March 27 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.MON.107 | Ensure that Azure Network Watcher is Enabled | Low | New |
| |||
| D9.AWS.CRY.38 | Ensure to update the Security Policy of the Network Load Balancer | High | Modification |
|
|
|
|
| D9.ALI.CRY.10 | Ensure that Automatic Rotation is Enabled for KMS | High | Modification |
|
|
|
|
| D9.AZU.NET.28 | Ensure that Network Watcher is 'Enabled' | Low | Removal |
|
March 20 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.AS.44 | Ensure Resource Access Manager customer managed permissions should have tags | Informational | New |
| |||
| D9.AWS.DR.17 | Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery | High | Modification |
|
|
|
|
| D9.AWS.DR.19 | Ensure that Lightsail Relational Database has a recent snapshot | High | Modification |
|
|
|
|
| D9.AWS.LOG.58 | Ensure that Access Logging should be enabled for AWS Elemental MediaStore Container | Medium | New |
| |||
| D9.AWS.OPE.152 | Ensure that AWS Elemental MediaStore Container should be ACTIVE | Low | New |
| |||
| D9.GCP.OPE.29 | Ensure that only usable Instance are available in Filestore | Low | New |
| |||
| D9.ALI.CRY.08 | Ensure Apsara File Storage NAS are encrypted | High | New |
| |||
| D9.ALI.CRY.09 | Ensure Apsara File Storage NAS should have Encryption Type selected | High | New |
| |||
| D9.ALI.CRY.10 | Ensure that Automatic Rotation is enabled for KMS | High | New |
| |||
| D9.ALI.CRY.11 | Ensure that Deletion Protection is Enabled for KMS | High | New |
| |||
| D9.ALI.CRY.12 | Ensure only usable Keys are in the KMS | Low | New |
| |||
| D9.ALI.OPE.03 | Ensure that Apsara File Storage NAS should have tags | Low | New |
| |||
| D9.OCI.AS.08 | Ensure that a newly created region subscription's status is ready | Informational | New |
| |||
| D9.K8S.IA.UN.5 | Container Image – ScanSummary | Critical | New |
| |||
| D9.AWS.OPE.131 | Ensure Resource Access Manager customer managed permissions should have tags | Informational | Removal |
|
March 13 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.GCP.CRY.01 | Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | Medium | Modification |
|
|
|
|
| D9.AWS.IAM.190 | Ensure that Authorization Type in AWS Kafka Connect Connector is not set to None | High | Modification |
|
|
|
|
| D9.AWS.OPE.142 | Ensure that AppFlow should have tags | Low | New |
| |||
| D9.AWS.OPE.143 | Ensure that MediaStoreContainer should have tags | Low | New |
| |||
| D9.AWS.OPE.144 | Ensure that DataSyncStorage should have tags | Low | New |
| |||
| D9.AWS.OPE.145 | Ensure that CloudTrail should have tags | Low | New |
| |||
| D9.AWS.OPE.148 | Ensure that EksCluster should have tags | Low | New |
| |||
| D9.AWS.OPE.149 | Ensure AWS Verified Access should have FIPS status enabled | High | New |
| |||
| D9.AWS.OPE.150 | Ensure AWS Verified Access should have tags | Low | New |
| |||
| D9.GCP.NET.80 | Cloud Armor Security Policy Default Rule Action should be 'Deny' | High | New |
| |||
| D9.GCP.OPE.21 | Ensure that DnsManagedZone should have tags | Low | New |
| |||
| D9.GCP.OPE.22 | Ensure that PubSubTopic should have tags | Low | New |
| |||
| D9.GCP.OPE.23 | Ensure that VMInstance should have tags | Low | New |
| |||
| D9.GCP.OPE.24 | Ensure that Filestore Instance should have tags | Low | New |
| |||
| D9.GCP.OPE.25 | Ensure that DataprocCluster should have tags | Low | New |
| |||
| D9.GCP.OPE.26 | Ensure that Secret should have tags | Low | New |
| |||
| D9.GCP.OPE.27 | Ensure that Disk should have tags | Low | New |
| |||
| D9.GCP.OPE.28 | Ensure that 'Disable Automatic IAM Grants for Default Service Accounts' policy is enforced for Google Cloud Platform (GCP) organizations | Medium | New |
| |||
| D9.ALI.OPE.01 | Ensure that Auto Scaling Group should have Deletion Protection enabled | Low | New |
| |||
| D9.ALI.OPE.02 | Ensure Auto Scaling group have scaling cooldown higher than a minute | Low | New |
| |||
| D9.OCI.OPE.05 | Ensure that Tenancy should have defined tags | Low | New |
|
March 06 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.LOG.14 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic) | Low | Modification |
|
|
|
|
| D9.AZU.LOG.15 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic) | Low | Modification |
|
|
|
|
| D9.AZU.LOG.16 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests in Monitoring (classic) | Low | Modification |
|
|
|
|
February 28 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.LOG.16 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Low | Modification |
|
|
|
|
| D9.AWS.CRY.38 | Ensure to update the Security Policy of the Network Load Balancer | High | Modification |
|
|
|
|
| D9.AZU.NET.35 | Ensure Application Gateway is using the latest version of TLS encryption | High | Modification |
|
|
|
|
| D9.AWS.IAM.190 | Ensure that Authorization Type in AWS Kafka Connect Connector is not set to None | High | New |
| |||
| D9.AWS.OPE.141 | Ensure that the AWS Kafka Connect Connector is in a Healthy State | Low | New |
| |||
| D9.GCP.CRY.24 | Ensure Vertex AI Notebook Instance Have Integrity Monitoring Enabled | Low | New |
| |||
| D9.GCP.CRY.26 | Ensure That Vertex AI Notebook Instance is encrypted with Customer-Managed Encryption Key (CMEK) | High | New |
| |||
| D9.GCP.NET.77 | Ensure GCP Vertex AI Notebook Instance secure boot feature is Enabled | High | New |
| |||
| D9.GCP.NET.78 | Ensure GCP Vertex AI Notebook Instance vTPM feature is enabled | Low | New |
| |||
| D9.GCP.NET.79 | Ensure Firestore Database delete protection enabled | High | New |
| |||
| D9.GCP.OPE.17 | Ensure that Vertex AI Notebook Instance has tags | Low | New |
| |||
| D9.GCP.OPE.18 | Ensure that Vertex AI Notebook Instance status is healthy | High | New |
| |||
| D9.GCP.OPE.19 | Ensure that Vertex AI Notebook Runtime has tags | Low | New |
| |||
| D9.GCP.OPE.20 | Ensure that Vertex AI Notebook Runtime status is healthy | High | New |
|
February 21 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.127 | Ensure Athena Workgroups should be Encrypted at Rest | High | Modification |
|
|
|
|
| D9.AZU.CRY.18 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | High | Modification |
|
|
|
|
| D9.AZU.CRY.16 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) | Low | Modification |
|
|
|
|
| D9.AZU.CRY.27 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) | Low | Modification |
|
|
|
|
| D9.AZU.CRY.33 | Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL flexible Database Server | High | Modification |
|
|
|
|
| D9.AZU.CRY.39 | Ensure that Storage Account Access Keys are Periodically Regenerated | High | Modification |
|
|
|
|
| D9.AZU.IAM.38 | Ensure Security Defaults is enabled on Microsoft Entra ID | High | Modification |
|
|
|
|
| D9.AZU.MON.67 | Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' | High | Modification |
|
|
|
|
| D9.AZU.IAM.47 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | High | Modification |
|
|
|
|
| D9.AZU.MON.79 | [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' | High | Modification |
|
|
|
|
| D9.AWS.NET.05 | Ensure no security groups allow unrestricted ingress (from either IPv4 or IPv6 source IP addresses) to commonly used remote server administration ports | Critical | New |
|
February 14 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.NET.66 | Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers | Critical | Modification |
|
|
|
|
| D9.AWS.IAM.175 | Ensure that Multi-Factor Authentication is Enabled for All IAM Users | High | Modification |
|
|
|
|
| D9.AWS.IAM.154 | Ensure that Lambda functions should not have IAM roles with permissions for destructive actions on Amazon RDS databases | High | Modification |
|
|
|
|
| D9.AWS.IAM.157 | Ensure that AWS Lambda function should not have org write access level | High | Modification |
|
|
|
|
| D9.AWS.IAM.158 | Ensure that AWS Lambda function should not have IAM write access level | High | Modification |
|
|
|
|
| D9.AWS.IAM.167 | Ensure that AWS Lambda IAM policy should not be overly permissive to all traffic | High | Modification |
|
|
|
|
| D9.AWS.VLN.16 | Ensure that Shield Advanced is in Use | High | New |
| |||
| D9.AZU.AS.18 | Ensure that a Virtual WAN P2s VPN Gateway has an associated tag | Low | New |
| |||
| D9.AZU.AS.20 | Ensure that VMware Solution has an associated tag | Low | New |
| |||
| D9.AZU.CRY.84 | Ensure that Azure VMware Solution has encryption enabled | Low | New |
| |||
| D9.AZU.IAM.73 | Ensure Anonymous Access is Not Turned On for Blob Containers in Microsoft Azure Storage Accounts | High | New |
| |||
| D9.AZU.NET.114 | Ensure that all Virtual WAN P2s VPN Gateway Connection Configurations have Internet Security enabled | High | New |
| |||
| D9.AZU.OPE.65 | Ensure that DevTest Lab has Tags | Low | New |
| |||
| D9.AZU.OPE.69 | Ensure that a Virtual WAN P2s VPN Gateway is not in a 'Failed' state | High | New |
| |||
| D9.AZU.OPE.70 | Ensure that all Virtual WAN P2s VPN Gateway Connection Configurations are not in a 'Failed' state | High | New |
| |||
| D9.AZU.OPE.76 | Ensure that VMware Solution's status is not failed | High | New |
| |||
| D9.AZU.OPE.77 | Ensure that Virtual WAN VPN Server has Tags | Low | New |
| |||
| D9.AZU.OPE.78 | Ensure that Provisioning Status of Configuration Policy Group for Virtual WAN VPN Server is not Failed | High | New |
| |||
| D9.AZU.OPE.79 | Ensure that P2S VPN Gateways's Provisioning Status for Virtual WAN VPN Server is not Failed | High | New |
| |||
| D9.AZU.OPE.80 | Ensure that Provisioning Status of P2S Connection Configuration for Virtual WAN VPN Server is not Failed | High | New |
| |||
| D9.AZU.OPE.81 | Ensure that Virtual WAN VPN Server's Status is not Failed | High | New |
|
February 07 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.77 | Ensure rotation for customer-created symmetric CMKs is enabled | High | Modification |
|
|
|
|
| D9.AWS.CRY.12 | ALB secured listener certificate expires in one week | High | Modification |
|
|
|
|
| D9.AWS.LOG.24 | Ensure that Object-level logging for read events is Enabled for S3 bucket | High | Modification |
|
|
|
|
| D9.AWS.LOG.45 | Ensure usage of 'root' account is monitored | High | Modification |
|
|
|
|
| D9.AWS.NET.141 | Ensure no security groups allow ingress from ::/0 to remote server administration ports | Critical | New |
| |||
| D9.AWS.NET.91 | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Critical | Modification |
|
|
|
|
| D9.AZU.CRY.59 | Ensure Azure Container Instance should use Secure Values for environment variables | Low | Modification |
|
|
|
|
| D9.AWS.CRY.151 | Ensure that Log groups in AWS Cloud Watch are encrypted using Customer Managed Keys | Low | New |
| |||
| D9.AWS.LOG.30 | Ensure CloudWatch Logs is enabled for Prometheus Workspace | Low | New |
| |||
| D9.AWS.OPE.120 | Ensure that Log groups in AWS Cloud Watch should have tags | Informational | New |
| |||
| D9.AWS.OPE.121 | Ensure that Prometheus Workspace should have tags | Low | New |
| |||
| D9.AWS.OPE.123 | Ensure that Grafana Workspace should have tags | Low | New |
| |||
| D9.AZU.AS.19 | Ensure that Azure Virtual Desktop App Group has an associated tag | Low | New |
| |||
| D9.AZU.OPE.73 | Ensure that Azure Virtual Desktop App Group has locks | Low | New |
| |||
| D9.AZU.OPE.74 | Ensure that Azure Private Link Service's status is not failed | High | New |
| |||
| D9.AZU.OPE.75 | Ensure that Azure Private Link Service has tags | Low | New |
| |||
| D9.GCP.NET.75 | Ensure Public Cloud NAT Gateway should have automatic NAT IP address allocation enabled | Informational | New |
| |||
| D9.GCP.NET.76 | Ensure Public NAT Gateway should have dynamic port allocation enabled | Informational | New |
| |||
| D9.OCI.CRY.07 | Ensure Encryption in Transit is Enabled for Custom Images in Oracle Cloud | High | New |
| |||
| D9.OCI.DR.01 | Ensure Automated Backups are Enabled for MySQL Database Systems | Low | New |
| |||
| D9.OCI.DR.02 | Ensure that Backup Retention Period is Set for Oracle MySQL Database | Low | New |
| |||
| D9.OCI.NET.29 | Ensure Load Balancer should have Delete Protection Enabled | Low | New |
| |||
| D9.OCI.OPE.04 | Ensure that Custom Images in Oracle Cloud should have Tags | Low | New |
| |||
| D9.OCI.VLN.01 | Ensure Detector Recipe should contain Detector's Rules | Low | New |
| |||
| D9.OCI.VLN.02 | Ensure Responder Recipe should contain Responder's Rules | Low | New |
|
January 31 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.NET.66 | Ensure Public (Anonymous) Access is disabled for Microsoft Azure Storage Accounts | Critical | Modification |
|
|
|
|
| D9.AWS.CRY.150 | Ensure that Bedrock Custom Model is encrypted using CMK | Low | New |
| |||
| D9.AWS.NET.1028 | Ensure that Bedrock Model Customization Job is using a VPC | Low | New |
| |||
| D9.AWS.OPE.139 | Ensure that Bedrock Custom Model has tags | Low | New |
| |||
| D9.AWS.OPE.140 | Ensure that Bedrock Model Customization Job has tags | Low | New |
| |||
| D9.AZU.AS.17 | Ensure that Azure Confidential Ledger has an associated tag | Low | New |
| |||
| D9.AZU.AS.16 | Ensure that Video Indexer has an associated tag | Low | New |
| |||
| D9.AZU.CRY.83 | Ensure that Azure Confidential Ledger certificate exists and is attached | Low | New |
| |||
| D9.AZU.DR.07 | Ensure Azure Event Hub Namespace is zone redundant | Low | New |
| |||
| D9.AZU.IAM.72 | Ensure Azure cognitive services (AI Service) should use managed identity | Low | New |
| |||
| D9.AZU.NET.118 | Ensure that 'Public network access' is set to 'Disabled' for Event Hubs Namespace | Low | New |
| |||
| D9.AZU.NET.115 | Ensure Azure Route Table does not utilise default route | Low | New |
| |||
| D9.AZU.NET.116 | Ensure that Azure Cognitive Service (AI Service), does not allow public network access | High | New |
| |||
| D9.AZU.OPE.67 | Ensure that the status of Azure Confidential Ledger is healthy | High | New |
| |||
| D9.AZU.OPE.68 | Ensure that Azure Confidential Ledger has locks | Low | New |
| |||
| D9.AZU.OPE.66 | Ensure that Video Indexer Experiment's status is not failed | High | New |
| |||
| D9.AZU.OPE.71 | Ensure that Route Table should have tags | Low | New |
| |||
| D9.AZU.OPE.72 | Ensure that Event Hubs Namespace should have tags | Low | New |
| |||
| D9.K8S.IA.UN.3 | Container Image - Malware | High | Modification |
|
|
|
|
| D9.K8S.IA.UN.4 | Container Image – Insecure Content | Low | Modification |
|
|
|
|
| D9.K8S.IA.UN.5 | Container Image - Insecure Content of Critical Severity | Critical | Removal |
| |||
| D9.K8S.IA.UN.6 | Container Image - Insecure Content of High Severity | High | Removal |
|
January 24 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.NET.62 | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | High | Modification |
|
|
|
|
| D9.AZU.AS.14 | Ensure that Azure Cassandra Cluster has an associated tag | Low | New |
| |||
| D9.AZU.AS.15 | Ensure that Azure DDoS Protection Plan has an associated tag | Low | New |
| |||
| D9.AZU.LOG.21 | Ensure that Logs are enabled for Azure Cassandra Cluster | Low | New |
| |||
| D9.AZU.OPE.61 | Ensure that the status of Azure Cassandra Cluster is not failed | High | New |
| |||
| D9.AZU.OPE.62 | Ensure that Azure Cassandra Cluster is authenticated properly | High | New |
| |||
| D9.AZU.OPE.63 | Ensure that Azure DDoS Protection Plan has locks | Low | New |
| |||
| D9.AZU.OPE.64 | Ensure that the status of Azure DDoS Protection Plan is not failed | High | New |
| |||
| D9.GCP.NET.62 | Ensure GCP Private Service Connect Network Attachment only accept allowed connections | High | New |
| |||
| D9.GCP.NET.74 | Ensure that Google Cloud VPN tunnels use IKE version 2 protocol | Low | New |
| |||
| D9.GCP.OPE.16 | Ensure Google Folder is not unused in last 180 days | Low | New |
| |||
| D9.K8S.IA.UN.1 | Container Image - Package of Critical Severity | Critical | New |
| |||
| D9.K8S.IA.UN.2 | Container Image - Package of High Severity | High | New |
| |||
| D9.K8S.IA.UN.3 | Container Image - Malware of Critical Severity | Critical | New |
| |||
| D9.K8S.IA.UN.4 | Container Image - Malware of High Severity | High | New |
| |||
| D9.K8S.IA.UN.5 | Container Image - Insecure Content of Critical Severity | Critical | New |
| |||
| D9.K8S.IA.UN.6 | Container Image - Insecure Content of High Severity | High | New |
|
January 17 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.OCI.IAM.05 | Ensure user API keys rotate within 90 days | High | Modification |
|
|
|
|
| D9.OCI.IAM.06 | Ensure user customer secret keys rotate every 90 days or less | Low | Modification |
|
|
|
|
| D9.OCI.LOG.13 | Ensure a notification is configured for network security group changes | Low | Modification |
|
|
|
|
| D9.OCI.LOG.14 | Ensure a notification is configured for changes to network gateways | Low | Modification |
|
|
|
|
| D9.AWS.AS.11 | Identify and remove any unused AWS DynamoDB tables to optimize AWS costs | High | Modification |
|
|
|
|
| D9.AWS.OPE.88 | Ensure that Nimble Studio status is healthy | High | Modification |
|
|
|
|
| D9.AZU.AS.09 | Ensure that Data Migration has an associated tag | Low | New |
| |||
| D9.AZU.AS.10 | Ensure that Data Migration Classic has an associated tag | Low | New |
| |||
| D9.AZU.AS.08 | Ensure that Virtual WAN has an associated tag | Low | New |
| |||
| D9.AZU.AS.11 | Ensure that Static Web App Site has an associated tag | Low | New |
| |||
| D9.AZU.AS.13 | Ensure that a DNS Zone has an associated tag | Low | New |
| |||
| D9.AZU.CRY.81 | Ensure that Virtual WAN should have VPN encryption | High | New |
| |||
| D9.AZU.CRY.82 | Ensure that HPC Cache rotates to latest key version | Medium | New |
| |||
| D9.AZU.IAM.71 | Ensure that Static Web App Site template properties are private | Medium | New |
| |||
| D9.AZU.NET.113 | Ensure that Static Web App Site is limited to use selected networks based on trust instead of all networks | Medium | New |
| |||
| D9.AZU.OPE.46 | Ensure that Data Migration's status is not failed | Low | New |
| |||
| D9.AZU.OPE.47 | Ensure that Data Migration Classic's status is not failed | Low | New |
| |||
| D9.AZU.OPE.44 | Ensure that Virtual WAN Experiment's status is not failed | High | New |
| |||
| D9.AZU.OPE.45 | Ensure that Static Web App Site config file cannot be updated | Low | New |
| |||
| D9.AZU.OPE.48 | Ensure that Static Web App Site private endpoint connections have no errors | High | New |
| |||
| D9.AZU.OPE.49 | Ensure that Static Web App Site Enterprise Grade CDN Status is Enabled | Low | New |
| |||
| D9.AZU.OPE.52 | Ensure that HPC Cache's state is healthy | High | New |
| |||
| D9.AZU.OPE.53 | Ensure that HPC Cache's provisioning state is healthy | High | New |
| |||
| D9.AZU.OPE.54 | Ensure that HPC Cache has tags | Low | New |
| |||
| D9.AZU.OPE.55 | Ensure LoadTest has tags | Low | New |
| |||
| D9.AZU.OPE.57 | Ensure Load Test is in healthy state | High | New |
| |||
| D9.AZU.OPE.58 | Ensure that Azure Email Communication has tags | Low | New |
| |||
| D9.AZU.OPE.59 | Ensure that Azure Email Communication Domain has tags | Low | New |
| |||
| D9.AZU.OPE.60 | Ensure that Azure Virtual Machine Image Template has tags | Low | New |
|
January 10 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.03 | Ensure that S3 Buckets are encrypted with CMK | Medium | Modification |
|
|
|
|
| D9.AWS.CRY.50 | Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs | High | Modification |
|
|
|
|
| D9.AZU.NET.62 | Ensure that public network access to Cosmos DB accounts is disabled | High | Modification |
|
|
|
|
| D9.AWS.DR.23 | Ensure Termination Protection feature is enabled for CloudFormation Stack | High | New |
| |||
| D9.AZU.AS.12 | Ensure that Storage Mover has an associated tag | Low | New |
| |||
| D9.AZU.AS.07 | Ensure that Azure Elastic Monitor has an associated tag | Low | New |
| |||
| D9.AZU.AS.06 | Ensure that Elastic SAN has an associated tag | Low | New |
| |||
| D9.AZU.CRY.76 | Ensure that the encryption key for the batch account comes from Microsoft KeyVault | Low | New |
| |||
| D9.AZU.CRY.80 | Ensure that Elastic SAN volume is encrypted with Customer Managed Key (CMK) | Low | New |
| |||
| D9.AZU.IAM.70 | Ensure that the authentication mode for the batch account is set to 'AAD' and no other modes are allowed | Low | New |
| |||
| D9.AZU.NET.111 | Ensure that public network access is disabled for batch account | Medium | New |
| |||
| D9.AZU.NET.112 | Ensure that public IP addresses are not assigned to batch pools | Medium | New |
| |||
| D9.AZU.OPE.34 | Ensure that Azure Batch Account is in a healthy state | Low | New |
| |||
| D9.AZU.OPE.35 | Ensure that Azure Batch Account has tags | Low | New |
| |||
| D9.AZU.OPE.50 | Ensure that the status of Azure Storage Mover is not failed | High | New |
| |||
| D9.AZU.OPE.51 | Ensure that the status of Azure Storage Mover's Endpoint is not failed | High | New |
| |||
| D9.AZU.OPE.42 | Ensure that the status of Azure Elastic Monitor is not failed | High | New |
| |||
| D9.AZU.OPE.43 | Ensure that the monitoring status of Azure Elastic Monitor is not disabled | Low | New |
| |||
| D9.AZU.OPE.39 | Ensure that Elastic SAN is in operational state | High | New |
| |||
| D9.AZU.OPE.40 | Ensure that Elastic SAN volumes do not have failed network ACL rules | High | New |
| |||
| D9.AZU.OPE.41 | Ensure that Elastic SAN volumes are operational | High | New |
|
January 03 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.12 | ALB secured listener certificate expires in one week | High | Modification |
|
|
|
|
| D9.AWS.CRY.93 | Ensure that ECR Registry-level configuration is enabled for image scanning | High | Modification |
|
|
|
|
