CloudGuard Dome9 Compliance Content Updates- September 2021 - December 2022
- 1 December 28 2022
- 2 December 21 2022
- 3 December 15 2022
- 4 December 14 2022
- 5 December 07 2022
- 6 December 04 2022
- 7 November 30 2022
- 8 November 28 2022
- 9 November 23 2022
- 10 November 16 2022
- 11 November 09 2022
- 12 November 02 2022
- 13 October 26 2022
- 14 October 19 2022
- 15 October 12 2022
- 16 September 28 2022
- 17 September 21 2022
- 18 September 14 2022
- 19 September 07 2022
- 20 August 24 2022
- 21 August 10 2022
- 22 August 03 2022
- 23 July 27 2022
- 24 July 20 2022
- 25 July 13 2022
- 26 July 06 2022
- 27 June 29 2022
- 28 June 22 2022
- 29 June 15 2022
- 30 June 08 2022
- 31 June 01 2022
- 32 May 25 2022
- 33 May 18 2022
- 34 May 11 2022
- 35 April 27 2022
- 36 April 20 2022
- 37 April 13 2022
- 38 April 06 2022
- 39 April 06 2022
- 40 March 30 2022
- 41 March 23 2022
- 42 March 16 2022
- 43 March 09 2022
- 44 March 01 2022
- 45 February 23 2022
- 46 February 16 2022
- 47 February 09 2022
- 48 February 02 2022
- 49 January 26 2022
- 50 January 19 2022
- 51 January 12 2022
- 52 January 05 2022
- 53 January 04 2022
- 54 January 02 2022
- 55 December 29 2021
- 56 December 22 2021
- 57 December 15 2021
- 58 December 08 2021
- 59 December 01 2021
- 60 November 24 2021
- 61 November 17 2021
- 62 November 10 2021
- 63 November 03 2021
- 64 October 27 2021
- 65 October 20 2021
- 66 October 06 2021
- 67 October 04 2021
- 68 September 29 2021
- 69 September 13 2021
- 70 September 05 2021
- 71 September 01, 2021
December 28 2022
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' | High | New |
|
|
|
| |
Ensure that custom IAM Role doesn't have an overly permissive scope (Contains a wildcard) | High | Modification |
|
|
|
|
December 21 2022
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | High | Modification |
|
|
|
| |
Ensure Diagnostic Setting captures appropriate categories | Low | Modification |
|
|
|
| |
Ensure that IAM Role doesn't have excessive permissions (Allowing all actions) | High | Modification |
|
|
|
| |
Ensure that IAM Role doesn't have an overly permissive scope (Contains a wildcard) | High | New |
|
|
|
| |
Ensure that ECS Service role doesn't have excessive permissions (Contains a wildcard) | High | New |
|
|
|
| |
Ensure that ECS Service managed role doesn't have an overly permissive scope (Contains a wildcard) | High | New |
|
|
|
| |
Enable ALB Elastic Load Balancer v2 (ELBv2) access log | Low | Modification |
|
|
|
| |
Ensure that your AWS CloudTrail logging bucket has MFA delete enabled | Low | Modification |
|
|
|
| |
Ensure that Containers and its blobs are not exposed publicly | Critical | New |
|
|
|
| |
Ensure S3 buckets are not publicly accessible without a condition | High | Removal |
|
|
|
| |
Ensure S3 buckets are not publicly accessible | High | Removal |
|
|
|
|
December 15 2022
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure that Lambda Function is not publicly exposed via resource policy without a condition | Critical | Modification |
|
|
|
|
December 14 2022
Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
Ensure credentials unused for 45 days or greater are disabled (First access key) | Low | Modification |
|
|
|
| |
Ensure credentials unused for 45 days or greater are disabled (Second access key) | Low | Modification |
|
|
|
| |
Ensure Amazon DynamoDB tables have continuous backups enabled | High | Modification |
|
|
|
|
December 07 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses Customer Master Keys (CMK) | New |
|
|
|
| |
Ensure that Lambda Function is not publicly exposed via resource policy without a condition | New |
|
|
|
|
December 04 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure AWS Kinesis Streams Keys are rotated | Modification |
|
|
|
| |
AWS Kinesis streams are encrypted with customer managed CMK | Modification |
|
|
|
| |
Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys | Modification |
|
|
|
| |
Ensures that AWS RDS databases are encrypted using Customer Managed Keys | Modification |
|
|
|
| |
Ensure SageMaker Notebook Instance Data Encryption is enabled | Modification |
|
|
|
| |
Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled | Modification |
|
|
|
|
November 30 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure S3 Bucket Policy is set to deny HTTP requests | Modification |
|
|
|
| |
Ensure access keys are rotated every 90 days or less (First access key) | Modification |
|
|
|
| |
Ensure access keys are rotated every 90 days or less (Second access key) | Modification |
|
|
|
| |
Ensure that Lambda Function execution role policy doesn't have an overly permissive scope (Contains a wildcard) | Modification |
|
|
|
| |
Ensure that the --authorization-mode argument is not set to AlwaysAllow (Kubelet) | Modification |
|
|
|
| |
Minimize wildcard use in Roles and ClusterRoles (RBAC) | Modification |
|
|
|
| |
Minimize access to create pods (RBAC) | Modification |
|
|
|
| |
Ensure that logging for Azure KeyVault is 'Enabled' | Modification |
|
|
|
| |
Ensure that EC2 instance's volumes are encrypted | New |
|
|
|
| |
Ensure that EC2 instance's custom AMI is encrypted at rest | New |
|
|
|
| |
Ensure that Lambda Function execution role policy doesn't have excessive permissions (Contains a wildcard) | Modification |
|
|
|
| |
Ensure that Lambda Function resource-based policy doesn't have excessive permissions (Contains a wildcard) | New |
|
|
|
| |
Ensure that EC2 instance's custom AMI is not publicly shared | New |
|
|
|
| |
Ensure that Lambda Function URL is secured with IAM authentication | New |
|
|
|
| |
Ensure that EC2 instances requires the use of Instance Metadata Service Version 2 (IMDSv2) | New |
|
|
|
| |
Minimize the admission of containers wishing to share the host IPC namespace (PSP) | Modification |
|
|
|
| |
Minimize the admission of containers wishing to share the host network namespace (PSP) | Modification |
|
|
|
| |
Minimize the admission of containers wishing to share the host process ID namespace (PSP) | Modification |
|
|
|
| |
Minimize the admission of containers with allowPrivilegeEscalation (PSP) | Modification |
|
|
|
| |
Minimize the admission of privileged containers (PSP) | Modification |
|
|
|
| |
Ensure that AWS SNS topic is encrypted using Customer Managed Keys instead of AWS-owned CMKs | Modification |
|
|
|
| |
Ensure that AWS SQS is encrypted using Customer Managed keys instead of AWS-owned CMKs | Modification |
|
|
|
| |
Ensure that the --anonymous-auth argument is set to false (API Server) | Modification |
|
|
|
| |
Ensure that the --hostname-override argument is not set (Kubelet) | Removal |
|
|
|
| |
Ensure that the --cadvisor-port argument is set to 0 (Kubelet) | Removal |
|
|
|
| |
Ensure that Virtual Networks Subnets have Security Groups | Removal |
|
|
|
|
November 28 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone. | New |
|
|
|
| |
Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone, even with a condition. | New |
|
|
|
|
November 23 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that all the expired SSL/TLS certificates are removed from ACM | Modification |
|
|
|
| |
Ensure to update the Security Policy of the Network Load Balancer | Modification |
|
|
|
|
November 16 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure AWS Kinesis Streams Keys are rotated | Modification |
|
|
|
| |
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Kubelet) (Openshift) | Modification |
|
|
|
| |
ACM has a PENDING_VALIDATION Certificate | Modification |
|
|
|
| |
Ensure ElastiCache for Memcached is not used in AWS PCI DSS environments | Modification |
|
|
|
| |
Ensure that SQL Server Auditing Retention is greater than 90 days | Removal |
|
|
|
| |
Ensure SQL Server Threat Detection is Enabled and Retention Logs are greater than 90 days | Removal |
|
|
|
| |
Ensure that Trusted Policy Roles which can be assumed by external entities include a Condition String | Removal |
|
|
|
| |
Container metadata | Removal |
|
|
|
|
November 09 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
AWS Kinesis streams are encrypted with customer managed CMK | Modification |
|
|
|
| |
AWS Kinesis data streams have server side encryption (SSE) enabled | Modification |
|
|
|
| |
Ensure that S3 Bucket is encrypted at rest | New |
|
|
|
| |
Ensure credentials unused for 45 days or greater are disabled (First access key) | Modification |
|
|
|
| |
Ensure credentials unused for 45 days or greater are disabled (Console password) | Modification |
|
|
|
| |
Ensure credentials unused for 45 days or greater are disabled (Second access key) | Modification |
|
|
|
| |
Ensure that SQL server 'Auditing' is set to 'On' | Modification |
|
|
|
| |
Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Modification |
|
|
|
| |
Ensure that SQL Database Auditing Retention is greater than 90 days | Modification |
|
|
|
| |
Ensure that S3 Buckets are configured with Block public access (bucket/account settings) | Modification |
|
|
|
| |
Ensure that AWS DynamoDB is encrypted using customer-managed CMK | Modification |
|
|
|
| |
Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | Modification |
|
|
|
| |
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | Modification |
|
|
|
| |
Identify unused AWS VPCs | Modification |
|
|
|
| |
Ensure Flow-Logs are Enabled on NSG | Modification |
|
|
|
| |
Ensure that AWS S3 Bucket block public ACLs is enabled at the account level or at the Bucket level | Removal |
|
|
|
|
November 02 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
SSL/TLS certificates expire in one week | Modification |
|
|
|
| |
ELB secured listener certificate expires in one week | Modification |
|
|
|
| |
ALB secured listener certificate expires in one week | Modification |
|
|
|
| |
Ensure that S3 bucket ACLs don't allow 'READ' access for anonymous / AWS authenticated users | Modification |
|
|
|
| |
Ensure that S3 bucket ACLs don't allow 'WRITE' access for anonymous / AWS authenticated users | Modification |
|
|
|
| |
Ensure that S3 bucket ACLs don't allow 'WRITE_ACP' access for anonymous / AWS authenticated users | Modification |
|
|
|
| |
Ensure that S3 bucket ACLs don't allow 'READ_ACP' access for anonymous / AWS authenticated users | Modification |
|
|
|
| |
Ensure that S3 Bucket policy doesn't allow actions from all principals without a condition | Modification |
|
|
|
| |
Ensure that S3 Bucket policy doesn't allow actions from all principals (Condition exists) | Modification |
|
|
|
| |
Ensure that S3 bucket ACLs don't allow 'FULL_CONTROL' access for anonymous / AWS authenticated users | New |
|
|
|
| |
Ensure that S3 Bucket policy doesn't have excessive permissions (Allowing all actions) | New |
|
|
|
| |
Ensure the Key Vault is Recoverable | Modification |
|
|
|
| |
Ensure That Storage Account Access Keys are Periodically Regenerated | Modification |
|
|
|
| |
Ensure that SQL Server 'Auditing' Retention is 'greater than 90 days' | Modification |
