruleset AWS ISO 27017:2015
D9.AZU.AS.17	Ensure that Azure Confidential Ledger has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.16	Ensure that Video Indexer has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.83	Ensure that Azure Confidential Ledger certificate exists and is attached	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.DR.07	Ensure Azure Event Hub Namespace is zone redundant	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.IAM.72	Ensure Azure cognitive services (AI Service) should use managed identity	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.118	Ensure that 'Public network access' is set to 'Disabled' for Event Hubs Namespace	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.115	Ensure Azure Route Table does not utilise default route	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.116	Ensure that Azure Cognitive Service (AI Service), does not allow public network access	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.67	Ensure that the status of Azure Confidential Ledger is healthy	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.68	Ensure that Azure Confidential Ledger has locks	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.66	Ensure that Video Indexer Experiment's status is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.71	Ensure that Route Table should have tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.72	Ensure that Event Hubs Namespace should have tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.K8S.IA.UN.3	Container Image - Malware	High	Modification	Name Logic Severity	Container Image - Malware of Critical Severity Malware where scannedAsset.entityType in('KubernetesImage', 'ContainerRegistryImage', 'ShiftLeftImage', 'EcsImage') should not have severity='Critical' Critical	Container Image - Malware Malware where scannedAsset.entityType in('KubernetesImage', 'ContainerRegistryImage', 'ShiftLeftImage', 'EcsImage') should fail High	Workload Vulnerability Default 2.0
D9.K8S.IA.UN.4	Container Image – Insecure Content	Low	Modification	Name Logic Severity	Container Image - Malware of High Severity Malware where scannedAsset.entityType in('KubernetesImage', 'ContainerRegistryImage', 'ShiftLeftImage', 'EcsImage') should not have severity='High' High	Container Image – Insecure Content InsecureContent where scannedAsset.entityType in('KubernetesImage', 'ContainerRegistryImage', 'ShiftLeftImage', 'EcsImage') should fail Low	Workload Vulnerability Default 2.0
D9.K8S.IA.UN.5	Container Image - Insecure Content of Critical Severity	Critical	Removal				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.6	Container Image - Insecure Content of High Severity	High	Removal				Workload Vulnerability Default 2.0

January 24 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.NET.62	Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks	High	Modification	Name	Ensure that public network access to Cosmos DB accounts is disabled	Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks	Azure CIS Foundations v. 1.5.0 Azure NIST 800-53 Rev 5 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CloudGuard Azure Default Ruleset Azure Cybersecurity Capability Maturity Model (CMMC 2.0) Azure Cyber Risk Institute Profile Azure NIST Special Publication 800-171 Azure NY - Cybersecurity Requirements for Financial Services Companies Azure Risk Management in Technology (RMiT) Azure NIST Cybersecurity Framework v1.1 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure HITRUST v9.5.0
D9.AZU.AS.14	Ensure that Azure Cassandra Cluster has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.15	Ensure that Azure DDoS Protection Plan has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.LOG.21	Ensure that Logs are enabled for Azure Cassandra Cluster	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.61	Ensure that the status of Azure Cassandra Cluster is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.62	Ensure that Azure Cassandra Cluster is authenticated properly	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.63	Ensure that Azure DDoS Protection Plan has locks	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.64	Ensure that the status of Azure DDoS Protection Plan is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.GCP.NET.62	Ensure GCP Private Service Connect Network Attachment only accept allowed connections	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.NET.74	Ensure that Google Cloud VPN tunnels use IKE version 2 protocol	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.16	Ensure Google Folder is not unused in last 180 days	Low	New				CloudGuard GCP All Rules Ruleset
D9.K8S.IA.UN.1	Container Image - Package of Critical Severity	Critical	New				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.2	Container Image - Package of High Severity	High	New				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.3	Container Image - Malware of Critical Severity	Critical	New				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.4	Container Image - Malware of High Severity	High	New				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.5	Container Image - Insecure Content of Critical Severity	Critical	New				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.6	Container Image - Insecure Content of High Severity	High	New				Workload Vulnerability Default 2.0