| D9.AZU.AS.05 | Ensure that Virtual Machine Image has an associated tag | Low | New |
| |||
| D9.AZU.CRY.77 | Ensure that Azure Cognitive Search, or Azure AI Search Service, is enforcing encryption with Customer Managed Key (CMK) | Low | New |
| |||
| D9.AZU.CRY.78 | Ensure that Virtual Machine Image is using hyper-V Generation V2 | Low | New |
| |||
| D9.AZU.CRY.79 | Ensure that Virtual Machine Image OS Disk is encrypted with Customer Managed Key (CMK) | High | New |
| |||
| D9.AZU.DR.06 | Ensure that Virtual Machine Image is zone resilient | Low | New |
| |||
| D9.AZU.NET.110 | Ensure that Cognitive Search, or AI Search Service, does not allow public network access | High | New |
| |||
| D9.AZU.OPE.30 | Ensure that Azure Cognitive Search, or Azure AI Search Service, has tags | Low | New |
| |||
| D9.AZU.OPE.31 | Ensure that Azure Cognitive Search, or Azure AI Search Service, has locks | Low | New |
| |||
| D9.AZU.OPE.32 | Ensure that the status of Azure Cognitive Search, or Azure AI Search Service, is not failed | High | New |
| |||
| D9.AZU.OPE.33 | Ensure statuses for Azure Cognitive Search, or Azure AI Search, Service's privateEndpointConnections and sharedPrivateLinks are not failed | High | New |
| |||
| D9.AZU.OPE.36 | Ensure that Virtual Machine Image is in succeeded state | High | New |
| |||
| D9.AZU.OPE.37 | Ensure that Virtual Machine Image OS Disk caching is enabled | Low | New |
| |||
| D9.AZU.OPE.38 | Ensure that Virtual Machine Image Data Disk caching is enabled | Low | New |
|
December 27 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.100 | Ensure that the AWS region's Amazon Glue Data Catalog objects and connection passwords are encrypted | High | New |
| |||
| D9.AWS.CRY.117 | Ensure HealthLake Datastore has data-at-rest encryption using KMS CMKs | High | New |
| |||
| D9.AWS.CRY.123 | Ensure that Amazon Translate custom terminology is encrypted using KMS CMKs | High | New |
| |||
| D9.AWS.IAM.23 | Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS Cognito User Pool | High | New |
| |||
| D9.AWS.OPE.124 | Ensure that Gateway Load Balancer should have tags | Informational | New |
| |||
| D9.AWS.OPE.125 | Ensure cross-zone load balancing is enabled for Gateway Load Balancer | Medium | New |
| |||
| D9.AWS.OPE.138 | Ensure that the Gateway Load Balancers status is Available | Low | New |
| |||
| D9.AWS.OPE.131 | Ensure Resource Access Manager customer managed permissions should have tags | Informational | New |
| |||
| D9.AWS.OPE.132 | Ensure shared AWS resources under Resource Access Manager should have tags | Informational | New |
| |||
| D9.AWS.OPE.134 | Ensure Amazon Outposts should have tags | Informational | New |
| |||
| D9.AWS.OPE.135 | Serverless Application Repositories should have labels | Low | New |
| |||
| D9.AWS.OPE.136 | Ensure Cognito Identity Pool should have tags | Informational | New |
| |||
| D9.AWS.OPE.137 | Ensure Cognito User Pool should have tags | Informational | New |
| |||
| D9.AWS.OPE.133 | Ensure HealthLake Datastore should have tags | Informational | New |
| |||
| D9.AZU.AS.04 | Ensure that a NetApp Files Account has an associated tag | Low | New |
| |||
| D9.AZU.CRY.67 | Synapse Workspace should have double encryption enabled | High | New |
| |||
| D9.AZU.CRY.68 | Encryption in transit is enabled for HD Insight clusters | High | New |
| |||
| D9.AZU.CRY.69 | Ensure that Enable Infrastructure Encryption is set for Azure Databricks workspace | High | New |
| |||
| D9.AZU.CRY.70 | Ensure that NetApp account active directories are using LDAP signing | High | New |
| |||
| D9.AZU.CRY.71 | Ensure that Azure Log Analytics Cluster has double encryption enabled | Low | New |
| |||
| D9.AZU.CRY.72 | Ensure that Azure Log Analytics Cluster is encrypted using a CMK | Low | New |
| |||
| D9.AZU.CRY.73 | Ensure that in Azure NetApp Files 'AES encryption' is set to 'Enabled' on any active directories | High | New |
| |||
| D9.AZU.CRY.74 | Ensure that in Azure NetApp Files 'encryptDCConnections' is not disabled on any active directories | High | New |
| |||
| D9.AZU.CRY.75 | Ensure that in Azure NetApp Files 'ldapOverTLS' is not disabled on amy active directories | High | New |
| |||
| D9.AZU.NET.103 | SynapseWorkspace should not allow public network access | High | New |
| |||
| D9.AZU.NET.104 | Ensure that Load Balancer should have tags | Low | New |
| |||
| D9.AZU.NET.105 | Ensure that Load Balancer should not have Public IP | High | New |
| |||
| D9.AZU.NET.106 | Ensure that Regional WAF should have Tags | Low | New |
| |||
| D9.AZU.NET.107 | Ensure that Regional Web Application Firewall (WAF) is Enabled | High | New |
| |||
| D9.AZU.NET.108 | Ensure that Global Web Application Firewall (WAF) is Enabled | High | New |
| |||
| D9.AZU.NET.109 | Ensure that Azure SQL Managed Instance public access is disabled | High | New |
| |||
| D9.AZU.OPE.19 | Ensure that Synapse Workspace should have tags | Low | New |
| |||
| D9.AZU.OPE.20 | Ensure that HD Insight should have Tags | Low | New |
| |||
| D9.AZU.OPE.21 | Ensure that Azure SQL Managed Instance should have tags | Low | New |
| |||
| D9.AZU.OPE.22 | Ensure that Azure Databricks workspace should have a name tag | Low | New |
| |||
| D9.AZU.OPE.23 | Ensure that Azure Virtual Network Manager should have tags | Low | New |
| |||
| D9.AZU.OPE.24 | Ensure that Azure Orbital Spacecraft has locks | Low | New |
| |||
| D9.AZU.OPE.25 | Ensure that Azure Orbital Spacecraft has tags | Low | New |
| |||
| D9.AZU.OPE.26 | Ensure that Azure Dedicated Host Group has tags | Low | New |
| |||
| D9.AZU.OPE.27 | Ensure that Azure Orbital Spacecraft's status is not failed | Low | New |
| |||
| D9.AZU.OPE.28 | Ensure that NetApp Account active directories are in an operational state | High | New |
| |||
| D9.AZU.OPE.29 | Ensure that Azure Log Analytics Cluster has tags | Low | New |
|
December 20 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.63 | Ensure that AWS Elastic Container Registry (ECR) image scanning is enabled | High | Modification |
|
|
|
|
| D9.AWS.AS.43 | Ensure that Amazon S3 Glacier should have tags | Low | New |
| |||
| D9.AWS.CRY.106 | Ensure X-Ray Encryption using KMS | Low | New |
| |||
| D9.AWS.CRY.113 | Ensure AWS Code Artifact Domain is using Customer managed key (CMK) KMS encryption | High | New |
| |||
| D9.AWS.CRY.149 | Ensure that CodeStar user profile should have SSH public key | High | New |
| |||
| D9.AWS.OPE.56 | Ensure that your Amazon ECS instances are using the latest ECS container agent version | Medium | Modification |
|
|
|
|
| D9.AWS.OPE.117 | Ensure AWS Transcribe Job has tags | Informational | New |
| |||
| D9.AWS.OPE.118 | Ensure AWS Medical Transcribe Job has tags | Informational | New |
| |||
| D9.AWS.OPE.119 | Ensure AWS X-Ray Group has tags | Low | New |
| |||
| D9.AWS.OPE.122 | Ensure that CodeStar should have tags | Informational | New |
| |||
| D9.AWS.OPE.126 | Endure AWS Code Artifact Repository has tags | Low | New |
| |||
| D9.AWS.OPE.127 | Ensure AWS Code Artifact Domain has tags | Low | New |
| |||
| D9.AWS.OPE.129 | Ensure AWS Global Accelerator has tags | Low | New |
| |||
| D9.AWS.OPE.130 | Ensure AWS Global Custom Accelerator has tags | Low | New |
| |||
| D9.AZU.NET.04 | Ensure Azure Firewall SKU is configured to Premium | High | New |
| |||
| D9.AZU.OPE.10 | Ensure Azure Firewall has tags | Low | New |
| |||
| D9.AZU.OPE.13 | Ensure that Azure Compute Gallery has tags | Low | New |
| |||
| D9.AZU.OPE.14 | Ensure that Azure Compute Gallery has locks | Low | New |
| |||
| D9.AZU.OPE.15 | Ensure that Azure Compute Gallery's status is not failed | Low | New |
| |||
| D9.AZU.OPE.16 | Ensure that Azure Compute Gallery's Image has tags | Low | New |
| |||
| D9.AZU.OPE.17 | Ensure that Azure Compute Gallery Image's status is not failed | Low | New |
| |||
| D9.AZU.OPE.18 | Ensure that Azure Data Share Account has tags | Low | New |
|
December 13 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.AS.42 | Ensure that AWS Firewall Manager Policy has an associated tag | Low | New |
| |||
| D9.AWS.CRY.56 | Ensure Managed Streaming for Apache Kafka (MSK) clusters have in-transit encryption enabled within the cluster and between clients and brokers | Critical | New |
| |||
| D9.AWS.CRY.75 | Ensure AWS MemoryDB for Redis clusters have Customer Managed CMK at-rest encryption | High | New |
| |||
| D9.AWS.CRY.87 | Ensure AWS MemoryDB for Redis manual snapshots have Customer Managed CMK encryption | High | New |
| |||
| D9.AWS.CRY.102 | Ensure AWS MemoryDB for Redis clusters have in-transit encryption enabled | High | New |
| |||
| D9.AWS.DR.15 | Ensure MemoryDB for Redis clusters have automatic snapshots enabled | Low | New |
| |||
| D9.AWS.IAM.21 | Ensure Managed Streaming for Apache Kafka (MSK) clusters have only authenticated access | High | New |
| |||
| D9.AWS.IAM.22 | Ensure Managed Streaming for Apache Kafka (MSK) clusters do not allow public access | High | New |
| |||
| D9.AWS.LOG.11 | Ensure Managed Streaming for Apache Kafka (MSK) clusters have log delivery configured | Low | New |
| |||
| D9.AWS.LOG.26 | Ensure AWS WAFv2 Web ACL logging should be enabled | Low | New |
| |||
| D9.AWS.MON.18 | Ensure Managed Streaming for Apache Kafka (MSK) clusters have enhanced monitoring configured | Low | New |
| |||
| D9.AWS.OPE.18 | Ensure Managed Streaming for Apache Kafka (MSK) clusters have tags | Low | New |
| |||
| D9.AWS.OPE.43 | Ensure that AWS MemoryDB for Redis snapshot has tags | Low | New |
| |||
| D9.AWS.OPE.49 | Ensure MemoryDB for Redis cluster is updated | High | New |
| |||
| D9.AWS.OPE.58 | Ensure that AWS MemoryDB for Redis clusters have tags | Low | New |
| |||
| D9.AWS.OPE.111 | Ensure AWS SimSpace Weaver Simulation have tags | Low | New |
| |||
| D9.AWS.OPE.112 | Ensure AWS WAFv2 Web ACL has tags | Low | New |
| |||
| D9.AWS.OPE.113 | Ensure that the AWS Firewall Manager Policy removes protection from unused resources | Low | New |
| |||
| D9.AWS.OPE.114 | Ensure that the AWS Firewall Manager Account is in a Healthy State | Low | New |
| |||
| D9.AWS.OPE.115 | Ensure that the AWS Firewall Manager Policy automatically remediates non-compliant resources | Low | New |
| |||
| D9.AWS.OPE.116 | Ensure that the AWS Firewall Manager Policy is in a healthy state | High | New |
| |||
| D9.AZU.AS.03 | Ensure that an Event Grid namespace has an associated tag | Low | New |
| |||
| D9.AZU.CRY.02 | Ensure that Event Grid Namespace's minimum TLS version is set to 1.2 | High | New |
| |||
| D9.AZU.NET.101 | Ensure that Event Grid Namespace is not open to public IPs | High | New |
| |||
| D9.AZU.NET.102 | Ensure that Event Grid Namespace does not allow public network access | High | New |
| |||
| D9.AZU.OPE.07 | Ensure that Azure Stream Analytics Cluster has locks | Low | New |
| |||
| D9.AZU.OPE.08 | Ensure that Azure Stream Analytics Cluster has tags | Low | New |
| |||
| D9.AZU.OPE.09 | Ensure that Azure Stream Analytics Cluster's status is not failed | Low | New |
| |||
| D9.AZU.OPE.11 | Ensure that Event Grid Namespace's private endpoint connections are not in a failed state | High | New |
| |||
| D9.AZU.OPE.12 | Ensure Event Grid Namespace is not in Failed state | High | New |
| |||
| D9.AWS.NET.60 | Ensure that NAT gateway is not associated in a private subnet | Medium | Removal |
|
December 06 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.IAM.01 | Eliminate use of the 'root' user for administrative and daily tasks | High | Modification |
|
|
|
|
| D9.AWS.IAM.16 | Ensure no 'root' user account access key exists | High | Modification |
|
|
|
|
| D9.AZU.NET.66 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Critical | Modification |
|
|
|
|
| D9.AWS.IAM.149 | Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS root account | High | Modification |
|
|
|
|
| D9.AWS.CRY.101 | Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirement | Critical | Modification |
|
|
|
|
| D9.AWS.CRY.146 | Ensure that FinSpace Environment is encrypted using CMK | Low | New |
| |||
| D9.AWS.DR.22 | Ensure Elastic Disaster Recovery Replication status is not giving any error | Low | New |
| |||
| D9.AWS.IAM.146 | Ensure that root account credentials have not been used recently to access your AWS account | High | Modification |
|
|
|
|
| D9.AWS.MON.47 | Ensure Email Address is added for each Amazon Detective's Member | Low | New |
| |||
| D9.AWS.MON.48 | Ensure Amazon QuickSight has Termination Protection Enabled | Low | New |
| |||
| D9.AWS.NET.140 | Ensure VPN Gateway is Available | Low | New |
| |||
| D9.AWS.OPE.15 | Ensure that AWS Timestream Database has tags | Low | New |
| |||
| D9.AWS.OPE.17 | Ensure that AWS Timestream Table has tags | Low | New |
| |||
| D9.AWS.OPE.110 | Ensure that AWS Personalize has tags | Low | New |
| |||
| D9.AZU.OPE.06 | Ensure that Azure Power BI Embedded Capacity has tags | Low | New |
| |||
| D9.AWS.CRY.73 | Ensure that user Volume Encryption is enabled for AWS Workspace | High | Removal |
| |||
| D9.AWS.CRY.74 | Ensure that root Volume Encryption is enabled for AWS Workspace | High | Removal |
| |||
| D9.AWS.OPE.53 | Ensure Amazon Organizations is in use to consolidate all your AWS accounts into an organization | Medium | Removal |
| |||
| D9.AWS.OPE.59 | Ensure unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices | Low | Removal |
| |||
| D9.AZU.NET.67 | Ensure that Containers and its blobs are not exposed publicly | Critical | Removal |
|
November 29 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.IAM.189 | Ensure that Authorization Type in API Gateway is not set to None | High | New |
| |||
| D9.AWS.CRY.103 | Ensure that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using Customer-managed Customer Master Keys | High | Modification |
|
|
|
|
| D9.AWS.OPE.107 | Ensure that DAX Parameter Group doesn't require reboot | High | New |
| |||
| D9.AWS.OPE.108 | Ensure that Compute Optimizer has no high performance risk ratings | Low | New |
| |||
| D9.AWS.OPE.109 | Ensure that AWS Data Exchange Dataset has tags | Low | New |
| |||
| D9.AZU.OPE.05 | Ensure that Chaos Studio Experiment's status is not failed | Low | New |
| |||
| D9.AWS.NET.67 | Ensure that all authorization Type in API Gateway are not set to None | High | Removal |
| |||
| D9.AWS.CRY.146 | Ensure that FinSpace Environment is encrypted using CMK | Low | Removal |
|
November 22 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.LOG.17 | Ensure that Endpoint Protection for all Windows Virtual Machines is installed | High | Modification |
|
|
|
|
| D9.AWS.IAM.185 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | Low | New |
| |||
| D9.AWS.NET.90 | Ensure that EC2 Metadata Service only allows IMDSv2 | High | Modification |
|
|
|
|
| D9.AWS.IAM.186 | Ensure that Data Lake's 'allowFullTableExternalDataAccess' setting is disabled | High | New |
| |||
| D9.K8S.IAM.93 | Ensure that a limit is set on pod PIDs (Kubelet) | High | New |
| |||
| D9.AWS.CRY.56 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | Low | Removal |
|
November 15 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.NET.95 | Ensure API Gateway has WAF | Low | Modification |
|
|
|
|
| D9.AWS.AS.38 | Ensure that FinSpace Environment has an associated tag | Low | New |
| |||
| D9.AWS.AS.39 | Ensure that Comprehend Flywheel has an associated tag | Low | New |
| |||
| D9.AWS.AS.40 | Ensure that Comprehend Endpoint has an associated tag | Low | New |
| |||
| D9.AWS.AS.41 | Ensure that AWS Config Rule has an associated tag | Low | New |
| |||
| D9.AWS.CRY.148 | Ensure that Forecast Predictor is encrypted using CMK | Low | New |
| |||
| D9.AWS.CRY.147 | Ensure that Forecast Dataset is encrypted using CMK | Low | New |
| |||
| D9.AWS.CRY.142 | Ensure that Comprehend Flywheel's model is encrypted with CMK | Low | New |
| |||
| D9.AWS.CRY.143 | Ensure that Comprehend Flywheel's volume is encrypted with CMK | Low | New |
| |||
| D9.AWS.CRY.144 | Ensure that CloudSearch Domain enforces HTTPS | High | New |
| |||
| D9.AWS.CRY.145 | Ensure that your CloudSearch Domain is enforcing a minimum TLS security policy of version 1.2 | High | New |
| |||
| D9.AWS.CRY.146 | Ensure that FinSpace Environment is encrypted using CMK | Low | New |
| |||
| D9.AWS.IAM.184 | Ensure unused IAM users are removed from AWS account to follow security best practice | Medium | New |
| |||
| D9.AWS.NET.139 | Ensure that your Amazon Comprehend Flywheel uses a VPC | Medium | New |
| |||
| D9.AWS.OPE.91 | Ensure that FinSpace Environment status is healthy | High | New |
| |||
| D9.AWS.OPE.104 | Ensure that Forecast Predictor has tags | Low | New |
| |||
| D9.AWS.OPE.105 | Ensure that Forecast Predictor status is healthy | High | New |
| |||
| D9.AWS.OPE.103 | Ensure that Forecast Dataset has tags | Low | New |
| |||
| D9.AWS.OPE.93 | Ensure that Verified Permissions Policy Store has validation enabled | High | New |
| |||
| D9.AWS.OPE.94 | Ensure that Comprehend Flywheel's status is not failed | High | New |
| |||
| D9.AWS.OPE.95 | Ensure that Comprehend Endpoint's status is not failed | High | New |
| |||
| D9.AWS.OPE.96 | Ensure that the status of the CloudSearch Domain is healthy | High | New |
| |||
| D9.AWS.OPE.99 | Ensure that Forecast Monitor has tags | Low | New |
| |||
| D9.AWS.OPE.102 | Ensure that Forecast Monitor status is healthy | High | New |
| |||
| D9.AWS.OPE.97 | Ensure that Forecast Explainability has tags | Low | New |
| |||
| D9.AWS.OPE.98 | Ensure that Forecast has tags | Low | New |
| |||
| D9.AWS.OPE.100 | Ensure that Forecast Explainability status is healthy | High | New |
| |||
| D9.AWS.OPE.101 | Ensure that Forecast status is healthy | High | New |
| |||
| D9.AWS.OPE.106 | Ensure that Forecast Dataset Group has tags | Low | New |
| |||
| D9.K8S.AC.24 | CVE-2022-0811: Prevent pods from having securityContext with sysctls that contains + or = | Critical | Modification |
|
|
|
|
| D9.K8S.IA.21 | Package of Unknown Severity | Informational | Modification |
|
|
|
|
| D9.AWS.CRY.106 | Ensure unused IAM users are removed from AWS account to follow security best practice | Medium | Removal |
|
November 08 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.NET.01 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to SSH (TCP:22) | Critical | New |
| |||
| D9.AWS.NET.02 | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to RDP (TCP:3389) | Critical | New |
| |||
| D9.AWS.NET.91 | Ensure no security groups allow unrestricted ingress to commonly used remote server administration ports | Critical | Modification |
|
|
|
|
| D9.AWS.AS.30 | Ensure that Lightsail Distribution has an associated tag | Low | New |
| |||
| D9.AWS.AS.32 | Ensure that Nimble Studio has tags | Low | New |
| |||
| D9.AWS.AS.34 | Ensure that Lightsail Relational Database has an associated tag | Low | New |
| |||
| D9.AWS.AS.35 | Ensure that AppRunner Autoscaling Configuration has an associated tag | Low | New |
| |||
| D9.AWS.AS.36 | Ensure that CloudHSM Cluster has an associated tag | Low | New |
| |||
| D9.AWS.AS.37 | Ensure that CloudHSM Backup has an associated tag | Low | New |
| |||
| D9.AWS.CRY.140 | Ensure that Nimble Studio is encrypted | High | New |
| |||
| D9.AWS.CRY.141 | Ensure that Nimble Studio is encrypted using CMK | Low | New |
| |||
| D9.AWS.DR.19 | Ensure that Lightsail Relational Database has a recent snapshot | High | New |
| |||
| D9.AWS.DR.20 | Ensure that Lightsail Relational Database has Backup Retention enabled | High | New |
| |||
| D9.AWS.DR.21 | Ensure that CloudHSM Cluster has a backup retention of at least 30 days | Low | New |
| |||
| D9.AWS.NET.137 | Ensure that Lightsail Distribution doesn't allow unrestricted operations via HTTP requests | Low | New |
| |||
| D9.AWS.NET.138 | Ensure that Lightsail Relational Database is not publicly accessible | High | New |
| |||
| D9.AWS.OPE.86 | Ensure that AWS account's Support Level is 'Business' or 'Enterprise' | Low | New |
| |||
| D9.AWS.OPE.88 | Ensure that Nimble Studio status is healthy | High | New |
| |||
| D9.AWS.OPE.89 | Ensure that Connect Instance status is healthy | High | New |
| |||
| D9.AWS.OPE.90 | Ensure that CloudHSM Cluster is in an operational state | High | New |
| |||
| D9.AWS.OPE.92 | Ensure that the CloudHSM Cluster does not have any Hardware Security Modules (HSMs) in a degraded state | High | New |
| |||
| D9.AZU.IAM.59 | Configure your Microsoft Azure virtual machines to use Azure Active Directory credentials for secure authentication. | Low | Modification |
|
|
|
|
| D9.AWS.NET.77 | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Critical | Removal |
| |||
| D9.AWS.CRY.100 | Ensure that Amazon Glue Data Catalog objects and connection passwords are encrypted | High | Removal |
|
November 01 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.IAM.175 | MFA should be Active for All IAM Users | High | New |
| |||
| D9.AZU.IAM.46 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | High | Modification |
|
|
|
|
| D9.AZU.IAM.47 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | High | Modification |
|
|
|
|
| D9.AWS.AS.20 | Ensure AppRunner Service has an associated tag | Low | New |
| |||
| D9.AWS.AS.21 | Ensure that Lightsail Domain has an associated tag | Low | New |
| |||
| D9.AWS.AS.25 | Ensure that MWAA Environment has an associated tag | Low | New |
| |||
| D9.AWS.AS.27 | Ensure that ACM Private Certificate Authority has an associated tag | Low | New |
| |||
| D9.AWS.AS.28 | Ensure that Directory Service Directories have an associated tag | Low | New |
| |||
| D9.AWS.AS.29 | Ensure that AppRunner Connection has an associated tag | Low | New |
| |||
| D9.AWS.AS.31 | Ensure that AppRunner VPC Connector has an associated tag | Low | New |