|
|
|
| |
ACM has soon to be expired certificates | Modification |
|
|
|
| |
Ensure AWS IAM policies do not grant 'assume role' permission across all services | Modification |
|
|
|
| |
S3 bucket should not be world-listable from anonymous users | Removal |
|
|
|
| |
S3 bucket should not be world-writable from anonymous users | Removal |
|
|
|
| |
S3 bucket should not have writable permissions from anonymous users | Removal |
|
|
|
| |
S3 bucket should not have world-readable permissions from anonymous users | Removal |
|
|
|
| |
S3 bucket should not allow delete actions from all principals without a condition | Removal |
|
|
|
| |
S3 bucket should not allow get actions from all principals without a condition | Removal |
|
|
|
| |
S3 bucket should not allow list actions from all principals without a condition | Removal |
|
|
|
| |
S3 bucket should not allow put or restore actions from all principals without a condition | Removal |
|
|
|
| |
S3 bucket should not allow delete actions from all principals | Removal |
|
|
|
| |
S3 bucket should not allow get actions from all principals with a condition | Removal |
|
|
|
| |
S3 bucket should not allow list actions from all principals | Removal |
|
|
|
| |
S3 bucket should not allow put or restore actions from all principals | Removal |
|
|
|
|
October 26 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Minimize access to secrets (RBAC) | Modification |
|
|
|
| |
Ensure that default service accounts are not actively used. (RBAC) | Modification |
|
|
|
| |
Apply Security Context to Your Pods and Containers | Modification |
|
|
|
| |
Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | Modification |
|
|
|
| |
Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is selected | Modification |
|
|
|
|
October 19 2022
Deprecated 221 CSPM Network rules for GCP and replaced them with 4 new rules.
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure MFA Delete is enable on S3 buckets | Modification |
|
|
|
| |
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known TCP port. | New |
|
|
|
| |
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known UDP port. | New |
|
|
|
| |
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known TCP DB port. | New |
|
|
|
| |
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known UDP DB port. | New |
|
|
|
| |
Ensure 'Allow access to Azure services' for PostgreSQL Flexible Server is disabled | New |
|
|
|
| |
Ensure that Microsoft Defender for Container Registries is set to 'On' | New |
|
|
|
| |
Ensure that Microsoft Defender for Key Vault is set to 'On' | New |
|
|
|
| |
Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | New |
|
|
|
| |
Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is selected | New |
|
|
|
| |
Ensure that your AWS CloudTrail logging bucket has MFA enabled | Modification |
|
|
|
| |
Ensure that no VMInstance allows incoming traffic from '0.0.0.0/0' to all protocols and ports. | New |
|
|
|
| |
Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to the ICMP port. | New |
|
|
|
|
October 12 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure Virtual Machines are utilizing Managed Disks | New |
|
|
|
| |
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | New |
|
|
|
| |
Ensure that VA setting 'Periodic recurring scans' to 'on' for each SQL server | New |
|
|
|
| |
Ensure that VA setting 'Send scan reports to' is configured for a SQL server | New |
|
|
|
| |
Ensure that Microsoft Defender for Servers is set to 'On' | New |
|
|
|
| |
Ensure that Microsoft Defender for App Service is set to 'On' | New |
|
|
|
| |
Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | New |
|
|
|
| |
Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | New |
|
|
|
| |
Ensure that Microsoft Defender for Storage is set to 'On' | New |
|
|
|
| |
Ensure that ECR image tags are immutable. | Modification |
|
|
|
| |
Ensure that ECR repositories are encrypted. | New |
|
|
|
| |
Ensure that IAM user does not have directly embedded policy | Modification |
|
|
|
|
September 28 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure IAM policies that allow full '*:*' administrative privileges are not created | Modification |
|
|
|
| |
Ensure that 'Java version' is the latest, if used to run the Linux Web App | New |
|
|
|
| |
Ensure That 'PHP version' is the Latest, If Used to Run the Linux Web App | New |
|
|
|
| |
Ensure FTP deployments are Disabled for webapp | New |
|
|
|
| |
Ensure FTP deployments are Disabled for FunctionApp | New |
|
|
|
| |
Ensure that the endpoint protection for all Virtual Machines is installed | New |
|
|
|
| |
Instances without Inspector runs in the last 30 days | Modification |
|
|
|
| |
Storage Accounts outside Europe | Modification |
|
|
|
| |
Ensure that ECR image tags are immutable. | New |
|
|
|
| |
Ensure that ECR image scan on push is enabled. | New |
|
|
|
|
September 21 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Use encrypted storage for instances that might host a database. | Modification |
|
|
|
| |
EksCluster should not have more than one security groups | Modification |
|
|
|
| |
Ensure Network policy is enabled on Kubernetes Engine Clusters | Modification |
|
|
|
| |
Ensure that all authorization Type in API Gateway are not set to None | Modification |
|
|
|
|
September 14 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure That Storage Account Access Keys are Periodically Regenerated | Modification |
|
|
|
| |
Ensure That 'PHP version' is the Latest, If Used to Run the Windows Web App | New |
|
|
|
| |
Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Linux Web App | New |
|
|
|
| |
Ensure that 'Java version' is the latest, if used to run the Windows Web App | New |
|
|
|
| |
Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | New |
|
|
|
| |
Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | New |
|
|
|
| |
Ensure Storage logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' requests | New |
|
|
|
|
September 07 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure a log metric filter and alarm exist for unauthorized API calls | Modification |
|
|
|
| |
Ensure That Storage Account Access Keys are Periodically Regenerated | New |
|
|
|
| |
Ensure the storage container storing the activity logs is not publicly accessible | New |
|
|
|
| |
Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | New |
|
|
|
| |
Ensure 'Additional email addresses' is Configured with a Security Contact Email | New |
|
|
|
| |
Ensure That 'Notify about alerts with the following severity' is Set to 'High' | New |
|
|
|
| |
Ensure That 'All users with the following roles' is set to 'Owner' | New |
|
|
|
| |
Ensure that EC2 AMIs are not publicly accessible | Modification |
|
|
|
| |
Ensure inactive user for 90 days or greater are disabled | Modification |
|
|
|
| |
ACM has a soon to be expired certificates | Modification |
|
|
|
|
August 24 2022
Deprecated 1048 CSPM Network rules for AWS and replaced them with 12 new rules
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that the --encryption-provider-config argument is set as appropriate (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the healthz endpoints for the scheduler are protected by RBAC (RBAC) (Openshift) | Modification |
|
|
|
| |
Verify that RBAC is enabled (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP port | New |
|
|
|
| |
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP port | New |
|
|
|
| |
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP DB port | New |
|
|
|
| |
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP DB port | New |
|
|
|
| |
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known TCP port | New |
|
|
|
| |
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known UDP port | New |
|
|
|
| |
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known TCP DB port | New |
|
|
|
| |
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known UDP DB port | New |
|
|
|
| |
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known TCP port | New |
|
|
|
| |
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known UDP port | New |
|
|
|
| |
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known TCP DB port | New |
|
|
|
| |
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known UDP DB port | New |
|
|
|
| |
Ensure that the --authorization-mode argument is set to Node (API Server) | Removal |
|
|
|
|
August 10 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure no root account access key exists | Modification |
|
|
|
| |
S3 bucket should not allow get actions from all principals with a condition | Modification |
|
|
|
| |
Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate | Modification |
|
|
|
|
August 03 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Modification |
|
|
|
| |
Ensure 'Access Approval' is 'Enabled' | New |
|
|
|
| |
Ensure Soft Delete is Enabled for Azure Storage | New |
|
|
|
| |
Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | New |
|
|
|
| |
Ensure that 'Public access level' is set to Private for blob containers | New |
|
|
|
|
July 27 2022
Deprecated 221 CSPM Network rules for Azure and replaced them with 4 new rules
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-TCP ports | New |
|
|
|
| |
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-UDP ports | New |
|
|
|
| |
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known TCP ports | New |
|
|
|
| |
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known UDP ports | New |
|
|
|
|
July 20 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Instances outside of Brazilian region | New |
|
|
|
| |
S3 Buckets outside of Brazil | New |
|
|
|
|
July 13 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Flexible Server | New |
|
|
|
| |
Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Single Server | New |
|
|
|
| |
Ensure the 'Minimum TLS version' is set to 'Version 1.2' | New |
|
|
|
| |
Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | New |
|
|
|
|
July 06 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that all Namespaces have Network Policies defined. | New |
|
|
|
| |
Ensure that the Viewer Protocol policy is compliant to only use the HTTPS protocol | Modification |
|
|
|
| |
Ensure whether IAM users are members of at least one IAM group | Modification |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Modification |
|
|
|
|
June 29 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure Essential Contacts is Configured for Organization | New |
|
|
|
| |
Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | New |
|
|
|
| |
D9.AZU.NET.65 | Storage Accounts outside Brazil | New |
|
|
|
|
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | New |
|
|
|
| |
Ensure IAM Role does not have inline policies | Removal |
|
|
|
|
June 22 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that the seccomp profile is set to docker/default in your pod definitions | Modification |
|
|
|
| |
