Cloud Guard Compliance Updates - August 2020 - October 2021
- 1 October 27 2021
- 2 October 20 2021
- 3 October 06 2021
- 4 October 04 2021
- 5 September 29 2021
- 6 September 13 2021
- 7 September 05 2021
- 8 September 01 2021
- 9 July 14 2021
- 10 July 12 2021
- 11 June 23 2021
- 12 June 13 2021
- 13 June 02 2021
- 14 May 26 2021
- 15 May 19 2021
- 16 May 10 2021
- 17 April 5, 2021
- 18 March 10, 2021
- 19 March 7, 2021
- 20 February 16, 2021
- 21 February 10, 2021
- 22 February 03, 2021
- 23 January 27, 2021
- 24 January 20, 2021
- 25 January 04, 2021
- 26 December 22, 2020
- 27 December 21, 2020
- 28 December 09, 2020
- 29 December 07, 2020
- 30 December 02, 2020
- 31 October 02, 2020
- 31.1 Rules Removed
- 31.2 New Rules
- 31.3 Rule Changes
- 32 August 11, 2020
- 32.1 Rules Removed
- 33 June 29, 2020
- 33.1 New Rules
- 33.2 Rule Changes
- 34 May 19, 2020
- 34.1 New Rules
- 34.2 Rule Changes
- 35 May 12, 2020
- 35.1 New Rules
- 35.2 Rule Changes
- 35.3 Rules Removed
- 36 February 04, 2020
- 36.1 Rule Changes
- 36.2 New Rules
- 37 November 29, 2019
- 37.1 Rule Changes
- 37.2 New Rules
- 38 October 24, 2019
- 38.1 Rule Changes
- 38.2 New Rules
- 39 September 24, 2019
- 39.1 Rule Changes
- 39.2 Rules Removed
- 40 August 28, 2019
- 40.1 Rule Changes
- 41 August 20, 2019
October 27 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
D9.AWS.IAM.17 | Ensure hardware mfa is enabled for the 'root' account | Removal |
|
|
| AWS CloudGuard Best Practices AWS CloudGuard SOC2 based on AICPA TSC 2017 AWS ISO 27001:2013 AWS GDPR Readiness |
Ensure virtual or hardware mfa is enabled for the 'root' account | Modification |
|
|
|
| |
ELB is setup with HTTPS for secure communication | Modification |
|
|
|
| |
Instances outside of Europe region | Modification |
|
|
|
| |
Ensure that an API Key is required on a Method Request | Modification |
|
|
|
| |
Ensure that 'HTTP Version' is the latest, if used to run the web app | Modification |
|
|
|
| |
Ensure that 'Number of methods required to reset' is set to '2' | Removal |
|
|
|
| |
Ensure that there are no guest users | Removal |
|
|
|
| |
Ensure that the --kubelet-https argument is set to true (API Server) | Removal |
|
|
|
| |
Function App should only be accessible over HTTPS | Modification |
|
|
|
| |
Overly Permissive Directory Access (Global Administrator) | Removal |
|
|
|
| |
Overly Permissive Directory Access (Application Administrator) | Removal |
|
|
|
| |
Overly Permissive Directory Access (Privileged Role Administrator) | Removal |
|
|
|
| |
Overly Permissive Directory Access (Cloud Application Administrator) | Removal |
|
|
|
| |
Overly Permissive Directory Access (User Administrator) | Removal |
|
|
|
| |
Overly Permissive Directory Access (Helpdesk Administrator) | Removal |
|
|
|
| |
Ensure that auto backup is enabled for your Cloud SQL instance | Modification |
|
|
|
|
October 20 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Modification |
|
|
|
| |
Ensure GCP VM Instances have Labels | Modification |
|
|
|
| |
Default Security Groups - with network policies | Modification |
|
|
|
| |
Insecure Code of Low Severity | New |
|
|
|
| |
Insecure Code of Medium Severity | New |
|
|
|
| |
Insecure Content of Low Severity | New |
|
|
|
| |
Insecure Content of Medium Severity | New |
|
|
|
| |
Virtual machine administrative OMI/OMS service port (1270) is publicly accessible | New |
|
|
|
| |
Virtual machine administrative OMI/OMS service port (5985) is publicly accessible | New |
|
|
|
| |
Virtual machine administrative OMI/OMS service port (5986) is publicly accessible | New |
|
|
|
| |
Web Application should only be accessible over HTTPS | Modification |
|
|
|
| |
Ensure function app is using the latest version of TLS encryption | Modification |
|
|
|
| |
Vulnerable Source Code | New |
|
|
|
| |
Malicious URL of Critical Severity | New |
|
|
|
| |
Malicious URL of High Severity | New |
|
|
|
| |
Malicious IP of Critical Severity | New |
|
|
|
| |
Malicious IP of High Severity | New |
|
|
|
| |
Malicious file of Critical Severity | New |
|
|
|
| |
Malicious file of High Severity | New |
|
|
|
| |
Insecure Code of Critical Severity | New |
|
|
|
| |
Insecure Code of High Severity | New |
|
|
|
| |
Insecure Content of Critical Severity | New |
|
|
|
| |
Insecure Content of High Severity | New |
|
|
|
| |
Package of Critical Severity | New |
|
|
|
| |
Package of High Severity | New |
|
|
|
| |
Package of Medium Severity | New |
|
|
|
| |
Package of Low Severity | New |
|
|
|
| |
Package of Unknown Severity | New |
|
|
|
| |
Insecure Code of Low Severity | New |
|
|
|
| |
Insecure Code of Medium Severity | New |
|
|
|
| |
Insecure Content of Low Severity | New |
|
|
|
| |
Insecure Content of Medium Severity | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' | New |
|
|
|
| |
Ensure that outbound traffic is restricted to only that which is necessary, and all other traffic denied | New |
|
|
|
| |
Overly permissive NSG Inbound rule to all traffic on ANY protocol | New |
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | New |
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update Network Security Group | New |
|
|
|
| |
Ensure that Activity Log Alert exists for Delete Network Security Group | New |
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | New |
|
|
|
| |
Ensure that activity log alert exists for the Delete Network Security Group Rule | New |
|
|
|
| |
Ensure that Azure Monitor Logs is configured to export Activity Logs | New |
|
|
|
| |
Ensure that Azure Virtual Machine is assigned to an availability set | New |
|
|
|
| |
Ensure that SQL Database Auditing Retention is greater than 90 days | New |
|
|
|
| |
Ensure that 'Auditing' in SQL Servers is set to 'On' | New |
|
|
|
| |
Ensure ASC Default policy setting 'SQL Auditing Monitoring Effect' is not 'Disabled' | New |
|
|
|
| |
Ensure that Azure Monitor Logs collects all types of activities | New |
|
|
|
| |
Ensure audit profile captures all the activities | New |
|
|
|
| |
Ensure the log profile captures activity logs for all regions including global | New |
|
|
|
| |
Ensure Cosmos DB account public network access is disabled | New |
|
|
|
| |
Ensure Cosmos DB account access is not allowed from all networks | New |
|
|
|
| |
Ensure Flow-Logs are Enabled on NSG | New |
|
|
|
| |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | New |
|
|
|
| |
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | New |
|
|
|
| |
Function App should only be accessible over HTTPS | New |
|
|
|
| |
Ensure that Geo Redundant Backups is enabled on PostgreSQL | New |
|
|
|
| |
Ensure that at least one Network Security Group is attached to all VMs and subnets that are public | New |
|
|
|
| |
Key vault should have purge protection enabled | New |
|
|
|
| |
Ensure function app is using the latest version of TLS encryption | New |
|
|
|
| |
Ensure Web App is using the latest version of TLS encryption | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' | New |
|
|
|
| |
Ensure that RDP access is restricted from the internet | New |
|
|
|
| |
VirtualMachine with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet | New |
|
|
|
| |
VirtualMachine with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope | New |
|
|
|
| |
Ensure that SSH access is restricted from the internet | New |
|
|
|
| |
VirtualMachine with administrative service: SSH (TCP:22) is exposed to a wide network scope | New |
|
|
|
| |
VirtualMachine with administrative service: SSH (TCP:22) is too exposed to the public internet | New |
|
|
|
| |
VirtualMachine with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | New |
|
|
|
| |
VirtualMachine with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' | New |
|
|
|
| |
Ensure that Network Watcher is 'Enabled' | New |
|
|
|
| |
Ensure that the Redis Cache accepts only SSL connections | New |
|
|
|
| |
Ensure remote debugging has been disabled for your production Azure Functions | New |
|
|
|
| |
Ensure remote debugging has been disabled for your production Web App | New |
|
|
|
| |
Ensure AuditEvent logging for Azure Key Vault is enabled | New |
|
|
|
| |
Ensure that Role Based Access Control (RBAC) is enabled in your AKS Cluster | New |
|
|
|
| |
Ensure that 'Secure transfer required' (HTTPS) is enabled for Storage Accounts | New |
|
|
|
| |
Ensure SQL server's TDE protector is encrypted with Customer-managed key | New |
|
|
|
| |
Ensure default network access rule for Storage Accounts is set to deny | New |
|
|
|
| |
Ensure that Virtual Networks Subnets have Security Groups | New |
|
|
|
| |
Ensure that Azure Virtual Network subnet is configured with a Network Security Group | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' | New |
|
|
|
| |
Ensure Transparent Data Encryption (TDE) is enabled for SQL Databases | New |
|
|
|
| |
Ensure that 'Unattached disks' are encrypted with CMK | New |
|
|
|
| |
Ensure storage for critical data are encrypted with Customer Managed Key | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' | New |
|
|
|
| |
Ensure that 'OS and Data' disks are encrypted with CMK | New |
|
|
|
| |
Ensure ASC Default policy setting 'Storage Encryption Monitoring Effect' is not 'Disabled' | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' | New |
|
|
|
| |
Web Application should only be accessible over HTTPS | New |
|
|
|
| |
Ensure entire Azure infrastructure doesn't have access to Azure SQL Server | New |
|
|
|
| |
Ensure Application Gateway is using the latest version of TLS encryption | New |
|
|
|
| |
Ensure Application Gateway is using Https protocol | New |
|
|
|
| |
Enable Incoming Client Certificates | New |
|
|
|
| |
Ensure that 'Threat Detection' is enabled for Azure SQL Database | New |
|
|
|
| |
Ensure ASC Default policy setting 'SQL Encryption Monitoring Effect' is not 'Disabled' | New |
|
|
|
| |
Ensure ASC Default policy setting 'System Configurations Monitoring Effect' is not 'Disabled' | New |
|
|
|
| |
Ensure that Activity Log Retention is set 365 days or greater | New |
|
|
|
| |
Ensure Azure Application Gateway Web application firewall (WAF) is enabled | New |
|
|
|
| |
Ensure that no SQL Server allows ingress from 0.0.0.0/0 (ANY IP) | New |
|
|
|
| |
Restrict Azure SQL Server accessibility to a minimal address range | New |
|
|
|
| |
Ensure that Key Vault is in use | New |
|
|
|
| |
Ensure expiration date is set for all keys | New |
|
|
|
| |
Ensure that the expiry date is set on all secrets | New |
|
|
|
| |
Ensure the key vault is recoverable - enable 'Soft Delete' setting for a Key Vault | New |
|
|
|
| |
Ensure that Azure SQL Server Admin is configured with AD Authentication | New |
|
|
|
| |
Ensure that Azure Active Directory Admin is configured for SQL Server | New |
|
|
|
| |
Ensure Flow-Logs Retention Policy is greater than 90 days | New |
|
|
|
| |
Ensure SQL Server Threat Detection is Enabled and Retention Logs are greater than 90 days | New |
|
|
|
| |
Ensure that 'Auditing' Retention on SQL Server is 'greater than 90 days' | New |
|
|
|
| |
Ensure that SQL Server Auditing Retention is greater than 90 days | New |
|
|
|
| |
Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | New |
|
|
|
| |
Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' | New |
|
|
|
| |
Ensure that ADS - 'Advanced Threat Protection types' (ATP) is set to 'All' | New |
|
|
|
| |
Ensure Cosmos DB account is encrypted with customer-managed keys | New |
|
|
|
| |
Ensure that Cosmos DB Account has an associated tag | New |
|
|
|
|
October 06 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that Key Vault is in use | Modification |
|
|
|
| |
Ensure that the seccomp profile is set to docker/default in your pod definitions | Modification |
|
|
|
| |
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet) | New |
|
|
|
| |
Ensure that the --rotate-certificates argument is not set to false (Kubelet) | New |
|
|
|
| |
Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet) | New |
|
|
|
| |
Ensure that the --kubelet-https argument is set to true (API Server) | New |
|
|
|
| |
Ensure that the --token-auth-file parameter is not set (API Server) | New |
|
|
|
| |
Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --client-ca-file argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --etcd-cafile argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) | New |
|
|
|
| |
Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) | New |
|
|
|
| |
Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) | New |
|
|
|
| |
Ensure that the --client-cert-auth argument is set to true (etcd) | New |
|
|
|
| |
Ensure that the --auto-tls argument is not set to true (etcd) | New |
|
|
|
| |
Prefer using secrets as files over secrets as environment variables | New |
|
|
|
| |
Ensure that the admission control plugin AlwaysAdmit is not set (API Server) | New |
|
|
|
| |
Ensure that the --anonymous-auth argument is set to false (Kubelet) | New |
|
|
|
| |
Ensure that the --authorization-mode argument is not set to AlwaysAllow (Kubelet) | New |
|
|
|
| |
Ensure that the --profiling argument is set to false (API Server) | New |
|
|
|
| |
Ensure that the --kubelet-certificate-authority argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin PodSecurityPolicy is set (API Server) | New |
|
|
|
| |
Ensure that the --authorization-mode argument includes RBAC (API Server) | New |
|
|
|
| |
Ensure that the --profiling argument is set to false (Scheduler) | New |
|
|
|
| |
Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Controller Manager) | New |
|
|
|
| |
Ensure that the --profiling argument is set to false (Controller Manager) | New |
|
|
|
| |
Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) | New |
|
|
|
| |
Ensure that the --root-ca-file argument is set as appropriate (Controller Manager) | New |
|
|
|
| |
Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) | New |
|
|
|
| |
Ensure that the --peer-client-cert-auth argument is set to true (etcd) | New |
|
|
|
| |
Ensure that the --peer-auto-tls argument is not set to true (etcd) | New |
|
|
|
| |
Minimize the admission of containers wishing to share the host IPC namespace (PSP) | New |
|
|
|
| |
Ensure that the seccomp profile is set to docker/default in your pod definitions | New |
|
|
|
| |
Minimize the admission of containers wishing to share the host network namespace (PSP) | New |
|
|
|
| |
Minimize the admission of containers wishing to share the host process ID namespace (PSP) | New |
|
|
|
| |
Minimize the admission of containers with allowPrivilegeEscalation (PSP) | New |
|
|
|
| |
Minimize the admission of privileged containers (PSP) | New |
|
|
|
| |
Ensure that the --anonymous-auth argument is set to false (API Server) | New |
|
|
|
| |
Minimize the admission of containers with the NET_RAW capability (PSP) | New |
|
|
|
| |
The default namespace should not be used | New |
|
|
|
| |
Ensure that the cluster-admin role is only used where required (RBAC) | New |
|
|
|
| |
Minimize access to secrets (RBAC) | New |
|
|
|
| |
Minimize wildcard use in Roles and ClusterRoles (RBAC) | New |
|
|
|
| |
Minimize access to create pods (RBAC) | New |
|
|
|
| |
Ensure that default service accounts are not actively used. (RBAC) | New |
|
|
|
| |
Ensure that Service Account Tokens are only mounted where necessary (RBAC) | New |
|
|
|
| |
Ensure that the --authorization-mode argument includes Node (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (API Server) | New |
|
|
|
| |
Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (RBAC) | New |
|
|
|
| |
Ensure that the --audit-log-path argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --event-qps argument is set to 0 (Kubelet) | New |
|
|
|
| |
Ensure that the --service-account-lookup argument is set to true (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin ServiceAccount is set (API Server) | New |
|
|
|
| |
Ensure that the --client-ca-file argument is set as appropriate (Kubelet) | New |
|
|
|
| |
Ensure that the --read-only-port argument is set to 0 (Kubelet) | New |
|
|
|
| |
Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Kubelet) | New |
|
|
|
| |
Ensure that the --make-iptables-util-chains argument is set to true (Kubelet) | New |
|
|
|
| |
Ensure that the --insecure-bind-address argument is not set (API Server) | New |
|
|
|
| |
Ensure that the --insecure-port argument is set to 0 (API Server) | New |
|
|
|
| |
Ensure that the --secure-port argument is not set to 0 (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin AlwaysPullImages is set (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin NamespaceLifecycle is set (API Server) | New |
|
|
|
| |
Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin NodeRestriction is set (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin EventRateLimit is set (API Server) | New |
|
|
|
| |
Ensure that the --request-timeout argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager) | New |
|
|
|
| |
Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler) | New |
|
|
|
| |
Ensure that the --protect-kernel-defaults argument is set to true (Kubelet) | New |
|
|
|
| |