| |||
| D9.AWS.CRY.136 | Ensure that AppRunner Service is encrypted using CMK | Low | New |
| |||
| D9.AWS.CRY.137 | Ensure that the ACM Private Certificate Authority is not set to expire within the next 7 days | High | New |
| |||
| D9.AWS.CRY.138 | Ensure that AppFabric App Bundle is encrypted using CMK | Low | New |
| |||
| D9.AWS.CRY.139 | Ensure that MWAA Environment is encrypted with CMK | High | New |
| |||
| D9.AWS.IAM.180 | Ensure that Single Sign-On (SSO) is enabled for DS Directory | Low | New |
| |||
| D9.AWS.IAM.182 | Ensure that DS Directory's RADIUS server is configured and in healthy state | High | New |
| |||
| D9.AWS.IAM.183 | Ensure that DS Directory RADIUS authentication protocol is configured and not set to 'PAP' | Low | New |
| |||
| D9.AWS.MON.45 | Ensure that MWAA Environment's status is healthy | High | New |
| |||
| D9.AWS.MON.46 | Ensure that AWS Lightsail Domain's name server update state is not failed | High | New |
| |||
| D9.AWS.NET.134 | Ensure that AppRunner Service not publicly accessible through the internet | High | New |
| |||
| D9.AWS.NET.135 | Ensure that AppRunner Service outgoing traffic is not routed directly to public internet | Medium | New |
| |||
| D9.AWS.NET.136 | Ensure that MWAA Environment webserver access mode is set to private only | Critical | New |
| |||
| D9.AWS.OPE.73 | Ensure AppRunner Service has observability enabled | Low | New |
| |||
| D9.AWS.OPE.74 | Make sure the AppRunner Service was created without any issues. | High | New |
| |||
| D9.AWS.OPE.75 | Ensure that the common name for your ACM Private Certificate Authority is a Fully Qualified Domain Name (FQDN) | Low | New |
| |||
| D9.AWS.OPE.76 | Ensure that AppFabric App Bundle has tags | Low | New |
| |||
| D9.AWS.OPE.77 | Ensure that AppRunner Connection is in healthy state | High | New |
| |||
| D9.AWS.OPE.78 | Ensure that Support Case status is not 'pending-customer-action' | Low | New |
| |||
| D9.AWS.OPE.79 | Ensure AWS MWAA Environment's last-update status is not failed | High | New |
| |||
| D9.AWS.OPE.80 | Ensure that the Private Certificate Authority's status is not expired or failed | High | New |
| |||
| D9.AWS.OPE.81 | Ensure that MWAA Environment DagProcessingLogs are enabled | Low | New |
| |||
| D9.AWS.OPE.82 | Ensure that MWAA Environment SchedulerLogs are enabled | Low | New |
| |||
| D9.AWS.OPE.83 | Ensure that MWAA Environment TaskLogs are enabled | Low | New |
| |||
| D9.AWS.OPE.84 | Ensure that MWAA Environment WebserverLogs are enabled | Low | New |
| |||
| D9.AWS.OPE.85 | Ensure that AWS MWAA Environment WorkerLogs are enabled | Low | New |
| |||
| D9.AWS.OPE.87 | Ensure that the DS Directory is in healthy state | High | New |
| |||
| D9.K8S.IA.21 | Package of Unknown Severity | Informational | Modification |
|
|
|
|
October 25 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.DR.03 | Ensure AWS RDS retention policy is at least 7 days | High | Modification |
|
|
|
|
| D9.AWS.AS.24 | Ensure that AWS MediaTailor Source Location has tags | Low | New |
| |||
| D9.AWS.AS.26 | Ensure Lightsail Disk has an associated tag | Low | New |
| |||
| D9.AWS.IAM.179 | Ensure MediaTailor Source Location has access authentication configured | High | New |
| |||
| D9.AWS.MON.43 | Ensure AWS Lightsail Disk's state is not error or unknown | High | New |
| |||
| D9.AWS.MON.44 | Ensure AWS Lightsail Disk's auto-mount status is not failed | High | New |
| |||
| D9.AWS.NET.127 | Ensure no security group allows inbound access on a range of ports | High | Modification |
|
|
|
|
| D9.AWS.NET.129 | Ensure AWS VPC does not allow unauthorized peering | High | Modification |
|
|
|
|
| D9.AWS.OPE.67 | Ensure that Batch Job Compute Environment has tags | Low | New |
| |||
| D9.AWS.OPE.68 | Ensure that Batch Job Definition has tags | Low | New |
| |||
| D9.AWS.OPE.69 | Ensure that Batch Job Compute Environment's state is not 'INVALID' | Low | New |
| |||
| D9.AWS.OPE.70 | Ensure that Signer Job status is not 'Failed' | High | New |
| |||
| D9.AWS.OPE.71 | Ensure that your AWS AppStream 2.0 Usage Report Subscriptions are healthy | High | New |
| |||
| D9.AWS.OPE.72 | Ensure that your AWS AppStream 2.0 Usage Report was generated in the last 30 days | High | New |
| |||
| D9.AWS.DR.14 | Ensure AWS RDS instances have Automated Backups feature enabled | High | Removal |
|
October 18 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.LOG.24 | Ensure Object-level Logging of Read Events is Enabled for S3 Buckets | High | Modification |
|
|
|
|
| D9.AWS.AS.12 | Ensure Lightsail Load Balancer has an associated tag | Low | New |
| |||
| D9.AWS.AS.13 | Ensure Lightsail Instance has an associated tag | Low | New |
| |||
| D9.AWS.AS.16 | Ensure CodePipeline Webhook has an associated tag | Low | New |
| |||
| D9.AWS.AS.17 | Ensure that AWS MediaTailor Playback Configuration has tags | Low | New |
| |||
| D9.AWS.AS.18 | Ensure that AWS MediaTailor Channel has tags | Low | New |
| |||
| D9.AWS.AS.19 | Ensure KeySpace has an associated tag | Low | New |
| |||
| D9.AWS.AS.22 | Ensure that Signer Profile has tags | Low | New |
| |||
| D9.AWS.AS.23 | Ensure that DAX Cluster has tags | Low | New |
| |||
| D9.AWS.CRY.128 | Ensure that Amazon Lightsail Load Balancer has HTTPS redirection enabled | High | New |
| |||
| D9.AWS.CRY.130 | Ensure Lightsail instances are have a user generated SSH keys in order to have full control over the authentication process | Low | New |
| |||
| D9.AWS.CRY.131 | Ensure that Amazon Lightsail Load Balancer SSL/TLS certificate exists and is attached | High | New |
| |||
| D9.AWS.CRY.132 | Ensure that CodePipeline Webhooks require authentication to be triggered | High | New |
| |||
| D9.AWS.CRY.133 | Ensure DevOps Guru Service Integration is encrypted with CMK | Low | New |
| |||
| D9.AWS.CRY.134 | Ensure that DAX Cluster encryption type should be TLS | High | New |
| |||
| D9.AWS.CRY.135 | Ensure that DAX Cluster has server side encryption enabled | High | New |
| |||
| D9.AWS.IAM.167 | Ensure that AWS Lambda IAM policy should not be overly permissive to all traffic | High | Modification |
|
|
|
|
| D9.AWS.IAM.176 | EC2 with IAM role attached should not have iam:PassRole and ec2:RunInstances permissions | Low | New |
| |||
| D9.AWS.IAM.177 | There should be no AWS role having iam:PassRole and lambda:InvokeFunction permissions attached to an EC2 instance | Low | New |
| |||
| D9.AWS.IAM.178 | There should not be any AWS Lambda having an IAM role with Amazon RDS database SQL query execution permissions | Low | New |
| |||
| D9.AWS.LOG.56 | Ensure that AWS MediaTailor Playback Configuration has 100% logging enabled. | Low | New |
| |||
| D9.AWS.LOG.57 | Ensure DevOps Guru Service Integration has Anomaly Detection logging enabled | Low | New |
| |||
| D9.AWS.NET.1027 | Ensure that Lightsail Instances isn't exposed to the public internet | High | New |
| |||
| D9.AWS.OPE.62 | Ensure that your AWS Lightsail Load Balancers are healthy | High | New |
| |||
| D9.AWS.OPE.63 | Ensure that your AWS Lightsail Load Balanced Instances are healthy | High | New |
| |||
| D9.AWS.OPE.64 | Ensure that Batch Job Queue has tags | Low | New |
| |||
| D9.AWS.OPE.65 | Ensure that Kinesis Analytics Application has tags | Low | New |
| |||
| D9.AWS.OPE.66 | Ensure that DevOps Guru Service Integration has the OpsCenter feature enabled | Low | New |
| |||
| D9.AWS.NET.1014 | Ensure AWS Redshift non-default parameter groups require SSL to secure data in transit | Critical | Removal |
|
October 11 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.CRY.33 | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | High | Modification |
|
|
|
|
| D9.AZU.IAM.66 | Ensure Azure groups are Security Enabled | Low | New |
| |||
| D9.AZU.IAM.67 | Ensure App Registration has Expiration Date set for all Client Secrets | Low | New |
| |||
| D9.AWS.CRY.86 | Connections to Amazon Redshift clusters should be encrypted in transit | Medium | Modification |
|
|
|
|
| D9.AWS.AS.15 | ECS Task Definitions should Limit Memory Usage for Containers | High | New |
| |||
| D9.AWS.AS.14 | ECS Task Definitions should Mount the Root File System as Read-only | High | New |
| |||
| D9.AWS.CRY.129 | EKS Cluster should have Secrets Encrypted | Critical | New |
| |||
| D9.AWS.IAM.174 | Ensure AWS IAM SSH public keys are rotated on a periodic basis as a security best practice | Low | New |
| |||
| D9.AWS.NET.1011 | Ensure that your CloudFront distributions are using an origin access identity for their origin S3 buckets | High | Modification |
|
|
|
|
| D9.AWS.NET.122 | Instances should have Source/Destination Check Enabled when Not Using NAT | High | Modification |
|
|
|
|
| D9.AWS.NET.133 | Ensure that your Amazon RDS database cluster snapshots are not accessible to all AWS accounts | Critical | New |
| |||
| D9.AZU.CRY.66 | Ensure that Private Key Vaults are used for Encryption at Rest in Azure Kubernetes Service (AKS) | High | New |
| |||
| D9.AZU.IAM.68 | Ensure that System-Assigned Managed Identities are used for AKS Clusters | High | New |
| |||
| D9.AZU.IAM.69 | Ensure that the Network Contributor Role is used for managing Azure Network Resources | High | New |
| |||
| D9.AZU.NET.100 | Ensure that the Kubernetes API version for AKS clusters is the latest | High | New |
| |||
| D9.AWS.NET.01 | Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22) | Critical | Removal |
| |||
| D9.AWS.NET.02 | Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) | Critical | Removal |
|
October 04 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.NET.23 | Ensure to filter source IP addresses for Cosmos DB Account | Medium | Modification |
|
|
|
|
| D9.AWS.IAM.173 | API Gateway Routes should Specify an Authorization Type | High | New |
| |||
| D9.GCP.NET.68 | Ensure there are no VPC firewall rules that allow unrestricted inbound access to Cassandra ports (TCP - 7000, 7001, 7199, 8888, 9042, 9160, 61620 and 61621) | High | New |
| |||
| D9.GCP.NET.69 | Ensure there are no VPC firewall rules that allow unrestricted inbound access to TCP port 9090 (Ciscosecure websm) | High | New |
| |||
| D9.GCP.NET.70 | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP ports 9200 and 9300 (Elasticsearch) | High | New |
| |||
| D9.GCP.NET.71 | Ensure there are no VPC firewall rules that allow unrestricted inbound access to TCP ports 636 and 389 and UDP port 389 (LDAP) | High | New |
| |||
| D9.GCP.NET.72 | Ensure there are no VPC firewall rules that allow unrestricted inbound access to TCP or UDP on ports 11211, 11214 and 11215 (Memcached) | High | New |
| |||
| D9.GCP.NET.73 | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 6379 (Redis) | High | New |
| |||
| D9.AWS.OPE.60 | Ensure that Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates | Medium | New |
| |||
| D9.AWS.OPE.61 | Ensure that all instances in the Auto Scaling Group are Healthy | Medium | New |
| |||
| D9.AWS.VLN.14 | Ensure that EC2 instances do not have critical vulnerabilities | Critical | New |
| |||
| D9.AWS.VLN.15 | Ensure that EC2 instances do not have high-severity vulnerabilities | High | New |
| |||
| D9.AWS.ERM.01 | Exposed workload with critical/high severity vulnerability and elevated privileges (EC2 Instance) | High | New |
| |||
| D9.AWS.ERM.02 | Exposed storage asset with sensitive data (S3 bucket) | High | New |
| |||
| D9.AWS.ERM.03 | Third party with elevated privileges | High | New |
| |||
| D9.AWS.ERM.04 | Exposed workload with elevated privileges (ECS Service) | Medium | New |
| |||
| D9.AWS.ERM.05 | Exposed workload with elevated privileges (EC2 Instance) | Medium | New |
| |||
| D9.AWS.ERM.06 | Exposed workload with elevated privileges (Lambda Function) | Medium | New |
| |||
| D9.AZU.CRY.65 | Ensure that Automation account variables are encrypted | Critical | New |
| |||
| D9.AZU.IAM.65 | Ensure that AKS local accounts are disabled | Low | New |
| |||
| D9.AZU.NET.99 | Ensure that Data Factory public access is disabled | High | New |
| |||
| D9.AZU.VLN.03 | Ensure that VirtualMachines do not have critical vulnerabilities | Critical | New |
| |||
| D9.AZU.VLN.04 | Ensure that VirtualMachines do not have high-severity vulnerabilities | High | New |
| |||
| D9.AZU.ERM.01 | Exposed workload with critical/high severity vulnerability and elevated privileges (Virtual Machine) | High | New |
| |||
| D9.AZU.ERM.02 | Exposed workload with elevated privileges (Virtual Machine) | Medium | New |
| |||
| D9.GCP.IAM.45 | Ensure that IAM permission are not assigned to users | Low | New |
|
September 27 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.LOG.55 | Ensure AppSync should have request-level and field-level logging turned on | Low | New |
| |||
| D9.AWS.NET.60 | Ensure that NAT gateway is not associated in a private subnet | Medium | Modification |
|
|
|
|
| D9.AWS.CRY.127 | Ensure Athena workgroups should be encrypted at rest | High | New |
| |||
| D9.AWS.IAM.151 | Ensure that AWS CloudTrail should not have delete or full permission | High | New |
| |||
| D9.AWS.IAM.172 | Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days) | Low | New |
| |||
| D9.AWS.NET.132 | Ensure that the Amazon VPC peering connection configuration is compliant with the desired routing policy | High | New |
| |||
| D9.AWS.NET.130 | Ensure AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA) | Medium | New |
| |||
| D9.AZU.CRY.64 | Ensure to enable infrastructure double encryption for Data Explorer clusters | Critical | New |
| |||
| D9.GCP.IAM.44 | Ensure the 'cloudsql_iam_authentication' is enabled for your MySQL and PostgreSQL instances | Medium | New |
| |||
| D9.GCP.MON.03 | Ensure GKE Cloud Monitoring is enabled for your clusters | Medium | New |
| |||
| D9.GCP.OPE.14 | Ensure VM instances have secure boot enabled | Low | New |
| |||
| D9.GCP.OPE.15 | Ensure your DataProc clusters don't use outdated images | Low | New |
| |||
| D9.OCI.CRY.06 | Ensure OCI Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Low | New |
| |||
| D9.AWS.LOG.26 | Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days) | Low | Removal |
| |||
| D9.AWS.NET.124 | Ensure appropriate subscribers to all your AWS Simple Notification Service (SNS) topics | High | Removal |
| |||
| D9.GCP.NET.66 | Ensure that your backend services are enforcing HTTPS | High | Removal |
|
September 20 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.NET.04 | Ensure the default security group of every VPC restricts all traffic | Critical | Modification |
|
|
|
|
| D9.AWS.CRY.36 | Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs) | High | Modification |
|
|
|
|
| D9.AWS.DR.03 | Ensure AWS RDS retention policy is at least 7 days | Medium | Modification |
|
|
|
|
| D9.AWS.VLN.03 | Amazon GuardDuty service is enabled in the region | Low | Modification |
|
|
|
|
| D9.GCP.IAM.08 | Ensure Kubernetes Cluster is created with Client Certificate disabled | High | Modification |
|
|
|
|
| D9.AWS.CRY.116 | Ensure that Amazon Neptune graph database instances are encrypted | High | New |
| |||
| D9.AWS.CRY.119 | Ensure KMS Customer Master Keys (CMK) are in use to have full control over the encryption / decryption process | High | New |
| |||
| D9.AWS.CRY.122 | Ensure IAM SSH public keys used for AWS CodeCommit are rotated on a periodic basis to adhere to AWS security best practices (45 days) | Medium | New |
| |||
| D9.AWS.CRY.124 | Ensure that envelope encryption of Kubernetes secrets using Amazon KMS is enabled | Critical | New |
| |||
| D9.AWS.CRY.125 | Ensure AWS Glue connection has SSL configured | High | New |
| |||
| D9.AWS.CRY.126 | Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices | High | New |
| |||
| D9.AWS.DNS.09 | Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain | Medium | New |
| |||
| D9.AWS.DR.06 | Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion | Critical | Modification |
|
|
|
|
| D9.AWS.IAM.164 | Ensure that your AWS root account is not using access keys as a security best practice | Critical | New |
| |||
| D9.AWS.IAM.165 | Ensure IAM Roles should not have Administrator Access Permissions | High | New |
| |||
| D9.AWS.IAM.166 | Ensure that AWS resources are not publicly accessible through IAM policies. | High | New |
| |||
| D9.AWS.IAM.167 | Ensure that AWS Lambda IAM policy should not overly permissive to all traffic | High | New |
| |||
| D9.AWS.IAM.168 | Ensure that AWS Secrets Manager Secrets are not publicly accessible through IAM policies | High | New |
| |||
| D9.AWS.IAM.169 | Ensure AWS IAM User's SSH public key is rotated every 90 days or less | High | New |
| |||
| D9.AWS.IAM.170 | Detect when a canary token access key has been used | Critical | New |
| |||
| D9.AWS.IAM.171 | Ensure AWS KMS Key should not be publicly accessible through IAM policies | High | New |
| |||
| D9.AWS.LOG.41 | Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level | Medium | New |
| |||
| D9.AWS.LOG.42 | Ensure that at-rest encryption is enabled when writing Amazon Glue logs to CloudWatch Logs | Medium | New |
| |||
| D9.AWS.LOG.43 | Ensure AWS S3 Buckets configuration changes are being monitored using CloudWatch alarms | Medium | New |
| |||
| D9.AWS.LOG.44 | Ensure AWS Route Tables configuration changes are being monitored using CloudWatch alarms | Medium | New |
| |||
| D9.AWS.LOG.45 | Ensure Root Account Usage is being monitored using CloudWatch alarms | High | New |
| |||
| D9.AWS.LOG.46 | Ensure AWS Network ACLs configuration changes are being monitored using CloudWatch alarms | Medium | New |
| |||
| D9.AWS.LOG.47 | Ensure your AWS Console authentication process is being monitored using CloudWatch alarms | Medium | New |
| |||
| D9.AWS.LOG.48 | Ensure AWS CMK configuration changes are being monitored using CloudWatch alarms | Medium | New |
| |||
| D9.AWS.LOG.49 | Monitor for AWS Console Sign-In Requests Without MFA | Medium | New |
| |||
| D9.AWS.LOG.50 | Ensure ElasticSearch domain Index slow logs should be enabled | Low | New |
| |||
| D9.AWS.LOG.51 | Ensure ElasticSearch domain Search Slow Logs should be enabled | Low | New |
| |||
| D9.AWS.LOG.52 | Ensure Amazon Config log files are delivered as expected | Medium | New |
| |||
| D9.AWS.LOG.53 | Ensure AWS VPC configuration changes are being monitored using CloudWatch alarms | Medium | New |
| |||
| D9.AWS.LOG.54 | Ensure AWS VPC Customer/Internet Gateway configuration changes are being monitored using CloudWatch alarms | High | New |
| |||
| D9.AWS.MON.31 | Ensure there are no empty AWS Auto Scaling Groups (ASGs) | Medium | Modification |
|
|
|
|
| D9.AWS.MON.33 | Ensure that each AWS Auto Scaling Group has an associated Elastic Load Balancer | Low | Modification |
|
|
|
|
| D9.AWS.MON.41 | Ensure that a data repository bucket is defined for Amazon Macie within each AWS region | Medium | New |
| |||
| D9.AWS.MON.42 | Ensure AWS AppSync attached WAFv2 ACL configured with AMR to mitigate Log4j Vulnerability | High | New |
| |||
| D9.AWS.NET.1019 | Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS | High | Modification |
|
|
|
|
| D9.AWS.NET.1026 | Ensure that AWS EKS security groups are configured to allow incoming traffic only on TCP port 443 | Medium | New |
| |||
| D9.AWS.NET.110 | Ensure no security group allows unrestricted inbound access to TCP port 1521 | High | New |
| |||
| D9.AWS.NET.111 | Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices | High | New |
| |||
| D9.AWS.NET.112 | Ensure that no Amazon EC2 security group allows unrestricted outbound access | Low | New |
| |||
| D9.AWS.NET.113 | Ensure that Amazon Security Hub findings are analyzed and resolved | High | New |
| |||
| D9.AWS.NET.114 | Ensure that Amazon Macie was run in the last 30 days and its security findings are highlighted, analyzed, and resolved | High | New |
| |||
| D9.AWS.NET.115 | Ensure no security group allows unrestricted inbound access to TCP port 5432 | High | New |
| |||
| D9.AWS.NET.117 | Ensure no security group allows unrestricted inbound access to TCP port 135 (RPC) | High | New |
| |||
| D9.AWS.NET.118 | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 25 (SMTP) | High | New |
| |||
| D9.AWS.NET.119 | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 23 | High | New |
| |||
| D9.AWS.NET.122 | Ensure AWS IAM SSH public keys are rotated on a periodic basis as a security best practice | Low | New |
| |||
| D9.AWS.NET.123 | Ensure that AWS route tables with VPC peering are not excessively permissive to all traffic | High | New |
| |||
| D9.AWS.NET.124 | Ensure appropriate subscribers to all your AWS Simple Notification Service (SNS) topics | High | New |
| |||
| D9.AWS.NET.125 | Ensure that your AWS SES identities (domains and/or email addresses) are not exposed to everyone | High | New |
| |||
| D9.AWS.NET.126 | Ensure AWS EMR Cluster's Master Security Group does not allow all traffic to port 8088 | High | New |
| |||
| D9.AWS.NET.127 | Ensure no security group allows inbound access on a range of ports | High | New |
| |||
| D9.AWS.NET.128 | Ensure EC2 instances are launched using the EC2-VPC platform instead of the EC2-Classic outdated platform | High | New |
| |||
| D9.AWS.NET.129 | Ensure AWS VPC does not allow unauthorized peering | High | New |
| |||
| D9.AWS.OPE.27 | Ensure that the latest version of Redis is used for your AWS ElastiCache clusters | Low | Modification |
|
|
|
|
| D9.AWS.OPE.28 | Ensure that the latest version of Memcached is used for your AWS ElastiCache clusters | Low | Modification |
|
|
|
|
| D9.AWS.OPE.55 | Ensure SNS topics do not allow Everyone to publish | Low | New |
| |||