Apply Security Context to Your Pods and Containers - SELinux | Modification |
|
|
|
| |
Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging | New |
|
|
|
| |
Ensure that Object-level logging for read events is enabled for S3 bucket | New |
|
|
|
|
June 15 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | New |
|
|
|
| |
Ensure Cloud Asset Inventory Is Enabled | New |
|
|
|
| |
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Modification |
|
|
|
| |
Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Modification |
|
|
|
| |
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Modification |
|
|
|
| |
Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account | Modification |
|
|
|
| |
Ensure IAM user password is rotated every 90 days or less | New |
|
|
|
| |
Ensure cross-account IAM Role uses MFA or external ID as a condition | New |
|
|
|
| |
Minimize the admission of containers wishing to share the host IPC namespace (PSP) | Modification |
|
|
|
| |
Minimize the admission of containers wishing to share the host network namespace (PSP) | Modification |
|
|
|
| |
Minimize the admission of containers wishing to share the host process ID namespace (PSP) | Modification |
|
|
|
| |
Minimize the admission of containers with allowPrivilegeEscalation (PSP) | Modification |
|
|
|
| |
Minimize the admission of privileged containers (PSP) | Modification |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Removal |
|
|
|
| |
Ensure that Storage account supports customer-managed keys encryption for Blobs | Removal |
|
|
|
| |
Ensure that Storage account supports customer-managed keys encryption for Files | Removal |
|
|
|
|
June 08 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'SQL Auditing Monitoring Effect' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'SQL Encryption Monitoring Effect' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'System Configurations Monitoring Effect' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'Storage Encryption Monitoring Effect' is not 'Disabled' | Removal |
|
|
|
| |
Ensure ASC Default policy setting 'Web Application Firewall Monitoring Effect' is not 'Disabled' | Removal |
|
|
|
|
June 01 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled | Modification |
|
|
|
| |
Ensure to not use the deprecated Classic registry | New |
|
|
|
| |
Ensure custom role definition doesn't have excessive permissions (Wildcard) | New |
|
|
|
| |
Ensure to audit role assignments that have implicit role management permissions | New |
|
|
|
| |
Ensure to audit role assignments that have implicit managed identity permissions | New |
|
|
|
| |
Ensure to audit role assignments that have implicit 'Owner' permissions | New |
|
|
|
| |
Ensure to not use the deprecated Classic registry | Removal |
|
|
|
| |
Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled | Removal |
|
|
|
|
May 25 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets | Comments |
|---|---|---|---|---|---|---|---|
Ensure all data in Amazon S3 has been discovered, classified and secured when required. | New |
|
|
|
|
| |
Storage bucket access control should be with uniform bucket-level access | Removal |
|
|
|
| Duplicted rule - GCP.IAM.27 | |
Storage Bucket default ACL / ACL should not allow public access | Removal |
|
|
|
| Duplicted rule - GCP.IAM.09 |
May 18 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that anonymous requests are authorized (RBAC)(Openshift) | Modification |
|
|
|
| |
Ensure that the --basic-auth-file argument is not set (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --token-auth-file parameter is not set (API Server) (Openshift) | Modification |
|
|
|
| |
Use https for kubelet connections (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the kubelet uses certificates to authenticate (API Server) (Openshift) | Modification |
|
|
|
| |
Verify that the kubelet certificate authority is set as appropriate (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) (Openshift) | Modification |
|
|
|
| |
Verify that the Node authorizer is enabled (API Server) (Openshift) | Modification |
|
|
|
| |
Verify that RBAC is enabled (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the APIPriorityAndFairness feature gate is enabled (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the admission control plugin AlwaysAdmit is not set (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the admission control plugin AlwaysPullImages is not set (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the admission control plugin SecurityContextDeny is not set (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the admission control plugin ServiceAccount is set (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the admission control plugin NamespaceLifecycle is set (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the admission control plugin SecurityContextConstraint is set (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the admission control plugin SecurityContextConstraint is set (SCC) (Openshift) | Modification |
|
|
|
| |
Ensure that the admission control plugin SecurityContextConstraint is set (SCC restricted) (Openshift) | Modification |
|
|
|
| |
Ensure that the admission control plugin NodeRestriction is set (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --insecure-bind-address argument is not set (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --insecure-port argument is set to 0 (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --secure-port argument is not set to 0 (API Server) (Openshift) | Modification |
|
|
|
| |
Profiling (metric) is protected by RBAC (RBAC) (Openshift) | Modification |
|
|
|
| |
Ensure that the --audit-log-path argument is set (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the maximumFileSizeMegabytes argument is set to 100 or as appropriate (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --request-timeout argument is set as appropriate (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --service-account-lookup argument is set to true (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --service-account-key-file argument is set as appropriate (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --client-ca-file argument is set as appropriate (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --etcd-cafile argument is set as appropriate (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --encryption-provider-config argument is set as appropriate (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that encryption providers are appropriately configured (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that garbage collection is configured as appropriate (Kubelet) (Openshift) | Modification |
|
|
|
| |
Profiling (pprof) is protected by RBAC (RBAC) (Openshift) | Modification |
|
|
|
| |
Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) (Openshift) | Modification |
|
|
|
| |
Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) (Openshift) | Modification |
|
|
|
| |
Ensure that the --root-ca-file argument is set as appropriate (Controller Manager) (Openshift) | Modification |
|
|
|
| |
Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) (Openshift) | Modification |
|
|
|
| |
Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager) (Openshift) | Modification |
|
|
|
| |
Ensure that the healthz endpoints for the scheduler are protected by RBAC (RBAC) (Openshift) | Modification |
|
|
|
| |
Verify that the scheduler API service is protected by authentication and authorization (Scheduler) (Openshift) | Modification |
|
|
|
| |
Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) (Openshift) | Modification |
|
|
|
| |
Ensure that the --client-cert-auth argument is set to true (etcd) (Openshift) | Modification |
|
|
|
| |
Ensure that the --auto-tls argument is not set to true (etcd) (Openshift) | Modification |
|
|
|
| |
Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) (Openshift) | Modification |
|
|
|
| |
Ensure that the --peer-client-cert-auth argument is set to true (etcd) (Openshift) | Modification |
|
|
|
| |
Ensure that the --peer-auto-tls argument is not set to true (etcd) (Openshift) | Modification |
|
|
|
| |
Ensure that a unique Certificate Authority is used for etcd (etcd) (Openshift) | Modification |
|
|
|
| |
Ensure that a minimal audit policy is created (API Server) (Openshift) | Modification |
|
|
|
| |
Verify that the read only port is not used or is set to 0 (API Server) (Openshift) | Modification |
|
|
|
| |
Ensure that the --hostname-override argument is not set (Kubelet) (Openshift) | Modification |
|
|
|
| |
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet) (Openshift) | Modification |
|
|
|
| |
Ensure that the --rotate-certificates argument is not set to false (Kubelet) (Openshift) | Modification |
|
|
|
| |
Verify that the RotateKubeletServerCertificate argument is set to true (Kubelet) (Openshift) | Modification |
|
|
|
| |
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Kubelet) (Openshift) | Modification |
|
|
|
| |
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (API server) (Openshift) | Modification |
|
|
|
| |
Minimize the admission of privileged containers (SCC) (Openshift) | Modification |
|
|
|
| |
Minimize the admission of containers wishing to share the host process ID namespace (SCC) (Openshift) | Modification |
|
|
|
| |
Minimize the admission of containers wishing to share the host IPC namespace (SCC) (Openshift) | Modification |
|
|
|
| |
Minimize the admission of containers wishing to share the host network namespace (SCC) (Openshift) | Modification |
|
|
|
| |
Minimize the admission of containers with allowPrivilegeEscalation (SCC) (Openshift) | Modification |
|
|
|
| |
Minimize the admission of root containers (SCC) (Openshift) | Modification |
|
|
|
| |
Minimize the admission of containers with the NET_RAW capability (SCC) (Openshift) | Modification |
|
|
|
| |
Minimize the admission of containers with added capabilities (SCC) (Openshift) | Modification |
|
|
|
| |
Minimize the admission of containers with capabilities assigned (SCC) (Openshift) | Modification |
|
|
|
| |
Ensure the Function app has 'Client Certificates (Incoming client certificates)' set to 'On' | Modification |
|
|
|
| |
Minimize the admission of HostPath volumes | New |
|
|
|
| |
Minimize the admission of containers which use HostPorts | New |
|
|
|
|
May 11 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that the cluster-admin role is only used where required (RBAC) | Modification |
|
|
|
| |
Ensure SNS Topics administrative actions aren't publicly executable without a condition | Modification |
|
|
|
| |
Ensure security contact information is registered | New |
|
|
|
| |
Use customer-managed encryption keys (CMEK) for BigQuery to control encryption Use Cloud KMS keys to protect your data in BigQuery also known as AES-256 keys | Removal |
|
|
|
|
To your attention: An additional I/S change was done to 251 Azure networking rules.