Ensure that the --hostname-override argument is not set (Kubelet) | New |
|
|
|
| |
Ensure that the --service-account-key-file argument is set as appropriate (API Server) | New |
|
|
|
| |
Apply Security Context to Your Pods and Containers | New |
|
|
|
|
October 04 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure VPC flow logging is enabled in all VPCs | New |
|
|
|
| |
Ensure VPC flow logging is enabled in all VPCs | Removal |
|
|
|
| |
Ensure AWS IAM policies do not grant 'assume role' permission across all services | Modification |
|
|
|
| |
Ensure that Trusted Policy Roles which can be assumed by external entities include a Condition String | Modification |
|
|
|
|
September 29 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|
|
|
|
|
|
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Ensure AuditEvent logging for Azure Key Vault is enabled | New |
|
|
|
|
|
|
|
|
|
|
| |
Ensure Transparent Data Encryption (TDE) is enabled for SQL Databases | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that logging for Azure KeyVault is 'Enabled' | Removal |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that 'Secure transfer required' (HTTPS) is enabled for Storage Accounts | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Storage account supports customer-managed keys encryption for Blobs | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Storage account supports customer-managed keys encryption for Files | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure expiration date is set for all keys | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that the expiry date is set on all SQL Server keys | Removal |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Create Policy Assignment | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update Network Security Group | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Delete Network Security Group | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that activity log alert exists for the Delete Network Security Group Rule | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update Security Solution | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Delete Security Solution | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Delete Policy Assignment | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that storage account access keys are periodically regenerated | Removal |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert Rule is activated for New/Updated Policy Assignments | Removal |
|
|
|
|
|
|
|
|
|
|
|
September 13 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
S3 Buckets - without server-side-encryption enabled | Removal |
|
|
|
| |
Accounts - without enforced Password Policy | Removal |
|
|
|
| |
IAM Users - enabled while unused for 90 days or more | Removal |
|
|
|
| |
IAM Users - with console password without MFA enabled | Removal |
|
|
|
| |
IAM Users - with Inline IAM Policies applied | Removal |
|
|
|
| |
S3 Buckets - without CloudTrail access logging | Removal |
|
|
|
| |
S3 Buckets - without logging enabled | Removal |
|
|
|
| |
Instances - are not configured within a VPC | Removal |
|
|
|
| |
Security Groups - with SSH admin port too exposed to the public internet | Removal |
|
|
|
| |
Ensure Key Vault is in use | Modification |
|
|
|
| |
Avoid the use of the 'root' account | Removal |
|
|
|
| |
Ensure Web App is using the latest version of TLS encryption | Modification |
|
|
|
| |
Ensure rotation for customer created CMKs is enabled (Scored) | Removal |
|
|
|
| |
Ensure VPC flow logging is enabled in all VPCs | Removal |
|
|
|
| |
Ensure Cosmos DB account is using Private Endpoints | New |
|
|
|
| |
Ensure that multi-factor authentication is enabled for all privileged users | Removal |
|
|
|
| |
Ensure that multi-factor authentication is enabled for all non-privileged users | Removal |
|
|
|
| |
MFA should be enabled on accounts with read permissions on your subscription | Removal |
|
|
|
| |
MFA should be enabled on accounts with write permissions on your subscription | Removal |
|
|
|
| |
Overly Permissive Scope Access of Role Assignment | Removal |
|
|
|
| |
Overly Permissive Subscription Access (Owner over the whole Subscription) | Removal |
|
|
|
| |
Overly Permissive Subscription Access (Contributor over the whole Subscription) | Removal |
|
|
|
| |
Overly Permissive Subscription Access (User Access Administrator over the whole Subscription) | Removal |
|
|
|
| |
Overly Permissive Scope Access of Role Definition | Removal |
|
|
|
| |
Overly Permissive Subscription Access (Authorization over the whole Subscription) | Removal |
|
|
|
| |
Overly Permissive Subscription Access (Full Access over the whole Subscription) | Removal |
|
|
|
| |
Ensure that SQL Server Auditing is Enabled | Removal |
|
|
|
| |
Ensure there is an up to date Network Diagram for your cloud network | Removal |
|
|
|
| |
Ensure Web App is using the latest version of TLS encryption | Removal |
|
|
|
| |
Asset is not labeled | Removal |
|
|
|
|
September 05 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Enable App Service Authentication on Azure App Service | Modification |
|
|
|
| |
Ensure Cosmos DB account is encrypted with customer-managed keys | New |
|
|
|
| |
Ensure Cosmos DB account public network access is disabled | New |
|
|
|
| |
Ensure Cosmos DB account access is not allowed from all networks | New |
|
|
|
| |
Enable WebApp Service Authentication | Removal |
|
|
|
| |
Ensure Web App is using the latest version of TLS encryption | Removal |
|
|
|
| |
Ensure VPC flow logging is enabled in all VPCs | Removal |
|
|
|
|
September 01 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure Basic Authentication is disabled on Kubernetes Engine Clusters | Removal |
|
|
|
| |
Ensure all S3 buckets employ encryption-at-rest | New |
|
|
|
| |
Ensure that encryption is enabled for RDS Instances | New |
|
|
|
| |
Ensure ELB enforces recommended SSL/TLS protocol version | New |
|
|
|
| |
Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's | New |
|
|
|
| |
Ensure that your Amazon EFS file systems are encrypted | New |
|
|
|
| |
Ensure that encryption of data at rest is enabled on Elasticsearch domains | New |
|
|
|
| |
Ensure that node-to-node encryption is enabled for Elasticsearch service | New |
|
|
|
| |
Ensure that the KMS key have key rotation enabled | New |
|
|
|
| |
Ensure AWS Kinesis streams are encrypted with KMS customer master keys | New |
|
|
|
| |
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | New |
|
|
|
| |
S3 bucket should not allow all actions from all principals | New |
|
|
|
| |
S3 bucket should not allow delete actions from all principals | New |
|
|
|
| |
S3 bucket should not allow 'get' actions from all principals | New |
|
|
|
| |
S3 bucket should not allow list actions from all principals | New |
|
|
|
| |
S3 bucket should not allow put actions from all principals | New |
|
|
|
| |
S3 bucket should not allow restoring object actions from all principals | New |
|
|
|
| |
Ensure AWS EC2 Instances use IAM Roles to control access | New |
|
|
|
| |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs | New |
|
|
|
| |
Ensure CloudTrail is enabled in all regions | New |
|
|
|
| |
Ensure CloudTrail logging is enabled | New |
|
|
|
| |
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | New |
|
|
|
| |
Ensure AWS VPC subnets have automatic public IP assignment disabled | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) | New |
|
|
|
| |
Ensure that all authorization Type in API Gateway is not set to None | New |
|
|
|
| |
Ensure that an API Key is required on a Method Request | New |
|
|
|
| |
Ensure that S3 bucket versioning enabled | New |
|
|
|
| |
Amazon EC2 instance must have an associated tag | New |
|
|
|
| |
Ensure AWS Lambda functions have tracing enabled | New |
|
|
|
| |
Lambda Functions must have an associated tag | New |
|
|
|
|
July 14 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Unused IAM role more than 90 days | New |
|
|
|
| |
Lambda Functions must have an associated tag | New |
|
|
|
| |
Amazon EFS must have an associated tag | New |
|
|
|
| |
Use encrypted storage for instances that might host a database. | New |
|
|
|
| |
ELB is setup with SSL for secure communication | New |
|
|
|
| |
S3 Buckets Server Side Encryption At Rest | New |
|
|
|
| |
S3 Buckets Secure Transport (SSL) | New |
|
|
|
| |
Use Encrypted RDS storage | New |
|
|
|
| |
Remove Weak Ciphers for ELB | New |
|
|
|
| |
ELB - Recommended SSL/TLS protocol version | New |
|
|
|
| |
SSL/TLS certificates expire in one week | New |
|
|
|
| |
SSL/TLS certificates expire in one month | New |
|
|
|
| |
ELB secured listener certificate expires in one week | New |
|
|
|
| |
ELB secured listener certificate expires in one month | New |
|
|
|
| |
ALB secured listener certificate expires in one week | New |
|
|
|
| |
ALB secured listener certificate about to expire in one month | New |
|
|
|
| |
Use encryption for S3 Bucket write actions | New |
|
|
|
| |
Use KMS CMK customer-managed keys for Redshift clusters | New |
|
|
|
| |
Use secure ciphers in CloudFront distribution | New |
|
|
|
| |
Use encrypted connection between CloudFront and origin server | New |
|
|
|
| |
ECS Cluster At-Rest Encryption | New |
|
|
|
| |
AWS Kinesis Streams Keys are rotated | New |
|
|
|
| |
AWS Kinesis streams are encrypted with KMS customer master keys | New |
|
|
|
| |
Ensure that your Amazon EFS file systems are encrypted | New |
|
|
|
| |
Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys | New |
|
|
|
| |
AWS Kinesis Server data at rest has server side encryption (SSE) | New |
|
|
|
| |
Ensure ACM only has certificates with single domain names, and none with wildcard domain names | New |
|
|
|
| |
Ensure the AWS Certificate Manager (ACM) has no unused certificates | New |
|
|
|
| |
Ensure invalid or failed certificates are removed from ACM | New |
|
|
|
| |
Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's | New |
|
|
|
| |
Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled | New |
|
|
|
| |
Ensure AWS ElastiCache Redis clusters have in-transit encryption enabled | New |
|
|
|
| |
Ensures that AWS RDS databases are encrypted using Customer Managed Keys | New |
|
|
|
| |
Ensure AWS Redshift instances are encrypted | New |
|
|
|
| |
Ensure SageMaker Notebook Instance Data Encryption is enabled | New |
|
|
|
| |
Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled | New |
|
|
|
| |
Ensure that an API Key is required on a Method Request | New |
|
|
|
| |
Ensure to update the Security Policy of the Network Load Balancer | New |
|
|
|
| |
Ensure that all the expired Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates managed by AWS Certificate Manager are removed in order to adhere to Amazon Security Best Practices. | New |
|
|
|
| |
Ensure that IamGroup does not have Inline policies | New |
|
|
|
| |
Ensure that the Viewer Protocol policy is compliant to only use the HTTPS protocol | New |
|
|
|
| |
Ensure in-transit and at-rest encryption is enabled for Amazon EMR clusters | New |
|
|
|
| |
Ensure Amazon SQS queues enforce Server-Side Encryption (SSE) | New |
|
|
|
| |
Ensure that node-to-node encryption is enabled for Elasticsearch service | New |
|
|
|
| |
Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE) | New |
|
|
|
| |
Ensure that AWS Secret Manager Secret rotation is enabled | New |
|
|
|
| |
Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days | New |
|
|
|
| |
Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs | New |
|
|
|
| |
Ensure that AWS SNS topic is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's | New |
|
|
|
| |
Ensure that AWS SQS is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's | New |
|
|
|
| |
Ensure that sensitive parameters are encrypted | New |
|
|
|
| |
ACM Has a soon to be Expired Certificates | New |
|
|
|
| |
ACM Has a PENDING_VALIDATION Certificates | New |
|
|
|
| |
Expired Route 53 Domain Names | New |
|
|
|
| |
Enable AWS Route 53 Domain Auto Renew | New |
|
|
|
| |
Enable AWS Route 53 Domain Transfer Lock | New |
|
|
|
| |
AWS Route 53 Domain Name Renewal (7 days before expiration) | New |
|
|
|
| |
AWS Route 53 Domain Name Renewal (30 days before expiration) | New |
|
|
|
| |
Ensure AWS RDS instances have Automatic Backup set up | New |
|
|
|
| |
Ensure AWS RDS instances have Multi-Availability Zone enabled | New |
|
|
|
| |
Ensure AWS RDS retention policy is at least 7 days | New |
|
|
|
| |
Ensure Amazon DynamoDB tables have continuous backups enabled | New |
|
|
|
| |
Avoid the use of the 'root' account | New |
|
|
|
| |
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | New |
|
|
|
| |
Credentials (with first activated accessKey) unused for 90 days or more should be disabled | New |
|
|
|
| |
Credentials (with password enabled) unused for 90 days or more should be disabled | New |
|
|
|
| |
Credentials (with second activated accessKey) unused for 90 days or more should be disabled | New |
|
|
|
| |
Ensure first access key is rotated every 90 days or less | New |
|
|
|
| |
Ensure second access key is rotated every 90 days or less | New |
|
|
|
| |
Ensure IAM password policy requires at least one uppercase letter | New |
|
|
|
| |
Ensure IAM password policy require at least one lowercase letter | New |
|
|
|
| |
Ensure IAM password policy require at least one symbol | New |
|
|
|
| |
Password Policy must require at least one number | New |
|
|
|
| |
Ensure IAM password policy requires minimum length of 14 or greater | New |
|
|
|
| |
Ensure IAM password policy prevents password reuse | New |
|
|
|
| |
Ensure IAM password policy expires passwords within 90 days or less | New |
|
|
|
| |
Ensure no root account access key exists | New |
|
|
|
| |
Ensure MFA is enabled for the 'root' account | New |
|
|
|
| |
Ensure HARDWARE MFA is enabled for the 'root' account | New |
|
|
|
| |
Ensure IAM policies are attached only to groups or roles | New |
|
|
|
| |
Ensure IAM policies that allow full '*:*' administrative privileges are not created | New |
|
|
|
| |
S3 bucket should not be world-listable from anonymous users | New |
|
|
|
| |
S3 bucket should not be world-listable | New |
|
|
|
| |
S3 bucket should not be world-writable from anonymous users | New |
|
|
|
| |
S3 bucket should not be world-writable | New |
|
|
|
| |
S3 bucket should not have writable permissions from anonymous users | New |
|
|
|
| |
S3 bucket should not have world-writable permissions | New |
|
|
|
| |
S3 bucket should not have world-readable permissions from anonymous users | New |
|
|
|
| |
S3 bucket should not have world-readable permissions | New |
|
|
|
| |
S3 bucket should not allow delete actions from all principals | New |
|
|
|
| |
S3 bucket should not allow get actions from all principals | New |
|
|
|
| |
S3 bucket should not allow list actions from all principals | New |
|
|
|
| |
S3 bucket should not allow all actions from all principals | New |
|
|
|
| |
S3 bucket should not allow put or restore actions from all principals | New |
|
|
|
| |
S3 buckets should not grant any external privileges via ACL | New |
|
|
|
| |
S3 bucket should have versioning MFA delete enabled | New |
|
|
|
| |
Use managed policies instead of inline IAM Policies | New |
|
|
|
| |
Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role | New |
|
|
|
| |
Lambda Functions with Admin Privileges are not created | New |
|
|
|
| |
Ensure there are no inline policies attached to the ECS service | New |
|
|
|
| |
Prefer using IAM roles for tasks rather than using IAM roles for an instance | New |
|
|
|
| |
ECS Service with Admin Roles | New |
|
|
|
| |
Ensure AWS IAM users have no more than one active Access Key | New |
|
|
|
| |
Ensure AWS IAM policies allow only the required privileges for each role | New |
|
|
|
| |
Ensure AWS IAM policies do not grant 'assume role' permission across all services | New |
|
|
|
| |
Ensure AWS EC2 Instances use IAM Roles to control access | New |
|
|
|
| |
Ensure that Lambda Functions with overly permissive policies are not created | New |
|
|
|
| |
Ensure that SQS policy won't allow all actions from all principals | New |
|
|
|
| |
Ensure SNS Topics aren't publicly accessible | New |
|
|
|
| |
Ensure SNS Topics administrative actions aren’t publicly executable | New |
|
|
|
| |
Ensure that VPC Endpoint policy won't allow all actions | New |
|
|
|
| |
Ensure that Role do not have Administrator Access | New |
|
|
|
| |
Ensure IAM policies are attached only to groups or roles | New |
|
|
|
| |
IAM Users - enabled while unused for 90 days or more | New |
|
|
|
| |
IAM Users - with Inline IAM Policies applied | New |
|
|
|
| |
IamUser with Admin or wide permissions without MFA enabled | New |
|
|
|
| |
Ensure multi-regions trail exists for each AWS CloudTrail | New |
|
|
|
| |
Ensure CloudTrail log file validation is enabled | New |
|
|
|
| |
Ensure CloudTrail trails are integrated with CloudWatch | New |
|
|
|
| |
Ensure AWS Config is enabled in all regions | New |
|
|
|
| |
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | New |
|
|
|