| D9.AWS.OPE.56 | Ensure that your Amazon ECS instances are using the latest ECS container agent version | Medium | New |
| |||
| D9.AWS.OPE.57 | Ensure AWS Elastic IPs are in use. | Informational | New |
| |||
| D9.AWS.OPE.59 | Ensure unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices | Low | New |
| |||
| D9.AWS.VLN.10 | Ensure that Amazon GuardDuty detectors are configured (non-empty list of GuardDuty detectors) | Low | Modification |
|
|
|
|
| D9.AWS.VLN.11 | Ensure that Amazon Inspector Findings are analyzed and resolved (EC2) | High | New |
| |||
| D9.AWS.VLN.12 | Ensure that Amazon Inspector Findings are analyzed and resolved (ECR) | High | New |
| |||
| D9.AWS.VLN.13 | Ensure that Amazon Inspector Findings are analyzed and resolved (Lambda) | High | New |
| |||
| D9.AZU.CRY.63 | Ensure there is a sufficient period configured for the SSL certificates auto-renewal | Low | New |
| |||
| D9.AZU.CRY.60 | Ensure that Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates | Critical | New |
| |||
| D9.AZU.CRY.61 | Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date | High | New |
| |||
| D9.AZU.CRY.62 | Ensure that your Azure Key Vault secrets are renewed prior to their expiration date | High | New |
| |||
| D9.AZU.IAM.64 | Ensure there is more than one owner assigned to your Microsoft Azure subscription | High | New |
| |||
| D9.GCP.CRY.25 | Ensure that Google Cloud backend services enforce HTTPS to handle encrypted web traffic | High | New |
| |||
| D9.GCP.DR.04 | GKE Cluster should have Redundant Zones | High | New |
| |||
| D9.GCP.DR.05 | GKE Clusters with Auto-upgrade Enabled should be Adequately Sized to have at least Three Nodes | High | New |
| |||
| D9.GCP.IAM.39 | Users should not be Granted Write Permissions without a Valid Business Justification | High | New |
| |||
| D9.GCP.IAM.36 | IAM Policies should Restrict Public Access to GCP Resources | Critical | New |
| |||
| D9.GCP.IAM.37 | IAM Users should not have Service Account Privileges | High | New |
| |||
| D9.GCP.IAM.38 | Logs related to storage buckets should not be publicly accessible | High | New |
| |||
| D9.GCP.IAM.40 | Ensure Compute Engine does not have Permissions to Destroy Data | High | New |
| |||
| D9.GCP.IAM.41 | Ensure Compute Engine does not have Write Permissions on Database Management Service | High | New |
| |||
| D9.GCP.IAM.42 | Ensure Compute Engine does not have Permissions to Impersonate Service Accounts | High | New |
| |||
| D9.GCP.IAM.43 | Ensure Compute Engine does not have Write Permissions on any Deny Policy | High | New |
| |||
| D9.GCP.LOG.36 | Google Cloud Kubernetes Engine Clusters should have Logging Enabled | High | New |
| |||
| D9.GCP.LOG.37 | Ensure Logging is enabled for your Kubernetes engine clusters | Low | New |
| |||
| D9.GCP.MON.02 | Google Cloud Kubernetes Engine Clusters should have Monitoring Enabled | High | New |
| |||
| D9.GCP.NET.64 | Google Cloud SQL Instances should not be Configured with Overly Permissive Authorized Networks | High | New |
| |||
| D9.GCP.NET.65 | Ensure IP forwarding is disabled for all instance templates | Medium | New |
| |||
| D9.GCP.NET.66 | Ensure that your backend services are enforcing HTTPS | High | New |
| |||
| D9.GCP.NET.67 | Ensure that no VPC firewall rules allow unrestricted outbound access on TCP or UDP | High | New |
| |||
| D9.GCP.OPE.13 | Redis instances should use Standard Tier for High Availability | Low | New |
| |||
| D9.ALI.DR.02 | Ensure that ECS data disk is not configured with 'release disk with instance feature' | Low | New |
| |||
| D9.ALI.DR.03 | Ensure that Alibaba Cloud disk automatic snapshot policy is Enabled | Low | New |
| |||
| D9.ALI.LOG.28 | Ensure that ActionTrail logging is enabled | Low | Modification |
|
|
|
|
| D9.OCI.MON.01 | Ensure OCI Compute Instances have monitoring enabled | Low | New |
| |||
| D9.OCI.MON.02 | Ensure OCI Object Storage buckets are enabled to emit object events | Low | New |
| |||
| D9.OCI.NET.24 | Ensure OCI VCN has inbound security lists | Low | New |
| |||
| D9.OCI.NET.25 | Ensure OCI VCN Security list has no stateful security rules | Low | New |
| |||
| D9.OCI.NET.26 | Ensure Network Security Groups (NSG) has no stateful security rules | Low | New |
| |||
| D9.OCI.NET.27 | Ensure OCI Kubernetes Engine Cluster pod security policy is enforced | Low | New |
| |||
| D9.OCI.NET.28 | Ensure OCI Kubernetes Engine Cluster endpoint is configured with Network Security Groups | Low | New |
| |||
| D9.OCI.OPE.03 | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | High | New |
| |||
| D9.AWS.NET.1001 | Default Security Groups - with network policies | Medium | Removal |
| |||
| D9.AWS.CRY.104 | Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs) | High | Removal |
| |||
| D9.AWS.CRY.107 | Ensure RDS instances are encrypted with KMS CMKs in order to have full control over data encryption and decryption | Low | Removal |
| |||
| D9.AWS.CRY.112 | Ensure AWS S3 buckets enforce SSL to secure data in transit | High | Removal |
| |||
| D9.AWS.NET.1009 | Ensure that OpenSearch domains are accessible from a Virtual Private Cloud | Critical | Removal |
| |||
| D9.AWS.OPE.50 | Ensure RDS instances have Multi-AZ enabled | Informational | Removal |
|
September 13 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.GCP.VLN.08 | Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'on' | Medium | Modification |
|
|
|
|
| D9.AWS.MON.16 | Ensure that the configuration recorder is set to 'on' and set S3 Bucket and SNS topic as your delivery channel | Low | Modification |
|
|
|
|
| D9.AWS.CRY.109 | Ensure AWS FSx for Windows File Server file systems data is encrypted using AWS KMS CMKs | High | New |
| |||
| D9.AWS.CRY.114 | Ensure that Firehose delivery stream data records are encrypted at destination | Low | New |
| |||
| D9.AWS.CRY.115 | Ensure that AWS Neptune instances enforce data-at-rest encryption using KMS CMKs | High | New |
| |||
| D9.AWS.CRY.118 | Ensure AWS Database Migration Service endpoints have SSL configured | Low | New |
| |||
| D9.AWS.CRY.120 | Ensure IAM User does not have more than one active SSH public key | Medium | New |
| |||
| D9.AWS.CRY.121 | Ensure AWS Secrets Manager is in use | Low | New |
| |||
| D9.AWS.IAM.150 | IAM policy overly permissive to Lambda service | Critical | New |
| |||
| D9.AWS.IAM.149 | Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS root account | High | New |
| |||
| D9.AWS.IAM.152 | Ensure RDS instance has IAM authentication enabled | Low | New |
| |||
| D9.AWS.IAM.153 | Ensure Additional Controls for External AWS Account Role Mapping and Approval for Cross-Account Access | High | New |
| |||
| D9.AWS.IAM.156 | Ensure AWS RDS cluster has IAM authentication enabled | Low | New |
| |||
| D9.AWS.IAM.159 | Ensure there is at least one IAM user currently used to access your AWS account | Medium | New |
| |||
| D9.AWS.IAM.160 | Mapping and Approval of Roles Accessible by External Federated Accounts | High | New |
| |||
| D9.AWS.IAM.161 | Ensure AWS EC2 Instance is Devoid of Data Destruction Permissions for AWS Key Management Service (KMS) | Low | New |
| |||
| D9.AWS.IAM.162 | Restrict IamRole Assume Role Policies with Principal, in Order for Enhanced Security | High | New |
| |||
| D9.AWS.IAM.154 | Ensure that Lambda functions should not have IAM roles with permissions for destructive actions on Amazon RDS databases | High | New |
| |||
| D9.AWS.IAM.157 | Ensure that AWS Lambda function should not have org write access level | High | New |
| |||
| D9.AWS.IAM.158 | Ensure that AWS Lambda function should not have IAM write access level | High | New |
| |||
| D9.AWS.IAM.163 | Ensure no AWS IAM users have been inactive for a long (specified) period of time | High | New |
| |||
| D9.AWS.LOG.39 | Ensure that DNS query logging is enabled for your Amazon Route 53 hosted zones | High | New |
| |||
| D9.AWS.LOG.40 | Ensure that your AWS Elasticsearch domains publish slow logs to AWS CloudWatch Logs | Medium | New |
| |||
| D9.AWS.MON.39 | AWS RDS event subscription should be enabled for DB instance | Low | New |
| |||
| D9.AWS.MON.40 | Ensure SNS topics do not allow Everyone to subscribe | High | New |
| |||
| D9.AWS.NET.1020 | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 445 (CIFS) | High | New |
| |||
| D9.AWS.NET.1021 | Ensure that Amazon ALBs are using the latest predefined security policy for their SSL/TLS negotiation configuration | Low | New |
| |||
| D9.AWS.NET.1022 | Ensure that Classic Load Balancers are using one of the latest predefined security policies | Low | New |
| |||
| D9.AWS.NET.1023 | Ensure that no security group allows unrestricted inbound access on TCP/UDP port 11211 | High | New |
| |||
| D9.AWS.NET.1024 | Ensure that the access to your REST APIs is allowed to trusted IP addresses only | Low | New |
| |||
| D9.AWS.NET.1025 | Ensure that no security group allows unrestricted inbound access on TCP port 6379 | High | New |
| |||
| D9.AWS.NET.98 | Ensure ELB listener uses a secure HTTPS or SSL protocol | High | New |
| |||
| D9.AWS.NET.99 | Ensure no security group contains RFC 1918 CIDRs | High | New |
| |||
| D9.AWS.NET.100 | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP and UDP port 53 | High | New |
| |||
| D9.AWS.NET.107 | Ensure no security group allows unrestricted inbound access to TCP port 1433 and 3306 (MSSQL) | High | New |
| |||
| D9.AWS.NET.101 | Ensure no security group allows unrestricted inbound access to TCP port 9200 | High | New |
| |||
| D9.AWS.NET.102 | Make certain that unrestricted inbound access to TCP ports 20 and 21 is disallowed for all EC2 security groups | High | New |
| |||
| D9.AWS.NET.103 | Ensure no security group allows unrestricted inbound access to TCP port 80 (HTTP) | High | New |
| |||
| D9.AWS.NET.105 | Ensure no security group allows unrestricted inbound access to TCP port 443 (HTTPS) | High | New |
| |||
| D9.AWS.NET.106 | Ensure no security group allows unrestricted inbound access to ICMP | High | New |
| |||
| D9.AWS.NET.108 | Ensure that AWS Lambda function should not communicating with ports known to mine Monero | Low | New |
| |||
| D9.AWS.NET.109 | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 139 and UDP ports 137, 138 | High | New |
| |||
| D9.AWS.OPE.42 | Ensure that your Amazon WorkSpaces instances are healthy | High | Modification |
|
|
|
|
| D9.AWS.OPE.47 | Ensure Amazon Neptune instances have Auto Minor Version Upgrade feature enabled | Medium | New |
| |||
| D9.AWS.OPE.46 | Ensure RDS event subscriptions are enabled for DB security groups | Low | New |
| |||
| D9.AWS.OPE.52 | Ensure that AWS Neptune cluster deletion protection is enabled | High | New |
| |||
| D9.AWS.OPE.48 | Ensure that RDS cluster delete protection is enabled | Medium | New |
| |||
| D9.AWS.OPE.50 | Ensure RDS instances have Multi-AZ enabled | Informational | New |
| |||
| D9.AWS.OPE.51 | Ensure that DocumentDB delete protection is enabled | Low | New |
| |||
| D9.AWS.OPE.53 | Ensure Amazon Organizations is in use to consolidate all your AWS accounts into an organization | Medium | New |
| |||
| D9.AWS.OPE.54 | Ensure CloudFormation service is in use for defining your cloud architectures on Amazon Web Services | Low | New |
| |||
| D9.AWS.VLN.10 | Ensure Amazon GuardDuty is enabled to help you protect your AWS accounts and workloads against security threats | Medium | New |
| |||
| D9.AZU.CRY.59 | Ensure Azure Container Instance environment variable | Low | New |
| |||
| D9.AZU.DR.05 | Ensure to activate geo-redundant backup for MariaDB | Low | New |
| |||
| D9.AZU.IAM.62 | Ensure to audit role assignments that have risky permissions | High | New |
| |||
| D9.AZU.IAM.63 | Ensure there are no Microsoft Azure Active Directory guest users if they are not needed | High | New |
| |||
| D9.AZU.NET.90 | Ensure Azure Container registries do not have Public access to All networks enabled | High | New |
| |||
| D9.AZU.NET.97 | Ensure that MariaDB is not publicly accessible | High | New |
| |||
| D9.AZU.NET.98 | Ensure Host-Level Encryption is Enabled for VMSS Instances | Medium | New |
| |||
| D9.GCP.CRY.21 | Ensure that Cloud SQL server certificates are rotated (renewed) before their expiration | Low | New |
| |||
| D9.GCP.CRY.22 | Ensure that your virtual machine (VM) instance disks are encrypted using Customer-Managed Keys (CMKs) | Low | New |
| |||
| D9.GCP.CRY.23 | Ensure there are no publicly accessible KMS cryptographic keys available within your Google Cloud account | Critical | New |
| |||
| D9.GCP.IAM.33 | Ensure that the use of Cloud Identity and Access Management (IAM) primitive roles is limited within your Google Cloud projects | Medium | New |
| |||
| D9.GCP.IAM.35 | Ensure that your API key usage is restricted to trusted hosts and applications only | High | New |
| |||
| D9.GCP.LOG.35 | Ensure that data access audit logs are enabled for all critical service APIs within your GCP project | Low | New |
| |||
| D9.GCP.OPE.10 | Ensure Kubernetes Cluster has No Client Certificate Issued | High | New |
| |||
| D9.GCP.OPE.11 | Ensure that there is at least one sink configuration that has no inclusions or exclusion filters. | High | New |
| |||
| D9.GCP.OPE.12 | Ensure that critical service APIs are enabled for your GCP projects | High | New |
| |||
| D9.OCI.NET.18 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3306 | High | New |
| |||
| D9.OCI.NET.19 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1521 | High | New |
| |||
| D9.OCI.NET.20 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 5432 | High | New |
| |||
| D9.OCI.NET.21 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 5900 | High | New |
| |||
| D9.OCI.NET.22 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 25 | High | New |
| |||
| D9.OCI.NET.23 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 7001 | High | New |
| |||
| D9.AWS.CRY.91 | Ensure that node-to-node encryption is enabled for your OpenSearch clusters | High | Removal |
| |||
| D9.AWS.CRY.95 | To adhere to security and compliance standards, it is essential to guarantee that AWS RDS instances are encrypted | Low | Removal |
|
September 06 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.GCP.NET.20 | Ensure that the default VPC network is not being used within your GCP projects | Medium | Modification |
|
|
|
|
| D9.AWS.NET.73 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | High | Modification |
|
|
|
|
| D9.AWS.CRY.110 | Ensure that encryption at rest is enabled for Amazon Glue job bookmarks | High | New |
| |||
| D9.AWS.CRY.101 | Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirement | Critical | New |
| |||
| D9.AWS.CRY.103 | Ensure that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using Customer-managed Customer Master Keys | High | New |
| |||
| D9.AWS.CRY.104 | Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs) | High | New |
| |||
| D9.AWS.CRY.105 | Ensure EBS volumes are encrypted with CMKs to have full control over encrypting and decrypting data | Critical | New |
| |||
| D9.AWS.CRY.106 | Ensure unused IAM users are removed from AWS account to follow security best practice | Medium | New |
| |||
| D9.AWS.CRY.107 | Ensure RDS instances are encrypted with KMS CMKs in order to have full control over data encryption and decryption | Low | New |
| |||
| D9.AWS.CRY.108 | Ensure that stage-level cache encryption is enabled for your Amazon API Gateway APIs | High | New |
| |||
| D9.AWS.CRY.111 | Ensure rotation for customer created CMKs is enabled | High | New |
| |||
| D9.AWS.CRY.112 | Ensure AWS S3 buckets enforce SSL to secure data in transit | High | New |
| |||
| D9.AWS.DR.16 | Ensure that Amazon Aurora MySQL database clusters have backtracking enabled | Informational | New |
| |||
| D9.AWS.DR.17 | Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery | High | New |
| |||
| D9.AWS.DR.18 | Ensure on-demand backup and restore functionality is in use for AWS DynamoDB tables | High | New |
| |||
| D9.AWS.IAM.119 | Ensure IAM User is Restrained from Wildcard Access to All Resources | Low | New |
| |||
| D9.AWS.IAM.120 | Ensure AWS EC2 Instance Lacks IAM Write Access Level | Medium | New |
| |||
| D9.AWS.IAM.125 | Ensure IAM policy does not allow privilege escalation via Codestar create project and associate team member permissions | Medium | New |
| |||
| D9.AWS.IAM.126 | Ensure AWS IAM policy does not allow privilege escalation via EC2 Instance Connect permissions | Medium | New |
| |||
| D9.AWS.IAM.127 | Ensure AWS IAM policy prevents privilege escalation via EC2 and SSM permissions. | Medium | New |
| |||
| D9.AWS.IAM.128 | Ensure AWS IAM policy prevents escalation via EC2 describe and SSM session permissions | Medium | New |
| |||
| D9.AWS.IAM.129 | Ensure AWS IAM policy prevents escalation via Glue Dev Endpoint permissions | Medium | New |
| |||
| D9.AWS.IAM.130 | Ensure AWS IAM policy prevents escalation via PassRole & CodeBuild permissions | Medium | New |
| |||
| D9.AWS.IAM.131 | Ensure AWS IAM policy prevents escalation via PassRole & CreateProject permissions | Medium | New |
| |||
| D9.AWS.IAM.132 | Ensure AWS IAM policy prevents escalation via PassRole & Data Pipeline permissions | Medium | New |
| |||
| D9.AWS.IAM.133 | Ensure AWS IAM policy prevents escalation via PassRole & EC2 permissions | Medium | New |
| |||
| D9.AWS.IAM.134 | Ensure AWS IAM policy prevents escalation via PassRole & Glue create job permissions | Medium | New |
| |||
| D9.AWS.IAM.135 | Ensure AWS IAM policy prevents escalation via PassRole & Glue development endpoint permissions | Medium | New |
| |||
| D9.AWS.IAM.136 | Ensure AWS IAM policy prevents escalation via PassRole & Glue update job permissions | Medium | New |
| |||
| D9.AWS.IAM.137 | Ensure AWS IAM policy prevents escalation via PassRole & Lambda create and invoke function permissions | Medium | New |
| |||
| D9.AWS.IAM.138 | Ensure AWS IAM policy prevents escalation via PassRole, Lambda create function, and event source mapping permissions | Medium | New |
| |||
| D9.AWS.IAM.139 | Ensure AWS IAM policy prevents escalation via PassRole, Lambda create function, and add permissions | Medium | New |
| |||
| D9.AWS.IAM.140 | Ensure AWS IAM policy prevents escalation via PassRole & SageMaker create notebook permissions | Medium | New |
| |||
| D9.AWS.IAM.141 | Ensure AWS IAM policy prevents escalation via PassRole & SageMaker create processing job permissions | Medium | New |
| |||
| D9.AWS.IAM.142 | Ensure AWS IAM policy prevents escalation via PassRole & SageMaker create training job permissions | Medium | New |
| |||
| D9.AWS.IAM.144 | Ensure there are no Lambda functions with admin privileges within your AWS account | High | New |
| |||
| D9.AWS.IAM.145 | Ensure AWS IAM policies are attached to groups instead of users as an IAM best practice | Low | New |
| |||
| D9.AWS.IAM.146 | Ensure that root account credentials have not been used recently to access your AWS account | High | New |
| |||
| D9.AWS.LOG.28 | Ensure cloud trail capturing management events | Low | New |
| |||
| D9.AWS.LOG.29 | Ensure AWS ACM Certificates Have Valid Logging and Status | Low | New |
| |||
| D9.AWS.LOG.37 | Enable user activity logging for your Amazon Redshift clusters to track who has accessed your clusters and what activities they have performed. | Low | New |
| |||
| D9.AWS.LOG.38 | Ensure that AWS CloudWatch logging is enabled for Amazon Transfer for SFTP user activity | Low | New |
| |||
| D9.AWS.MON.37 | Ensure that detailed CloudWatch metrics are enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly | Low | New |
| |||
| D9.AWS.MON.38 | Ensure that Amazon MQ brokers are using the network of brokers configuration | High | New |
| |||
| D9.AWS.NET.1014 | Ensure AWS Redshift non-default parameter groups require SSL to secure data in transit | Critical | New |
| |||
| D9.AWS.NET.1015 | Ensure that EKS cluster's Kubernetes API endpoints are not publicly accessible | Critical | New |
| |||
| D9.AWS.NET.1016 | Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts | Critical | New |
| |||
| D9.AWS.NET.1017 | Ensure that Amazon Transfer for SFTP servers are using AWS PrivateLink for their endpoints | High | New |
| |||
| D9.AWS.NET.1018 | Ensure that Drop Invalid Header Fields feature is enabled for your Application Load Balancers to remove non-standard headers | High | New |
| |||
| D9.AWS.NET.1019 | Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS | High | New |
| |||
| D9.AWS.OPE.25 | Ensure EKS cluster version is up to date | Informational | Modification |
|
|
|
|
| D9.AWS.OPE.36 | Ensure RDS event subscriptions are enabled for instance level events | Low | New |
| |||
| D9.AWS.OPE.37 | Ensure there is a Dead Letter Queue configured for each Lambda function available in your AWS account | Low | New |
| |||
| D9.AWS.OPE.38 | Ensure that REST APIs created with Amazon API Gateway have response caching enabled | Low | New |
| |||
| D9.AWS.OPE.41 | Ensure EC2 instances are not too old | Medium | New |
| |||
| D9.AWS.OPE.39 | Ensure ElastiCache clusters are using the latest generation of nodes for cost and performance improvements | Medium | New |
| |||
| D9.AWS.OPE.40 | Ensure that AWS S3 buckets utilize lifecycle configurations to manage S3 objects during their lifetime | Low | New |
| |||
| D9.AWS.OPE.42 | Ensure that your Amazon WorkSpaces instances are healthy | High | New |
| |||
| D9.AWS.OPE.44 | Ensure all Elastic Network Interfaces are in use | Low | New |
| |||
| D9.AWS.OPE.45 | Ensure EC2 Instances are Protected against Termination Actions | High | New |
| |||
| D9.AZU.CRY.56 | Ensure no Azure Data Explorer cluster is configured without disk encryption | Low | New |
| |||