April 27 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that SQS policy won't allow all actions from all principals | Modification |
|
|
|
| |
Ensure that the --request-timeout argument is set as appropriate (API Server) | Removal |
|
|
|
|
April 20 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure no HTTPS proxy load balancers permit SSL policies with weak cipher suites | New |
|
|
|
| |
Ensure no SSL proxy load balancers permit SSL policies with weak cipher suites | New |
|
|
|
| |
Ensure legacy networks do not exist for a project | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to ICMP (Ping) | Modification |
|
|
|
|
April 13 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK) | New |
|
|
|
| |
Ensure 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on' | Modification |
|
|
|
| |
Ensure That the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning' | Modification |
|
|
|
| |
Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes | Modification |
|
|
|
| |
Ensure that the log metric filter and alerts exist for VPC network route changes | Modification |
|
|
|
| |
Ensure that the log metric filter and alerts exist for VPC network changes | Modification |
|
|
|
| |
Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses | Modification |
|
|
|
| |
Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' | Modification |
|
|
|
|
April 06 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that Spring Cloud App has end-to-end TLS enabled | New |
|
|
|
| |
Ensure that Spring Cloud App enforces HTTPS connections | New |
|
|
|
| |
Ensure that Spring Cloud App has system-assigned managed identity enabled | New |
|
|
|
|
April 06 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | Modification |
|
|
|
| |
Ensure 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on' | Modification |
|
|
|
| |
Ensure That the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning' | Modification |
|
|
|
| |
Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' | Modification |
|
|
|
| |
Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | Modification |
|
|
|
| |
Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value | Modification |
|
|
|
|
March 30 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
S3 bucket should not allow delete actions from all principals without a condition | Modification |
|
|
|
| |
S3 bucket should not allow get actions from all principals without a condition | Modification |
|
|
|
| |
S3 bucket should not allow list actions from all principals without a condition | Modification |
|
|
|
| |
S3 bucket should not allow all actions from all principals without a condition | Modification |
|
|
|
| |
S3 bucket should not allow put or restore actions from all principals without a condition | Modification |
|
|
|
| |
Ensure S3 buckets are not publicly accessible without a condition | Modification |
|
|
|
| |
Ensure Global Firewall rule should not allows all traffic | Modification |
|
|
|
| |
Ensure that S3 buckets are not publicly accessible without a condition | Modification |
|
|
|
| |
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible without a condition | Modification |
|
|
|
| |
Ensure VM Instance should not have public IP | Modification |
|
|
|
| |
Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs | Modification |
|
|
|
| |
Ensure EKS Node Group IAM role do not have administrator privileges | New |
|
|
|
| |
Ensure CloudTrail logs have KmsKeyId defined | Modification |
|
|
|
| |
Ensure the Function app has 'Client Certificates (Incoming client certificates)' set to 'On' | Modification |
|
|
|
| |
Ensure DocDB is encrypted at rest | New |
|
|
|
| |
Ensure all data stored in the Launch configuration EBS is securely encrypted | New |
|
|
|
| |
Ensure DAX is encrypted at rest (default is unencrypted) | New |
|
|
|
| |
Ensure no security group ingress allows traffic from 0.0.0.0/0 to ElasticSearch (TCP:9300) | Modification |
|
|
|
| |
Ensure no security group ingress allows traffic from 0.0.0.0/0 to Kibana (TCP:5601) | Modification |
|
|
|
| |
Ensure no security group ingress allows traffic from 0.0.0.0/0 to Redis (TCP:6379) | Modification |
|
|
|
| |
Ensure no security group ingress allows traffic from 0.0.0.0/0 to etcd (TCP:2379) | Modification |
|
|
|
| |
Ensure no security group ingress allows traffic from 0.0.0.0/0 to MongoDB (TCP:27017) | Modification |
|
|
|
| |
Ensure no security group ingress allows traffic from 0.0.0.0/0 to MongoDB (TCP:27018) | Modification |
|
|
|
| |
Ensure DocDB TLS is not disabled | New |
|
|
|
| |
Ensure that the --DenyServiceExternalIPs is not set | New |
|
|
|
| |
Ensure that the --kubelet-https argument is set to true | New |
|
|
|
| |
Invalid CPU or Memory Value Specified | Removal |
|
|
|
| |
Ensure there is an up to date Network Diagram for your cloud network | Removal |
|
|
|
| |
Change Control for Network Security Group Configuration | Removal |
|
|
|
| |
Ensure there is an up to date Network Diagram for your cloud network | Removal |
|
|
|
|
March 23 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
S3 bucket should not allow delete actions from all principals | Modification |
|
|
|
| |
S3 bucket should not allow get actions from all principals | Modification |
|
|
|
| |
S3 bucket should not allow list actions from all principals | Modification |
|
|
|
| |
S3 bucket should not allow all actions from all principals | Modification |
|
|
|
| |
S3 bucket should not allow put or restore actions from all principals | Modification |
|
|
|
| |
S3 bucket should not allow delete actions from all principals | New |
|
|
|
| |
S3 bucket should not allow get actions from all principals | New |
|
|
|
| |
S3 bucket should not allow list actions from all principals | New |
|
|
|
| |
S3 bucket should not allow put or restore actions from all principals | New |
|
|
|
| |
S3 bucket should not allow all actions from all principals | New |
|
|
|
| |
Ensure S3 buckets are not publicly accessible | Modification |
|
|
|
| |
Ensure S3 buckets are not publicly accessible | New |
|
|
|
| |
Ensure that S3 buckets are not publicly accessible | Modification |
|
|
|
| |
Ensure that S3 buckets are not publicly accessible | New |
|
|
|
| |
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | Modification |
|
|
|
| |
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | New |
|
|
|
| |
Ensure that sinks are configured for all log entries | New |
|
|
|
| |
Ensure that DNSSEC is enabled for Cloud DNS | New |
|
|
|
| |
Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC | New |
|
|
|
| |
Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC | New |
|
|
|
| |
Ensure IAM user, group, or role do not have access to create or update login profiles (passwords) for IAM users | Modification |
|
|
|
| |
Ensure IAM user, group, or role should have IAM access key permissions restricted | Modification |
|
|
|
| |
Ensure IAM user, group, or role should have MFA permissions restricted | Modification |
|
|
|
| |
Ensure IAM group do not have administrator privileges | New |
|
|
|
| |
Ensure IAM groups have at least one IAM User attached | New |
|
|
|
| |
Ensure IAM User do not have administrator privileges | New |
|
|
|
| |
Ensure IAM Policy do not have Effect: 'Allow' with 'NotAction' Element | New |
|
|
|
| |
Ensure OpenSearch should have IAM permissions restricted | New |
|
|
|
| |
Ensure storage for critical data are encrypted with Customer Managed Key | New |
|
|
|
| |
Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account | New |
|
|
|
| |
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | New |
|
|
|
| |
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | New |
|
|
|
| |
Ensure that Activity Log Retention is set 365 days or greater | New |
|
|
|
| |
Ensure Cosmos DB account public network access is disabled | New |
|
|
|
| |
Ensure Cosmos DB account access is not allowed from all networks | New |
|
|
|
| |
Ensure KMS encryption keys are rotated within a period of 90 days | New |
|
|
|
| |
Ensure that 'Auditing' is set to 'On' | Removal |
|
|
|
|
March 16 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | New |
|
|
|
| |
Storage bucket access control should be with uniform bucket-level access | Modification |
|
|
|
| |
Ensure that BigQuery datasets are not anonymously or publicly accessible | New |
|
|
|
| |
Ensure that retention policies on log buckets are configured using Bucket Lock | New |
|
|
|
| |
Ensure that AWS EKS Cluster endpoint access is not public | Removal |
|
|
|
|
March 09 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that the expiration date is set on all Secrets | Modification |
|
|
|
| |
Ensure that Role names cannot be enumerable | Modification |
|
|
|
| |
Ensure IAM user, group, or role do not have access to create or update login profiles (passwords) for IAM users | New |
|
|
|
| |
Ensure IAM user, group, or role should have IAM access key permissions restricted | New |
|
|
|
| |
Ensure IAM user, group, or role should have MFA permissions restricted | New |
|
|
|
| |
Ensure Cosmos DB account is encrypted with customer-managed keys | New |
|
|
|
| |
Ensure function app is using the latest version of TLS encryption | New |
|
|
|
| |
Ensure that 'Auditing' Retention is 'greater than 90 days' | Modification |
|
|
|
| |
Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' | New |
|
|
|
| |
Ensure ASC Default policy setting 'SQL Auditing Monitoring Effect' is not 'Disabled' | Modification |
|
|
|
| |
Ensure ASC Default policy setting 'SQL Encryption Monitoring Effect' is not 'Disabled' | Modification |
|
|
|
| |
Storage Bucket default ACL / ACL should not allow public access | Modification |
|
|
|
| |
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | New |
|
|
|
| |
CloudFront Distribution should have WAF enabled | New |
|
|
|
| |
Ensure Elasticsearch Domain enforces HTTPS | New |
|
|
|
| |
Ensure that there is no Wildcard principal in ElasticSearch access policy | New |
|
|
|
| |
Ensure that there is no wildcard action in ElasticSearch access policy | New |
|
|
|
| |
Ensure API gateway methods are not publicly accessible | New |
|
|
|
| |
Ensure Cloudfront distribution has Access Logging enabled | New |
|
|
|
| |
Ensure Elasticsearch Domain Logging is enabled | New |
|
|
|
| |
Ensure API Gateway has Access Logging enabled | New |
|
|
|
| |
Ensure API Gateway V2 has Access Logging enabled | New |
|
|
|
| |