| |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs | New |
|
|
|
| |
Ensure CloudTrail is enabled in all regions | New |
|
|
|
| |
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | New |
|
|
|
| |
Ensure rotation for customer created CMKs is enabled | New |
|
|
|
| |
S3 bucket CloudTrail logs ACL should not allow public access | New |
|
|
|
| |
S3 bucket should have server access logging enabled | New |
|
|
|
| |
ELB is created with Access logs enabled | New |
|
|
|
| |
Ensure VPC Flow Logging is Enabled in all Applicable Regions | New |
|
|
|
| |
Enable ALB Elastic Load Balancer v2 (ELBv2) access log | New |
|
|
|
| |
Ensure that your AWS CloudTrail logging bucket has MFA enabled | New |
|
|
|
| |
Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3 | New |
|
|
|
| |
Ensure that AWS EKS Cluster control plane logging is enabled | New |
|
|
|
| |
Ensure that object-level logging is enabled for S3 buckets | New |
|
|
|
| |
Ensure Network firewall flow logging is enabled | New |
|
|
|
| |
Ensure Network firewall alerts logging is enabled | New |
|
|
|
| |
Ensure VPC flow logging is enabled in all VPCs | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for unauthorized API calls | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for usage of 'root' account | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for IAM policy changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for CloudTrail configuration changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for S3 bucket policy changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for AWS Config configuration changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for security group changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for changes to network gateways | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for route table changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for VPC changes | New |
|
|
|
| |
Ensure appropriate subscribers to each SNS topic | New |
|
|
|
| |
Ensure that the configuration recorder is set to 'on' and set S3 Bucket and SNS topic as your delivery channel | New |
|
|
|
| |
Ensure NAT gateway state is available | New |
|
|
|
| |
Ensure SNS topic have active subscriptions | New |
|
|
|
| |
Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) | New |
|
|
|
| |
Ensure VPC flow logging is enabled in all VPCs | New |
|
|
|
| |
Ensure the default security group of every VPC restricts all traffic | New |
|
|
|
| |
Ensure S3 buckets are not publicly accessible | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols | New |
|
|
|
| |
Restrict outbound traffic to that which is necessary, and specifically deny all other traffic | New |
|
|
|
| |
Instances are Configured under Virtual Private Cloud | New |
|
|
|
| |
Security Groups must be defined under a Virtual Private Cloud | New |
|
|
|
| |
Remove Unused Security Groups | New |
|
|
|
| |
RDS should not have Public Interface | New |
|
|
|
| |
RDS should not have Public Interface open to a public scope | New |
|
|
|
| |
RDS should not have be open to a large scope | New |
|
|
|
| |
S3 bucket should have versioning enabled | New |
|
|
|
| |
Ensure that Static website hosting is disabled on your S3 bucket | New |
|
|
|
| |
Security Groups - with admin ports too exposed to the public internet | New |
|
|
|
| |
Instances with Direct Connect virtual interface should not have public interfaces | New |
|
|
|
| |
RDS Databases with Direct Connect virtual interface should not have public interfaces | New |
|
|
|
| |
Public AMI | New |
|
|
|
| |
ECS Cluster should not have running container instances with unconnected agents | New |
|
|
|
| |
Ensure that at least one instance is registered with an ECS Cluster | New |
|
|
|
| |
Make sure that ALB is protected by a WAF | New |
|
|
|
| |
AWS Cloud Front - WAF Integration | New |
|
|
|
| |
Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols | New |
|
|
|
| |
Ensure that at least one Load Balancer is attached to the service | New |
|
|
|
| |
Ensure AWS Application Load Balancer (ALB) listeners block connection requests over HTTP | New |
|
|
|
| |
Ensure AWS CloudFront distribution with access logging is enabled | New |
|
|
|
| |
Ensure AWS CloudFront web distribution with geo restriction is enabled | New |
|
|
|
| |
Ensure AWS CloudFront web distributions use custom (and not default) SSL certificates | New |
|
|
|
| |
Ensure that AWS Elastic Load Balancers (ELB) have no outbound rules in their security groups | New |
|
|
|
| |
Ensure AWS NAT Gateways are being utilized instead of the default route | New |
|
|
|
| |
Ensure AWS VPC subnets have automatic public IP assignment disabled | New |
|
|
|
| |
Ensure that SageMaker Notebook does not have direct internet access | New |
|
|
|
| |
Ensure that AWS Elastic Load Balancers (ELB) have inbound rules in their security groups | New |
|
|
|
| |
Ensure AWS Redshift clusters are not publicly accessible | New |
|
|
|
| |
Ensure that the API Endpoint type in API Gateway is set to Private and is not exposed to the public internet | New |
|
|
|
| |
Ensure that AWS EKS Cluster endpoint access is not public | New |
|
|
|
| |
Ensure that the VPC Endpoint status is Available state | New |
|
|
|
| |
Ensure that Security Groups are not open to all | New |
|
|
|
| |
Remove Unused Security Groups that are open to all | New |
|
|
|
| |
Ensure that AWS S3 Bucket block public ACLs is enabled at the account level or at the Bucket level | New |
|
|
|
| |
Ensure to define VPC associations and propagations yourself to keep track of all routes and connections to and from your Transit gateway | New |
|
|
|
| |
Ensure that NAT gateway is not associated in a private subnet | New |
|
|
|
| |
Ensure Auto Scaling group being used with multiple Availability zones | New |
|
|
|
| |
Ensure Network firewall delete protection enabled | New |
|
|
|
| |
Ensure Network firewall have subnet change protection enabled | New |
|
|
|
| |
Ensure Network firewall have policy change protection enabled | New |
|
|
|
| |
Ensure Network firewall status is not FAILED | New |
|
|
|
| |
Ensure that all authorization Type in API Gateway are not set to None | New |
|
|
|
| |
Ensure that all requestValidatorId in API Gateway are not null | New |
|
|
|
| |
EksCluster should not have more then one security groups | New |
|
|
|
| |
EksCluster should not be publicly access | New |
|
|
|
| |
Invalid CPU or Memory Value Specified | New |
|
|
|
| |
Container metadata | New |
|
|
|
| |
Enable container's health checks | New |
|
|
|
| |
Ensure AWS EBS Volumes are attached to instances | New |
|
|
|
| |
Ensure only usable Customer Managed Keys are in the AWS KMS | New |
|
|
|
| |
Ensure AWS Lambda functions have tracing enabled | New |
|
|
|
| |
Ensure AWS RDS automatic minor upgrades are enabled | New |
|
|
|
| |
Identifies unused AWS VPCs | New |
|
|
|
| |
Ensure there is a Dead Letter Queue configured for each Amazon SQS queue | New |
|
|
|
| |
Ensure NAT gateway has a name tag | New |
|
|
|
| |
Ensure Transit gateway have a name tag | New |
|
|
|
| |
Ensure VPC Endpoint has a name tag | New |
|
|
|
| |
Ensure SQS Dead-letter queue is not configured to send messages to the source queue | New |
|
|
|
| |
Ensure Auto Scaling group does not have suspended processes | New |
|
|
|
| |
Ensure Auto Scaling group have scaling cooldown configured | New |
|
|
|
| |
Credentials report was generated in the last 24 hours | New |
|
|
|
| |
Enforce Password Policy | New |
|
|
|
| |
EC2 Instance - there shouldn't be any High level findings in Inspector Scans | New |
|
|
|
| |
Instances without Inspector runs in the last 30 days | New |
|
|
|
| |
Amazon GuardDuty service is enabled | New |
|
|
|
| |
Amazon System Manager Document should not be publicly available | New |
|
|
|
| |
Ensure that public System Manager Documents include parameters | New |
|
|
|
| |
Ensure that encryption of data at rest is enabled on Elasticsearch domains | New |
|
|
|
| |
Ensure VIRTUAL MFA is enabled for the 'root' account | New |
|
|
|
| |
Ensure that Trusted Policy Roles which can be assumed by external entities include a Condition String | New |
|
|
|
| |
Determine if CloudFront CDN is in use | New |
|
|
|
| |
Ensure that SageMaker is placed in VPC | New |
|
|
|
| |
Enforce creation of ElasticSearch domains within your VPCs | New |
|
|
|
|
July 12 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
VMInstance with administrative service: SSH (TCP:22) is too exposed to the public internet | New |
|
|
|
| |
VMInstance with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet | New |
|
|
|
| |
VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | New |
|
|
|
| |
VMInstance with administrative service: SSH (TCP:22) is exposed to a wide network scope | New |
|
|
|
| |
VMInstance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope | New |
|
|
|
| |
VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | New |
|
|
|
| |
VMInstance with administrative service: SSH (TCP:22) is too exposed to the public internet | Removal |
|
|
|
| |
VMInstance with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet | Removal |
|
|
|
| |
VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | Removal |
|
|
|
| |
VMInstance with administrative service: SSH (TCP:22) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Memcached (TCP:11211) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Memcached (UDP:11211) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Mongo (TCP:27017) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted LDAP (TCP:389) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted LDAP (UDP:389) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Redis (TCP:6379) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Elastic search (TCP:9200) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Elastic search (TCP:9300) is exposed to the public internet | New |
|
|
|
| |
VMInstance with unencrypted Memcached (TCP:11211) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Memcached (UDP:11211) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Mongo (TCP:27017) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted LDAP (TCP:389) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted LDAP (UDP:389) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Redis (TCP:6379) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Elastic search (TCP:9200) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with unencrypted Elastic search (TCP:9300) is exposed to the public internet | Removal |
|
|
|
| |
VMInstance with service POP3(TCP:110) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Memcached SSL(TCP:11214) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Memcached SSL(UDP:11214) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Memcached SSL(TCP:11215) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Memcached SSL(UDP:11215) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service MSSQL Debugger(TCP:135) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service NetBios Session Service(TCP:139) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service NetBios Session Service(UDP:139) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service MSSQL Server(TCP:1433) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service MSSQL Admin(TCP:1434) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service SNMP(UDP:161) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Telnet(TCP:23) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service SMTP(TCP:25) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service CIFS / SMB(TCP:3020) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service MySQL(TCP:3306) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Microsoft-DS(TCP:445) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service SaltStack Master(TCP:4505) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service SaltStack Master(TCP:4506) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service DNS(UDP:53) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Postgres SQL(TCP:5432) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Postgres SQL(UDP:5432) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service VNC Listener(TCP:5500) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service VNC Server(TCP:5900) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service LDAP SSL(TCP:636) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Cassandra(TCP:7001) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Known internal web port(TCP:8000) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Known internal web port(TCP:8080) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Puppet Master(TCP:8140) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Memcached (TCP:11211) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Memcached (UDP:11211) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Mongo (TCP:27017) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted LDAP (TCP:389) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted LDAP (UDP:389) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Redis (TCP:6379) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Elastic search (TCP:9200) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Elastic search (TCP:9300) is exposed to a large network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Memcached (TCP:11211) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Memcached (UDP:11211) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Mongo (TCP:27017) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted LDAP (TCP:389) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted LDAP (UDP:389) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Redis (TCP:6379) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Elastic search (TCP:9200) is exposed to a small network scope | Removal |
|
|
|
| |
VMInstance with unencrypted Elastic search (TCP:9300) is exposed to a small network scope | Removal |
|
|
|
| |
Public VMInstance with service POP3(TCP:110) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(TCP:11214) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(UDP:11214) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(TCP:11215) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(UDP:11215) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Debugger(TCP:135) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service NetBIOS Name Service(TCP:137) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service NetBIOS Name Service(UDP:137) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service NetBios Datagram Service(TCP:138) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service NetBios Datagram Service(UDP:138) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service NetBios Session Service(TCP:139) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service NetBios Session Service(UDP:139) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Server(TCP:1433) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Admin(TCP:1434) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service SNMP(UDP:161) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Telnet(TCP:23) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Oracle DB SSL(TCP:2484) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Oracle DB SSL(UDP:2484) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service SMTP(TCP:25) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Mongo Web Portal(TCP:27018) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Prevalent known internal port(TCP:3000) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service CIFS / SMB(TCP:3020) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service MySQL(TCP:3306) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Microsoft-DS(TCP:445) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service SaltStack Master(TCP:4505) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service SaltStack Master(TCP:4506) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service DNS(UDP:53) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Postgres SQL(TCP:5432) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Postgres SQL(UDP:5432) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service VNC Listener(TCP:5500) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service VNC Server(TCP:5900) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service LDAP SSL(TCP:636) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Cassandra(TCP:7001) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Known internal web port(TCP:8000) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Known internal web port(TCP:8080) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Puppet Master(TCP:8140) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service Hadoop Name Node(TCP:9000) is exposed to the entire internet | Removal |
|
|
|
| |