| D9.AZU.CRY.57 | Ensure Azure Function App use HTTP 2.0 | High | New |
| |||
| D9.AZU.CRY.58 | Ensure Service Fabric cluster is configured with cluster protection level security | Low | New |
| |||
| D9.AZU.IAM.56 | Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification | High | Modification |
|
|
|
|
| D9.AZU.IAM.60 | Ensure that Azure Recovery Services vault is configured with managed identity | Low | New |
| |||
| D9.AZU.IAM.61 | Ensure that a resource locking administrator role is available for each Azure subscription | High | New |
| |||
| D9.AZU.MON.88 | Ensure that an activity log alert is created for Delete PostgreSQL Database events | High | Modification |
|
|
|
|
| D9.AZU.MON.90 | Ensure that the health of your Microsoft Azure scale set instances is being monitored | Low | New |
| |||
| D9.AZU.MON.91 | Ensure that an activity log alert is created for Delete MySQL Database events | Low | New |
| |||
| D9.AZU.MON.92 | Ensure that an activity log alert is created for Create/Update PostgreSQL Database events | Low | New |
| |||
| D9.AZU.MON.93 | Ensure that an activity log alert is created for Create/Update MySQL Database events | Low | New |
| |||
| D9.AZU.MON.94 | Ensure that an activity log alert is created for Update Key Vault MicrosoftKeyVault/vaults events | Low | New |
| |||
| D9.AZU.MON.95 | Ensure that an activity log alert exists for Power Off Virtual Machine events | Low | New |
| |||
| D9.AZU.MON.96 | Ensure that an activity log alert exists for Delete Virtual Machine events | Low | New |
| |||
| D9.AZU.MON.97 | Ensure that an activity log alert exists for Delete Storage Account events | Low | New |
| |||
| D9.AZU.MON.98 | Ensure there is an Azure activity log alert created for Delete Load Balancer events | Low | New |
| |||
| D9.AZU.MON.99 | Ensure there is an activity log alert created for the Delete Key Vault events | Low | New |
| |||
| D9.AZU.MON.100 | Ensure that an activity log alert is created for Delete Azure SQL Database (MicrosoftSql/servers/databases) events | Low | New |
| |||
| D9.AZU.MON.101 | Ensure that an activity log alert is created for the Deallocate Virtual Machine (MicrosoftCompute/virtualMachines) events | Low | New |
| |||
| D9.AZU.MON.102 | Ensure there is an activity log alert created for the Create/Update Storage Account events | Low | New |
| |||
| D9.AZU.MON.103 | Ensure that an activity log alert is created for Create/Update Azure SQL Database events | Low | New |
| |||
| D9.AZU.MON.104 | Ensure that an activity log alert is created for Create or Update Virtual Machine (MicrosoftCompute/virtualMachines) events | Low | New |
| |||
| D9.AZU.MON.105 | Ensure that an activity log alert is created for Rename Azure SQL Database events | Low | New |
| |||
| D9.AZU.MON.106 | Ensure that Microsoft Defender for Cloud plans are subscribed for all resources | High | New |
| |||
| D9.AZU.NET.87 | Ensure that Azure Postgre SQL Flexible Server access is limited and not allowed overly permissive | Medium | Modification |
|
|
|
|
| D9.AZU.NET.88 | Identify and remove empty virtual machine scale sets from your Azure cloud account | Low | New |
| |||
| D9.AZU.NET.89 | Ensure Azure Application Gateway Web application firewall (WAF) policy rule for Remote Command Execution is enabled | Low | New |
| |||
| D9.AZU.NET.91 | Ensure Azure Virtual Machine (Windows) secure boot feature is Enabled | Low | New |
| |||
| D9.AZU.NET.92 | Ensure Azure Virtual Machine vTPM feature is enabled | Low | New |
| |||
| D9.AZU.NET.93 | Ensure Azure Front Door Web application firewall (WAF) policy rule for Remote Command Execution is enabled | Low | New |
| |||
| D9.AZU.NET.94 | Ensure Azure Front Door Web application firewall (WAF) is enabled | High | New |
| |||
| D9.AZU.NET.95 | Ensure that FTP-Control (TCP:21) is restricted from the Internet | Critical | New |
| |||
| D9.AZU.NET.96 | Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution | Medium | New |
| |||
| D9.AZU.OPE.04 | Ensure that Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets | High | New |
| |||
| D9.GCP.AS.16 | Ensure that MySQL database servers are using the latest major version of MySQL database | Low | New |
| |||
| D9.GCP.AS.17 | Ensure that your production Google Cloud virtual machine instances are not preemptible | Low | New |
| |||
| D9.GCP.CRY.17 | SSL Policy Profile should be Restricted for HTTPS Load Balancer | High | New |
| |||
| D9.GCP.CRY.18 | TLS Version should be v1.2 or Later for SSL Policy on HTTPS Load Balancer | High | New |
| |||
| D9.GCP.CRY.19 | Default SSL Policy should be Replaced by a Stricter Policy for HTTPS Load Balancer Target Proxy | High | New |
| |||
| D9.GCP.CRY.20 | SQL Instances should have Valid SSL Configurations | High | New |
| |||
| D9.GCP.LOG.34 | Ensure that logging is enabled for your Virtual Private Cloud (VPC) firewall rules | Low | New |
| |||
| D9.GCP.NET.51 | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database) | Critical | Modification |
|
|
|
|
| D9.GCP.NET.52 | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server) | Critical | Modification |
|
|
|
|
| D9.GCP.NET.53 | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server) | Critical | Modification |
|
|
|
|
| D9.GCP.NET.54 | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP or UDP on port 53 (DNS) | High | Modification |
|
|
|
|
| D9.GCP.NET.55 | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP) | High | Modification |
|
|
|
|
| D9.GCP.NET.56 | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP) | High | Modification |
|
|
|
|
| D9.GCP.NET.57 | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH) | High | Modification |
|
|
|
|
| D9.GCP.NET.58 | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database) | High | Modification |
|
|
|
|
| D9.GCP.NET.59 | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 135 (Remote Procedure Call) | High | New |
| |||
| D9.GCP.NET.60 | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP ports 20 or 21 (File Transfer Protocol FTP) | High | New |
| |||
| D9.GCP.NET.61 | Ensure that no VPC firewall rules allow unrestricted inbound access using Internet Control Message Protocol (ICMP) | High | New |
| |||
| D9.GCP.NET.63 | HTTPS Load Balancer should have QUIC Enabled | Low | New |
| |||
| D9.GCP.OPE.09 | Ensure VM instance has custom metadata | Low | New |
| |||
| D9.ALI.DR.01 | Ensure that ECS data disk is configured with delete automatic snapshots feature | Low | New |
| |||
| D9.ALI.IAM.20 | Ensure RAM password policy won't allow login after the password expires | Low | New |
| |||
| D9.ALI.IAM.21 | Ensure ECS Instances release protection is enabled | Low | New |
| |||
| D9.ALI.NET.32 | Ensure SLB delete protection is enabled | Low | New |
| |||
| D9.OCI.NET.09 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 53 | High | New |
| |||
| D9.OCI.NET.10 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 2483 | High | New |
| |||
| D9.OCI.NET.11 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 27017 | High | New |
| |||
| D9.OCI.NET.12 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 6379 | High | New |
| |||
| D9.OCI.NET.13 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 80 | High | New |
| |||
| D9.OCI.NET.14 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 20 | High | New |
| |||
| D9.OCI.NET.15 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 21 | High | New |
| |||
| D9.OCI.NET.16 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1434 | High | New |
| |||
| D9.OCI.NET.17 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1433 | High | New |
|
August 30 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.IAM.57 | Ensure that admin user is disabled for Container Registry | Low | New |
| |||
| D9.AZU.OPE.01 | Ensure Container Registry has locks | Low | New |
| |||
| D9.AZU.IAM.58 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Low | New |
| |||
| D9.AWS.OPE.21 | Ensure Auto Scaling group have scaling cooldown higher than a minute | Low | Modification |
|
|
|
|
| D9.AWS.CRY.91 | Ensure that node-to-node encryption is enabled for your OpenSearch clusters | High | New |
| |||
| D9.AWS.CRY.92 | Ensure that at-rest encryption is enabled when writing AWS Glue data to Amazon S3 | Low | New |
| |||
| D9.AWS.CRY.93 | Ensure that ECR Registry-level configuration is enabled for image scanning | High | New |
| |||
| D9.AWS.CRY.94 | Ensure that your OpenSearch domains are encrypted using KMS Customer Master Keys | Low | New |
| |||
| D9.AWS.CRY.95 | To adhere to security and compliance standards, it is essential to guarantee that AWS RDS instances are encrypted | Low | New |
| |||
| D9.AWS.CRY.96 | Ensure ElastiCache AUTH feature enabled | Low | New |
| |||
| D9.AWS.CRY.97 | Ensure that in-transit encryption is enabled for your Amazon OpenSearch domains | Critical | New |
| |||
| D9.AWS.CRY.98 | Ensure Amazon Certificate Manager (ACM) certificates are renewed before their expiration (7 Days) | High | New |
| |||
| D9.AWS.CRY.99 | Ensure Amazon Certificate Manager (ACM) certificates are renewed before their expiration (45 Days) | Low | New |
| |||
| D9.AWS.CRY.100 | Ensure that Amazon Glue Data Catalog objects and connection passwords are encrypted | High | New |
| |||
| D9.AWS.DR.12 | Ensure high availability for your OpenSearch clusters by enabling the Zone Awareness feature | Low | New |
| |||
| D9.AWS.DR.13 | Ensure that OpenSearch clusters are using dedicated master nodes to increase the production environment stability | Low | New |
| |||
| D9.AWS.DR.14 | Ensure AWS RDS instances have Automated Backups feature enabled | High | New |
| |||
| D9.AWS.IAM.116 | Follow proper naming conventions for Virtual Private Clouds | Low | New |
| |||
| D9.AWS.IAM.118 | Ensure IAM User Write Access is Prohibited | Low | New |
| |||
| D9.AWS.IAM.117 | Ensure IAM User Organization Write Access is Prohibited | High | New |
| |||
| D9.AWS.IAM.121 | Ensure AWS EC2 Instance is Devoid of Data Destruction Permissions | High | New |
| |||
| D9.AWS.IAM.122 | Ensure AWS EC2 Instance is Devoid of Database Management Write Access Permissions | Low | New |
| |||
| D9.AWS.IAM.123 | Ensure EC2 Instances do not have S3 Access | Low | New |
| |||
| D9.AWS.IAM.124 | Ensure AWS EC2 instance does not have the permission to create a new Group with an attached policy | High | New |
| |||
| D9.AWS.LOG.31 | Ensure CloudTrail trails are configured to log Data events | Low | New |
| |||
| D9.AWS.LOG.32 | Ensure alert notifications for important events within your Amazon Elastic Beanstalk environment | Low | New |
| |||
| D9.AWS.LOG.33 | Ensure that access logging is enabled for your Elastic Beanstalk environment load balancer | Medium | New |
| |||
| D9.AWS.LOG.34 | Ensure persistent logs are enabled for your Amazon Elastic Beanstalk environments | High | New |
| |||
| D9.AWS.LOG.35 | Ensure AWS RDS utilizes secure and unique master usernames for database security | High | New |
| |||
| D9.AWS.LOG.36 | Ensure that CloudTrail trails record API calls for global services such as IAM, STS, and CloudFront | Medium | New |
| |||
| D9.AWS.MON.30 | Check for any AMIs older than 180 days available within your AWS account | Low | New |
| |||
| D9.AWS.MON.31 | Ensure there are no empty AWS Auto Scaling Groups (ASGs) | Medium | New |
| |||
| D9.AWS.MON.33 | Ensure that each AWS Auto Scaling Group has an associated Elastic Load Balancer | Low | New |
| |||
| D9.AWS.MON.32 | Ensure Amazon CloudTrail trail log files are delivered as expected | Low | New |
| |||
| D9.AWS.MON.34 | Ensure that X-Ray tracing is enabled for your Amazon Elastic Beanstalk environments | Low | New |
| |||
| D9.AWS.MON.35 | Ensure Enhanced Health Reporting is enabled for your AWS Elastic Beanstalk environments | Low | New |
| |||
| D9.AWS.MON.36 | Ensure your AWS CloudFormation stacks are integrated with Simple Notification Service (SNS) | Medium | New |
| |||
| D9.AWS.NET.1006 | Ensure unused Virtual Private Gateways are removed | Critical | New |
| |||
| D9.AWS.NET.1007 | Ensure that only approved IP addresses can access your Amazon OpenSearch domains | Critical | New |
| |||
| D9.AWS.NET.1008 | Ensure Amazon Redshift clusters are launched within a Virtual Private Cloud | Informational | New |
| |||
| D9.AWS.NET.1009 | Ensure that OpenSearch domains are accessible from a Virtual Private Cloud | Critical | New |
| |||
| D9.AWS.NET.1010 | Enforce HTTPS for Amazon Elastic Beanstalk environment load balancers | High | New |
| |||
| D9.AWS.NET.1011 | Ensure that your CloudFront distributions are using an origin access identity for their origin S3 buckets | High | New |
| |||
| D9.AWS.NET.1012 | Instance should not have a public IP address | High | New |
| |||
| D9.AWS.NET.1013 | Ensure that security groups are using proper naming conventions. | Low | New |
| |||
| D9.AWS.OPE.29 | Ensure enhanced monitoring is enabled for your AWS Kinesis streams using shard-level metrics | High | New |
| |||
| D9.AWS.OPE.30 | Ensure Amazon Auto Scaling Groups have cooldown periods enabled | High | New |
| |||
| D9.AWS.OPE.31 | Ensure that your OpenSearch domains are using the latest version of the TLS security policy | Low | New |
| |||
| D9.AWS.OPE.32 | Verify that Redshift clusters are utilizing the most up-to-date node generations to enhance performance | Low | New |
| |||
| D9.AWS.OPE.33 | Ensure managed platform updates are enabled for your AWS Elastic Beanstalk environments | Low | New |
| |||
| D9.AWS.OPE.34 | Ensure that AWS Cloudfront web distributions are configured to compress objects (files) automatically | Low | New |
| |||
| D9.AWS.OPE.35 | Ensure that the latest version of OpenSearch engine is used for your OpenSearch domains | Low | New |
| |||
| D9.AZU.NET.84 | Ensure that a network policy is in place to secure traffic between pods | Low | New |
| |||
| D9.AZU.NET.83 | Ensure that Azure CNI Networking is enabled | Low | New |
| |||
| D9.AZU.CRY.52 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Azure MariaDB database Server | High | New |
| |||
| D9.AZU.CRY.53 | Ensure Azure AKS cluster HTTP application routing is disabled | Low | New |
| |||
| D9.AZU.CRY.54 | Ensure no Azure AKS cluster is configured without disk encryption | Low | New |
| |||
| D9.AZU.CRY.55 | Ensure Azure MySQL Database Server is using a secure TLS version | High | New |
| |||
| D9.AZU.IAM.55 | Ensure that no Azure user, group or application has full permissions to access and manage Key Vaults | High | New |
| |||
| D9.AZU.IAM.56 | Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification | High | New |
| |||
| D9.AZU.IAM.59 | Configure your Microsoft Azure virtual machines to use Azure Active Directory credentials for secure authentication. | Critical | New |
| |||
| D9.AZU.LOG.19 | Ensure that Diagnostic Logs are enabled for the supported Azure cloud resources | High | New |
| |||
| D9.AZU.LOG.20 | Ensure Azure AKS cluster monitoring is enabled | Low | New |
| |||
| D9.AZU.MON.89 | Ensure that a security contact phone number is provided in the Microsoft Defender for Cloud settings | Low | New |
| |||
| D9.AZU.NET.78 | Ensure that default network access rule is set to 'Deny' within your Azure Key Vaults configuration | High | New |
| |||
| D9.AZU.NET.79 | Ensure that Private Endpoints are Used for Azure MariaDb database Server | Medium | New |
| |||
| D9.AZU.NET.80 | Ensure that Azure Storage account access is limited only to specific IP addresses | Low | New |
| |||
| D9.AZU.NET.81 | Ensure that MariaDB database servers are using the latest version of the TLS protocol | Critical | New |
| |||
| D9.AZU.NET.82 | Ensure Azure Database for MySQL server is configured with private endpoint | Medium | New |
| |||
| D9.AZU.NET.85 | Ensure PostgreSQL database server is not allowed public network access | High | New |
| |||
| D9.AZU.NET.86 | Ensure that Private Endpoints are Used for Azure PostgreSQL database Server | Medium | New |
| |||
| D9.AZU.NET.87 | Ensure that Azure Postgre SQL Flexible Server access is limited and not allowed overly permissive | Low | New |
| |||
| D9.AZU.OPE.02 | Ensure that your Cluster Pool contains at least 3 Nodes | Low | New |
| |||
| D9.AZU.OPE.03 | Ensure to not use the deprecated Classic registry | Low | New |
| |||
| D9.GCP.AS.12 | Ensure that PostgreSQL database instances have the appropriate configuration set for the 'max_connections' flag | Low | New |
| |||
| D9.GCP.AS.13 | Ensure that automatic storage increase is enabled for your Cloud SQL database instances | High | New |
| |||
| D9.GCP.AS.14 | Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database | Low | New |
| |||
| D9.GCP.AS.15 | Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances | High | New |
| |||
| D9.GCP.DR.03 | Ensure that production SQL database instances are configured to automatically fail over to another zone within the selected cloud region | Critical | New |
| |||
| D9.GCP.IAM.31 | Ensure Compute Engine does not have predefined Admin roles | Critical | New |
| |||
| D9.GCP.IAM.32 | Ensure Compute Engine does not have IAM Write access level | High | New |
| |||
| D9.GCP.LOG.31 | Ensure that logging is enabled for Google Cloud load balancing backend services | Low | New |
| |||
| D9.GCP.LOG.32 | Ensure that MySQL database instances have the 'slow_query_log' flag set to On (enabled) | Low | New |
| |||
| D9.GCP.LOG.33 | Ensure storage bucket does not send logs to itself | Low | New |
| |||
| D9.GCP.NET.39 | Ensure Firewall default rules are not overly permissive | High | New |
| |||
| D9.GCP.NET.40 | Ensure Firewall rule does not allow all traffic on port 21 - FTP | High | New |
| |||
| D9.GCP.NET.41 | Ensure Firewall rule does not allow all traffic on port 80 - HTTP | High | New |
| |||
| D9.GCP.NET.42 | Ensure Firewall rule does not allow all traffic on port 445 - Microsoft-DS | Critical | New |
| |||
| D9.GCP.NET.43 | Ensure Firewall rule does not allow all traffic on port 27017 - MongoDB | High | New |
| |||
| D9.GCP.NET.44 | Ensure Firewall rule does not allow all traffic on port 139 - NetBIOS-SSN | High | New |
| |||
| D9.GCP.NET.45 | Ensure Firewall rule does not allow all traffic on port 1521 - Oracle DB | High | New |
| |||
| D9.GCP.NET.46 | Ensure Firewall rule does not allow all traffic on port 110 - POP3 | High | New |
| |||
| D9.GCP.NET.47 | Ensure Firewall rule does not allow all traffic on port 23 - Telnet | High | New |
| |||
| D9.GCP.NET.48 | Ensure Firewall rule does not expose GKE clusters by allowing all traffic on port 10250 | High | New |
| |||
| D9.GCP.NET.49 | Ensure Firewall rule does not expose GKE clusters by allowing all traffic on port 10255 | High | New |
| |||
| D9.GCP.NET.50 | Ensure no inbound rule exists that is overly permissive to allow all traffic from Internet | High | New |
| |||
| D9.GCP.NET.51 | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database) | Critical | New |
| |||
| D9.GCP.NET.52 | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server) | Critical | New |
| |||
| D9.GCP.NET.53 | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server) | Critical | New |
| |||
| D9.GCP.NET.54 | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP or UDP on port 53 (DNS) | High | New |
| |||
| D9.GCP.NET.55 | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP) | High | New |
| |||
| D9.GCP.NET.56 | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP) | High | New |
| |||
| D9.GCP.NET.57 | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH) | High | New |
| |||
| D9.GCP.NET.58 | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database) | High | New |
| |||
| D9.GCP.OPE.06 | Ensure that automatic restart is enabled for your Google Cloud virtual machine (VM) instances | High | New |
| |||
| D9.GCP.OPE.07 | Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances | High | New |
| |||
| D9.GCP.OPE.08 | Ensure that 'On Host Maintenance' configuration setting is set to 'Migrate' for all VM instances | High | New |
| |||
| D9.ALI.LOG.28 | Ensure that ActionTrail logging is enabled | Low | New |
| |||
| D9.OCI.IAM.11 | Ensure IAM password policy require at least one lowercase letter | Low | New |
| |||
| D9.OCI.IAM.12 | Ensure IAM password policy require at least one uppercase letter | Low | New |
| |||
| D9.AZU.AKS.01 | Ensure that admin user is disabled for Container Registry | Low | Removal |
| |||
| D9.AZU.AKS.02 | Ensure Container Registry has locks | Low | Removal |
| |||
| D9.AZU.AKS.08 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Low | Removal |
| |||
| D9.AZU.AKS.05 | Ensure that a network policy is in place to secure traffic between pods | Low | Removal |
| |||
| D9.AZU.AKS.06 | Ensure that Azure CNI Networking is enabled | Low | Removal |
| |||
| D9.AZU.AKS.07 | Ensure that your Cluster Pool contains at least 3 Nodes | Low | Removal |
| |||
| D9.AZU.AKS.09 | Ensure to not use the deprecated Classic registry | Low | Removal |
|
August 23 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.NET.67 | Ensure that all authorization Type in API Gateway are not set to None | High | Modification |
|
|
|
|
| D9.ALI.NET.03 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 - SSH | High | Modification |
|
|
|
|
| D9.ALI.NET.04 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 - RDP | High | Modification |
|
|
|
|
| D9.AWS.AS.11 | Identify and remove any unused AWS DynamoDB tables to optimize AWS costs | High | New |
| |||
| D9.AWS.CRY.88 | Ensure that Amazon DocumentDB clusters data is encrypted at rest | High | New |
| |||
| D9.AWS.CRY.89 | Ensure API Gateway endpoints has client certificate authentication | Low | New |
| |||
| D9.AWS.CRY.90 | Ensure that Amazon DocumentDB clusters are encrypted with KMS Customer Master Keys (CMKs) | High | New |