Ensure API Gateway caching is enabled | New |
|
|
|
| |
Ensure API Gateway has X-Ray Tracing enabled | New |
|
|
|
| |
Ensure AWS Lambda function is configured inside a VPC | New |
|
|
|
| |
Ensure no lambda allow ingress from 0.0.0.0/0 to remote server administration ports | New |
|
|
|
|
March 01 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure inactive user for 30 days or greater are disabled | Modification |
|
|
|
| |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | New |
|
|
|
| |
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | New |
|
|
|
| |
Ensure that 'HTTP Version' is the latest, if used to run the web app | New |
|
|
|
| |
Function App should only be accessible over HTTPS | New |
|
|
|
| |
Ensure Backup Vault is encrypted at rest using KMS CMK | New |
|
|
|
| |
Ensure DocDB has audit logs enabled | New |
|
|
|
| |
Ensure DocDB Logging is enabled | New |
|
|
|
| |
Ensure every security groups rule has a description | New |
|
|
|
| |
Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | New |
|
|
|
| |
Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets | New |
|
|
|
|
February 23 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Do not setup access keys during initial user setup for all IAM users that have a console password | New |
|
|
|
| |
Ensure Amazon SQS queues enforce Server-Side Encryption (SSE) | Modification |
|
|
|
| |
Ensure that SQS policy won't allow all actions from all principals without a condition | Modification |
|
|
|
| |
Ensure that Role names cannot be enumerable | Modification |
|
|
|
| |
Ensure inative user for 30 days or greater are disabled | New |
|
|
|
| |
Ensure whether IAM users are members of at least one IAM group | New |
|
|
|
| |
Ensure all IAM policies are in use | New |
|
|
|
| |
Ensure that SQS policy won't allow all actions from all principals | New |
|
|
|
| |
Ensure a log metric filter and alarm exists for AWS MFA Deletion for IAM users | New |
|
|
|
| |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Modification |
|
|
|
|
February 16 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure AWS RDS database instance is not publicly accessible | New |
|
|
| AWS CloudFormation ruleset | |
Ensure RDS cluster has IAM authentication enabled | New |
|
|
| AWS CloudFormation ruleset | |
Ensure enhanced monitoring for Amazon RDS instances is enabled | New |
|
|
| AWS CloudFormation ruleset | |
Ensure CloudTrail log file validation is enabled | New |
|
|
| AWS CloudFormation ruleset | |
Ensure that CloudTrail is integrated with CloudWatch | New |
|
|
| AWS CloudFormation ruleset | |
Ensure RDS instances have backup policy | New |
|
|
| AWS CloudFormation ruleset | |
Ensure RDS instances have Multi-AZ enabled | New |
|
|
| AWS CloudFormation ruleset | |
Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days | Modification |
|
|
|
| |
Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses | New |
|
|
|
| |
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Modification |
|
|
|
| |
Ensure that 'Public access level' is set to Private for blob containers | Modification | Severity | High | Critical | Azure Terraform Ruleset | |
Ensure that Azure Resource Group has resource lock enabled | Modification | Severity | Low | High | Azure Terraform Ruleset | |
Ensure that Network Watcher is 'Enabled' | Modification |
|
|
| Azure Terraform Ruleset | |
Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Modification | Severity | High | Low | Azure Terraform Ruleset |
February 09 2022
Full review of the CSPM rules severity. The documentation (link ) details severity criteria and implications.
Full list of rules with updated severities available upon request.
February 02 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that AWS Secret Manager Secret rotation interval is at least 30 days | Modification |
|
|
|
| |
Ensure that Cloud Storage buckets have uniform bucket-level access enabled | New |
|
|
|
| |
Ensure that Cloud DNS logging is enabled for all VPC networks | New |
|
|
|
|
January 26 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure S3 Bucket Policy is set to deny HTTP requests | Modification |
|
|
|
| |
Ensure first access key is rotated every 90 days or less | Modification |
|
|
|
| |
Ensure second access key is rotated every 90 days or less | Modification |
|
|
|
| |
Ensure second access key is rotated every 45 days or less | New |
|
|
|
| |
Ensure first access key is rotated every 30 days or less | New |
|
|
|
| |
Ensure second access key is rotated every 30 days or less | New |
|
|
|
| |
Ensure first access key is rotated every 45 days or less | New |
|
|
|
| |
Ensure the GKE Cluster alpha cluster feature is disabled | Modification |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Modification |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to etcd (TCP:2379) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27017) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27018) | New |
|
|
|
| |
Ensure that IAM Access analyzer is enabled for all regions | New |
|
|
|
| |
Ensure a log metric filter and alarm exists for AWS Organizations changes | New |
|
|
|
| |
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | New |
|
|
|
| |
Use encryption for S3 Bucket write actions | Removal |
|
|
|
| |
Security Groups - with admin ports too exposed to the public internet | Removal |
|
|
|
|
January 19 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that encryption is enabled for RDS Instances | Modification |
|
|
|
| |
Credentials (with password enabled) unused for 45 days or more should be disabled | Modification |
|
|
|
| |
Ensure IAM password policy prevents password reuse | Modification |
|
|
|
| |
Ensure that CloudTrail trails are integrated with CloudWatch Logs | Modification |
|
|
|
| |
Ensure that object-level logging is enabled for S3 buckets | Modification |
|
|
|
| |
Ensure IAM Users Receive Permissions Only Through Groups | Modification |
|
|
|
| |
Ensure `Automatic node repair` is enabled for Kubernetes Clusters | Modification |
|
|
|
| |
Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes | Modification |
|
|
|
| |
Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | New |
|
|
|
| |
Ensure log metric filter and alerts exist for project ownership assignments/changes | New |
|
|
|
| |
Ensure that the log metric filter and alerts exist for Audit Configuration changes | New |
|
|
|
| |
Ensure that the log metric filter and alerts exist for Custom Role changes | New |
|
|
|
| |
Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes | New |
|
|
|
| |
Ensure that the log metric filter and alerts exist for VPC network route changes | New |
|
|
|
| |
Ensure that the log metric filter and alerts exist for VPC network changes | New |
|
|
|
| |
Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes | New |
|
|
|
| |
Ensure that the log metric filter and alerts exist for SQL instance configuration changes | New |
|
|
|
| |
Ensure oslogin is enabled for a Virtual Machine | Modification |
|
|
|
| |
Ensure inative user for 90 days or greater are disabled | New |
|
|
|
| |
Ensure the blob is recoverable - enable 'Soft Delete' setting for blobs | Modification |
|
|
|
| |
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Modification |
|
|
|
| |
Ensure that Register with Azure Active Directory is enabled on App Service | Modification |
|
|
|
| |
Ensure that logging for Azure KeyVault is 'Enabled' | Modification |
|
|
|
| |
Ensure EBS volume encryption is enabled | New |
|
|
|
| |
Ensure that S3 Buckets are configured with Block public access (bucket settings) | New |
|
|
|
| |
Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes | Removal |
|
|
|
| |
Password Policy must require minimal length of 7 | Removal |
|
|
|
| |
Password policy must prevent reuse of previously used passwords | Removal |
|
|
|
| |
Ensure hardware MFA is enabled for the 'root' account | Removal |
|
|
|
|
January 12 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure credentials (with first activated accessKey) unused for 45 days or greater are disabled | Modification |
|
|
|
| |
Ensure credentials (with second activated accessKey) unused for 45 days or greater are disabled | Modification |
|
|
|
| |
Ensure that Separation of duties is enforced while assigning KMS related roles to users | New |
|
|
|
| |
Ensure that Windows machines 'OS disk' are encrypted | Modification |
|
|
|
| |
Ensure that Linux machines 'OS disk' are encrypted | Modification |
|
|
|
| |
Ensure the key vault is recoverable | Modification |
|
|
|
| |
Ensure App Service Authentication is set on Azure App Service | Modification |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to ElasticSearch (TCP:9300) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to Kibana (TCP:5601) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP:6379) | New |
|
|
|
| |
Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | New |
|
|
|
| |
Ensure credentials (with first activated acccessKey) unused for 90 days or greater are disabled | Removal |
|
|
|
| |
Ensure credentials (with second activated acccessKey) unused for 90 days or greater are disabled | Removal |
|
|
|
| |
Ensure IAM policies are attached only to groups or roles | Removal |
|
|
|
|
January 05 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that 'Unattached disks' are encrypted with CMK | Modification |
|
|
|
| |
Ensure that 'Secure transfer required' is set to 'Enabled' for Storage Accounts | Modification |
|
|
|
| |
Ensure that the expiration date is set on all keys | Modification |
|
|
|
| |
Ensure that the expiration date is set on all Secrets | Modification |
|
|
|
| |
Ensure that access logging is enabled for the classic ELB | New |
|
|
|
| |
Ensure that access logging is enabled for the ELB v2 | New |
|
|
|
| |
Ensure that a classic Load balancer is not internet facing | New |
|
|
|
| |
Ensure that a Load balancer is not internet facing | New |
|
|
|
| |
Ensure that ELB has a health check setup | New |
|
|
|
| |
Ensure that ELB target group has a health check enabled | New |
|
|
|
| |
Ensure that ELB Listener protocol is HTTPS or SSL | New |
|
|
|
| |
Ensure that ELB V2 Listener protocol is not HTTP or TCP | New |
|
|
|
| |