Public VMInstance with service POP3(TCP:110) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(TCP:11214) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(UDP:11214) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(TCP:11215) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(UDP:11215) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Debugger(TCP:135) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service NetBios Session Service(TCP:139) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service NetBios Session Service(UDP:139) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Server(TCP:1433) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Admin(TCP:1434) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service SNMP(UDP:161) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Telnet(TCP:23) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service SMTP(TCP:25) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service CIFS / SMB(TCP:3020) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service MySQL(TCP:3306) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Microsoft-DS(TCP:445) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service SaltStack Master(TCP:4505) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service SaltStack Master(TCP:4506) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service DNS(UDP:53) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Postgres SQL(TCP:5432) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Postgres SQL(UDP:5432) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service VNC Listener(TCP:5500) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service VNC Server(TCP:5900) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service LDAP SSL(TCP:636) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Cassandra(TCP:7001) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Known internal web port(TCP:8000) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Known internal web port(TCP:8080) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Puppet Master(TCP:8140) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a wide public network | Removal |
|
|
|
| |
Public VMInstance with service POP3(TCP:110) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(TCP:11214) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(UDP:11214) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(TCP:11215) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Memcached SSL(UDP:11215) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Debugger(TCP:135) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service NetBios Session Service(TCP:139) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service NetBios Session Service(UDP:139) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Server(TCP:1433) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Admin(TCP:1434) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service SNMP(UDP:161) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Telnet(TCP:23) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service SMTP(TCP:25) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service CIFS / SMB(TCP:3020) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service MySQL(TCP:3306) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Microsoft-DS(TCP:445) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service SaltStack Master(TCP:4505) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service SaltStack Master(TCP:4506) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service DNS(UDP:53) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Postgres SQL(TCP:5432) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Postgres SQL(UDP:5432) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service VNC Listener(TCP:5500) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service VNC Server(TCP:5900) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service LDAP SSL(TCP:636) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Cassandra(TCP:7001) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Known internal web port(TCP:8000) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Known internal web port(TCP:8080) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Puppet Master(TCP:8140) is exposed to a small public network | Removal |
|
|
|
| |
Public VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a small public network | Removal |
|
|
|
| |
VMInstance with service POP3(TCP:110) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Memcached SSL(TCP:11214) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Memcached SSL(UDP:11214) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Memcached SSL(TCP:11215) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Memcached SSL(UDP:11215) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service MSSQL Debugger(TCP:135) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service NetBios Session Service(TCP:139) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service NetBios Session Service(UDP:139) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service MSSQL Server(TCP:1433) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service MSSQL Admin(TCP:1434) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service SNMP(UDP:161) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Telnet(TCP:23) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service SMTP(TCP:25) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service CIFS / SMB(TCP:3020) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service MySQL(TCP:3306) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Microsoft-DS(TCP:445) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service SaltStack Master(TCP:4505) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service SaltStack Master(TCP:4506) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service DNS(UDP:53) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Postgres SQL(TCP:5432) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Postgres SQL(UDP:5432) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service VNC Listener(TCP:5500) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service VNC Server(TCP:5900) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service LDAP SSL(TCP:636) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Cassandra(TCP:7001) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Known internal web port(TCP:8000) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Known internal web port(TCP:8080) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Puppet Master(TCP:8140) is exposed to a wide network scope | Removal |
|
|
|
| |
VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a wide network scope | Removal |
|
|
|
| |
Deprecated ruleset | New |
|
|
|
|
June 23 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure rotation for customer created CMKs is enabled (Scored) | New |
|
|
|
| |
Ensure Amazon DynamoDB tables have continuous backups enabled | New |
|
|
|
| |
Ensure that Lambda Functions with overly permissive policies are not created | New |
|
|
|
| |
Ensure Network firewall flow logging is enabled | New |
|
|
|
| |
Ensure VPC flow logging is enabled in all VPCs | New |
|
|
|
| |
Ensure Network firewall status is not FAILED | New |
|
|
|
| |
IamUser with Admin or wide permissions without MFA enabled | Removal |
|
|
|
| |
Ensure IAM Role does not allow '*' in trusted entities | Removal |
|
|
|
| |
Ensure that storage account access keys are periodically regenerated | New |
|
|
|
| |
Ensure that multi-factor authentication is enabled for all privileged users | New |
|
|
|
| |
Ensure that multi-factor authentication is enabled for all non-privileged users | New |
|
|
|
| |
MFA should be enabled on accounts with read permissions on your subscription | New |
|
|
|
| |
MFA should be enabled on accounts with write permissions on your subscription | New |
|
|
|
| |
Ensure that Activity Log Retention is set 365 days or greater | New |
|
|
|
| |
Ensure that a Log Profile exists | New |
|
|
|
| |
Ensure audit profile captures all the activities | New |
|
|
|
| |
Change Control for Network Security Group Configuration | New |
|
|
|
| |
Ensure there is an up to date Network Diagram for your cloud network | New |
|
|
|
| |
Ensure Virtual Network Gateway is configured with Cryptographic Algorithm | Removal |
|
|
|
| |
Asset is not labeled | New |
|
|
|
| |
Ensure Cloud SQL - PostgreSQL server has log_checkpoints database flag set to on | New |
|
|
|
| |
Ensure Cloud SQL - PostgreSQL server has log_connections and log_disconnections database flags set to on | New |
|
|
|
| |
Ensure Cloud SQL - PostgreSQL server has log_lock_waits database flag set to on | New |
|
|
|
| |
Ensure Cloud SQL - PostgreSQL server has log_temp_files database flag set to '0' - (on) | New |
|
|
|
| |
Ensure Cloud SQL - PostgreSQL server has log_min_duration_statement database flag set to '-1' - (off) | New |
|
|
|
| |
Ensure there is an up to date Network Diagram for your cloud network | New |
|
|
|
| |
Ensure Cloud SQL - SQL Server instance has 'cross db ownership chaining' database flag set to off | New |
|
|
|
| |
Ensure Cloud SQL - SQL Server instance has 'contained database authentication' database flag set to off | New |
|
|
|
| |
Ensure that 'Secure transfer required' is Enabled | New |
|
|
|
| |
Ensure that OSS bucket server side encryption using KMS is enabled | New |
|
|
|
| |
Ensure that ECS Disks are encrypted | New |
|
|
|
| |
Ensure that ECS Virtual Machine's Disks are encrypted | New |
|
|
|
| |
Ensure no root account access key exists | New |
|
|
|
| |
Ensure MFA is enabled for the 'root' account | New |
|
|
|
| |
Avoid the use of the 'root' account | New |
|
|
|
| |
Ensure users not logged on for 90 days or longer are disabled for console logon | New |
|
|
|
| |
Ensure RAM users have no more than one active Access Key | New |
|
|
|
| |
Ensure RAM policies are attached only to groups or roles | New |
|
|
|
| |
Ensure ECS Instances use RAM roles to control access | New |
|
|
|
| |
Ensure RAM policies that allow full access administrative privileges are not created | New |
|
|
|
| |
Ensure RAM password policy prevents password reuse | New |
|
|
|
| |
Ensure RAM password policy requires at least one uppercase letter | New |
|
|
|
| |
Ensure RAM password policy requires at least one lowercase letter | New |
|
|
|
| |
Ensure RAM password policy require at least one symbol | New |
|
|
|
| |
Ensure RAM password policy require at least one number | New |
|
|
|
| |
Ensure RAM password policy expires passwords within 90 days or less | New |
|
|
|
| |
Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour | New |
|
|
|
| |
Ensure RAM password policy requires minimum length of at least 14 | New |
|
|
|
| |
Ensure that OSS bucket is not anonymously or publicly accessible | New |
|
|
|
| |
Ensure that logging is enabled for OSS buckets | New |
|
|
|
| |
Instances are Configured under Virtual Private Cloud | New |
|
|
|
| |
Ensure legacy networks does not exist | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols | New |
|
|
|
| |
Restrict outbound traffic to that which is necessary, and specifically deny all other traffic | New |
|
|
|
|
June 13 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Use Encrypted RDS storage | Modification |
|
|
|
|
June 02 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Use Encrypted RDS storage | Modification |
|
|
|
| |
ELB - Recommended SSL/TLS protocol version | Modification |
|
|
|
| |
Ensure GCP VM Instances have Labels | New |
|
|
|
| |
Asset is not labeled | Removal |
|
|
|
| |
Ensure that Activity Log Alert exists for Delete Security Solution | Modification |
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Modification |
|
|
|
| |
Enable Function App Service Authentication | Modification |
|
|
|
| |
Overly Permissive Scope Access of Role Assignment | Modification |
|
|
|
| |
Overly Permissive Scope Access of Role Definition | Modification |
|
|
|
| |
Enable WebApp Service Authentication | Modification |
|
|
|
| |
Ensure RAM policies that allow full access administrative privileges are not created | Modification |
|
|
|
|
May 26 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that ECS Disks are encrypted | New |
|
|
|
| |
Ensure that ECS Virtual Machine's Disks are encrypted | New |
|
|
|
|
May 19 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Inctance that have public image details | Removal |
|
|
|
| |
Ensure that 'Secure transfer required' is Enabled | New |
|
|
|
| |
Ensure that OSS bucket server side encryption using KMS is enabled | New |
|
|
|
| |
Ensure that OSS bucket is not anonymously or publicly accessible | New |
|
|
|
| |
Ensure that logging is enabled for OSS buckets | New |
|
|
|
|
May 10 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that 'Number of methods required to reset' is set to '2' | Modification |
|
|
|
| |
Ensure that Activity Log Alert exists for Delete Policy Assignment | New |
|
|
|
| |
Ensure that Activity Log Alert Rule is activated for New/Updated SQL Servers Firewall Rules | Removal |
|
|
|
| |
Ensure that Activity Log Alert Rule is activated for New/Updated Network Security Groups | Removal |
|
|
|
| |
Ensure that Activity Log Alert Rule is activated for New/Updated Network Security Group Rules | Removal |
|
|
|
| |
Ensure that Activity Log Alert Rule is activated for New/Updated Security Solutions | Removal |
|
|
|
| |
Ensure that Activity Log Alert Rule is activated for Deleted SQL Servers Firewall Rules | Removal |
|
|
|
| |
Ensure that Activity Log Alert Rule is activated for Deleted Network Security Groups | Removal |
|
|
|
| |
Ensure that Activity Log Alert Rule is activated for Deleted Network Security Group Rules | Removal |
|
|
|
| |
Ensure that Activity Log Alert Rule is activated for Deleted Security Solutions | Removal |
|
|
|
| |
Ensure that Activity Log Alert Rule is activated for New/Updated Security Plicies | Removal |
|
|
|
|
April 5, 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure remote debugging has been disabled for your production Azure Functions | New |
|
|
| Azure CloudGuard Best Practices | |
Enable App Service Authentication | New |
|
|
| Azure CloudGuard Best Practices | |
Enable Incoming Client Certificates | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Scope Access | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Subscription Access (Owner over the whole Subscription) | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Subscription Access (Contributor over the whole Subscription) | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Subscription Access (User Access Administrator over the whole Subscription) | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Directory Access (Global Administrator) | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Directory Access (Application Administrator) | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Directory Access (Privileged Role Administrator) | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Directory Access (Cloud Application Administrator) | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Directory Access (User Administrator) | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Directory Access (Helpdesk Administrator) | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Scope Access | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Subscription Access (Authorization over the whole Subscription) | New |
|
|
| Azure CloudGuard Best Practices | |
Overly Permissive Subscription Access (Full Access over the whole Subscription) | New |
|
|
| Azure CloudGuard Best Practices | |
Ensure that Application Service Logs are Enabled for Containerized Function Apps | New |
|
|
| Azure CloudGuard Best Practices | |
Ensure that Health Check is enabled for your Function App | New |
|
|
| Azure CloudGuard Best Practices | |
Ensure that RDP access is restricted from the internet | Modification | Logic | azurerm_network_security_group where security_rule with [ direction='Inbound' ] should not have ( security_rule with [ (destination_port_ranges contain ['3389']) and (protocol in ('Tcp','*')) and (access='Allow') and (source_port_range in('*', '0.0.0.0/0')) ] ) | azurerm_network_security_group where security_rule with [ direction='Inbound' ] should not have ( security_rule with [ (destination_port_ranges contain ['3389'] or destination_port_range contain ['3389']) and (protocol in ('Tcp','*')) and (access='Allow') and (source_port_range in('*', '0.0.0.0/0')) ] ) | Terraform Azure CIS Foundations | |
Ensure that SSH access is restricted from the internet | Modification | Logic | azurerm_network_security_group where security_rule with [ direction='Inbound' ] should not have ( security_rule with [ (destination_port_ranges contain ['22']) and (protocol in ('Tcp','*')) and (access='Allow') and (source_port_range in('*', '0.0.0.0/0')) ] ) | azurerm_network_security_group where security_rule with [ direction='Inbound' ] should not have ( security_rule with [ (destination_port_ranges contain ['22'] or destination_port_range contain ['22']) and (protocol in ('Tcp','*')) and (access='Allow') and (source_port_range in('*', '0.0.0.0/0')) ] ) | Terraform Azure CIS Foundations | |