| |||
| D9.AWS.DNS.08 | Ensure AWS SES identities (email addresses and/or domains) are verified | Low | New |
| |||
| D9.AWS.DR.06 | Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion | Critical | New |
| |||
| D9.AWS.DR.07 | Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled | Informational | New |
| |||
| D9.AWS.DR.09 | Ensure that Deletion Protection feature is enabled for your Aurora database clusters (provisioned and serverless) | Medium | New |
| |||
| D9.AWS.DR.10 | Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs | High | New |
| |||
| D9.AWS.DR.11 | Ensure AWS DocumentDB clusters have a sufficient backup retention period set for compliance purposes | Low | New |
| |||
| D9.AWS.IAM.1020 | Ensure IAM Database Authentication feature is enabled for Amazon Neptune clusters | High | New |
| |||
| D9.AWS.IAM.115 | Ensure that Amazon Lambda functions are referencing active execution roles | Low | New |
| |||
| D9.AWS.LOG.25 | Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days) | Low | New |
| |||
| D9.AWS.LOG.26 | Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days) | Low | New |
| |||
| D9.AWS.LOG.27 | Ensure CloudTrail Logging is Enabled | Low | New |
| |||
| D9.AWS.MON.28 | Ensure DKIM signing is enabled in AWS SES to protect email senders and receivers against phishing. | Low | New |
| |||
| D9.AWS.MON.29 | Enable AWS DocumentDB Log Exports | Low | New |
| |||
| D9.AWS.NET.1003 | Verify that there are no Amazon RDS database instances currently operational within the public subnets of our AWS Virtual Private Cloud (VPC). | Low | New |
| |||
| D9.AWS.NET.1004 | Ensure that your Amazon Lambda functions have access to VPC-only resources. | Low | New |
| |||
| D9.AWS.NET.1005 | Ensure Amazon MQ brokers are not publicly accessible and prone to security risks | High | New |
| |||
| D9.AWS.NET.96 | Ensure AppSync has WAF | Low | New |
| |||
| D9.AWS.NET.97 | Ensure IMDS Response Hop Limit is Set to One | Low | New |
| |||
| D9.AWS.OPE.26 | Make certain your AWS MQ brokers are running on the most up-to-date version of the Apache ActiveMQ engine. | Low | New |
| |||
| D9.AWS.OPE.27 | Ensure that the latest version of Redis is used for your AWS ElastiCache clusters | Low | New |
| |||
| D9.AWS.OPE.28 | Ensure that the latest version of Memcached is used for your AWS ElastiCache clusters | Low | New |
| |||
| D9.AWS.VLN.09 | Ensure Aurora PostgreSQL is not exposed to local file read vulnerability | Critical | New |
| |||
| D9.AZU.MON.88 | Ensure that an activity log alert is created for Delete PostgreSQL Database events | High | New |
| |||
| D9.AZU.NET.74 | Ensure that HTTP protocol (TCP:80) is restricted from the Internet | High | New |
| |||
| D9.AZU.NET.75 | Ensure that HTTPS protocol (TCP:443) is restricted from the Internet | High | New |
| |||
| D9.AZU.NET.76 | Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database | High | New |
| |||
| D9.AZU.NET.77 | Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol | Critical | New |
| |||
| D9.GCP.AS.10 | Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances | Low | New |
| |||
| D9.GCP.AS.11 | Ensure that SQL Server database instances have the appropriate configuration set for the 'user connections' flag | High | New |
| |||
| D9.GCP.IAM.30 | Ensure GCP IAM user does not have permissions to deploy all resources | High | New |
| |||
| D9.GCP.NET.38 | Ensure Google Cloud Function is configured with a VPC connector | High | New |
| |||
| D9.ALI.NET.17 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 53 - DNS | High | New |
| |||
| D9.ALI.NET.18 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 2483 - unencrypted Oracle DB | High | New |
| |||
| D9.ALI.NET.19 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 27017 - unencrypted Mongo DB | High | New |
| |||
| D9.ALI.NET.20 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 6379 - unencrypted Redis | High | New |
| |||
| D9.ALI.NET.21 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 80 - HTTP | High | New |
| |||
| D9.ALI.NET.22 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 20 - FTP-Data | High | New |
| |||
| D9.ALI.NET.23 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 21 - FTP | High | New |
| |||
| D9.ALI.NET.24 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 1434 - MSSQL Admin | High | New |
| |||
| D9.ALI.NET.25 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 1433 - MSSQL Server | High | New |
| |||
| D9.ALI.NET.26 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3306 - MySQL | High | New |
| |||
| D9.ALI.NET.27 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 1521 - unencrypted Oracle DB | High | New |
| |||
| D9.ALI.NET.28 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 5432 - Postgres SQL | High | New |
| |||
| D9.ALI.NET.29 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 5900 - VNC Server | High | New |
| |||
| D9.ALI.NET.30 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 25 - SMTP | High | New |
| |||
| D9.ALI.NET.31 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 7001 - Cassandra | High | New |
|
August 16 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.K8S.CRY.19 | Ensure that the --service-account-key-file argument is set as appropriate (API Server) (Openshift) | Low | Modification |
|
|
|
|
| D9.K8S.CRY.20 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.CRY.21 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.CRY.24 | Ensure that the --encryption-provider-config argument is set as appropriate (API Server) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.CRY.26 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.CRY.28 | Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) (Openshift) | Low | Modification |
|
|
|
|
| D9.K8S.CRY.29 | Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) (Openshift) | Low | Modification |
|
|
|
|
| D9.K8S.CRY.31 | Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) (Openshift) | Informational | Modification |
|
|
|
|
| D9.K8S.CRY.34 | Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.CRY.37 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) (Openshift) | Medium | Modification |
|
|
|
|
| D9.K8S.CRY.41 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.CRY.45 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (API server) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.IAM.55 | Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.IAM.61 | Ensure that the admission control plugin SecurityContextDeny is not set (API Server) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.IAM.63 | Ensure that the admission control plugin SecurityContextConstraint is set (API Server) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.IAM.65 | Ensure that the admission control plugin SecurityContextConstraint is set (SCC restricted) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.IAM.67 | Minimize the admission of containers wishing to share the host process ID namespace (SCC) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.IAM.68 | Minimize the admission of containers wishing to share the host IPC namespace (SCC) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.IAM.69 | Minimize the admission of containers wishing to share the host network namespace (SCC) (Openshift) | Low | Modification |
|
|
|
|
| D9.K8S.IAM.72 | Minimize the admission of containers with the NET_RAW capability (SCC) (Openshift) | High | Modification |
|
|
|
|
| D9.K8S.LOG.07 | Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate (API Server) (Openshift) | Low | Modification |
|
|
|
|
| D9.K8S.LOG.08 | Ensure that the maximumFileSizeMegabytes argument is set to 100 or as appropriate (API Server) (Openshift) | Low | Modification |
|
|
|
|
| D9.K8S.NET.28 | Verify that the scheduler API service is protected by authentication and authorization (Scheduler) (Openshift) | High | Modification |
|
|
|
|
| D9.AWS.AS.09 | Ensure that your Amazon MQ brokers are using the active/standby deployment mode | Low | New |
| |||
| D9.AWS.AS.10 | Ensure AWS MQ brokers have the Auto Minor Version Upgrade feature enabled | Low | New |
| |||
| D9.AWS.DR.05 | Ensure Amazon ElastiCache Redis clusters have the Multi-AZ feature enabled | Low | New |
| |||
| D9.AWS.DR.08 | Ensure AWS Neptune clusters have a sufficient backup retention period set | High | New |
| |||
| D9.AWS.NET.1002 | Ensure CloudFront origins don't use insecure SSL protocols | High | New |
| |||
| D9.AZU.NET.72 | Ensure that Oracle Database (TCP:1521) is restricted from the Internet | High | New |
| |||
| D9.AZU.NET.73 | Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019 | High | New |
| |||
| D9.K8S.CRY.47 | Ensure that the healthz endpoints for the scheduler are protected by RBAC (OpenShift) | High | New |
| |||
| D9.K8S.CRY.48 | Verify that the scheduler API service is protected by RBAC (OpenShift) | High | New |
| |||
| D9.K8S.IAM.28 | Use https for kubelet connections (OpenShift) | Critical | New |
| |||
| D9.K8S.IAM.87 | Ensure that the kubelet uses certificates to authenticate (OpenShift) | Critical | New |
| |||
| D9.K8S.IAM.88 | Ensure that the --request-timeout argument is set (OpenShift) | High | New |
| |||
| D9.K8S.IAM.89 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers (OpenShift) | Critical | New |
| |||
| D9.K8S.IAM.90 | Ensure that encryption providers are appropriately configured (OpenShift) | High | New |
| |||
| D9.K8S.IAM.91 | Ensure unsupported configuration overrides are not used (OpenShift) | Critical | New |
| |||
| D9.K8S.IAM.92 | Ensure that the admission control plugin SecurityContextConstraint is set (SCC)(Openshift) | High | New |
| |||
| D9.K8S.LOG.10 | Ensure that a minimal audit policy is created | High | New |
| |||
| D9.K8S.NET.13 | Ensure that the --insecure-port argument is set to 0 (OpenShift) | Critical | New |
| |||
| D9.K8S.NET.16 | Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager)(OpenShift) | Critical | New |
| |||
| D9.K8S.AC.25 | Limit binding of Anonymous User | Critical | New |
|
August 09 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.IAM.18 | Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account | Critical | Modification |
|
|
|
|
| D9.AWS.IAM.101 | Ensure that S3 Bucket policy doesn't have excessive permissions (Allowing all actions) | High | Modification |
|
|
|
|
| D9.AWS.NET.78 | Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP port | Medium | Modification |
|
|
|
|
| D9.AWS.NET.79 | Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP port | Medium | Modification |
|
|
|
|
| D9.AWS.NET.80 | Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP DB port | High | Modification |
|
|
|
|
| D9.AWS.NET.81 | Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP DB port | High | Modification |
|
|
|
|
| D9.AWS.NET.75 | Ensure no Lambda allows ingress from 0.0.0.0/0 to remote server administration ports | High | Modification |
|
|
|
|
| D9.AZU.IAM.46 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | High | Modification |
|
|
|
|
| D9.AZU.IAM.47 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | High | Modification |
|
|
|
|
| D9.AWS.IAM.19 | Ensure hardware MFA is enabled for the 'root' user account | Critical | Removal |
|
August 02 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.GCP.CRY.01 | Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | High | Modification |
|
|
|
|
| D9.GCP.CRY.03 | Ensure Oslogin Is Enabled for a Project | Medium | Modification |
|
|
|
|
| D9.GCP.IAM.02 | Ensure that Corporate Login Credentials are Used | High | Modification |
|
|
|
|
| D9.GCP.IAM.04 | Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account | High | Modification |
|
|
|
|
| D9.GCP.IAM.05 | Ensure That Service Account Has No Admin Privileges | High | Modification |
|
|
|
|
| D9.GCP.IAM.09 | Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible | Critical | Modification |
|
|
|
|
| D9.GCP.NET.11 | Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance | High | Modification |
|
|
|
|
| D9.GCP.NET.20 | Ensure That the Default Network Does Not Exist in a Project | Medium | Modification |
|
|
|
|
| D9.GCP.CRY.02 | Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances | High | Modification |
|
|
|
|
| D9.GCP.CRY.07 | Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL | High | Modification |
|
|
|
|
| D9.GCP.CRY.08 | Ensure Compute Instances Are Launched With Shielded VM Enabled | High | Modification |
|
|
|
|
| D9.GCP.CRY.09 | Ensure That Compute Instances Have Confidential Computing Enabled | High | Modification |
|
|
|
|
| D9.GCP.CRY.10 | Ensure That Compute Instances Do Not Have Public IP Addresses | High | Modification |
|
|
|
|
| D9.GCP.CRY.11 | Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible | High | Modification |
|
|
|
|
| D9.GCP.CRY.12 | Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets | High | Modification |
|
|
|
|
| D9.GCP.CRY.13 | Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | High | Modification |
|
|
|
|
| D9.GCP.CRY.14 | Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | High | Modification |
|
|
|
|
| D9.GCP.DR.01 | Ensure That Cloud SQL Database Instances Are Configured With Automated Backups | Low | Modification |
|
|
|
|
| D9.GCP.IAM.01 | Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | High | Modification |
|
|
|
|
| D9.GCP.IAM.03 | Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | High | Modification |
|
|
|
|
| D9.GCP.IAM.18 | Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | High | Modification |
|
|
|
|
| D9.GCP.IAM.21 | Ensure That Instances Are Not Configured To Use the Default Service Account | High | Modification |
|
|
|
|
| D9.GCP.IAM.22 | Ensure API Keys Are Rotated Every 90 Days | High | Modification |
|
|
|
|
| D9.GCP.IAM.23 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access | High | Modification |
|
|
|
|
| D9.GCP.IAM.24 | Ensure API Keys Only Exist for Active Services | High | Modification |
|
|
|
|
| D9.GCP.IAM.25 | Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | High | Modification |
|
|
|
|
| D9.GCP.IAM.26 | Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | High | Modification |
|
|
|
|
| D9.GCP.IAM.27 | Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled | Low | Modification |
|
|
|
|
| D9.GCP.IAM.28 | Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible | High | Modification |
|
|
|
|
| D9.GCP.LOG.03 | Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | Low | Modification |
|
|
|
|
| D9.GCP.LOG.06 | Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled) | Low | Modification |
|
|
|
|
| D9.GCP.LOG.12 | Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | Low | Modification |
|
|
|
|
| D9.GCP.LOG.13 | Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately | Low | Modification |
|
|
|
|
| D9.GCP.LOG.14 | Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | Low | Modification |
|
|
|
|
| D9.GCP.LOG.16 | Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' | Low | Modification |
|
|
|
|
| D9.GCP.LOG.17 | Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter | Low | Modification |
|
|
|
|
| D9.GCP.LOG.18 | Ensure That Cloud Audit Logging Is Configured Properly | Low | Modification |
|
|
|
|
| D9.GCP.LOG.19 | Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes | Low | Modification |
|
|
|
|
| D9.GCP.LOG.20 | Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes | Low | Modification |
|
|
|
|
| D9.GCP.LOG.21 | Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes | Low | Modification |
|
|
|
|
| D9.GCP.LOG.22 | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes | Low | Modification |
|
|
|
|
| D9.GCP.LOG.23 | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes | Low | Modification |
|
|
|
|
| D9.GCP.LOG.24 | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes | Low | Modification |
|
|
|
|
| D9.GCP.LOG.25 | Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | Low | Modification |
|
|
|
|
| D9.GCP.LOG.26 | Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes | Low | Modification |
|
|
|
|
| D9.GCP.LOG.27 | Ensure That Cloud DNS Logging Is Enabled for All VPC Networks | Low | Modification |
|
|
|
|
| D9.GCP.LOG.28 | Ensure That Sinks Are Configured for All Log Entries | Low | Modification |
|
|
|
|
| D9.GCP.NET.08 | Ensure That IP Forwarding Is Not Enabled on Instances | High | Modification |
|
|
|
|
| D9.GCP.NET.12 | Ensure That SSH Access Is Restricted From the Internet | High | Modification |
|
|
|
|
| D9.GCP.NET.13 | Ensure That RDP Access Is Restricted From the Internet | High | Modification |
|
|
|
|
| D9.GCP.NET.16 | Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | Medium | Modification |
|
|
|
|
| D9.GCP.NET.24 | Ensure That Cloud SQL Database Instances Do Not Have Public IPs | High | Modification |
|
|
|
|
| D9.GCP.NET.26 | Ensure That DNSSEC Is Enabled for Cloud DNS | High | Modification |
|
|
|
|
| D9.GCP.NET.27 | Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | High | Modification |
|
|
|
|
| D9.GCP.NET.28 | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | High | Modification |
|
|
|
|
| D9.GCP.NET.29 | Ensure No HTTPS Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites | High | Modification |
|
|
|
|
| D9.GCP.NET.31 | Ensure Legacy Networks Do Not Exist for Older Projects | High | Modification |
|
|
|
|
| D9.GCP.VLN.02 | Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' | Medium | Modification |
|
|
|
|
| D9.GCP.VLN.05 | Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' | Medium | Modification |
|
|
|
|
| D9.ALI.CRY.04 | Ensure that 'Virtual Machine's disk' are encrypted | High | Modification |
|
|
|
|
| D9.ALI.CRY.05 | Ensure server-side encryption is set to 'Encrypt with BYOK' | High | Modification |
|
|
|
|
| D9.ALI.CRY.06 | Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key) | High | Modification |
|
|
|
|
| D9.ALI.CRY.07 | Ensure that 'TDE' is set to 'Enabled' on for applicable database instance | High | Modification |
|
|
|
|
| D9.ALI.IAM.01 | Ensure no root account access key exists | High | Modification |
|
|
|
|
| D9.ALI.IAM.04 | Ensure users not logged on for 90 days or longer are disabled for console logon | High | Modification |
|
|
|
|
| D9.ALI.IAM.08 | Ensure RAM policies that allow full '*:*' administrative privileges are not created | High | Modification |
|
|
|
|
| D9.ALI.IAM.09 | Ensure RAM password policy prevents password reuse | High | Modification |
|
|
|
|
| D9.ALI.IAM.10 | Ensure RAM password policy requires at least one uppercase letter | Low | Modification |
|
|
|
|
| D9.ALI.IAM.11 | Ensure RAM password policy requires at least one lowercase letter | Low | Modification |
|
|
|
|
| D9.ALI.IAM.12 | Ensure RAM password policy require at least one symbol | Low | Modification |
|
|
|
|
| D9.ALI.IAM.13 | Ensure RAM password policy require at least one number | Low | Modification |
|
|
|
|
| D9.ALI.IAM.14 | Ensure RAM password policy expires passwords within 90 days or less | Low | Modification |
|
|
|
|
| D9.ALI.IAM.15 | Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour | High | Modification |
|
|
|
|
| D9.ALI.LOG.10 | Ensure Security Center Network, Host and Security log analysis is enabled | High | Modification |
|
|
|
|
| D9.ALI.MON.02 | Ensure that 'Auditing' Retention is 'greater than 6 months' | Low | Modification |
|
|
|
|
| D9.ALI.NET.02 | Ensure legacy networks does not exist | High | Modification |
|
|
|
|
| D9.ALI.NET.16 | Ensure VPC flow logging is enabled in all VPCs | High | Modification |
|
|
|
|
| D9.ALI.VLN.01 | Ensure that Security Center is Advanced or Enterprise Edition | High | Modification |
|
|
|
|
| D9.ALI.VLN.02 | Ensure that all assets are installed with security agent | High | Modification |
|
|
|
|
| D9.ALI.VLN.03 | Ensure that Automatic Quarantine is enabled | High | Modification |
|
|
|
|
| D9.ALI.VLN.04 | Ensure that Webshell detection is enabled on all web servers | High | Modification |
|
|
|
|
| D9.ALI.VLN.05 | Ensure that notification is enabled on all high risk items | Low | Modification |
|
|
|
|
| D9.ALI.VLN.06 | Ensure that Config Assessment is granted with privilege | Low | Modification |
|
|
|
|
| D9.ALI.VLN.07 | Ensure that scheduled vulnerability scan is enabled on all servers | High | Modification |
|
|
|
|
| D9.ALI.VLN.09 | Ensure that the latest OS Patches for all Virtual Machines are applied | High | Modification |
|
|
|
|
| D9.OCI.AS.01 | Create at least one compartment in your tenancy to store cloud resources | Low | Modification |
|
|
|
|
| D9.OCI.AS.02 | Ensure no VCNs are created in the root compartment | Low | Modification |
|
|
|
|
| D9.OCI.AS.03 | Ensure no instances created in the root compartment | Low | Modification |
|
|
|
|
| D9.OCI.AS.04 | Ensure no volumes are created in the root compartment | Low | Modification |
|
|
|
|
| D9.OCI.AS.05 | Ensure no filesystems are created in the root compartment | Low | Modification |
|
|
|
|
| D9.OCI.AS.06 | Ensure no buckets are created in the root compartment | Low | Modification |
|
|
|
|
| D9.OCI.AS.07 | Ensure no autonomousdatabases are created in the root compartment | Low | Modification |
|
|
|
|
| D9.OCI.CRY.04 | Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK) | High | Modification |
|
|
|
|
| D9.OCI.IAM.02 | Ensure IAM password policy requires minimum length of 14 or greater | High | Modification |
|
|
|
|
| D9.OCI.IAM.03 | Ensure MFA is enabled for all users with a console password | Low | Modification |
|
|
|
|
| D9.OCI.IAM.04 | Ensure all OCI IAM user accounts have a valid and current email address | Low | Modification |
|
|
|
|
| D9.OCI.IAM.05 | Ensure user API keys rotate within 90 days or less | High | Modification |