Ensure that ELB v2 drops invalid headers | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to ElasticSearch (TCP:9300) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to Kibana (TCP:5601) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP:6379) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to etcd (TCP:2379) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27017) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27018) | New |
|
|
|
|
January 04 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that anonymous requests are authorized (RBAC) | New |
|
|
|
| |
Ensure that the --basic-auth-file argument is not set (API Server) | New |
|
|
|
| |
Ensure that the --token-auth-file parameter is not set (API Server) | New |
|
|
|
| |
Use https for kubelet connections (API Server) | New |
|
|
|
| |
Ensure that the kubelet uses certificates to authenticate (API Server) | New |
|
|
|
| |
Verify that the kubelet certificate authority is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) | New |
|
|
|
| |
Verify that the Node authorizer is enabled (API Server) | New |
|
|
|
| |
Verify that RBAC is enabled (API Server) | New |
|
|
|
| |
Ensure that the APIPriorityAndFairness feature gate is enabled (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin AlwaysAdmit is not set (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin AlwaysPullImages is not set (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin SecurityContextDeny is not set (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin ServiceAccount is set (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin NamespaceLifecycle is set (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin SecurityContextConstraint is set (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin SecurityContextConstraint is set (SCC) | New |
|
|
|
| |
Ensure that the admission control plugin SecurityContextConstraint is set (SCC restricted) | New |
|
|
|
| |
Ensure that the admission control plugin NodeRestriction is set (API Server) | New |
|
|
|
| |
Ensure that the --insecure-bind-address argument is not set (API Server) | New |
|
|
|
| |
Ensure that the --insecure-port argument is set to 0 (API Server) | New |
|
|
|
| |
Ensure that the --secure-port argument is not set to 0 (API Server) | New |
|
|
|
| |
Profiling (metric) is protected by RBAC (RBAC) | New |
|
|
|
| |
Ensure that the --audit-log-path argument is set (API Server) | New |
|
|
|
| |
Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate (API Server) | New |
|
|
|
| |
Ensure that the maximumFileSizeMegabytes argument is set to 100 or as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --request-timeout argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --service-account-lookup argument is set to true (API Server) | New |
|
|
|
| |
Ensure that the --service-account-key-file argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --client-ca-file argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --etcd-cafile argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --encryption-provider-config argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that encryption providers are appropriately configured (API Server) | New |
|
|
|
| |
Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server) | New |
|
|
|
| |
Ensure that garbage collection is configured as appropriate (Kubelet) | New |
|
|
|
| |
Profiling (pprof) is protected by RBAC (RBAC) | New |
|
|
|
| |
Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) | New |
|
|
|
| |
Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) | New |
|
|
|
| |
Ensure that the --root-ca-file argument is set as appropriate (Controller Manager) | New |
|
|
|
| |
Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) | New |
|
|
|
| |
Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager) | New |
|
|
|
| |
Ensure that the healthz endpoints for the scheduler are protected by RBAC (RBAC) | New |
|
|
|
| |
Verify that the scheduler API service is protected by authentication and authorization (Scheduler) | New |
|
|
|
| |
Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) | New |
|
|
|
| |
Ensure that the --client-cert-auth argument is set to true (etcd) | New |
|
|
|
| |
Ensure that the --auto-tls argument is not set to true (etcd) | New |
|
|
|
| |
Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) | New |
|
|
|
| |
Ensure that the --peer-client-cert-auth argument is set to true (etcd) | New |
|
|
|
| |
Ensure that the --peer-auto-tls argument is not set to true (etcd) | New |
|
|
|
| |
Ensure that a unique Certificate Authority is used for etcd (etcd) | New |
|
|
|
| |
Ensure that a minimal audit policy is created (API Server) | New |
|
|
|
| |
Verify that the read only port is not used or is set to 0 (API Server) | New |
|
|
|
| |
Ensure that the --hostname-override argument is not set (Kubelet) | New |
|
|
|
| |
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet) | New |
|
|
|
| |
Ensure that the --rotate-certificates argument is not set to false (Kubelet) | New |
|
|
|
| |
Verify that the RotateKubeletServerCertificate argument is set to true (Kubelet) | New |
|
|
|
| |
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Kubelet) | New |
|
|
|
| |
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (API server) | New |
|
|
|
| |
Minimize the admission of privileged containers (SCC) | New |
|
|
|
| |
Minimize the admission of containers wishing to share the host process ID namespace (SCC) | New |
|
|
|
| |
Minimize the admission of containers wishing to share the host IPC namespace (SCC) | New |
|
|
|
| |
Minimize the admission of containers wishing to share the host network namespace (SCC) | New |
|
|
|
| |
Minimize the admission of containers with allowPrivilegeEscalation (SCC) | New |
|
|
|
| |
Minimize the admission of root containers (SCC) | New |
|
|
|
| |
Minimize the admission of containers with the NET_RAW capability (SCC) | New |
|
|
|
| |
Minimize the admission of containers with added capabilities (SCC) | New |
|
|
|
| |
Minimize the admission of containers with capabilities assigned (SCC) | New |
|
|
|
| |
Ensure that the CNI in use supports Network Policies | New |
|
|
|
| |
Ensure that an application uses secrets are as files over secrets as environment variables | Modification |
|
|
|
| |
Apply Security Context to Your Pods and Containers | Modification |
|
|
|
| |
CPU & Memory Limits Should be Set | Modification |
|
|
|
| |
CPU & Memory Requests Should be Set | Modification |
|
|
|
| |
Do not admit root containers | Modification |
|
|
|
| |
Ensure that Containers are not running in privileged mode | Modification |
|
|
|
| |
Ensure that Containers are not running with dangerous capabilities | Modification |
|
|
|
| |
Ensure that Containers are not running with insecure capabilities | Modification |
|
|
|
|
January 02 2022
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version | New |
|
|
|
| |
Ensure AWS IAM managed policies do not have 'getObject' or full S3 action permissions | New |
|
|
|
| |
Ensure undedicated AWS IAM managed policies do not have full action permissions | New |
|
|
|
|
December 29 2021
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that S3 Buckets are encrypted with CMK | Modification |
|
|
|
| |
Ensure rotation for customer created CMKs is enabled | Modification |
|
|
|
| |
SSL/TLS certificates expire in 45 days | New |
|
|
|
| |
Ensure policy attached to IAM identities requires SSL/TLS to manage IAM access keys | New |
|
|
|
| |
Ensure API keys are not created for a project | New |
|
|
|
| |
Ensure IAM server certificate was not uploaded before the Heartbleed security bug fix | New |
|
|
|
| |
Ensure ACM certificate was not issued before the Heartbleed security bug fix | New |
|
|
|
| |
Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate | New |
|
|
|
| |
Ensure 'root' account does not have an active X.509 signing certificate | New |
|
|
|
| |
Ensure IAM Role does not have inline policies | New |
|
|
|
| |
Accounts - with 'root' in use | Removal |
|
|
|
|
December 22 2021
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
S3 Buckets Secure Transport (SSL) | Modification |
|
|
|
| |
Use encryption for S3 Bucket write actions | Modification |
|
|
|
| |
Ensure that logging for Azure KeyVault is 'Enabled' | Modification |
|
|
|
| |
Ensure that 'Data encryption' is set to 'On' on a SQL Database | Modification |
|
|
|
| |
Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) | Modification |
|
|
|
| |
Ensure API keys are rotated every 90 days | New |
|
|
|
| |
Ensure API keys are restricted to only APIs that application needs access | New |
|
|
|
| |
Ensure that 'Secure transfer required' is set to 'Enabled' | Modification |
|
|
|
| |
Ensure that the expiration date is set on all keys | Modification |
|
|
|
| |
Ensure that the expiration date is set on all Secrets | Modification |
|
|
|
| |
Ensure Azure Keyvaults are used to store secrets | Modification |
|
|
|
| |
Ensure that 'Auditing' is set to 'On' | Modification |
|
|
|
| |
Ensure that 'Auditing' Retention is 'greater than 90 days' | Modification |
|
|
|
| |
Enable role-based access control (RBAC) within Azure Kubernetes Services | Modification |
|
|
|
| |
Ensure that Azure Active Directory Admin is configured | Modification |
|
|
|
| |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Modification |
|
|
|
| |
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Modification |
|
|
|
| |
Ensure Diagnostic Setting captures appropriate categories | Modification |
|
|
|
| |
Ensure FTP deployments are disabled | Modification |
|
|
|
| |
Ensure that detailed monitoring for EC2 instances is enabled | New |
|
|
|
| |
Ensure that AWS Lambda function is configured for function-level concurrent execution limit | New |
|
|
|
| |
Ensure that every security group ingress rule has a description | New |
|
|
|
| |
Ensure that every security group egress rule has a description | New |
|
|
|
| |
Ensure that every security group ingress object has a description | New |
|
|
|
| |
Ensure that every security group egress object has a description | New |
|
|
|
| |
Ensure that Compute instances do not have public IP addresses | New |
|
|
|
| |
Ensure that instances are not configured to use the default service account | New |
|
|
|
| |
Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate | New |
|
|
|
| |
Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured | New |
|
|
|
|
December 15 2021
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that IP forwarding is not enabled on Instances | Modification |
|
|
|
| |
