| Rule ID | Rule Name | Severity | Change | Old | New | Rulesets |
|---|---|---|---|---|---|---|
| D9.GCP.DR.01 | Ensure That Cloud SQL Database Instances Are Configured With Automated Backups | Low | Modification | `CloudSql should have settings.backupConfiguration.enabled=true` | `CloudSql where instanceType!="READ_REPLICA_INSTANCE" should have settings.backupConfiguration.enabled=true` | GCP CIS Foundations Benchmark v1.3.0<br>GCP NIST SP 800-53 R5<br>GCP PCI DSS v4<br>GCP CIS Foundations Benchmark v2.0.0<br>GCP MITRE ATT&CK Framework v12.1<br>CloudGuard GCP All Rules Ruleset<br>GCP CIS Critical Security Controls v8<br>GCP ISO 27001:2022<br>GCP APRA 234<br>GCP CSA CCM v4<br>GCP ENS 2022 Spain<br>GCP RMiT Malaysia<br>GCP ACSC ISM<br>GCP FedRAMP R5 (moderate)<br>GCP ISO 27017:2015<br>GCP SOX (Section 404)<br>GCP Secure Controls Framework (SCF) v2023.1<br>GCP ISO 27002:2022<br>GCP ASD Essential Eight<br>GCP CMMC 2.0 v1.02<br>GCP NIST SP 800-171 R2<br>GCP New Zealand ISM v3.6<br>GCP CIS Foundations Benchmark v3.0.0<br>GCP NIST CSF v1.1<br>GCP HIPAA<br>GCP CIS Foundations Benchmark v1.1.0<br>GCP CIS Foundations Benchmark v1.2.0<br>GCP CloudGuard Best Practices |
| D9.AZU.NET.VirtualMachine.TCPdb | Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-TCP Ports | High | Modification | Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-TCP ports<br>`VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_TCP_Ports) ] ] ]` | Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-TCP Ports<br>`VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_TCP_Ports) ] ] ]` | Azure LGPD<br>Azure Security Risk Management<br>Azure PCI DSS v4<br>CloudGuard Azure All Rules Ruleset<br>Azure CSA CCM v4<br>CloudGuard Azure Default Ruleset<br>Azure APRA 234<br>Azure ISO 27001:2022<br>Azure ENS 2022 Spain<br>Azure ACSC ISM<br>Azure PCI DSS v3.2.1<br>Azure NIST SP 800-53 R4<br>Azure SOX (Section 404)<br>Azure Secure Controls Framework (SCF) v2023.1<br>Azure CSA CCM v3<br>Azure ISO 27001:2013<br>Azure HIPAA<br>Azure CloudGuard Network Security Alerts<br>Azure CloudGuard Best Practices<br>Azure New Zealand ISM v3.4 |
| D9.AZU.NET.VirtualMachine.UDPdb | Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-UDP Ports | High | Modification | Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-UDP ports<br>`VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_UDP_Ports) ] ] ]` | Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known DB-UDP Ports<br>`VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_DB_UDP_Ports) ] ] ]` | Azure LGPD<br>Azure Security Risk Management<br>Azure PCI DSS v4<br>CloudGuard Azure All Rules Ruleset<br>Azure CSA CCM v4<br>CloudGuard Azure Default Ruleset<br>Azure APRA 234<br>Azure ISO 27001:2022<br>Azure ENS 2022 Spain<br>Azure ACSC ISM<br>Azure PCI DSS v3.2.1<br>Azure NIST SP 800-53 R4<br>Azure SOX (Section 404)<br>Azure Secure Controls Framework (SCF) v2023.1<br>Azure CSA CCM v3<br>Azure ISO 27001:2013<br>Azure HIPAA<br>Azure CloudGuard Network Security Alerts<br>Azure CloudGuard Best Practices<br>Azure New Zealand ISM v3.4 |
| D9.AZU.NET.VirtualMachine.TCP | Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known TCP Ports | High | Modification | Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known TCP ports<br>`VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_TCP_Ports) ] ] ]`<br>Medium | Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known TCP Ports<br>`VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('TCP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_TCP_Ports) ] ] ]`<br>High | Azure LGPD<br>Azure Security Risk Management<br>Azure CIS Foundations Benchmark v1.5.0<br>Azure PCI DSS v4<br>Azure CIS Foundations Benchmark v2.0.0<br>CloudGuard Azure All