|
|
|
|
| D9.OCI.IAM.06 | Ensure user customer secret keys rotate within 90 days or less | Low | Modification |
|
|
|
|
| D9.OCI.IAM.07 | Ensure user auth tokens rotate within 90 days or less | Low | Modification |
|
|
|
|
| D9.OCI.IAM.08 | Ensure permissions on all resources are given only to the tenancy administrator group | High | Modification |
|
|
|
|
| D9.OCI.IAM.09 | Ensure IAM administrators cannot update tenancy Administrators group | High | Modification |
|
|
|
|
| D9.OCI.IAM.10 | Ensure API keys are not created for tenancy administrator users | High | Modification |
|
|
|
|
| D9.OCI.LOG.01 | Ensure default tags are used on resources | Low | Modification |
|
|
|
|
| D9.OCI.LOG.02 | Ensure VCN flow logging is enabled for all subnets | Low | Modification |
|
|
|
|
| D9.OCI.LOG.03 | Ensure write level Object Storage logging is enabled for all buckets | Low | Modification |
|
|
|
|
| D9.OCI.LOG.04 | Create at least one notification topic and subscription to receive monitoring alerts | Low | Modification |
|
|
|
|
| D9.OCI.LOG.05 | Ensure a notification is configured for Identity Provider changes | Low | Modification |
|
|
|
|
| D9.OCI.LOG.06 | Ensure a notification is configured for IdP group mapping changes | Low | Modification |
|
|
|
|
| D9.OCI.LOG.07 | Ensure a notification is configured for IAM group changes | Low | Modification |
|
|
|
|
| D9.OCI.LOG.09 | Ensure a notification is configured for user changes | Low | Modification |
|
|
|
|
| D9.OCI.LOG.10 | Ensure a notification is configured for VCN changes | Low | Modification |
|
|
|
|
| D9.OCI.LOG.11 | Ensure a notification is configured for changes to route tables | Low | Modification |
|
|
|
|
| D9.OCI.LOG.12 | Ensure a notification is configured for security list changes | Low | Modification |
|
|
|
|
| D9.OCI.LOG.13 | Ensure a notification is configured for network security group changes | Low | Modification |
|
|
|
|
| D9.OCI.LOG.14 | Ensure a notification is configured for changes to network gateways | Low | Modification |
|
|
|
|
| D9.OCI.NET.01 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 | Critical | Modification |
|
|
|
|
| D9.OCI.NET.02 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 | Critical | Modification |
|
|
|
|
| D9.OCI.NET.03 | Ensure the default security list of every VCN restricts all traffic except ICMP | High | Modification |
|
|
|
|
| D9.OCI.NET.04 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 | Critical | Modification |
|
|
|
|
| D9.OCI.NET.05 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 | Critical | Modification |
|
|
|
|
| D9.OCI.NET.07 | Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network | High | Modification |
|
|
|
|
| D9.OCI.OPE.01 | Ensure Versioning is Enabled for Object Storage Buckets | Low | Modification |
|
|
|
|
| D9.OCI.OPE.02 | Ensure Cloud Guard is enabled in the root compartment of the tenancy | Low | Modification |
|
|
|
|
July 26 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.CRY.35 | Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' | High | Modification |
|
|
|
|
| D9.AZU.CRY.45 | Ensure FTP deployments are Disabled | Low | Modification |
|
|
|
|
| D9.AZU.IAM.50 | Ensure that an exclusionary Geographic Access Policy is considered | Low | Modification |
|
|
|
|
| D9.AWS.VLN.07 | Ensure AWS Security Hub is enabled | Low | Modification |
|
|
|
|
| D9.OCI.NET.04 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22. | Critical | Modification |
|
|
|
|
| D9.OCI.NET.05 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389. | Critical | Modification |
|
|
|
|
| D9.AZU.NET.38 | Ensure FTP deployments are disabled | High | Removal |
|
July 19 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.08 | SSL/TLS certificates expire in one week | High | Modification |
|
|
|
|
| D9.AWS.CRY.10 | ELB secured listener certificate expires in one week | High | Modification |
|
|
|
|
| D9.AWS.CRY.12 | ALB secured listener certificate expires in one week | High | Modification |
|
|
|
|
| D9.AWS.IAM.18 | Ensure MFA is enabled for the 'root' user account | Critical | Modification |
|
|
|
|
| D9.AZU.CRY.18 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | High | Modification |
|
|
|
|
| D9.AZU.LOG.12 | Ensure that logging for Azure Key Vault is 'Enabled' | Low | Modification |
|
|
|
|
| D9.AZU.NET.01 | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | High | Modification |
|
|
|
|
| D9.AZU.NET.18 | Ensure Azure Application Gateway Web application firewall (WAF) is enabled | High | Modification |
|
|
|
|
| D9.AZU.NET.20 | Ensure that Resource Locks are set for Mission-Critical Azure Resources | Low | Modification |
|
|
|
|
| D9.AZU.NET.26 | Ensure that RDP access from the Internet is evaluated and restricted | High | Modification |
|
|
|
|
| D9.AZU.NET.27 | Ensure that SSH access from the Internet is evaluated and restricted | High | Modification |
|
|
|
|
| D9.AZU.CRY.01 | Ensure Azure Key Vaults are Used to Store Secrets | High | Modification |
|
|
|
|
| D9.AZU.CRY.12 | Ensure that the Expiration Date is set for all Keys in Key Vaults | Low | Modification |
|
|
|
|
| D9.AZU.CRY.13 | Ensure that the Expiration Date is set for all Secrets in Key Vaults | Low | Modification |
|
|
|
|
| D9.AZU.CRY.14 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | Low | Modification |
|
|
|
|
| D9.AZU.CRY.16 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | Low | Modification |
|
|
|
|
| D9.AZU.CRY.21 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | High | Modification |
|
|
|
|
| D9.AZU.CRY.24 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | High | Modification |
|
|
|
|
| D9.AZU.CRY.26 | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | Low | Modification |
|
|
|
|
| D9.AZU.CRY.27 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Low | Modification |
|
|
|
|
| D9.AZU.CRY.35 | Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | High | Modification |
|
|
|
|
| D9.AZU.CRY.37 | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | High | Modification |
|
|
|
|
| D9.AZU.CRY.39 | Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | High | Modification |
|
|
|
|
| D9.AZU.CRY.40 | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | Low | Modification |
|
|
|
|
| D9.AZU.CRY.41 | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | Low | Modification |
|
|
|
|
| D9.AZU.CRY.42 | Ensure that 'Java version' is the latest, if used to run the Web App | Low | Modification |
|
|
|
|
| D9.AZU.IAM.08 | Ensure App Service Authentication is set up for apps in Azure App Service - Webapp | High | Modification |
|
|
|
|
| D9.AZU.IAM.14 | Ensure App Service Authentication is set up for apps in Azure App Service - FunctionApp | High | Modification |
|
|
|
|
| D9.AZU.IAM.41 | Ensure Guest Users Are Reviewed on a Regular Basis | Low | Modification |
|
|
|
|
| D9.AZU.IAM.45 | Ensure That 'Number of methods required to reset' is set to '2' | Low | Modification |
|
|
|
|
| D9.AZU.LOG.06 | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Low | Modification |
|
|
|
|
| D9.AZU.LOG.10 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Low | Modification |
|
|
|
|
| D9.AZU.LOG.13 | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | High | Modification |
|
|
|
|
| D9.AZU.LOG.16 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Low | Modification |
|
|
|
|
| D9.AZU.LOG.17 | Ensure that Endpoint Protection for all Virtual Machines is installed | High | Modification |
|
|
|
|
| D9.AZU.MON.21 | Ensure that 'Auditing' is set to 'On' | Low | Modification |
|
|
|
|
| D9.AZU.MON.22 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Low | Modification |
|
|
|
|
| D9.AZU.MON.25 | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | Low | Modification |
|
|
|
|
| D9.AZU.MON.47 | Ensure that a 'Diagnostic Setting' exists | Low | Modification |
|
|
|
|
| D9.AZU.MON.58 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Low | Modification |
|
|
|
|
| D9.AZU.MON.63 | Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | Low | Modification |
|
|
|
|
| D9.AZU.MON.64 | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | Low | Modification |
|
|
|
|
| D9.AZU.MON.65 | Ensure That Microsoft Defender for Servers Is Set to 'On' | High | Modification |
|
|
|
|
| D9.AZU.MON.66 | Ensure That Microsoft Defender for App Services Is Set To 'On' | High | Modification |
|
|
|
|
| D9.AZU.MON.67 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | High | Modification |
|
|
|
|
| D9.AZU.MON.68 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | High | Modification |
|
|
|
|
| D9.AZU.MON.69 | Ensure That Microsoft Defender for Storage Is Set To 'On' | High | Modification |
|
|
|
|
| D9.AZU.MON.71 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | High | Modification |
|
|
|
|
| D9.AZU.MON.72 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | High | Modification |
|
|
|
|
| D9.AZU.MON.73 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | High | Modification |
|
|
|
|
| D9.AZU.MON.74 | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | High | Modification |
|
|
|
|
| D9.AZU.VLN.01 | Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | Low | Modification |
|
|
|
|
| D9.AZU.NET.24 | Ensure Default Network Access Rule for Storage Accounts is Set to Deny | High | Modification |
|
|
|
|
| D9.AZU.NET.25 | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | Low | Modification |
|
|
|
|
| D9.AZU.NET.66 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Critical | Modification |
|
|
|
|
| D9.AWS.LOG.19 | Ensure that Object-level logging for write events is enabled for S3 bucket | Low | Modification |
|
|
|
|
| D9.AZU.IAM.03 | Ensure that Azure Active Directory Admin is Configured for SQL Servers | Low | Modification |
|
|
|
|
| D9.AWS.IAM.53 | Ensure AWS IAM policies do not grant 'assume role' permission across all services | High | Modification |
|
|
|
|
| D9.AZU.IAM.46 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | High | Modification |
|
|
|
|
| D9.AZU.IAM.47 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | High | Modification |
|
|
|
|
| D9.AZU.IAM.51 | Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | Low | New |
| |||
| D9.AZU.IAM.52 | Ensure that A Multi-factor Authentication Policy Exists for All Users | Low | New |
| |||
| D9.AZU.IAM.53 | Ensure Multi-factor Authentication is Required for Risky Sign-ins | Low | New |
| |||
| D9.AZU.IAM.54 | Ensure Multi-factor Authentication is Required for Azure Management | Low | New |
| |||
| D9.AZU.NET.62 | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | High | Modification |
|
|
|
|
| D9.AZU.NET.64 | Ensure That Private Endpoints Are Used Where Possible | Medium | Modification |
|
|
|
|
| D9.AWS.IAM.19 | Ensure hardware MFA is enabled for the 'root' user account | Critical | New |
|
July 12 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.CRY.46 | Ensure FTP deployments are Disabled for FunctionApp | Low | Modification |
|
|
|
|
| D9.AWS.IAM.102 | Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone. | Critical | Modification |
|
|
|
|
| D9.AWS.CRY.84 | CodeBuild S3 logs should be encrypted | High | Modification |
|
|
|
|
| D9.AZU.IAM.49 | Ensure Trusted Locations Are Defined | Low | New |
| |||
| D9.AZU.IAM.50 | Ensure that an exclusionary Geographic Access Policy is considered. | Low | New |
| |||
| D9.AZU.MON.81 | Ensure that Storage Account has Microsoft Defender for Cloud enabled | Low | New |
|
July 05 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.05 | Ensure that encryption-at-rest is enabled for RDS Instances | High | Modification |
|
|
|
|
| D9.AWS.CRY.22 | Ensure that encryption is enabled for EFS file systems | High | Modification |
|
|
|
|
| D9.AWS.IAM.01 | Eliminate use of the 'root' user for administrative and daily tasks | High | Modification |
|
|
|
|
| D9.AWS.IAM.16 | Ensure no 'root' user account access key exists | High | Modification |
|
|
|
|
| D9.AWS.IAM.27 | Ensure IAM policies that allow full '*:*' administrative privileges are not attached | High | Modification |
|
|
|
|
| D9.AWS.IAM.43 | Ensure MFA Delete is enabled on S3 buckets | Low | Modification |
|
|
|
|
| D9.AWS.LOG.03 | Ensure CloudTrail trails are integrated with CloudWatch Logs | Low | Modification |
|
|
|
|
| D9.AWS.MON.01 | Ensure unauthorized API calls are monitored | Low | Modification |
|
|
|
|
| D9.AWS.MON.02 | Ensure management console sign-in without MFA is monitored | Low | Modification |
|
|
|
|
| D9.AWS.MON.04 | Ensure IAM policy changes are monitored | Low | Modification |
|
|
|
|
| D9.AWS.MON.05 | Ensure CloudTrail configuration changes are monitored | Low | Modification |
|
|
|
|
| D9.AWS.MON.07 | Ensure disabling or scheduled deletion of customer created CMKs is monitored | Low | Modification |
|
|
|
|
| D9.AWS.MON.08 | Ensure S3 bucket policy changes are monitored | Low | Modification |
|
|
|
|
| D9.AWS.MON.09 | Ensure AWS Config configuration changes are monitored | Low | Modification |
|
|
|
|
| D9.AWS.MON.11 | Ensure Network Access Control Lists (NACL) changes are monitored | Low | Modification |
|
|
|
|
| D9.AWS.MON.12 | Ensure changes to network gateways are monitored | Low | Modification |
|
|
|
|
| D9.AWS.MON.13 | Ensure route table changes are monitored | Low | Modification |
|
|
|
|
| D9.AWS.MON.14 | Ensure VPC changes are monitored | Low | Modification |
|
|
|
|
| D9.AWS.NET.17 | Ensure that public access is not given to RDS Instance | Critical | Modification |
|
|
|
|
| D9.AWS.MON.06 | Ensure AWS Management Console authentication failures are monitored | Low | Modification |
|
|
|
|
| D9.AWS.MON.10 | Ensure security group changes are monitored | Low | Modification |
|
|
|
|
| D9.AWS.LOG.19 | Ensure that object-level logging is enabled for S3 buckets | Low | Modification |
|
|
|
|
| D9.AWS.IAM.51 | Ensure there is only one active access key available for any single IAM user | High | Modification |
|
|
|
|
| D9.AWS.NET.72 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | Critical | Modification |
|
|
|
|
| D9.AWS.NET.90 | Ensure that EC2 Metadata Service only allows IMDSv2 | Medium | Modification |
|
|
|
|
| D9.AWS.CRY.53 | Ensure that sensitive parameters are encrypted | High | Modification |
|
|
|
|
| D9.AWS.CRY.61 | Ensure EBS Volume Encryption is Enabled in all Regions | High | Modification |
|
|
|
|
| D9.AWS.CRY.83 | Attached EBS volumes should be encrypted at-rest | Medium | New |
| |||
| D9.AWS.CRY.84 | CodeBuild S3 logs should be encrypted | Low | New |
| |||
| D9.AWS.CRY.85 | DynamoDB Accelerator (DAX) clusters should be encrypted at rest | Medium | New |
| |||
| D9.AWS.CRY.86 | Connections to Amazon Redshift clusters should be encrypted in transit | Medium | New |
| |||
| D9.AWS.IAM.66 | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | Low | Modification |
|
|
|
|
| D9.AWS.MON.24 | Ensure AWS Organizations changes are monitored | Low | Modification |
|
|
|
|
| D9.AWS.OPE.08 | Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances | Low | Modification |
|
|
|
|
| D9.AZU.IAM.48 | Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' | Low | New |
| |||
| D9.AWS.CRY.77 | Ensure rotation for customer created symmetric CMKs is enabled | High | Modification |
|
|
|
|
| D9.AZU.MON.87 | Ensure Application Insights are Configured | Low | New |
| |||
| D9.AWS.AS.01 | Instances outside of Europe region | Low | Modification |
|
|
|
|
| D9.AWS.AS.02 | S3 Buckets outside of Europe | Low | Modification |
|
|
|
|
| D9.GCP.CRY.16 | Enable 2FA for VM Instances using OS Login | Medium | New |
| |||
| D9.AWS.CRY.82 | S3 buckets should have server-side encryption enabled | Medium | Removal |
| |||
| D9.GCP.IAM.30 | Ensure Essential Contacts are defined for your Google Cloud organization | High | Removal |
| |||
| D9.AWS.CRY.71 | Ensure that encryption is enabled for AWS RDS DB Cluster Snapshot | High | Removal |
| |||
| D9.AWS.CRY.72 | Ensure that encryption is enabled for AWS RDS DB Snapshot | High | Removal |
|
June 28 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.04 | Ensure S3 Bucket Policy is set to deny HTTP requests | High | Modification |
|
|
|
|
| D9.AWS.LOG.23 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | High | Modification |
|
|
|
|
| D9.K8S.IAM.38 | Minimize the admission of containers with added capabilities (PSP) | High | Modification |
|
|
|
|
| D9.AWS.CRY.82 | S3 buckets should have server-side encryption enabled | Medium | New |
| |||
| D9.AWS.NET.36 | AWS Cloud Front - WAF Integration | Medium | Modification |
|
|
|
|
| D9.AZU.CRY.49 | Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' | Low | New |
| |||
| D9.AZU.CRY.50 | Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | High | New |
| |||
| D9.AZU.CRY.51 | Enable Role Based Access Control for Azure Key Vault | High | New |
| |||
| D9.AZU.LOG.18 | Ensure that logging for Azure AppService 'HTTP logs' is enabled | Low | New |
| |||
| D9.AZU.MON.85 | Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | Low | New |
| |||
| D9.AZU.MON.86 | Ensure the 'ServiceAdmin' role is listed as an email recipient for Defender alerts | Low | New |
| |||
| D9.ALI.CRY.05 | Ensure server-side encryption is set to 'Encrypt with BYOK'. | High | New |
| |||
| D9.ALI.CRY.06 | Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key). | High | New |
| |||
| D9.ALI.CRY.07 | Ensure that 'TDE' is set to 'Enabled' on for applicable database instance. | High | New |
| |||
| D9.ALI.IAM.18 | Ensure that multi-factor authentication is enabled for all RAM users that have a console password | High | New |
| |||
| D9.ALI.IAM.19 | Ensure access keys are rotated every 90 days or less | High | New |
| |||
| D9.ALI.LOG.02 | Ensure that ActionTrail are configured to export copies of all Log entries | High | New |
| |||
| D9.ALI.LOG.03 | Ensure the OSS used to store ActionTrail logs is not publicly accessible | High | New |
| |||
| D9.ALI.LOG.10 | Ensure Security Center Network, Host and Security log analysis is enabled. | High | New |
| |||
| D9.ALI.LOG.25 | Ensure parameter 'log_connections' is set to 'ON' for PostgreSQL Database | Low | New |
| |||
| D9.ALI.LOG.26 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Low | New |
| |||
| D9.ALI.LOG.27 | Ensure server parameter 'log_duration is set to 'ON' for PostgreSQL Database Server | Low | New |
| |||
| D9.ALI.MON.01 | Ensure that 'Auditing' is set to 'On' for applicable database instances | Low | New |
| |||
| D9.ALI.MON.02 | Ensure that 'Auditing' Retention is 'greater than 6 months'. | Low | New |
| |||
| D9.ALI.NET.11 | Ensure network access rule for storage bucket is not set to publicly accessible | High | New |
| |||
| D9.ALI.NET.12 | Ensure that RDS instance requires all incoming connections to use SSL | High | New |
| |||
| D9.ALI.NET.13 | Ensure that RDS Instances are not open to the world | High | New |
| |||
| D9.ALI.NET.15 | Ensure that SSH access is restricted from the internet | High | New |
| |||
| D9.ALI.NET.16 | Ensure VPC flow logging is enabled in all VPCs. | High | New |
| |||
| D9.ALI.VLN.01 | Ensure that Security Center is Advanced or Enterprise Edition. | High | New |
| |||
| D9.ALI.VLN.02 | Ensure that all assets are installed with security agent. | High | New |
| |||
| D9.ALI.VLN.03 | Ensure that Automatic Quarantine is enabled. | High | New |
| |||
| D9.ALI.VLN.04 | Ensure that Webshell detection is enabled on all web servers. | High | New |
| |||
| D9.ALI.VLN.05 | Ensure that notification is enabled on all high risk items. | Low | New |
| |||
| D9.ALI.VLN.06 | Ensure that Config Assessment is granted with privilege. | Low | New |
| |||
| D9.ALI.VLN.07 | Ensure that scheduled vulnerability scan is enabled on all servers. | High | New |
| |||
| D9.ALI.VLN.09 | Ensure that the latest OS Patches for all Virtual Machines are applied. | High | New |
| |||
| D9.AZU.LOG.07 | Ensure that a Log Profile exists | Low | Removal |
|
June 21 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.78 | CloudFront distributions should require encryption in transit | Medium | New |
| |||
| D9.AWS.CRY.79 | CloudFront distributions should encrypt traffic to custom origins | Medium | New |
| |||
| D9.AWS.CRY.80 | RDS cluster snapshots should be encrypted at rest | Medium | New |
| |||
| D9.AWS.CRY.81 | RDS database snapshots should be encrypted at rest | Medium | New |
|
June 14 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.IAM.46 | Ensure that multi-factor authentication is enabled for all privileged users | High | New |
| |||
| D9.AZU.IAM.47 | Ensure that multi-factor authentication is enabled for all non-privileged users | High | New |
| |||
| D9.AWS.CRY.77 | Ensure KMS CMK have key rotation enabled | High | Modification |
|
|
|
|
| D9.AWS.LOG.09 | Ensure rotation for customer created CMKs is enabled | Low | Removal |
| |||
| D9.AZU.MON.03 | Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled | Low | Removal |
|
June 07 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.K8S.IAM.02 | Ensure that the --anonymous-auth argument is set to false (Kubelet) | High | Modification |
|
|
|
|
| D9.K8S.MON.01 | Ensure that the --event-qps argument is set to 0 (Kubelet) | Low | Modification |
|
|
|
|
| D9.K8S.NET.01 | Ensure that the --client-ca-file argument is set as appropriate (Kubelet) | High | Modification |
|
|
|
|
| D9.K8S.NET.03 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Kubelet) | High | Modification |
|
|
|
|
| D9.K8S.NET.04 | Ensure that the --make-iptables-util-chains argument is set to true (Kubelet) | Medium | Modification |
|
|
|
|
| D9.K8S.OPE.01 | Ensure that the --protect-kernel-defaults argument is set to true (Kubelet) | High | Modification |
|
|
|
|