Ensure that there is no wildcard action in an inline KMS key policy | Modification |
|
|
|
| |
Ensure that there is no wildcard principal in an inline KMS key policy | Modification |
|
|
|
| |
Ensure that there is no wildcard action in an inline KMS replica key policy | Modification |
|
|
|
| |
Ensure that there is no wildcard principal in an inline KMS replica key policy | Modification |
|
|
|
| |
Ensure that an inline IAM user policy does not allow full administrative rights | New |
|
|
|
| |
Ensure that an inline IAM role policy does not allow full administrative rights | New |
|
|
|
| |
Ensure that an inline KMS key policy does not allow full administrative rights | New |
|
|
|
| |
Ensure that an inline KMS replica key policy does not allow full administrative rights | New |
|
|
|
| |
Ensure that EC2 instance does not have public IP enabled | New |
|
|
|
| |
Ensure that EC2 is EBS optimized | New |
|
|
|
| |
Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on' | Modification |
|
|
|
| |
Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on' | New |
|
|
|
| |
Ensure Compute instances are launched with Shielded VM enabled | New |
|
|
|
| |
Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately | New |
|
|
|
| |
Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately | New |
|
|
|
| |
Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'default' or stricter | New |
|
|
|
| |
Ensure that Compute instances have Confidential Computing enabled | New |
|
|
|
| |
Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately | New |
|
|
|
| |
Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter | New |
|
|
|
|
December 08 2021
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint | New |
|
|
|
| |
Ensure S3 Bucket exists for A records routing traffic to an S3 Bucket website endpoint | New |
|
|
|
| |
Ensure that the default namespace is not used | Modification |
|
|
|
| |
Ensure that there is no wildcard resources in an inline IAM group policy | New |
|
|
|
| |
Ensure that there is no wildcard action in an inline IAM user policy | New |
|
|
|
| |
Ensure that there is no wildcard resource in an inline IAM user policy | New |
|
|
|
| |
Ensure that there is no wildcard action in an inline IAM role policy | New |
|
|
|
| |
Ensure that there is no wildcard resource in an inline IAM role policy | New |
|
|
|
| |
Ensure that there is no wildcard action in an inline KMS key policy | New |
|
|
|
| |
Ensure that there is no wildcard principal in an inline KMS key policy | New |
|
|
|
| |
Ensure that there is no wildcard action in an inline KMS replica key policy | New |
|
|
|
| |
Ensure that there is no wildcard principal in an inline KMS replica key policy | New |
|
|
|
| |
Ensure that an inline IAM group policy does not allow full administrative rights | New |
|
|
|
| |
Ensure that an application uses secrets are as files over secrets as environment variables | Modification |
|
|
|
| |
Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on' | New |
|
|
|
| |
Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' | New |
|
|
|
| |
Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' | New |
|
|
|
| |
Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' | New |
|
|
|
| |
Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' | New |
|
|
|
| |
Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on' | New |
|
|
|
| |
Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' | New |
|
|
|
| |
Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' | New |
|
|
|
| |
Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off' | New |
|
|
|
| |
Ensure that Cosmos DB Account has an associated tag | Removal |
|
|
|
|
December 01 2021
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | New |
|
|
|
| |
Ensure inactive IAM access keys are deleted | New |
|
|
|
| |
Ensure IAM users have either access key or console password enabled | New |
|
|
|
| |
Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | New |
|
|
|
| |
Ensure that RDS global cluster has encryption enabled | New |
|
|
|
| |
Ensure that RDS DB cluster has encryption enabled | New |
|
|
|
| |
Ensure that RDS IAM authentication is enabled | New |
|
|
|
| |
Ensure that AWS lambda layer version permissions does not have a wildcard principal | New |
|
|
|
| |
Ensure that there is no wildcard action in an inline IAM group policy | New |
|
|
|
| |
Ensure that AWS Lambda function is configured for a Dead Letter Queue | New |
|
|
|
| |
Ensure MFA is enabled for the 'root' account | Removal |
|
|
|
|
November 24 2021
Rule ID | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) | Modification |
|
|
|
| |
Ensure that corporate login credentials are used | Modification |
|
|
|
| |
Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Modification |
|
|
|
| |
Ensure 'Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Modification |
|
|
|
| |
Ensure that IP forwarding is not enabled on Instances | Modification |
|
|
|
| |
Ensure VPC Flow logs is enabled for every subnet in a VPC Network | Modification |
|
|
|
| |
Ensure that the Cloud SQL database instance requires all incoming connections to use SSL | Modification |
|
|
|
| |
Ensure that Cloud SQL database instances are not open to the world | Modification |
|
|
|
| |
Ensure Virtual Network Gateway is configured with Cryptographic Algorithm | New |
|
|
|
| |
Ensure that Cloud SQL database instances are configured with automated backups | Modification |
|
|
|
| |
Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on' | Modification |
|
|
|
| |
Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on' | Modification |
|
|
|
| |
Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on) | Modification |
|
|
|
| |
Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled) | Modification |
|
|
|
| |
Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off' | Modification |
|
|
|
| |
Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' | Modification |
|
|
|
| |
Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' | Modification |
|
|
|
|
November 17 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure MFA Delete is enable on S3 buckets | Modification |
|
|
|
| |
Ensure a log metric filter and alarm exist for IAM policy changes | Modification |
|
|
|
| |
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Modification |
|
|
|
| |
Ensure a log metric filter and alarm exist for unauthorized API calls | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for usage of 'root' account | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for IAM policy changes | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for CloudTrail configuration | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for S3 bucket policy changes | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for AWS Config configuration changes | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for security group changes | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for changes to network gateways | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for route table changes | Removal |
|
|
|
| |
Ensure a log metric filter and alarm exist for VPC changes | Removal |
|
|
|
| |
Ensure IAM instance roles are used for AWS resource access from instances | Modification |
|
|
|
| |
Ensure a log metric filter and alarm exist for IAM login profile changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for STS 'AssumeRole' action | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for SSM actions | New |
|
|
|
| |
Ensure all S3 buckets employ encryption-at-rest | New |
|
|
|
| |
Ensure that encryption is enabled for RDS Instances | New |
|
|
|
| |
Ensure ELB enforces recommended SSL/TLS protocol version | New |
|
|
|
| |
Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's | New |
|
|
|
| |
Ensure that your Amazon EFS file systems are encrypted | New |
|
|
|
| |
Ensure that encryption of data at rest is enabled on Elasticsearch domains | New |
|
|
|
| |
Ensure that node-to-node encryption is enabled for Elasticsearch service | New |
|
|
|
| |
Ensure that the KMS key have key rotation enabled | New |
|
|
|
| |
Ensure AWS Kinesis streams are encrypted with KMS customer master keys | New |
|
|
|
| |
Ensure that the root block device has encryption enabled | New |
|
|
|
| |
Ensure that EBS volume has encryption enabled | New |
|
|
|
| |
Ensure that KMS key has key rotation enabled | New |
|
|
|
| |
Ensure that KMS key policy does not allow access to everyone | New |
|
|
|
| |
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | New |
|
|
|
| |
S3 bucket should not allow all actions from all principals | New |
|
|
|
| |
S3 bucket should not allow delete actions from all principals | New |
|
|
|
| |
S3 bucket should not allow 'get' actions from all principals | New |
|
|
|
| |
S3 bucket should not allow list actions from all principals | New |
|
|
|
| |
S3 bucket should not allow put actions from all principals | New |
|
|
|
| |
S3 bucket should not allow restoring object actions from all principals | New |
|
|
|
| |
Ensure AWS EC2 Instances use IAM Roles to control access | New |
|
|
|
| |
Ensure that the S3 bucket is not publicly readable | New |
|
|
|
| |
Ensure that the S3 bucket is not publicly writable | New |
|
|
|
| |
Ensure that there is no wildcard action in Lambda permission | New |
|
|
|
| |
Ensure that there is no wildcard principal in Lambda permission | New |
|
|
|
| |
Ensure that there is no wildcard action in an IAM policy | New |
|
|
|
| |
Ensure that there is no wildcard action in a customer managed IAM policy | New |
|
|
|
| |
Ensure that the IAM Policy does not grant full administrative rights | New |
|
|
|
| |
Ensure that customer managed IAM policy does not grant full administrative rights | New |
|
|
|
| |
Ensure that IAM policy is not directly attached to a user | New |
|
|
|
| |
Ensure that a customer managed IAM policy is not directly attached to a user | New |
|
|
|
| |
Ensure that IAM user does not have directly embeded policy | New |
|
|
|
| |
Ensure that IAM Role cannot be assumed by anyone | New |
|
|
|
| |
Ensure that password reset is required in IAM login profile | New |
|
|
|
| |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs | New |
|
|
|
| |
Ensure CloudTrail is enabled in all regions | New |
|
|
|
| |
Ensure CloudTrail logging is enabled | New |
|
|
|
| |
Ensure that S3 server access logging is enabled | New |
|
|
|
| |