Rules Ruleset<br>Azure CSA CCM v4<br>CloudGuard Azure Default Ruleset<br>Azure APRA 234<br>Azure ISO 27001:2022<br>Azure ENS 2022 Spain<br>Azure RMiT Malaysia<br>Azure ACSC ISM<br>Azure CIS Critical Security Controls v8<br>Azure PCI DSS v3.2.1<br>Azure NIST SP 800-53 R4<br>Azure SOX (Section 404)<br>Azure Secure Controls Framework (SCF) v2023.1<br>Azure CIS Foundations Benchmark v2.1.0<br>Azure CSA CCM v3<br>Azure ISO 27001:2013<br>Azure SOC 2 (AICPA TSC 2017 Controls)<br>Azure HIPAA<br>Azure CloudGuard Network Security Alerts<br>Azure CloudGuard Best Practices<br>Azure New Zealand ISM v3.4 |
| D9.AZU.NET.VirtualMachine.UDP | Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known UDP Ports | High | Modification | Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known UDP ports<br>`VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All')] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_UDP_Ports) ] ] ]`<br>Medium | Ensure no Virtual Machine Allows Incoming Traffic from 0.0.0.0/0 to Known UDP Ports<br>`VirtualMachine where isPublic=true should not have nics contain [ networkSecurityGroup.inboundSecurityRules contain [protocol in ('UDP','All') and action like '%allow%'] and networkSecurityGroup.inboundSecurityRules contain [ sourceAddressPrefixes contain [ '0.0.0.0/0' ] and destinationAddressPrefixes contain [ '0.0.0.0/0' ]] and networkSecurityGroup.inboundSecurityRules contain [ destinationPortRanges contain [destinationPort in($CloudGuard_Known_UDP_Ports) ] ] ]`<br>High | Azure LGPD<br>Azure Security Risk Management<br>Azure CIS Foundations Benchmark v1.5.0<br>Azure PCI DSS v4<br>Azure CIS Foundations Benchmark v2.0.0<br>CloudGuard Azure All Rules Ruleset<br>Azure CSA CCM v4<br>CloudGuard Azure Default Ruleset<br>Azure APRA 234<br>Azure ISO 27001:2022<br>Azure ENS 2022 Spain<br>Azure RMiT Malaysia<br>Azure ACSC ISM<br>Azure CIS Critical Security Controls v8<br>Azure PCI DSS v3.2.1<br>Azure NIST SP 800-53 R4<br>Azure SOX (Section 404)<br>Azure Secure Controls Framework (SCF) v2023.1<br>Azure CIS Foundations Benchmark v2.1.0<br>Azure CSA CCM v3<br>Azure ISO 27001:2013<br>Azure SOC 2 (AICPA TSC 2017 Controls)<br>Azure HIPAA<br>Azure CloudGuard Network Security Alerts<br>Azure CloudGuard Best Practices<br>Azure New Zealand ISM v3.4 |
| D9.AWS.LOG.04 | Ensure that AWS Config is Enabled in All Regions | High | New | | | AWS NIST SP 800-53 R5<br>AWS PCI DSS v4<br>AWS CSA CCM v4<br>CloudGuard AWS All Rules Ruleset<br>AWS ASD Essential Eight<br>AWS NIST SP 800-171 R2<br>AWS New Zealand ISM v3.6<br>AWS ACSC ISM<br>AWS FedRAMP R5 (moderate)<br>AWS SWIFT Customer Security Programme CSCF<br>AWS Secure Controls Framework (SCF) v2023.1<br>AWS NIST CSF v1.1<br>AWS SOC 2 (AICPA TSC 2017 Controls) |
| D9.AWS.LOG.39 | Ensure that DNS query logging is enabled for your Amazon Route 53 hosted zones | High | Modification | `Route53HostedZone should have queryLoggingConfigs` | `Route53HostedZone where metadata.type like 'public' should have queryLoggingConfigs` | AWS NIST SP 800-53 R5<br>CloudGuard AWS All Rules Ruleset<br>AWS Foundational Security Best Practices (FSBP)<br>AWS APRA 234<br>AWS SOX (Section 404)<br>AWS Secure Controls Framework (SCF) v2023.1 |
| D9.AWS.IAM.186 | Ensure that Data Lake's 'allowFullTableExternalDataAccess' setting is disabled | High | Removal | | | AWS NIST SP 800-53 R5<br>AWS PCI DSS v4<br>CloudGuard AWS All Rules Ruleset<br>AWS CMMC 2.0 v1.02<br>AWS NIST SP 800-171 R2<br>AWS New Zealand ISM v3.6<br>AWS ACSC ISM<br>AWS FedRAMP R5 (moderate)<br>AWS ISO 27017:2015<br>AWS SWIFT Customer Security Programme CSCF<br>AWS FFIEC Cybersecurity Assessment Tool (CAT)<br>AWS SOX (Section 404)<br>AWS Secure Controls Framework (SCF) v2023.1<br>AWS ISO 27002:2022<br>AWS NIST CSF v1.1 |