January 17 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.OCI.IAM.05	Ensure user API keys rotate within 90 days	High	Modification	Name	Ensure user API keys rotate within 90 days or less	Ensure user API keys rotate within 90 days	OCI Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations v2.0.0
D9.OCI.IAM.06	Ensure user customer secret keys rotate every 90 days or less	Low	Modification	Name	Ensure user customer secret keys rotate within 90 days or less	Ensure user customer secret keys rotate every 90 days or less	OCI Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations v2.0.0
D9.OCI.LOG.13	Ensure a notification is configured for network security group changes	Low	Modification	Name	Ensure a notification is configured for network security group changes	Ensure a notification is configured for network security group changes	OCI Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations v2.0.0
D9.OCI.LOG.14	Ensure a notification is configured for changes to network gateways	Low	Modification	Name	Ensure a notification is configured for changes to network gateways	Ensure a notification is configured for changes to network gateways	OCI Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations v2.0.0
D9.AWS.AS.11	Identify and remove any unused AWS DynamoDB tables to optimize AWS costs	High	Modification	Logic	DynamoDBTable should not have itemCount=0	DynamoDbTable should not have itemCount=0	CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.88	Ensure that Nimble Studio status is healthy	High	Modification	Logic	NimbleStudio should not have status code in ('DELETE_FAILED','CREATE_FAILED','UPDATE_FAILED')	NimbleStudio should not have statusCode in ('DELETE_FAILED','CREATE_FAILED','UPDATE_FAILED')	CloudGuard AWS All Rules Ruleset
D9.AZU.AS.09	Ensure that Data Migration has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.10	Ensure that Data Migration Classic has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.08	Ensure that Virtual WAN has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.11	Ensure that Static Web App Site has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.13	Ensure that a DNS Zone has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.81	Ensure that Virtual WAN should have VPN encryption	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.82	Ensure that HPC Cache rotates to latest key version	Medium	New				CloudGuard Azure All Rules Ruleset
D9.AZU.IAM.71	Ensure that Static Web App Site template properties are private	Medium	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.113	Ensure that Static Web App Site is limited to use selected networks based on trust instead of all networks	Medium	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.46	Ensure that Data Migration's status is not failed	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.47	Ensure that Data Migration Classic's status is not failed	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.44	Ensure that Virtual WAN Experiment's status is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.45	Ensure that Static Web App Site config file cannot be updated	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.48	Ensure that Static Web App Site private endpoint connections have no errors	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.49	Ensure that Static Web App Site Enterprise Grade CDN Status is Enabled	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.52	Ensure that HPC Cache's state is healthy	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.53	Ensure that HPC Cache's provisioning state is healthy	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.54	Ensure that HPC Cache has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.55	Ensure LoadTest has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.57	Ensure Load Test is in healthy state	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.58	Ensure that Azure Email Communication has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.59	Ensure that Azure Email Communication Domain has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.60	Ensure that Azure Virtual Machine Image Template has tags	Low	New				CloudGuard Azure All Rules Ruleset

January 10 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.03	Ensure that S3 Buckets are encrypted with CMK	Medium	Modification	Severity	High	Medium	CloudGuard AWS Dashboards AWS LGPD regulation AWS CloudGuard S3 Bucket Security AWS NIST 800-53 Rev 5 AWS CIS Foundations v. 1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS PCI-DSS 4.0 AWS HITRUST v11.0.0 AWS NIST 800-53 Rev 4 AWS CSA CCM v.4.0.1 CloudGuard AWS All Rules Ruleset AWS GDPR Readiness AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS MLPS 2.0 AWS PCI-DSS 3.2 AWS CSA CCM v.3.0.1 AWS ISO 27001:2013 AWS CloudGuard Well Architected Framework AWS CloudGuard Best Practices AWS Dashboard System Ruleset AWS CCPA Framework AWS MAS TRM Framework AWS NIST 800-171 AWS CIS Foundations v. 1.3.0 AWS HITRUST AWS ITSG-33 AWS CIS Foundations v. 1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.50	Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs	High	Modification	Logic	SecretManager should not have kmsKeyId isEmpty()	SecretManager should have encryptionKey.isCustomerManaged=true	AWS NIST 800-53 Rev 5 AWS MITRE ATT&CK Framework v11.3 AWS PCI-DSS 4.0 AWS HITRUST v11.0.0 AWS CIS Controls V 8 AWS CSA CCM v.4.0.1 CloudGuard AWS All Rules Ruleset AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS Cyber Risk Institute Profile AWS NIST Cybersecurity Framework v1.1 AWS CloudGuard Best Practices AWS HITRUST AWS ITSG-33 AWS MITRE ATT&CK Framework v10
D9.AZU.NET.62	Ensure that public network access to Cosmos DB accounts is disabled	High	Modification	Name	Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks	Ensure that public network access to Cosmos DB accounts is disabled	Azure CIS Foundations v. 1.5.0 Azure NIST 800-53 Rev 5 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CloudGuard Azure Default Ruleset Azure Cybersecurity Capability Maturity Model (CMMC 2.0) Azure Cyber Risk Institute Profile Azure NIST Special Publication 800-171 Azure NY - Cybersecurity Requirements for Financial Services Companies Azure NIST Cybersecurity Framework v1.1 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure HITRUST v9.5.0
D9.AWS.DR.23	Ensure Termination Protection feature is enabled for CloudFormation Stack	High	New				CloudGuard AWS All Rules Ruleset
D9.AZU.AS.12	Ensure that Storage Mover has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.07	Ensure that Azure Elastic Monitor has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.06	Ensure that Elastic SAN has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.76	Ensure that the encryption key for the batch account comes from Microsoft KeyVault	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.80	Ensure that Elastic SAN volume is encrypted with Customer Managed Key (CMK)	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.IAM.70	Ensure that the authentication mode for the batch account is set to 'AAD' and no other modes are allowed	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.111	Ensure that public network access is disabled for batch account	Medium	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.112	Ensure that public IP addresses are not assigned to batch pools	Medium	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.34	Ensure that Azure Batch Account is in a healthy state	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.35	Ensure that Azure Batch Account has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.50	Ensure that the status of Azure Storage Mover is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.51	Ensure that the status of Azure Storage Mover's Endpoint is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.42	Ensure that the status of Azure Elastic Monitor is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.43	Ensure that the monitoring status of Azure Elastic Monitor is not disabled	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.39	Ensure that Elastic SAN is in operational state	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.40	Ensure that Elastic SAN volumes do not have failed network ACL rules	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.41	Ensure that Elastic SAN volumes are operational	High	New				CloudGuard Azure All Rules Ruleset