Ensure that corporate login credentials are used instead of Gmail accounts | Modification | Name, Description, Remediation, References | GCP PCI-DSS 3.2 | |||
Ensure that multi-factor authentication is enabled for all non-service accounts | Modification | Description, Remediation |
| GCP HIPAA | ||
Ensure that multi-factor authentication is enabled for admin users | New |
|
|
| GCP CloudGuard Best Practices | |
Avoid using pre-IAM basic (primitive) roles |
|
|
|
| GCP CloudGuard Best Practices | |
Ensure permissions to impersonate a service account are not granted at project level | Modification | Name, Description, Remediation, References, Logic | GcpIamUser should not have roleNames contain [ $ in ('roles/iam.serviceAccountActor', 'roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ] | GcpIamPolicy should not have bindings contain-any [ role in ('roles/iam.workloadIdentityUser', 'roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ] | GCP CloudGuard Best Practices | |
Ensure that Separation of duties is enforced while assigning service account related roles to users | New |
|
|
| GCP CloudGuard Best Practices | |
User did not log in the past 90 days | New |
|
|
| GCP CloudGuard Best Practices | |
Suspended user account unused more then 6 months | New |
|
|
| GCP CloudGuard Best Practices | |
March 10, 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that Activity Log Alert exists for Create Policy Assignment | New |
|
|
| Azure CIS Foundations v. 1.1.0 | |
Ensure that Activity Log Alert exists for Delete Policy Assignment | New |
|
|
| Azure CIS Foundations v. 1.3.0 | |
Ensure that Activity Log Alert exists for Create or Update Network Security Group | New |
|
|
| Azure CIS Foundations v. 1.1.0 | |
Ensure that Activity Log Alert exists for Delete Network Security Group | New |
|
|
| Azure CIS Foundations v. 1.1.0 | |
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | New |
|
|
| Azure CIS Foundations v. 1.1.0 | |
Ensure that activity log alert exists for the Delete Network Security Group Rule | New |
|
|
| Azure CIS Foundations v. 1.1.0 | |
Ensure that Activity Log Alert exists for Create or Update Security Solution | New |
|
|
| Azure CIS Foundations v. 1.1.0 | |
Ensure that Activity Log Alert exists for Create or Update Security Solution | New |
|
|
| Azure CIS Foundations v. 1.1.0 | |
Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | New |
|
|
| Azure CIS Foundations v. 1.1.0 | |
Ensure that Cloud Storage bucket is not anonymously and/or publicly accessible | Modification | Remediation, reference |
| GCP PCI-DSS 3.2 | ||
Storage bucket access control should be with uniform bucket-level access | New |
|
|
| GCP CloudGuard Best Practices | |
Storage Bucket default ACL / ACL should not allow public access | New |
|
|
| GCP CloudGuard Best Practices | |
Ensure that Cloud Storage bucket has usage logs enabled | Modification | Name, description, remediation, severity,reference | GCP CSA CCM v.3.0.1 | |||
Ensure that there are only GCP-managed service account keys for each service account | Modification | description,logic,remediation,reference | ServiceAccount should not have keys with [ managedBy = 'User' ] | ServiceAccount where name unlike '%CloudGuard%' or (name like '%CloudGuard%' and roles contain-any [not $ in ('roles/viewer', 'roles/iam.securityReviewer')]) should not have keys with [ managedBy = 'User' ] | GCP CIS Foundations v. 1.0.0 | |
Ensure that Service Account has no Admin privileges | Modification | Name, description,logic,remediation,reference | ServiceAccount should not have roles contain-any [($ like '%Admin') or ($ like '%admin') or $ in ('roles/owner', 'roles/editor') ] | ServiceAccount should not have roles contain-any [ ($ like '%admin') or $ in ('roles/owner', 'roles/editor') ] | GCP HIPAA | |
Ensure that IAM users are not assigned Service Account User role at project level | Removal |
|
|
| GCP CIS Foundations v. 1.0.0 | |
Ensure that service accounts are not granted with permissions to use other service accounts or set iam policies | Modification | Name, description,logic,remediation,reference | ServiceAccount should not have roles contain [ 'roles/iam.serviceAccountAdmin' ] and roles contain [ 'roles/iam.serviceAccountUser' ] | ServiceAccount should not have roles contain-any [ $ like 'roles/iam.serviceAccount%' ] or roles contain-any [ $ like 'roles/iam.securityAdmin' ] | GCP CIS Foundations v. 1.0.0 | |
Ensure that Separation of duties is enforced while assigning KMS related roles to users | Removal |
|
|
| GCP CIS Foundations v. 1.0.0 | |
March 7, 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
IamUser with Admin or wide permissions without MFA enabled |
|
|
|
|
| |
Ensure storage for critical data are encrypted with Customer Managed Key |
|
|
|
|
| |
S3 Buckets outside of Europe |
|
|
|
|
| |
Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' |
|
|
|
|
| |
Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server |
|
|
|
|
| |
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server |
|
|
|
|
| |
Ensure SQL server's TDE protector is encrypted with Customer-managed key |
|
|
|
|
| |
Ensure that 'OS and Data' disks are encrypted with CMK |
|
|
|
|
| |
Ensure that 'Unattached disks' are encrypted with CMK |
|
|
|
|
|
February 16, 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that Role names cannot be enumeratable | Modification | Logic | IamRole should not have name in('0','1','2','3','4','5','6','7','8','9','A','ADS','API','APIGateway','AWS','Aaron','Abram','Account','Adelia','Adell','Admin','Administrator','Agustin','Ai','Alert_Logic_Cloud_Defender','Alexa','AlexaForBusiness','Alfonzo','Ali','Alica','Alisia','Allan','Almeda','Alpha','Alvera','Amado','AmazonRedShift','Amberly','Amos','Analytics','Anderson','Anette','Angele','Angie','Annalisa','Anne','Annice','Antonetta','Antonia','Antwan','AppStream2','AppStream2.0','AppSync','Argelia','Argentina','Arnoldo','Artifact','Arvilla','Athena','Audit','AutoScaling','Avery','Ayanna','B','Bari','Bastion','Batch','Benton','Bethel','Billing','Bobette','Brandie','Brenton','Bret','Britt','Bruce','Bryan','Bryant','Brynn','Buddy','C','CF','CLI','Caitlin','Caleb','Carlotta','CertificateManager','Chauncey','Cheri','Chery','Chime','Chris','Cicely','Clark','Cloud9','CloudCheckr','CloudFormation','CloudFront','CloudHSM','CloudMGR','CloudSearch','CloudSploitRole','CloudTrail','CloudWatch','CodeBuild','CodeCommit','CodeDeploy','CodePipeline','CodeStar','Cognito','Coleman','Comprehend','Config','Configuration','Connect','Cordell','Coretta','Corrine','Curt','Curtis','D','DB','DBAdmin','DMS','DS','DSWebAppsScanningRole','Dane','Darnell','Darrel','Darrin','DataPipeline','DataScientist','DatabaseAdministrator','DatadogAWSIntegrationRole','Db','Debrah','DeepLens','Deetta','Default','Delores','Deloris','Demarcus','Demo','Dena','Denice','Denita','Dennis','Derick','Desirae','Dev','Developer','DeviceFarm','Dewey','Dick','Dino','DirectConnect','DirectoryService','Dirk','Docker','Domenic','Dominique','Donn','Dyan','DynamoDB','E','EBS','EC2','ECS','EFS','EKS','EMR','EMR-Test','EMR-test','EMR_Test','EMR_test','Eboni','Echo','Eddie','ElastiCache','ElasticTranscoder','ElasticsearchService','Elia','Elisabeth','Elsy','Emelda','Emely','Encryption','Erick','Ervin','Ester','Eugenia','Eugenie','External','F','Fabian','Fallon','Faye','Felton','Fernando','Fidel','Floyd','Frankie','FreeRTOS','G','Gala','GameLift','Gene','Georgie','Gertha','Gertie','Gia','Giuseppe','Glacier','Global','GlobalLog','Glue','Graham','Greengrass','Gregg','GuardDuty','H','Hacker','Haywood','Hedwig','Hilario','Hilda','Hoyt','I','IAM','IT','Ian','Ina','Inspector','Intern','IoT1-Click','IoT1Click','IoTAnalytics','IoTCore','IoTDeviceDefender','IoTDeviceManagement','J','Jacinto','Jackson','Jacque','Jade','Jammie','Janita','Jc','Jeanetta','Jenine','Jeremiah','Jewel','Joan','Joanie','Jodie','Joesph','Josue','Judson','Julee','Juliette','K','K8s','KVS','Kaci','Karine','Katy','Keith','Kenna','Kermit','Kiana','Kimiko','Kinesis','KinesisVideoStreams','Kirby','KochavaReadS3','Kops','Korey','Kristian','Kube','KubernetesNode','L','Lacey','Lady','Lakiesha','Lambda','Lang','Lanny','Lashandra','Lauren','Leatrice','Lenard','Leona','Les','Lex','Lightsail','Lillian','Linh','Linnie','Logger','Logging','Loggly_aws','Logs','Loni','Lucie','Lucius','Luke','M','ML','MQ','MachineLearning','Macie','Madeline','Malisa','Marcell','Marcos','Margery','Margrett','Maria','Maribel','Marin','Marlon','Marshall','Maryanna','Marylou','Master','Mathilda','Matthew','Mauricio','Mauro','Maximo','MediaConvert','MediaLive','MediaPackage','MediaStore','MediaTailor','Mee','Melania','Melany','Melody','Meridith','Mesos','Michale','Micheal','Michell','Mickie','MigrationHub','Mikel','Milford','Miquel','Mirna','Misc','Miscellaneous','MobileAnalytics','MobileHub','Mohamed','Molly','Monitor','Monitoring','Monroe','MtSecurityScan','MyRole','N','Natacha','Neida','Neil','Neptune','NetAdmin','NetAdministrator','NetworkAdmin','NetworkAdministrator','Nevada','NewRelic-Infrastructure-AWS-Integration','Ngoc','Nobuko','Norris','Numbers','Nyla','O','Odis','OktaSSO','Onie','OpsClarity-Access','OpsWorks','Orbitera','Orville','P','Palmer','Parker','PenTest','PenetrationTest','PenetrationTester','Pentest','Percy','Phil','Pierre','Pinpoint','Polly','Porsche','Porsha','PowerUser','Poweruser','Pusher','Q','QuickSight','R','RDS','Raeann','Ramona','Rancher','Randal','Randy','ReadOnly','Readonly','RedShift','RedlineAccess','Reggie','Regina','Reina','Rekognition','Renee','Reta','Rhona','Richard','Rickey','Rico','Rigoberto','Robbie','Robbin','Rocky','Roger','Role','Root','RootRole','Rosalind','Rosio','Route53','Royce','Ruben','Rueben','S','S3','SES','SMS','SNS','SQS','SSO','SWF','SageMaker','Salvador','Sammy','Scarlett','Scheduler','SecAudit','SecretsManager','SecurityAudit','See','Server','Service','Seth','Shakira','Shannon','Shaquana','Shara','Shared','Shelia','Shelley','Sherryl','Shield','Shon','Sidney','Silas','SimpleEmailService','SingleSign-On','SingleSignOn','Snowball','Son','Song','Soraya','Spark','Stackdriver','StepFunctions','Storage','StorageGateway','Sumerian','Support','Sylvester','Synthia','Syreeta','SysAdmin','SysAdministrator','SystemAdmin','SystemAdministrator','SystemsManager','T','Tanja','Task','TaskScheduler','Temp','Temporary','Teodoro','Terrilyn','Test','Testing','Thomasine','ThreatStackRole','Tia','Tiana','Timer','Tommie','Tonisha','Tory','Transcribe','Translate','Tresa','Trinidad','Truman','TrustedAdvisor','Tyisha','U','Ulysses','Uploader','Ursula','User','V','VPC','VPC_NAT','VPN','Valentine','Verona','W','WAF','Walter','Waltraud','Waylon','Werner','Wilma','Wilmer','WorkDocs','WorkMail','WorkSpaces','X','X-Ray','XRay','Y','Yahaira','Yer','Yolanda','Z','Zandra','a','aaron','abram','account','adelia','adell','adm','admin','administrator','ads','agustin','ai','alert_logic_cloud_defender','alertlogic','alexa','alexaforbusiness','alfonzo','ali','alica','alisia','allan','almeda','alpha','alvera','amado','amazonredshift','amberly','amos','analytics','anderson','anette','angele','angie','annalisa','anne','annice','antonetta','antonia','antwan','api','apigateway','appstream2','appstream2.0','appsync','argelia','argentina','arnoldo','artifact','arvilla','athena','audit','autoscaling','avery','aws','ayanna','b','bari','bastion','batch','benton','bethel','billing','bobette','bp-cloudhealth','brandie','brenton','bret','britt','bruce','bryan','bryant','brynn','buddy','bulletproof','c','caitlin','caleb','carlotta','cb-access','certificatemanager','cf','chauncey','cheri','chery','chime','chris','cicely','clark','cli','cloud9','cloudability','cloudbreak','cloudcheckr','cloudcraft','cloudformation','cloudfront','cloudhsm','cloudmgr','cloudsearch','cloudsploit','cloudsploitrole','cloudtrail','cloudwatch','codebuild','codecommit','codedeploy','codepipeline','codestar','cognito','coleman','comprehend','config','configuration','connect','cordell','coretta','corrine','curt','curtis','d','dane','darnell','darrel','darrin','databaseadministrator','datadog','datadogawsintegrationrole','datapipeline','datascientist','db','dbadmin','debrah','deeplens','deepsecurity','deetta','default','delores','deloris','demarcus','demo','dena','denice','denita','dennis','derick','desirae','dev','developer','devicefarm','dewey','dick','dino','directconnect','directoryservice','dirk','dms','docker','domenic','dominique','donn','ds','dswebappsscanningrole','dyan','dynamodb','dynatrace','e','eboni','ebs','ec2','echo','ecs','eddie','efs','eks','elasticache','elasticsearchservice','elastictranscoder','elia','elisabeth','elsy','emelda','emely','emr','emr-test','emr_test','encryption','erick','ervin','ester','eugenia','eugenie','external','f','fabian','fallon','faye','felton','fernando','fidel','floyd','frankie','freertos','freshservice','g','gala','gamelift','gene','georgie','gertha','gertie','gia','giuseppe','glacier','global','globallog','globus','glue','graham','greengrass','gregg','guardduty','h','hacker','haywood','hedwig','hilario','hilda','hoyt','i','iam','ian','ina','inspector','instaclustr','intern','iot1-click','iot1click','iotanalytics','iotcore','iotdevicedefender','iotdevicemanagement','it','j','jacinto','jackson','jacque','jade','jammie','janita','jc','jeanetta','jenine','jeremiah','jewel','joan','joanie','jodie','joesph','josue','judson','julee','juliette','k','k8s','kaci','karine','katy','keith','kenna','kermit','keyWatch','keywatch','kiana','kimiko','kinesis','kinesisvideostreams','kirby','kochava','kochavareads3','kops','korey','kristian','kube','kubernetes','kubernetesnode','kvs','l','lacey','lady','lakiesha','lambda','lang','lanny','lashandra','lauren','leatrice','lenard','leona','les','lex','lightsail','lillian','linh','linnie','logger','logging','loggly','loggly-role','loggly_aws','logs','loni','lucie','lucius','luke','m','machinelearning','macie','madeline','malisa','manage','management','management-admin','marcell','marcos','margery','margrett','maria','maribel','marin','marlon','marshall','maryanna','marylou','master','mathilda','matthew','mauricio','mauro','maximo','mediaconvert','medialive','mediapackage','mediastore','mediatailor','mediatemple','mee','melania','melany','melody','meridith','mesos','michale','micheal','michell','mickie','migrationhub','mikel','milford','miquel','mirna','misc','miscellaneous','ml','mobileanalytics','mobilehub','mohamed','molly','mongodb','monitor','monitoring','monroe','mq','mtsecurityscan','myMMSRole','myRole','mymmsrole','myrole','n','natacha','neida','neil','neptune','netadmin','netadministrator','networkadmin','networkadministrator','nevada','newrelic','newrelic-infrastructure-aws-integration','ngoc','nobuko','norris','numbers','nyla','o','odis','okta','oktasso','onie','opsclarity','opsclarity-access','opsworks','orbitera','orville','p','palmer','parker','penetrationtest','penetrationtester','pentest','percy','phil','pierre','pinpoint','polly','porsche','porsha','poweruser','pusher','q','quicksight','r','raeann','ramona','rancher','randal','randy','rds','readonly','redline','redline13','redlineaccess','redshift','reggie','regina','reina','rekognition','renee','reta','rhona','richard','rickey','rico','rigoberto','robbie','robbin','rocky','roger','role','roleWatch','rolewatch','root','rootRole','rootrole','rosalind','rosio','route53','royce','ruben','rueben','s','s3','s3stat','sa','sagemaker','salvador','sammy','scarlett','scheduler','secaudit','secretsmanager','securityaudit','see','server','service','ses','seth','shakira','shannon','shaquana','shara','shared','shelia','shelley','sherryl','shield','shon','sidney','signalfx','silas','simpleemailservice','singlesign-on','singlesignon','skeddly','sms','snowball','sns','son','song','soraya','spark','sqs','sso','stackdriver','stepfunctions','storage','storagegateway','sumerian','support','swf','sylvester','synthia','syreeta','sysadmin','sysadministrator','systemadmin','systemadministrator','systemsmanager','t','tanja','task','taskscheduler','temp','temporary','teodoro','teraproc','teraproc-access','terrilyn','test','testing','thomasine','threatstack','threatstackrole','tia','tiana','timer','tommie','tonisha','tory','transcribe','translate','tresa','trinidad','truman','trustedadvisor','tyisha','u','ulysses','uploader','ursula','user','v','valentine','verona','vmimport','vpc','vpc_nat','vpn','w','waf','walter','waltraud','waylon','werner','wilma','wilmer','workdocs','workmail','workspaces','workspaces_DefaultRole','workspaces_defaultrole','x','x-ray','xray','y','yahaira','yer','yolanda','z','zandra') | IamRole should not have name in($Enumeratable_Role_Names) | AWS CloudGuard Best Practices | |
Ensure that multi-factor authentication is enabled for all non-privileged users | Removal |
|
|
| Azure CIS Foundations v. 1.2.0 | |
Ensure that multi-factor authentication is enabled for all privileged users | Removal |
|
|
| Azure Security Benchmark |
February 10, 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure first access key is rotated every 90 days or less | Modification | Logic | IamUser where firstAccessKey.isActive='true' should not have firstAccessKey.lastRotated after(-90, 'days') | IamUser where firstAccessKey.isActive='true' should not have firstAccessKey.lastRotated before(-90, 'days') | AWS CIS Foundations v. 1.0.0 | |