| D9.GCP.CRY.14 | Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK) | High | Modification |
|
|
|
|
| D9.K8S.CRY.01 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet) | High | Modification |
|
|
|
|
| D9.K8S.CRY.02 | Ensure that the --rotate-certificates argument is not set to false (Kubelet) | High | Modification |
|
|
|
|
| D9.K8S.CRY.03 | Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet) | High | Modification |
|
|
|
|
| D9.AWS.CRY.77 | Ensure KMS CMK have key rotation enabled | High | Modification |
|
|
|
|
| D9.AWS.IAM.114 | Ensure API gateway policy limits public access | High | New |
| |||
| D9.AWS.NET.95 | Ensure API gateway has WAF | Low | New |
|
May 31 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.IAM.59 | Ensure that VPC Endpoint policy does not provide excessive permissions | High | Modification |
|
|
|
|
| D9.GCP.IAM.29 | Ensure unrestricted API keys are not available within your GCP projects | High | New |
| |||
| D9.GCP.IAM.30 | Ensure Essential Contacts are defined for your Google Cloud organization | High | New |
|
May 24 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.68 | Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses Customer Master Keys (CMK) | Low | Modification |
|
|
|
|
| D9.AWS.NET.94 | Ensure security groups associated with EKS cluster do not have inbound rules with a scope of 0.0.0.0/0 | Medium | New |
| |||
| D9.AWS.OPE.25 | Ensure EKS cluster version is up-to-date | Informational | New |
| |||
| D9.AWS.IAM.70 | Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version | Critical | Removal |
| |||
| D9.AWS.IAM.42 | S3 buckets should not grant any external privileges via ACL | High | Removal |
|
May 17 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.03 | Ensure that S3 Buckets are encrypted with CMK | High | Modification |
|
|
|
|
| D9.AZU.NET.24 | Ensure default network access rule for Storage Accounts is set to deny | High | Modification |
|
|
|
|
| D9.AWS.IAM.52 | Ensure AWS IAM policies allow only the required privileges for each role | Low | Modification |
|
|
|
|
| D9.AZU.MON.82 | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | Low | New |
| |||
| D9.AZU.MON.83 | Ensure that Activity Log Alert exists for Delete Public IP Address rule | Low | New |
| |||
| D9.AZU.MON.84 | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | Low | New |
| |||
| D9.AZU.NET.68 | Ensure Private Endpoints are used to access Storage Accounts | Medium | New |
| |||
| D9.AZU.NET.69 | Ensure that Private Endpoints are Used for Azure Key Vault | Medium | New |
| |||
| D9.AZU.NET.70 | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | Low | New |
| |||
| D9.AWS.VLN.07 | Ensure AWS Security Hub is enabled. | Low | New |
| |||
| D9.AZU.NET.71 | Ensure an Azure Bastion Host Exists | Medium | New |
| |||
| D9.AWS.VLN.08 | Ensure Lambda functions are not using deprecated runtimes | High | New |
| |||
| D9.ALI.IAM.01 | Ensure no root account access key exists. | High | Modification |
|
|
|
|
May 10 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.77 | Ensure KMS CMK have key rotation enabled | High | New |
| |||
| D9.AWS.IAM.113 | Amazon EBS snapshots should not be publicly accessible | High | New |
| |||
| D9.AWS.VLN.01 | EC2 Instance - there shouldn't be any High level findings in Inspector Scans | High | Removal |
| |||
| D9.AWS.VLN.07 | Ensure that enhance scanning is enabled for all repositories | High | Removal |
|
May 03 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AZU.IAM.45 | Ensure that 'Number of methods required to reset' is set to '2' | Low | New |
| |||
| D9.AZU.MON.75 | Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | High | New |
| |||
| D9.AZU.MON.76 | Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | High | New |
| |||
| D9.AZU.MON.78 | Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' | High | New |
| |||
| D9.AZU.MON.79 | Ensure That Microsoft Defender for DNS Is Set To 'On' | High | New |
| |||
| D9.AZU.MON.80 | Ensure That Microsoft Defender for Databases Is Set To 'On' | High | New |
| |||
| D9.AZU.MON.77 | Ensure That Microsoft Defender for Containers Is Set To 'On' | High | New |
| |||
| D9.AWS.CRY.71 | Ensure that encryption is enabled for AWS RDS DB Cluster Snapshot | High | New |
| |||
| D9.AWS.CRY.72 | Ensure that encryption is enabled for AWS RDS DB Snapshot | High | New |
| |||
| D9.AWS.CRY.70 | Ensure that encryption is enabled for AWS RDSDBCluster Storage | High | New |
| |||
| D9.AWS.CRY.73 | Ensure that user Volume Encryption is enabled for AWS Workspace | High | New |
| |||
| D9.AWS.CRY.74 | Ensure that root Volume Encryption is enabled for AWS Workspace | High | New |
| |||
| D9.AWS.CRY.76 | Ensure that encryption is enabled for AWS EBS Snapshot | High | New |
| |||
| D9.ALI.CRY.02 | Ensure server-side encryption is set to 'Encrypt with Service Key' | High | Modification |
|
|
|
|
| D9.ALI.CRY.03 | Ensure that 'Unattached disks' are encrypted | High | Modification |
|
|
|
|
| D9.ALI.CRY.04 | Ensure that Virtual Machine's Disks are encrypted | High | Modification |
|
|
|
|
| D9.ALI.LOG.01 | Ensure that logging is enabled for OSS buckets | Low | Modification |
|
|
|
|
| D9.ALI.NET.03 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | High | Modification |
|
|
|
|
| D9.ALI.NET.04 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | High | Modification |
|
|
|
|
April 24 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.OCI.LOG.06 | Ensure a notification is configured for IdP group mapping changes. | Low | Modification |
|
|
|
|
April 19 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.IAM.112 | Enforce Password Policy | High | New |
| |||
| D9.AWS.MON.26 | Ensure a log metric filter and alarm exist for EC2 instance changes | Medium | New |
| |||
| D9.AWS.MON.27 | Ensure a log metric filter and alarm exist for EC2 Large instance changes | Medium | New |
| |||
| D9.AWS.NET.93 | Ensure EMR clusters nodes should not have public IP | High | New |
| |||
| D9.AWS.IAM.111 | Credentials report was generated in the last 24 hours | Low | New |
| |||
| D9.OCI.CRY.05 | Ensure customer created Customer Managed Key (CMK) is rotated at least annually | High | New |
| |||
| D9.AWS.OPE.23 | Ensure that the Cross-Region Replication feature is enabled for your Amazon ECR container images. | Low | New |
| |||
| D9.AWS.OPE.24 | Ensure that Amazon ECR image repositories are using lifecycle policies. | Low | New |
| |||
| D9.AWS.VLN.07 | Ensure that enhance scanning is enabled for all repositories | High | New |
| |||
| D9.ALI.CRY.01 | Ensure that 'Secure transfer required' is set to 'Enabled' | High | Modification |
|
|
|
|
| D9.ALI.IAM.04 | Ensure users not logged on for 90 days or longer are disabled for console logon. | High | Modification |
|
|
|
|
| D9.ALI.IAM.08 | Ensure RAM policies that allow full "*:*" administrative privileges are not created | High | Modification |
|
|
|
|
| D9.ALI.IAM.09 | Ensure RAM password policy prevents password reuse. | High | Modification |
|
|
|
|
| D9.ALI.IAM.10 | Ensure RAM password policy requires at least one uppercase letter. | Low | Modification |
|
|
|
|
| D9.ALI.IAM.11 | Ensure RAM password policy requires at least one lowercase letter. | Low | Modification |
|
|
|
|
| D9.ALI.IAM.12 | Ensure RAM password policy require at least one symbol. | Low | Modification |
|
|
|
|
| D9.ALI.IAM.13 | Ensure RAM password policy require at least one number. | Low | Modification |
|
|
|
|
| D9.ALI.IAM.14 | Ensure RAM password policy expires passwords within 90 days or less. | Low | Modification |
|
|
|
|
| D9.ALI.IAM.15 | Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour. | High | Modification |
|
|
|
|
| D9.ALI.IAM.16 | Ensure RAM password policy requires minimum length of 14 or greater | Low | Modification |
|
|
|
|
| D9.ALI.NET.02 | Ensure legacy networks does not exist. | High | Modification |
|
|
|
|
| D9.AWS.PRE.02 | Enforce Password Policy | High | Removal |
| |||
| D9.AWS.PRE.01 | Credentials report was generated in the last 24 hours | Low | Removal |
|
March 29 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.CRY.59 | Ensure ACM certificate was not issued before the Heartbleed security bug fix | Critical | Modification |
|
|
|
|
| D9.OCI.AS.01 | Create at least one compartment in your tenancy to store cloud resources. | Low | New |
| |||
| D9.OCI.AS.02 | Ensure no VCNs are created in the root compartment. | Low | New |
| |||
| D9.OCI.AS.03 | Ensure no instances created in the root compartment. | Low | New |
| |||
| D9.OCI.AS.04 | Ensure no volumes are created in the root compartment. | Low | New |
| |||
| D9.OCI.AS.05 | Ensure no filesystems are created in the root compartment. | Low | New |
| |||
| D9.OCI.AS.06 | Ensure no buckets are created in the root compartment. | Low | New |
| |||
| D9.OCI.AS.07 | Ensure no autonomousdatabases are created in the root compartment. | Low | New |
| |||
| D9.OCI.CRY.01 | Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK). | High | New |
| |||
| D9.OCI.CRY.02 | Ensure Block Volumes are encrypted with Customer Managed Keys (CMK). | High | New |
| |||
| D9.OCI.CRY.03 | Ensure boot volumes are encrypted with Customer Managed Key (CMK). | High | New |
| |||
| D9.OCI.CRY.04 | Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK). | High | New |
| |||
| D9.OCI.IAM.01 | Ensure no Object Storage buckets are publicly visible. | High | New |
| |||
| D9.OCI.IAM.02 | Ensure IAM password policy requires minimum length of 14 or greater. | High | New |
| |||
| D9.OCI.IAM.03 | Ensure MFA is enabled for all users with a console password. | Low | New |
| |||
| D9.OCI.IAM.04 | Ensure all OCI IAM user accounts have a valid and current email address. | Low | New |
| |||
| D9.OCI.IAM.05 | Ensure user API keys rotate within 90 days or less. | High | New |
| |||
| D9.OCI.IAM.06 | Ensure user customer secret keys rotate within 90 days or less. | Low | New |
| |||
| D9.OCI.IAM.07 | Ensure user auth tokens rotate within 90 days or less. | Low | New |
| |||
| D9.OCI.IAM.08 | Ensure permissions on all resources are given only to the tenancy administrator group. | High | New |
| |||
| D9.OCI.IAM.09 | Ensure IAM administrators cannot update tenancy Administrators group. | High | New |
| |||
| D9.OCI.IAM.10 | Ensure API keys are not created for tenancy administrator users. | High | New |
| |||
| D9.OCI.LOG.01 | Ensure default tags are used on resources. | Low | New |
| |||
| D9.OCI.LOG.02 | Ensure VCN flow logging is enabled for all subnets. | Low | New |
| |||
| D9.OCI.LOG.03 | Ensure write level Object Storage logging is enabled for all buckets. | Low | New |
| |||
| D9.OCI.LOG.04 | Create at least one notification topic and subscription to receive monitoring alerts. | Low | New |
| |||
| D9.OCI.LOG.05 | Ensure a notification is configured for Identity Provider changes. | Low | New |
| |||
| D9.OCI.LOG.06 | Ensure a notification is configured for IdP group mapping changes. | Low | New |
| |||
| D9.OCI.LOG.07 | Ensure a notification is configured for IAM group changes. | Low | New |
| |||
| D9.OCI.LOG.08 | Ensure a notification is configured for IAM policy changes | Low | New |
| |||
| D9.OCI.LOG.09 | Ensure a notification is configured for user changes. | Low | New |
| |||
| D9.OCI.LOG.10 | Ensure a notification is configured for VCN changes. | Low | New |
| |||
| D9.OCI.LOG.11 | Ensure a notification is configured for changes to route tables. | Low | New |
| |||
| D9.OCI.LOG.12 | Ensure a notification is configured for security list changes. | Low | New |
| |||
| D9.OCI.LOG.13 | Ensure a notification is configured for network security group changes. | Low | New |
| |||
| D9.OCI.LOG.14 | Ensure a notification is configured for changes to network gateways. | Low | New |
| |||
| D9.OCI.NET.01 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 22. | Critical | New |
| |||
| D9.OCI.NET.02 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389. | Critical | New |
| |||
| D9.OCI.NET.03 | Ensure the default security list of every VCN restricts all traffic except ICMP. | High | New |
| |||
| D9.OCI.NET.04 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22. | Critical | New |
| |||
| D9.OCI.NET.05 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389. | Critical | New |
| |||
| D9.OCI.NET.06 | Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources. | High | New |
| |||
| D9.OCI.NET.07 | Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud. | High | New |
| |||
| D9.OCI.NET.08 | Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network. | High | New |
| |||
| D9.OCI.OPE.01 | Ensure Versioning is Enabled for Object Storage Buckets. | Low | New |
| |||
| D9.OCI.OPE.02 | Ensure Cloud Guard is enabled in the root compartment of the tenancy. | Low | New |
|
March 15 2023
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account | Critical | Modification |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22) | Critical | Modification |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) | Critical | Modification |
|
|
|
| |
Ensure the default security group of every VPC restricts all traffic | Critical | Modification |
|
|
|
| |
RDS should not have Public Interface | Critical | Modification |
|
|
|
| |
RDS should not have Public Interface open to a public scope | Critical | Modification |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols | Critical | Modification |
|
|
|
| |
Ensure that EC2 AMIs are not publicly accessible | Critical | Modification |
|
|
|
| |
Redis attached subnet Network Security Group should allow egress traffic only to ports 6379 or 6380 | High | Modification |
|
|
|
| |
Ensure that EC2 instance's custom AMI is encrypted at rest | High | Modification |
|
|
|
| |
IamUser with Admin or wide permissions without MFA enabled | Critical | Modification |
|
|
|
| |
Ensure that EC2 instance's custom AMI is not publicly shared | Critical | Modification |
|
|
|
| |
Ensure that S3 Buckets are configured with Block public access (bucket/account settings) | Critical | Modification |
|
|
|
| |
Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate | High | Modification |
|
|
|
| |
Ensure SNS Topics aren't publicly accessible | Critical | Modification |
|
|
|
| |
Instances with Direct Connect virtual interface should not have public interfaces | Critical | Modification |
|
|
|
| |
RDS Databases with Direct Connect virtual interface should not have public interfaces | Critical | Modification |
|
|
|
| |
Ensure AWS VPC subnets have automatic public IP assignment disabled | Critical | Modification |
|
|
|
| |
Ensure AWS Redshift clusters are not publicly accessible | Critical | Modification |
|
|
|
| |
Ensure that the API Endpoint type in API Gateway is set to Private and is not exposed to the public internet | Critical | Modification |
|
|
|
| |
Ensure that Security Groups are not open to all | Critical | Modification |
|
|
|
| |
EksCluster should not be publicly accessed | Critical | Modification |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Critical | Modification |
|
|
|
| |
Ensure that public System Manager Documents include parameters | High | Modification |
|
|
|
| |
Ensure no security groups allow ingress from ::/0 to remote server administration ports | Critical | Modification |
|
|
|
| |
Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone. | Critical | Modification |
|
|
|
| |
Ensure that RDS database instance enforces SSL/TLS for all connections | High | New |
| ||||
Ensure that RDS database instance doesn't use its default endpoint port | Low | New |
| ||||
Ensure Inspector Instances have continuous scanning active | Low | New |
|
March 01 2023
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure that Redis is updated regularly with security and operational updates. | Low | Modification |
|
|
|
|
February 22 2023
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure that logging for Azure KeyVault is 'Enabled' | Low | Modification |
|
|
|
|
February 15 2023
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Instances without Inspector runs in the last 30 days | Low | Removal |
|
February 08 2023
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
RDS should not have been open to a large scope | High | Modification |
|
|
|
| |
EksCluster should not have more than one security group | Medium | Modification |
|
|
|
| |
EksCluster should not be publicly accessed | High | Modification |
|
|
|
| |
Ensure that a unique Certificate Authority is used for etcd | High | New |
|
February 01 2023
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure S3 Bucket Policy is set to deny HTTP requests | High | Modification |
|
|
|
| |
Ensure storage for critical data is encrypted with Customer Managed Key | Low | Modification |
|
|
|
| |
Ensure guest users are reviewed on a monthly basis | Low | New |
| ||||
Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Low | New |
| ||||
Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Low | New |
| ||||
Ensure the entire Azure infrastructure doesn't have access to Azure SQL Server | High | Modification |
|
|
|
| |
Ensure Function App is using the latest version of TLS encryption | High | Modification |
|
|
|
| |
Ensure no security groups allow ingress from ::/0 to remote server administration ports | High | New |
| ||||
Ensure that a minimal audit policy is created (API Server) | Low | New |
| ||||
Ensure that encryption providers are appropriately configured (API Server) | High | New |
| ||||
Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server) | High | New |
| ||||
Ensure that you are using authorized IP address ranges to secure access to the API server | High | Modification |
|
|
|
| |
Ensure VM Instance should not have public IP | High | Removal |
|
January 25 2023
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure AWS Kinesis Streams Keys are rotated | Low | Modification |
|
|
|
| |
AWS Kinesis streams are encrypted with customer managed CMK | Low | Modification |
|
|
|
| |
Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys | Low | Modification |
|
|
|
| |
Ensure Master authorized networks are set to Enabled on Kubernetes Engine Clusters | Medium | Modification |
|
|
|
| |
Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | High | Modification |
|
|
|
| |
Suspended user account unused for more than 6 months | High | Modification |
|
|
|
| |
Ensures that AWS RDS databases are encrypted using Customer Managed Keys | Low | Modification |
|
|
|
| |
Ensure SageMaker Notebook Instance Data Encryption is enabled | High | Modification |
|
|
|
| |
Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled | Low | Modification |
|
|
|
| |
Ensure Automatic node upgrades are enabled on Kubernetes Engine Clusters nodes | High | Modification |
|
|
|
| |
Ensure that Cloud SQL - MYSQL instances have Point-in-time recovery enabled | Low | Modification |
|
|
|
| |
Virtual machine administrative OMI/OMS service port (1270) is publicly accessible | High | Removal |
| ||||
Virtual machine administrative OMI/OMS service port (5985) is publicly accessible | High | Removal |
| ||||
Virtual machine administrative OMI/OMS service port (5986) is publicly accessible | High | Removal |
|
January 18 2023
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure Security Defaults is enabled on Azure Active Directory | High | New |
| ||||
Ensure That 'Users Can Register Applications' Is Set to 'No' | High | New |
| ||||
Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' | High | New |
| ||||
Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols | High | Modification |
|
|
|
| |
Minimize the admission of containers with the NET_RAW capability (PSP) | High | Modification |
|
|
|
| |
Ensure that AWS Elastic Load Balancers (ELB) have outbound rules in their security groups | Low | Modification |
|
|
|
| |
Ensure that S3 buckets are not publicly accessible | High | Removal |
| ||||
Ensure that S3 buckets are not publicly accessible without a condition | High | Removal |
|
January 11 2023
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure S3 Bucket Policy is set to deny HTTP requests | High | Modification |
|
|
|
| |
Ensure AWS Kinesis Streams Keys are rotated | Low | Modification |
|
|
|
| |
AWS Kinesis streams are encrypted with customer managed CMK | Low | Modification |
|
|
|
| |
Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys | Low | Modification |
|
|
|
| |
Ensure that the seccomp profile is set to docker/default in your pod definitions | High | Modification |
|
|
|
| |
Ensure that the --make-iptables-util-chains argument is set to true (Kubelet) | Medium | Modification |
|
|
|
| |
Minimize the admission of containers with the NET_RAW capability (PSP) | High | Modification |
|
|
|
| |
Ensures that AWS RDS databases are encrypted using Customer Managed Keys | Low | Modification |
|
|
|
| |
Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled | Low | Modification |
|
|
|
| |
Ensure that the --request-timeout argument is set as appropriate (API Server) | Low | New |
| ||||
Ensure that the --encryption-provider-config argument is set as appropriate (API Server) | High | New |
| ||||
Ensure that the --service-account-lookup argument is set to true (API Server) | High | Modification |
|
|
|
| |
Ensure that the --auto-tls argument is not set to true (etcd) | Low | Modification |
|
|
|
| |
Ensure that the pod security policy is enabled in your AKS cluster | Low | Removal |
|
January 04 2023
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure that logging for Azure KeyVault is 'Enabled' | Low | Modification |
|
|
|
| |
Ensure audit profile captures all the activities | Low | Modification |
|
|
|
|