January 03 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.12	ALB secured listener certificate expires in one week	High	Modification	Logic	ApplicationLoadBalancer should not have listeners contain [ certificates contain [ expiration before(7, 'days') ] ]	ApplicationLoadBalancer where region unlike 'cn%' should not have listeners contain [ certificates contain [ expiration before(7, 'days') ] ]	AWS NIST 800-53 Rev 5 AWS MITRE ATT&CK Framework v11.3 AWS PCI-DSS 4.0 AWS HITRUST v11.0.0 AWS NIST 800-53 Rev 4 AWS CSA CCM v.4.0.1 CloudGuard AWS All Rules Ruleset AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS MLPS 2.0 AWS PCI-DSS 3.2 AWS CSA CCM v.3.0.1 AWS ISO 27001:2013 AWS CloudGuard SOC2 based on AICPA TSC 2017 AWS CloudGuard Well Architected Framework AWS CloudGuard Best Practices AWS MAS TRM Framework AWS NIST 800-171 AWS HITRUST AWS ITSG-33 AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.93	Ensure that ECR Registry-level configuration is enabled for image scanning	High	Modification	Logic	EcrRegistryScanningConfig should have scanningConfiguration.rules contain-all [ scanFrequency.value like 'CONTINUOUS_SCAN'] and scanningConfiguration.scanType.value='ENHANCED'	EcrRegistryScanningConfig where scanningConfiguration.rules should have scanningConfiguration.rules contain-all [ scanFrequency.value like 'CONTINUOUS_SCAN'] and scanningConfiguration.scanType.value='ENHANCED'	CloudGuard AWS All Rules Ruleset AWS APRA 234
D9.AZU.AS.05	Ensure that Virtual Machine Image has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.77	Ensure that Azure Cognitive Search, or Azure AI Search Service, is enforcing encryption with Customer Managed Key (CMK)	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.78	Ensure that Virtual Machine Image is using hyper-V Generation V2	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.79	Ensure that Virtual Machine Image OS Disk is encrypted with Customer Managed Key (CMK)	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.DR.06	Ensure that Virtual Machine Image is zone resilient	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.110	Ensure that Cognitive Search, or AI Search Service, does not allow public network access	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.30	Ensure that Azure Cognitive Search, or Azure AI Search Service, has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.31	Ensure that Azure Cognitive Search, or Azure AI Search Service, has locks	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.32	Ensure that the status of Azure Cognitive Search, or Azure AI Search Service, is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.33	Ensure statuses for Azure Cognitive Search, or Azure AI Search, Service's privateEndpointConnections and sharedPrivateLinks are not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.36	Ensure that Virtual Machine Image is in succeeded state	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.37	Ensure that Virtual Machine Image OS Disk caching is enabled	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.38	Ensure that Virtual Machine Image Data Disk caching is enabled	Low	New				CloudGuard Azure All Rules Ruleset

CloudGuard Compliance Updates

November 27 2024

November 20 2024

November 13 2024

November 06 2024

October 30 2024

October 23 2024

October 16 2024

October 09 2024

October 01 2024

September 25 2024

September 18 2024

September 11 2024

September 04 2024

August 28 2024

August 21 2024

August 14 2024

August 07 2024

July 31 2024

July 24 2024

July 17 2024

July 10 2024

July 03 2024

June 26 2024

June 19 2024

June 13 2024

June 12 2024

June 05 2024

May 29 2024

May 22 2024

May 15 2024

May 08 2024

May 01 2024

April 24 2024

April 17 2024

April 10 2024

April 04 2024

April 03 2024

March 27 2024

March 20 2024

March 13 2024

March 06 2024

February 28 2024

February 21 2024

February 14 2024

February 07 2024

January 31 2024

January 24 2024

January 17 2024

January 10 2024

January 03 2024