Ensure second access key is rotated every 90 days or less | Modification | Logic | IamUser where secondAccessKey.isActive='true' should not have secondAccessKey.lastRotated after(-90, 'days') | IamUser where secondAccessKey.isActive='true' should not have secondAccessKey.lastRotated before(-90, 'days') | AWS CIS Foundations v. 1.0.0 |
February 03, 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|
|---|---|---|---|---|---|---|---|
Ensure first access key is rotated every 90 days or less | Modification | Logic | IamUser where createDate before(-90, 'days') and firstAccessKey.isActive='true' should have (firstAccessKey.lastRotated after(-90, 'days') and firstAccessKey.lastUsedDate > firstAccessKey.lastRotated ) | IamUser where firstAccessKey.isActive='true' should not have firstAccessKey.lastRotated after(-90, 'days') | AWS CIS Foundations v. 1.0.0 |
| |
Ensure second access key is rotated every 90 days or less | Modification | Logic | IamUser where createDate before(-90, 'days') and secondAccessKey.isActive='true' should have (secondAccessKey.lastRotated after(-90, 'days') and secondAccessKey.lastUsedDate > secondAccessKey.lastRotated ) | IamUser where secondAccessKey.isActive='true' should not have secondAccessKey.lastRotated after(-90, 'days') |
| AWS CIS Foundations v. 1.0.0 | |
Ensure that Role names cannot be enumeratable | New |
|
|
| AWS CloudGuard Best Practices |
| |
nsure that public System Manager Documents include parameters | New |
|
|
| AWS CloudGuard Best Practices |
|
January 27, 2021
Rule ID
| Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that ADS - 'Advanced Threat Protection types' (ATP) is set to 'All' | New |
|
|
| Azure ISO 27001:2013 | |
Ensure that AZURE DEFENDER FOR SQL and Advanced Threat Protection (ATP) on a SQL server is set to 'On' | Modification | Remediation |
|
| Azure Security Benchmark | |
Ensure that ADS - ATP 'Administrator and subscription owner' is 'Enabled' | Remediation | Remediation |
|
| Azure ISO 27001:2013 | |
Ensure that ADS - ATP 'Send alerts to' is set | Modification | Remediation |
|
| Azure ISO 27001:2013 | |
Ensure that multi-factor authentication is enabled for all privileged users | Modification | Logic, description | User should have userCredentialRegistrationDetails.isRegisterWithMfa=true | RoleAssignment should have (properties contain [getResource('User', principalId) contain [userCredentialRegistrationDetails.isRegisterWithMfa=true]] and properties contain [getResources('RoleDefinition',roleDefinitionId) contain [properties.roleName in ('Owner','Contributor')]]) | Azure Security Benchmark | |
Ensure that multi-factor authentication is enabled for all non-privileged users | New |
|
|
| Azure CloudGuard Best Practices | |
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | New |
|
|
| Azure Security Benchmark | |
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | New |
|
|
| Azure Security Benchmark |
January 20, 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that node-to-node encryption is enabled for Elasticsearch service | Modification | Logic | ElasticSearchDomain should have nodeToNodeEncryptionOptions.enabled=false | ElasticSearchDomain should not have nodeToNodeEncryptionOptions.enabled=false | AWS CloudGuard Best Practices | |
Ensure that 'Auditing' in SQL Servers is set to 'On' | New |
|
|
| Azure ISO 27001:2013 | |
Ensure that 'Auditing' Retention on SQL Server is 'greater than 90 days' | New |
|
|
| Azure ISO 27001:2013 | |
Ensure that ADS - ATP 'Send alerts to' is set | New |
|
|
| Azure ISO 27001:2013 | |
Ensure that ADS - ATP 'Administrator and subscription owner' is 'Enabled' | New |
|
|
| Azure ISO 27001:2013 | |
Ensure SSM Documents are not Publicly Exposed | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure Sensitive Parameters are Encrypted | New |
|
|
| Terraform AWS CIS Foundations | |
nsure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22) | Modification | Logic | aws_security_group should not have ingress with [(from_port<=22 and to_port>=22) and (cidr_blocks contain ['0.0.0.0:0'] or ipv6_cidr_blocks contain ['::/0'])] | aws_security_group should not have ingress with [(from_port<=22 and to_port>=22) and (cidr_blocks contain ['0.0.0.0/0'] or ipv6_cidr_blocks contain ['::/0'])] | Terraform AWS CIS Foundations | |
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) | Modification | Logic | aws_security_group should not have ingress with [(from_port<=3389 and to_port>=3389) and (cidr_blocks contain ['0.0.0.0:0'] or ipv6_cidr_blocks contain ['::/0'])] | aws_security_group should not have ingress with [(from_port<=3389 and to_port>=3389) and (cidr_blocks contain ['0.0.0.0/0'] or ipv6_cidr_blocks contain ['::/0'])] | Terraform AWS CIS Foundations | |
Ensure IAM policies that allow full '*:*' administrative privileges are not created | Modification | Logic | IamPolicy where (arn!='arn:aws:iam::aws:policy/AdministratorAccess' or arn!='arn:aws-us-gov:iam::aws:policy/AdministratorAccess') and document.Statement contain-any [Effect = 'Allow' and (Resource ='*' or Resource contain[$='*'] ) and (Action ='*' or Action contain[$='*']) ] should have users isEmpty() and roles isEmpty() and groups isEmpty() | IamPolicy where (arn!='arn:aws:iam::aws:policy/AdministratorAccess' and arn!='arn:aws-us-gov:iam::aws:policy/AdministratorAccess') and document.Statement contain-any [Effect = 'Allow' and (Resource ='*' or Resource contain[$='*'] ) and (Action ='*' or Action contain[$='*']) ] should have users isEmpty() and roles isEmpty() and groups isEmpty() | AWS CIS Foundations v. 1.1.0 |
January 04, 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that 'OS disk' are encrypted | modification | Logic | VirtualMachine where isScaleSetVm=false should have disks contain-all [ encrypted=true ] | VirtualMachine should have (disks contain [getResource('Disk',name,'name') contain [properties.encryptionSettingsCollection.enabled=true]]) | Azure Security Benchmark | |
Ensure 'Block Project-wide SSH keys' enabled for non-windows VM instances | modification | Logic | VMInstance where not (disks contain [ licenses contain [ $ like '%windows%' ] ]) should have metadata.items contain-any [ key='block-project-ssh-keys' and value='true'] | VMInstance where not (disks contain [ licenses contain [ $ like '%windows%' ] ]) should have metadata.items contain-any [ key='block-project-ssh-keys' and value regexMatch /TRUE/i ] | GCP PCI-DSS 3.2 | |
Ensure oslogin is enabled for a Project | modification | Logic | Project should have metadata.items contain [ key='enable-oslogin' and value='TRUE' ] | Project should have metadata.items contain [ key='enable-oslogin' and value regexMatch /TRUE/i ] | GCP PCI-DSS 3.2 | |
Ensure oslogin is enabled for a Virtual Machine | modification | Logic | VMInstance should have metadata.items contain [ key='enable-oslogin' and value='TRUE' ] | VMInstance should have metadata.items contain [ key='enable-oslogin' and value regexMatch /TRUE/i ] | GCP PCI-DSS 3.2 | |
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | modification | Logic | VMInstance should not have serviceAccounts contain [ scopes contain-any ['https://www.googleapis.com/auth/cloud-platform']] | VMInstance should not have serviceAccounts contain [ isDefaultServiceAccount=true and scopes contain [ 'https://www.googleapis.com/auth/cloud-platform' or 'cloud-platform' ] ] | GCP PCI-DSS 3.2 | |
Key vault should have purge protection enabled | New |
|
|
| Azure Security Benchmark | |
Managed identity should be used in your Function App | New |
|
|
| Azure Security Benchmark | |
Unattached disks should be encrypted | New |
|
|
| Azure Security Benchmark | |
Function App should only be accessible over HTTPS | New |
|
|
| Azure Security Benchmark | |
Web Application should only be accessible over HTTPS | New |
|
|
| Azure Security Benchmark | |
Latest TLS version should be used in your Function App | New |
|
|
| Azure Security Benchmark |
December 22, 2020
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Amazon System Manager Document should not be publicly available | New |
|
|
| AWS CloudGuard Best Practices | |
Ensure that sensitive parameters are encrypted | New |
|
|
| AWS CloudGuard Best Practices |
December 21, 2020
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure IAM policies that allow full '*:*' administrative privileges are not created | Modification | Logic | IamPolicy where arn!='arn:aws:iam::aws:policy/AdministratorAccess' and document.Statement contain-any [Effect = 'Allow' and (Resource ='*' or Resource contain[$='*'] ) and (Action ='*' or Action contain[$='*']) ] should have users isEmpty() and roles isEmpty() and groups isEmpty() | IamPolicy where (arn!='arn:aws:iam::aws:policy/AdministratorAccess' or arn!='arn:aws-us-gov:iam::aws:policy/AdministratorAccess') and document.Statement contain-any [Effect = 'Allow' and (Resource ='*' or Resource contain[$='*'] ) and (Action ='*' or Action contain[$='*']) ] should have users isEmpty() and roles isEmpty() and groups isEmpty() | AWS CIS Foundations v. 1.1.0 | |
ELB is setup with SSL for secure communication | Modification | Logic | ELB should have elbListeners contain [(sourceProtocol='HTTPS' and instanceProtocol='HTTPS')] | ELB should have elbListeners contain [(sourceProtocol='SSL' and instanceProtocol='SSL')] | AWS MAS TRM Framework | |
Ensure that Register with Azure Active Directory is enabled on App Service | New |
|
|
| Azure CloudGuard Best Practices | |
Ensure that 'HTTP Version' is the latest, if used to run the web app | New |
|
|
| Azure CloudGuard Best Practices | |
Ensure that AZURE DEFENDER FOR SQL and Advanced Threat Protection (ATP) on a SQL server is set to 'On' | New |
|
|
| Azure CloudGuard Best Practices | |
Ensure that ADS - ATP 'Send alerts to' is set | New |
|
|
| Azure CloudGuard Best Practices | |
Ensure that ADS - ATP 'Administrator and subscription owner' is 'Enabled' | New |
|
|
| Azure CloudGuard Best Practices |
December 09, 2020
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure Amazon SQS queues enforce Server-Side Encryption (SSE) | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE) | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure that AWS SNS topic is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure that AWS SQS is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure that SQS policy won't allow all actions from all principals | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure SNS Topics aren't publicly accessible | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure SNS Topics administrative actions aren’t publicly executable | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure that VPC Endpoint policy won't allow all actions | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure to define VPC associations and propagations yourself to keep track of all routes and connections to and from your Transit gateway | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure Auto Scaling group being used with multiple Availability zones | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure Network firewall delete protection enabled | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure Network firewall have subnet change protection enabled | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure Network firewall have policy change protection enabled | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure Network firewall resides in a dedicated subnet | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure there is a Dead Letter Queue configured for each Amazon SQS queue | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure NAT gateway has a name tag | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure Transit gateway have a name tag | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure VPC Endpoint has a name tag | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure Auto Scaling group does not have suspended processes | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure Auto Scaling group have scaling cooldown configured | New |
|
|
| Terraform AWS CIS Foundations | |
Ensure Amazon SQS queues enforce Server-Side Encryption (SSE) | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE) | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure that AWS SNS topic is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure that AWS SQS is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure that AWS Secret Manager Secret rotation is enabled | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure that SQS policy won't allow all actions from all principals | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure SNS Topics aren't publicly accessible | Modification | Logic, Reference, remediation | SnsTopic where policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*')] should not have policy.Statement contain [Condition.StringEquals isEmpty()] | SnsTopic where policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*')] should have policy.Statement contain [Condition] | AWS CloudGuard Best Practices | |
Ensure SNS Topics administrative actions aren’t publicly executable | Modification | Logic, Reference, remediation | SnsTopic should not have policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*') and (Action contain-any ['SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic' or 'SNS:Publish'])] | SnsTopic should not have policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*') and (Action contain-any ['SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic']) and Condition isEmpty()] | AWS CloudGuard Best Practices | |
Ensure that VPC Endpoint policy won't allow all actions | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure NAT gateway state is available | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure SNS topic have active subscriptions | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure that the VPC Endpoint status is Available state | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure to define VPC associations and propagations yourself to keep track of all routes and connections to and from your Transit gateway | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure that NAT gateway is not associated in a private subnet | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure there is a Dead Letter Queue configured for each Amazon SQS queue | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure NAT gateway has a name tag | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure Transit gateway have a name tag | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure VPC Endpoint has a name tag | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Ensure SQS Dead-letter queue is not configured to send messages to the source queue | Modification | Reference, remediation |
|
| AWS CloudGuard Best Practices | |
Instances without Inspector runs in the last 30 days | Modification | Logic | Instance should have scanners.scans contain [source = 'Inspector' and startTime after(-30, 'days') and state in ('COMPLETED') ] | Instance where region in('eu_central_1','eu_west_1','eu_west_2','ap_south_1','us_west_1','us_east_1','us_east_2','us_west_2','ap_northeast_2','eu_north_1','ap_southeast_2','ap_northeast_1','us_gov_east_1','us_gov_west_1') should have scanners.scans contain [source = 'Inspector' and startTime after(-30, 'days') and state in ('COMPLETED') ] | AWS MAS TRM Framework | |
Ensure that the expiry date is set on all keys | Modification | Logic | KeyVault where keys should have keys contain [ enabled=true and expires after(1,'days') ] | KeyVault where keys should have keys contain-none [ enabled=true and expires isEmpty() ] and keys contain-none [ enabled=true and expires before(1,'days') ] | Azure NIST 800-171 | |
Ensure that the expiry date is set on all secrets | Modification | Logic | KeyVault where secrets should have secrets contain [ enabled=true and expires after(1,'days') ] | KeyVault where secrets should have secrets contain-none [ enabled=true and expires isEmpty() ] and secrets contain-none [ enabled=true and expires before(1,'days') ] | Azure NIST 800-171 | |
Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server | Modification | Logic | PostgreSQL where logsConfiguration contain [ name='log_duration' ] should have logsConfiguration with [ value='ON' ] | PostgreSQL should have logsConfiguration contain [ name='log_duration' and value='on' ] | Azure CloudGuard Best Practices | |
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Modification | Logic | PostgreSQL should have logsConfiguration with [ value='ON'] where name='connection_throttling' | PostgreSQL should have logsConfiguration contain [ name='connection_throttling' and value='on' ] | Azure CloudGuard Best Practices | |
Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Modification | Logic | PostgreSQL where logsConfiguration contain [ name='log_connections' ] should have logsConfiguration with [ value='on' ] | PostgreSQL should have logsConfiguration contain [ name='log_connections' and value='on' ] | Azure CloudGuard Best Practices | |
Ensure that the Auto Scaling Group has an associated ELB | Removal |
|
|
| AWS MAS TRM Framework |
December 07, 2020
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Reference | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure IAM password policy requires minimum length of 14 or greater | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure IAM password policy prevents password reuse | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a support role has been created to manage incidents with AWS Support | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure AWS Config is enabled in all regions | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure CloudTrail is enabled in all regions | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | Reference | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure rotation for customer created CMKs is enabled | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure VPC flow logging is enabled in all VPCs |
| New - Moved to Logging |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for unauthorized API calls | Logic, Reference, remediation | Modification | List<CloudTrail> should have items with [hasSNSSubscriber='true' and metricFilters with [filterPattern isFilterPatternEqual('{ ($.errorCode = UnauthorizedOperation) || ($.errorCode =AccessDenied) || ($.eventName!=HeadBucket) }')] length() > 0] | List<CloudTrail> should have items with [hasSNSSubscriber='true' and metricFilters with [filterPattern isFilterPatternEqual('{ ($.errorCode = UnauthorizedOperation) || ($.errorCode =AccessDenied) }')] length() > 0] | AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for IAM policy changes | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for S3 bucket policy changes | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for AWS Config configuration changes | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for security group changes | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for changes to network gateways | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for route table changes | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure a log metric filter and alarm exist for VPC changes | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 | |
Ensure the default security group of every VPC restricts all traffic | Reference, remediation | Modification |
|
| AWS CIS Foundations v. 1.3.0 |
December 02, 2020
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets
|
|---|---|---|---|---|---|---|
Ensure Network firewall status is not FAILED | New |
|
|
| AWS CloudGuard Best Practices | |
Ensure the log profile captures activity logs for all regions including global | Modification | Logic | LogProfile should have properties.locations length()>=34 | LogProfile should have properties.locations length()>=65 | Azure CloudGuard Best Practices | |
Ensure AWS RDS retention policy is at least 7 days | Modification | Logic | RDS should have backupRetentionPeriod>7 | RDS should have backupRetentionPeriod>6 | AWS CloudGuard Well Architected Framework | |
Ensure default network access rule for Storage Accounts is set to deny | Modification | Logic | StorageAccount should not have networkRuleSet.defaultAction='Allow' or networkRuleSet.ipRules contain-any [ ipAddressOrRange isPublic() ] | StorageAccount should not have networkRuleSet.defaultAction='Allow' | Azure CloudGuard Best Practices | |
Ensure Kubernetes Engine Clusters legacy compute engine metadata endpoints are disabled | Modification | Logic | GkeCluster should not have nodePools contain [ config.metadata.disable-legacy-endpoints = true ] | GkeCluster should have nodePools contain [ config.metadata.disable-legacy-endpoints = true ] | GCP CloudGuard Containers Security | |
ECS Cluster should have active services onlysure that the --repair-malformed-updates argument is set to false (API Server) | Removal |
|
|
| AWS CloudGuard Network Alerts | |
ECS Cluster should not have services without running tasks | Removal |
|
|
| AWS CloudGuard Network Alerts | |
ECS Cluster instances must be placed in a VPC | Removal |
|
|
| AWS CloudGuard Network Alerts | |
Ensure AWS EC2 instances with public IP addresses block unrestricted traffic (0.0.0.0/0) to their subnets | Removal |
|
|
| AWS CloudGuard Best Practices | |
Ensure there is at least one task in the deployment in RUNNING status | Removal |
|
|
| AWS CloudGuard Best Practices | |
S3 bucket should not allow put actions from all principals | Removal |
|
|
| AWS PCI-DSS 3.2 |
October 02, 2020
Rules Removed
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Ensure that the --repair-malformed-updates argument is set to false (API Server) | High | CIS Kubernetes Benchmark v1.4.0 | |
Ensure there is an up to date Network Diagram for your cloud network | Medium | GCP NIST CSF v1.1 |
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Ensure that AWS Secret Manager Secret rotation is enabled | High | AWS CloudGuard Best Practices | |
Ensure that Security Groups are not open to all | Medium | AWS CloudGuard Best Practices | |
Remove Unused Security Groups that are open to all | Medium | AWS CloudGuard Best Practices | |
Ensure that Lambda Functions with overly permissive policies are not created | High | AWS CloudGuard Best Practices | |
Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days | Medium | AWS CloudGuard Best Practices | |
Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs | High | AWS CloudGuard Best Practices | |
Ensure that AWS S3 Bucket block public ACLs is enabled at the account level or at the Bucket level | High | AWS CloudGuard Best Practices |
Rule Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
|---|---|---|---|---|
Ensure that Lambda Functions with Admin Privileges are not created | Low | name | AWS HIPAA | |
Remove Unused Security Groups | Medium | logic | AWS HIPAA | |
Ensure that RDP access is not permitted from the entire internet | High | name | Azure CIS Foundations v. 1.1.0 | |
Ensure that SSH access is not permitted from the entire internet | High | name | Azure CIS Foundations v. 1.1.0 | |
Ensure that ElastiCache for Redis version is compliant with AWS PCI DSS requirements | High | logic | AWS CloudGuard Well Architected Framework |
August 11, 2020
Rules Removed
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Duplicate - Ensure that you are using authorized IP address ranges in order to secure access to the API server | High | Azure CloudGuard Network Alerts | |
Deprecated - Unused firewall rules | Medium | GCP CloudGuard Network Alerts |
June 29, 2020
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3 | Medium | AWS Dome9 Best Practices | |
Ensure in-transit and at-rest encryption is enabled for Amazon EMR clusters | High | AWS Dome9 Best Practices | |
Ensure Amazon SQS queues enforce Server-Side Encryption (SSE) | High | AWS Dome9 Best Practices | |
Ensure there is a Dead Letter Queue configured for each Amazon SQS queue | Low | AWS Dome9 Best Practices | |
Ensure that encryption of data at rest is enabled on Elasticsearch domains | High | AWS Dome9 Best Practices | |
Ensure that node-to-node encryption is enabled for Elasticsearch service | High | AWS Dome9 Best Practices | |
Enforce creation of ElasticSearch domains within your VPCs | Medium | AWS Dome9 Best Practices | |
Ensure that AWS EKS Cluster endpoint access is not public | Medium | AWS Dome9 Best Practices | |
Ensure that AWS EKS Cluster control plane logging is enabled | Medium | AWS Dome9 Best Practices | |
Ensure that the configuration recorder is set to 'on' and set S3 Bucket and SNS topic as your delivery channel | High | AWS Dome9 Best Practices | |
Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE) | High | AWS Dome9 Best Practices | |
Ensure that object-level logging is enabled for S3 buckets | High | AWS Dome9 Best Practices | |
Ensure that the VPC Endpoint status is Available state | High | AWS Dome9 Best Practices | |
Ensure that you are using authorized IP address ranges in order to secure access to the API server | High | Azure Dome9 Best Practices | |
Ensure that firewall rules are enabled and configured for Analysis services server | High | Azure Dome9 Best Practices | |
Ensure that multi-factor authentication is enabled for all privileged users | High | Azure Dome9 Best Practices | |
Ensure that 'Number of methods required to reset' is set to '2' | Low | Azure Dome9 Best Practices | |
Ensure that there are no guest users | High | Azure Dome9 Best Practices | |
Ensure PubSub service is encrypted, with customer managed encryption keys. | High | GCP Dome9 Best Practices | |
Ensure that all the deployed cloud functions are in 'active' mode | Low | GCP Dome9 Best Practices | |
Ensure that at least one event trigger was configured in your function | High | GCP Dome9 Best Practices |
Rule Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
|---|---|---|---|---|
Make sure that ALB is protected by a WAF | Medium | Logic | AWS Dome9 Best Practices | |
S3 buckets should not grant any external privileges via ACL | High | Logic | AWS NIST 800-53 Rev 4 | |
Ensure that Static website hosting is disabled on your S3 bucket | High | Name and Description | AWS Dome9 Best Practices | |
Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --anonymous-auth argument is set to false (API Server) | Low | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --basic-auth-file argument is not set (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --insecure-allow-any-token argument is not set (API Server) | Low | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --kubelet-https argument is set to true (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --insecure-bind-address argument is not set (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --insecure-port argument is set to 0 (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --secure-port argument is not set to 0 (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --profiling argument is set to false (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --repair-malformed-updates argument is set to false (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the admission control plugin AlwaysAdmit is not set (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the admission control plugin AlwaysPullImages is set (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the admission control plugin NamespaceLifecycle is set (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --audit-log-path argument is set as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --token-auth-file parameter is not set (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --kubelet-certificate-authority argument is set as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --service-account-lookup argument is set to true (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the admission control plugin PodSecurityPolicy is set (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --service-account-key-file argument is set as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the admission control plugin ServiceAccount is set (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --client-ca-file argument is set as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --etcd-cafile argument is set as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --authorization-mode argument is set to Node (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the admission control plugin NodeRestriction is set (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the admission control plugin EventRateLimit is set (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the AdvancedAuditing argument is not set to false (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --request-timeout argument is set as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --authorization-mode argument includes RBAC (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --profiling argument is set to false (Scheduler) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --address argument is set to 127.0.0.1 (Scheduler) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Controller Manager) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --profiling argument is set to false (Controller Manager) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --root-ca-file argument is set as appropriate (Controller Manager) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --address argument is set to 127.0.0.1 (Controller Manager) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --client-cert-auth argument is set to true (etcd) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --auto-tls argument is not set to true (etcd) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --peer-client-cert-auth argument is set to true (etcd) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --peer-auto-tls argument is not set to true (etcd) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the admission control plugin DenyEscalatingExec is set (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the --experimental-encryption-provider-config argument is set as appropriate (API Server) | High | Logic | Kubernetes v.1.13 Dome9 Best Practices |
May 19, 2020
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Ensure that the cluster-admin role is only used where required (RBAC) | Low | Kubernetes v.1.13 Dome9 Best Practices | |
Minimize access to secrets (RBAC) | Low | Kubernetes v.1.13 Dome9 Best Practices | |
Minimize wildcard use in Roles and ClusterRoles (RBAC) | Low | Kubernetes v.1.13 Dome9 Best Practices | |
Minimize access to create pods (RBAC) | Low | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that default service accounts are not actively used. (RBAC) | Medium | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that Service Account Tokens are only mounted where necessary (RBAC) | Low | Kubernetes v.1.13 Dome9 Best Practices |
Rule Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
|---|---|---|---|---|
Ensure AWS IAM policies do not grant 'assume role' permission across all services | High | Logic | AWS Dome9 Best Practices |
May 12, 2020
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Ensure that the --audit-log-path argument is set (API Server) | High | CIS Kubernetes Benchmark v1.5.0 | |
Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager) | High | CIS Kubernetes Benchmark v1.5.0 | |
Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler) | High | CIS Kubernetes Benchmark v1.5.0 | |
Minimize the admission of containers wishing to share the host network namespace (PSP) | High | CIS Kubernetes Benchmark v1.5.0 | |
Minimize the admission of containers wishing to share the host process ID namespace (PSP) | High | CIS Kubernetes Benchmark v1.5.0 | |
Minimize the admission of containers with allowPrivilegeEscalation (PSP) | High | CIS Kubernetes Benchmark v1.5.0 | |
Minimize the admission of privileged containers (PSP) | Medium | CIS Kubernetes Benchmark v1.5.0 | |
Minimize the admission of root containers (PSP) | Medium | CIS Kubernetes Benchmark v1.5.0 | |
Create administrative boundaries between resources using namespaces | Low | CIS Kubernetes Benchmark v1.5.0 | |
Ensure that the --anonymous-auth argument is set to false (API Server) | Low | CIS Kubernetes Benchmark v1.5.0 | |
Ensure that the seccomp profile is set to docker/default in your pod definitions | Low | CIS Kubernetes Benchmark v1.5.0 | |
Minimize the admission of containers with the NET_RAW capability (PSP) | Low | CIS Kubernetes Benchmark v1.5.0 | |
The default namespace should not be used | Low | CIS Kubernetes Benchmark v1.5.0 | |
Ensure that the Viewer Protocol policy is compliant to only use the HTTPS protocol | High | AWS Dome9 Best Practices | |
Ensure that you have an authorized network when connecting directly to a Cloud SQL instance on a Public IP | High | GCP Dome9 Best Practices | |
Ensure that auto backup is enabled for your Cloud SQL instance | High | GCP Dome9 Best Practices | |
Ensure to use SSL/TLS certificates to encrypt data when using Public IP on your Cloud SQL instance | High | GCP Dome9 Best Practices | |
Ensure to have customer managed encryption keys(CMEK) to manage permissions | High | GCP Dome9 Best Practices | |
Ensure that the pod security policy is enabled in your AKS cluster | High | Azure Dome9 Best Practices | |
Ensure that you are using authorized IP address ranges in order to secure access to the API server | High | Azure Dome9 Best Practices | |
Ensure that a network policy is in place to secure traffic between pods | High | Azure Dome9 Best Practices |
Rule Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
|---|---|---|---|---|
Apply Security Context to Your Pods and Containers | High | Severity | CIS Kubernetes Benchmark v1.4.0 | |
Do not admit root containers | High | Severity | CIS Kubernetes Benchmark v1.4.0 | |
Ensure that the seccomp profile is set to docker/default in your pod definitions | High | Severity | CIS Kubernetes Benchmark v1.4.0 | |
Ensure that Container Registry has locks | High | Name |
| |
Ensure that SQL server access is restricted from the internet | High | Name | Azure Dome9 Network Alerts | |
Asset does not contain a security tag | Medium | Logic | GCP PCI-DSS 3.2 | |
Ensure that a Log Profile exists | High | Remediation | Azure CIS Foundations v. 1.1.0 | |
Ensure the log profile captures activity logs for all regions including global | High | Remediation | Azure CIS Foundations v. 1.1.0 | |
Ensure audit profile captures all the activities | Medium | Remediation | Azure CIS Foundations v. 1.1.0 | |
Ensure that Activity Log Retention is set 365 days or greater | Medium | Remediation | Azure CIS Foundations v. 1.1.0 | |
Ensure that 'OS disk' are encrypted | Medium | Logic | Azure CIS Foundations v. 1.1.0 | |
Ensure that Azure Virtual Machine is assigned to an availability set | Medium | Logic | Azure CIS Foundations v. 1.1.0 | |
Ensure that at least one Network Security Group is attached to all VMs and subnets that are public | High | Logic | Azure CIS Foundations v. 1.1.0 | |
Ensure that IamGroup does not have Inline policies | Medium | RuleID | AWS Dome9 Best Practices | |
Ensure Amazon DynamoDB tables have continuous backups enabled | High | Logic and Remediation | AWS Dome9 Well Architected Framework | |
Ensure AWS IAM policies do not grant 'assume role' permission across all services | High | Logic | AWS Dome9 Well Architected Framework | |
Ensure that 'Storage service encryption' is enabled for the File Service | High | Description | Azure HIPAA | |
Ensure that Containers are not running in privileged mode | High | Logic | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure that the seccomp profile is set to runtime/default in your pod definitions | Low |
| CIS Kubernetes Benchmark v1.4.0 | |
Ensure AWS NAT Gateways are being utilized instead of the default route | Medium | Logic | AWS Dome9 Well Architected Framework |
Rules Removed
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Ensure Amazon DynamoDB tables enforce Server-Side Encryption (SSE) | High | AWS Dome9 Well Architected Framework | |
Ensure that 'Auditing' is enabled for Azure SQL Database | Medium | Azure HIPAA | |
Ensure that 'Send alerts to' is enabled for Azure SQL Database | Medium | Azure HIPAA | |
Ensure that 'Email service and co-administrators' is 'Enabled' for Azure SQL Database | Low | Azure HIPAA | |
Ensure that 'Auditing' Retention is 'greater than 90 days' for Azure SQL Database | Low | Azure HIPAA | |
Ensure that there are no services with Port 80 (HTTP) open on the node port | High | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure there are no nodes with kubelet version under 1.11 | High | Kubernetes v.1.13 Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" | Medium | Azure Dome9 Best Practices |
February 04, 2020
Rule Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
|---|---|---|---|---|
Ensure pods outside of kube-system do not have access to node volume | High | Logic | Kubernetes Best Practices | |
S3 bucket should not have writable permissions from anonymous users | High | Remediation | AWS NIST 800-53 Rev 4 | |
S3 bucket should not have world-readable permissions from anonymous users | High | Remediation | AWS NIST 800-53 Rev 4 | |
Ensure that SSH access is restricted from the internet | High | Logic | Azure CIS Foundations v. 1.1.0 |
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Use customer-managed encryption keys (CMEK) for BigQuery to control encryption | Medium | GCP Dome9 Best Practices | |
Ensure that the Auto Scaling Group has an associated ELB | Medium | AWS Dome9 Best Practices | |
Ensure that all the expired Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates managed by AWS Certificate Manager are removed in order to adhere to Amazon Security Best Practices. | Medium | AWS Dome9 Best Practices | |
Ensure that 'OS disk' are encrypted | Medium | Azure CIS Foundations v. 1.0.0 | |
Ensure that IamGroup does not have Inline policies | Medium | AWS Dome9 Best Practices |
November 29, 2019
Rule Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
|---|---|---|---|---|
Ensure S3 buckets are not publicly accessible | High | Logic | AWS NIST 800-53 Rev 4 | |
Ensure AWS NAT Gateways are being utilized instead of the default route | Medium | Name | AWS Dome9 Best Practices |
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Ensure auto upgrades for an existing node pool | High | GCP Dome9 Best Practices GCP Dome9 Containers Security |
October 24, 2019
Rule Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
|---|---|---|---|---|
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | High | logic | Azure CIS Foundations v. 1.1.0 | |
Ensure that Activity Log Retention is set 365 days or greater | Medium | logic | Azure CIS Foundations v. 1.1.0 | |
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Medium | logic | Azure CIS Foundations v. 1.1.0 | |
Ensure IAM policies that allow full "*:*" administrative privileges are not created | High | logic | AWS CIS Foundations v. 1.2.0 | |
Ensure a log metric filter and alarm exist for security group changes | Medium | logic | AWS CIS Foundations v. 1.2.0 | |
Ensure a log metric filter and alarm exist for S3 bucket policy changes | Medium | logic | AWS CIS Foundations v. 1.2.0 | |
Use encrypted connection between CloudFront and origin server | High | logic | AWS HIPAA |
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Public Instance with service 'Telnet' (TCP:23) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public Instance with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public Instance with service 'DNS' (UDP:53) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public ELB with service 'Telnet' (TCP:23) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public ELB with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public ELB with service 'DNS' (UDP:53) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public Instance with service 'VNC Listener' (TCP:5500) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public Instance with service 'VNC Server' (TCP:5900) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public ELB with service 'VNC Listener' (TCP:5500) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public ELB with service 'VNC Server' (TCP:5900) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to the entire internet | High | AWS Dome9 Network Alerts | |
Public Instance with service 'Telnet' (TCP:23) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public Instance with service 'Microsoft-DS' (TCP:445) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public Instance with service 'DNS' (UDP:53) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public ELB with service 'Telnet' (TCP:23) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public ELB with service 'Microsoft-DS' (TCP:445) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public ELB with service 'DNS' (UDP:53) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public Instance with service 'VNC Listener' (TCP:5500) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public Instance with service 'VNC Server' (TCP:5900) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public ELB with service 'VNC Listener' (TCP:5500) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public ELB with service 'VNC Server' (TCP:5900) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide public network | High | AWS Dome9 Network Alerts | |
Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public Instance with service 'Microsoft-DS' (TCP:445) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public Instance with service 'DNS' (UDP:53) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public ELB with service 'Telnet' (TCP:23) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public ELB with service 'Microsoft-DS' (TCP:445) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public ELB with service 'DNS' (UDP:53) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public Instance with service 'VNC Listener' (TCP:5500) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public Instance with service 'VNC Server' (TCP:5900) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public ELB with service 'VNC Listener' (TCP:5500) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public ELB with service 'VNC Server' (TCP:5900) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Public ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small public network | Medium | AWS Dome9 Network Alerts | |
Instance with service 'Telnet' (TCP:23) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
Instance with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
Instance with service 'DNS' (UDP:53) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
ELB with service 'Telnet' (TCP:23) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
ELB with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
ELB with service 'DNS' (UDP:53) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
Instance with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
Instance with service 'VNC Server' (TCP:5900) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
ELB with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
ELB with service 'VNC Server' (TCP:5900) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts | |
ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
D9.AWS.NET.AG10.ApplicationLoadBalancer.5900.TCP | ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small network scope | Low | AWS Dome9 Network Alerts |
ELB with service 'Telnet' (TCP:23) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
ELB with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
ELB with service 'DNS' (UDP:53) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
ELB with service 'VNC Listener' (TCP:5500) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
ELB with service 'VNC Server' (TCP:5900) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
Instance with service 'Telnet' (TCP:23) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
Instance with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
Instance with service 'DNS' (UDP:53) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
Instance with service 'VNC Listener' (TCP:5500) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
Instance with service 'VNC Server' (TCP:5900) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small network scope | Low | AWS Dome9 Network Alerts | |
NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small network scope | Low | AWS Dome9 Network Alerts |
September 24, 2019
Rule Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
|---|---|---|---|---|
Ensure that Container Registry has locks | High | Name | Azure Dome9 Best Practices | |
ECS Cluster At-Rest Encryption | High | Remediation | AWS Dome9 Best Practices | |
Ensure SQL server TDE protector is encrypted with BYOK (Use your own key) | Medium | Compliance Tag | Azure CIS Foundations v. 1.1.0
| |
Ensure entire Azure infrastructure doesn't have access to Azure SQL Server | High | Logic | Azure CSA CCM v.3.0.1 | |
Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's | High | Name | AWS Dome9 Best Practices | |
Ensure that an API Key is required on a Method Request | Medium | Logic | AWS Dome9 Best Practices |
Rules Removed
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Ensure that 'Auditing' is enabled for Azure SQL Database | Medium | Azure CIS Foundations v. 1.1.0 | |
Ensure that 'Auditing' Retention is 'greater than 90 days' for Azure SQL Database | Low | Azure CIS Foundations v. 1.1.0 | |
Ensure that 'Threat Detection' is enabled for Azure SQL Database | Medium | Azure CIS Foundations v. 1.1.0 | |
Ensure that 'Send alerts to' is enabled for Azure SQL Database | Medium | Azure CIS Foundations v. 1.1.0 | |
Ensure that 'Email service and co-administrators' is 'Enabled' for Azure SQL Database | Low | Azure CIS Foundations v. 1.1.0 | |
Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account | Medium | Azure CIS Foundations v. 1.1.0 |
August 28, 2019
Rule Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
|---|---|---|---|---|
Ensure that 'Storage service encryption' is enabled for the File Service | High | Description | Azure CSA CCM v.3.0.1 | |
Ensure SQL server TDE protector is encrypted with BYOK (Use your own key) | Medium | Name | Azure CIS Foundations v. 1.1.0 | |
Ensure HARDWARE MFA is enabled for the 'root' account | High | Description | AWS CIS Foundations v. 1.1.0 | |
Ensure that Redis is updated regularly with security and operational updates. Note this feature is only available to Premium tier Redis Caches. | High | Description | Azure Dome9 Network Alerts | |
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | High | Logic | GCP Dome9 Best Practices | |
Ensure that Azure Virtual network peering is connected | Low | Logic | Azure Dome9 Best Practices | |
Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled | High | Logic | AWS Dome9 Best Practices |
August 20, 2019
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Ensure to update the Security Policy of the Network Load Balancer | High | AWS Dome9 Best Practices | |
Ensure that the API Endpoint type in API Gateway is set to Private and is not exposed to the public internet | high | AWS Dome9 Serverless Architectures Security | |
Ensure that an API Key is required on a Method Request | Medium | AWS Dome9 Serverless Architectures Security | |
Ensure that 'Storage service encryption' is enabled for the Blob Service | High | Azure Dome9 Best Practices | |
Ensure that 'Storage service encryption' is enabled for the File Service | High | Azure Dome9 Best Practices | |
Ensure default network access rule for Storage Accounts is set to deny | High | Azure Dome9 Best Practices | |
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | High | Azure Dome9 Best Practices | |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | High | Azure Dome9 Best Practices | |
Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Medium | Azure Dome9 Best Practices | |
Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server | Medium | Azure Dome9 Best Practices | |
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Medium | Azure Dome9 Best Practices | |
Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" | Medium | Azure Dome9 Best Practices | |
Ensure that Azure Active Directory Admin is configured for SQL Server | High | Azure Dome9 Best Practices | |
Ensure that RDP access is restricted from the internet | High | Azure Dome9 Best Practices | |
Ensure that SSH access is restricted from the internet | High | Azure Dome9 Best Practices | |
Ensure that Network Watcher is 'Enabled' | High | Azure Dome9 Best Practices | |
Ensure the key vault is recoverable - enable "Soft Delete" setting for a Key Vault | Medium | Azure Dome9 Best Practices | |
Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | Medium | Azure Dome9 Best Practices | |
Ensure that a Log Profile exists | High | Azure Dome9 Best Practices | |
Ensure that Activity Log Retention is set 365 days or greater | Medium | Azure Dome9 Best Practices | |
Ensure audit profile captures all the activities | Medium | Azure Dome9 Best Practices | |
Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Medium | Azure Dome9 Best Practices | |
Ensure the log profile captures activity logs for all regions including global | High | Azure Dome9 Best Practices | |
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Medium | Azure Dome9 Best Practices | |
Ensure that inbound traffic is restricted to only that which is necessary, and all other traffic denied | High | Azure Dome9 Best Practices |
Rule Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
|---|---|---|---|---|
Ensure that Azure Virtual network peering is connected | Low | Logic | Azure Dome9 Best Practices | |
Ensure that outbound traffic is restricted to only that which is necessary, and all other traffic denied | High | Logic | Azure Dome9 Best Practices | |
Ensure that the expiry date is set on all keys | High | Logic | Azure CSA CCM v.3.0.1 Azure HIPAA Azure Dome9 SOC2 based on AICPA TSC 2017 Azure PCI-DSS 3.2 Azure CIS Foundations v. 1.0.0 Azure NIST 800-53 Rev 4 Azure GDPR Readiness Azure NIST CSF v1.1 Azure ISO 27001:2013 Azure Dome9 Best Practices | |
Ensure that the expiry date is set on all secrets | High | Logic | Azure CSA CCM v.3.0.1 Azure HIPAA Azure Dome9 SOC2 based on AICPA TSC 2017 Azure PCI-DSS 3.2 Azure CIS Foundations v. 1.0.0 Azure NIST 800-53 Rev 4 Azure GDPR Readiness Azure NIST CSF v1.1 Azure ISO 27001:2013 Azure Dome9 Best Practices |
Rules Removed
Rule ID | Rule Name | Severity | Affected Bundles |
|---|---|---|---|
Ensure that 'Threat Detection' is enabled for Azure SQL Database | Medium | Azure CSA CCM v.3.0.1 | |
Ensure that storage account access keys are periodically regenerated | Medium | Azure CSA CCM v.3.0.1 |