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | New |
|
|
|
| |
Ensure AWS VPC subnets have automatic public IP assignment disabled | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) | New |
|
|
|
| |
Ensure that all authorization Type in API Gateway is not set to None | New |
|
|
|
| |
Ensure that an API Key is required on a Method Request | New |
|
|
|
| |
Ensure that address source/destination check is enabled on the instance | New |
|
|
|
| |
Ensure that AWS DB Security Group does not allow public access | New |
|
|
|
| |
Amazon EC2 instance must have an associated tag | New |
|
|
|
| |
Ensure AWS Lambda functions have tracing enabled | New |
|
|
|
| |
Lambda Functions must have an associated tag | New |
|
|
|
| |
Ensure that S3 bucket has versioning enabled | New |
|
|
|
| |
Ensure that EC2Fleet of type maintain has ReplaceUnhealthyInstances set to true | New |
|
|
|
| |
Ensure that EC2 API termination protection is enabled | New |
|
|
|
| |
Ensure that the S3 bucket has lifecycle configuration enabled | New |
|
|
|
| |
Ensure that the S3 bucket has object lock enabled | New |
|
|
|
| |
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | New |
|
|
|
| |
Ensure first access key is rotated every 90 days or less | New |
|
|
|
| |
Ensure second access key is rotated every 90 days or less | New |
|
|
|
| |
Ensure IAM password policy requires minimum length of 14 or greater | New |
|
|
|
| |
Ensure IAM password policy prevents password reuse | New |
|
|
|
| |
Ensure no root account access key exists | New |
|
|
|
| |
Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account | New |
|
|
|
| |
Ensure a support role has been created to manage incidents with AWS Support | New |
|
|
|
| |
Ensure IAM policies that allow full '*:*' administrative privileges are not created | New |
|
|
|
| |
Ensure MFA Delete is enable on S3 buckets | New |
|
|
|
| |
Ensure AWS IAM users have no more than one active Access Key | New |
|
|
|
| |
Ensure IAM instance roles are used for AWS resource access from instances | New |
|
|
|
| |
Ensure credentials (with first activated acccessKey) unused for 90 days or greater are disabled | New |
|
|
|
| |
Ensure credentials (with second activated acccessKey) unused for 90 days or greater are disabled | New |
|
|
|
| |
Ensure CloudTrail is enabled in all regions | New |
|
|
|
| |
Ensure CloudTrail log file validation is enabled | New |
|
|
|
| |
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | New |
|
|
|
| |
Ensure AWS Config is enabled in all regions | New |
|
|
|
| |
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | New |
|
|
|
| |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs | New |
|
|
|
| |
Ensure rotation for customer created CMKs is enabled | New |
|
|
|
| |
Ensure VPC flow logging is enabled in all VPCs | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for unauthorized API calls | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for usage of 'root' account | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for IAM policy changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for CloudTrail configuration changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for S3 bucket policy changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for AWS Config configuration changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for security group changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for changes to network gateways | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for route table changes | New |
|
|
|
| |
Ensure a log metric filter and alarm exist for VPC changes | New |
|
|
|
| |
Ensure the default security group of every VPC restricts all traffic | New |
|
|
|
|
November 10 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that there is no wildcard action in an IAM policy | New |
|
|
|
| |
Ensure that there is no wildcard action in a customer managed IAM policy | New |
|
|
|
| |
Ensure that the IAM Policy does not grant full administrative rights | New |
|
|
|
| |
Ensure that customer managed IAM policy does not grant full administrative rights | New |
|
|
|
| |
Ensure that IAM policy is not directly attached to a user | New |
|
|
|
| |
Ensure that a customer managed IAM policy is not directly attached to a user | New |
|
|
|
| |
Ensure that IAM user does not have directly embeded policy | New |
|
|
|
|
November 03 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Modification |
|
|
|
| |
Ensure that Register with Azure Active Directory is enabled on App Service | Modification |
|
|
|
| |
Ensure AWS RDS instances have Multi-Availability Zone enabled | Modification |
|
|
|
| |
Enable Function App Service Authentication | Modification |
|
|
|
| |
Ensure that the root block device has encryption enabled | New |
|
|
|
| |
Ensure that EBS volume has encryption enabled | New |
|
|
|
| |
Ensure that the S3 bucket is not publicly readable | New |
|
|
|
| |
Ensure that the S3 bucket is not publicly writable | New |
|
|
|
| |
Ensure that there is no wildcard action in Lambda permission | New |
|
|
|
| |
Ensure that there is no wildcard principal in Lambda permission | New |
|
|
|
| |
Ensure that S3 server access logging is enabled | New |
|
|
|
| |
Ensure that address source/destination check is enabled on the instance | Modification |
|
|
|
| |
Ensure that S3 bucket has versioning enabled | New |
|
|
|
| |
Ensure that EC2Fleet of type maintain has ReplaceUnhealthyInstances set to true | New |
|
|
|
| |
Ensure that EC2 API termination protection is enabled | New |
|
|
|
|
October 27 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure hardware mfa is enabled for the 'root' account | Removal |
|
|
| AWS CloudGuard Best Practices AWS CloudGuard SOC2 based on AICPA TSC 2017 AWS ISO 27001:2013 AWS GDPR Readiness | |
Ensure virtual or hardware mfa is enabled for the 'root' account | Modification |
|
|
|
| |
ELB is setup with HTTPS for secure communication | Modification |
|
|
|
| |
Instances outside of Europe region | Modification |
|
|
|
| |
Ensure that an API Key is required on a Method Request | Modification |
|
|
|
| |
Ensure that 'HTTP Version' is the latest, if used to run the web app | Modification |
|
|
|
| |
Ensure that 'Number of methods required to reset' is set to '2' | Removal |
|
|
|
| |
Ensure that there are no guest users | Removal |
|
|
|
| |
Ensure that the --kubelet-https argument is set to true (API Server) | Removal |
|
|
|
| |
Function App should only be accessible over HTTPS | Modification |
|
|
|
| |
Overly Permissive Directory Access (Global Administrator) | Removal |
|
|
|
| |
Overly Permissive Directory Access (Application Administrator) | Removal |
|
|
|
| |
Overly Permissive Directory Access (Privileged Role Administrator) | Removal |
|
|
|
| |
Overly Permissive Directory Access (Cloud Application Administrator) | Removal |
|
|
|
| |
Overly Permissive Directory Access (User Administrator) | Removal |
|
|
|
| |
Overly Permissive Directory Access (Helpdesk Administrator) | Removal |
|
|
|
| |
Ensure that auto backup is enabled for your Cloud SQL instance | Modification |
|
|
|
|
October 20 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Modification |
|
|
|
| |
Ensure GCP VM Instances have Labels | Modification |
|
|
|
| |
Default Security Groups - with network policies | Modification |
|
|
|
| |
Insecure Code of Low Severity | New |
|
|
|
| |
Insecure Code of Medium Severity | New |
|
|
|
| |
Insecure Content of Low Severity | New |
|
|
|
| |
Insecure Content of Medium Severity | New |
|
|
|
| |
Virtual machine administrative OMI/OMS service port (1270) is publicly accessible | New |
|
|
|
| |
Virtual machine administrative OMI/OMS service port (5985) is publicly accessible | New |
|
|
|
| |
Virtual machine administrative OMI/OMS service port (5986) is publicly accessible | New |
|
|
|
| |
Web Application should only be accessible over HTTPS | Modification |
|
|
|
| |
Ensure function app is using the latest version of TLS encryption | Modification |
|
|
|
| |
Vulnerable Source Code | New |
|
|
|
| |
Malicious URL of Critical Severity | New |
|
|
|
| |
Malicious URL of High Severity | New |
|
|
|
| |
Malicious IP of Critical Severity | New |
|
|
|
| |
Malicious IP of High Severity | New |
|
|
|
| |
Malicious file of Critical Severity | New |
|
|
|
| |
Malicious file of High Severity | New |
|
|
|
| |
Insecure Code of Critical Severity | New |
|
|
|
| |
Insecure Code of High Severity | New |
|
|
|
| |
Insecure Content of Critical Severity | New |
|
|
|
| |
Insecure Content of High Severity | New |
|
|
|
| |
Package of Critical Severity | New |
|
|
|
| |
Package of High Severity | New |
|
|
|
| |
Package of Medium Severity | New |
|
|
|
| |
Package of Low Severity | New |
|
|
|
| |
Package of Unknown Severity | New |
|
|
|
| |
Insecure Code of Low Severity | New |
|
|
|
| |
Insecure Code of Medium Severity | New |
|
|
|
| |
Insecure Content of Low Severity | New |
|
|
|
| |
Insecure Content of Medium Severity | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled' | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled' | New |
|
|
|
| |
Ensure that outbound traffic is restricted to only that which is necessary, and all other traffic denied | New |
|
|
|
| |
Overly permissive NSG Inbound rule to all traffic on ANY protocol | New |
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | New |
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update Network Security Group | New |
|
|
|
| |
Ensure that Activity Log Alert exists for Delete Network Security Group | New |
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | New |
|
|
|
| |
Ensure that activity log alert exists for the Delete Network Security Group Rule | New |
|
|
|
| |
Ensure that Azure Monitor Logs is configured to export Activity Logs | New |
|
|
|
| |
Ensure that Azure Virtual Machine is assigned to an availability set | New |
|
|
|
| |
Ensure that SQL Database Auditing Retention is greater than 90 days | New |
|
|
|
| |
Ensure that 'Auditing' in SQL Servers is set to 'On' | New |
|
|
|
| |
Ensure ASC Default policy setting 'SQL Auditing Monitoring Effect' is not 'Disabled' | New |
|
|
|
| |
Ensure that Azure Monitor Logs collects all types of activities | New |
|
|
|
| |
Ensure audit profile captures all the activities | New |
|
|
|
| |
Ensure the log profile captures activity logs for all regions including global | New |
|
|
|
| |
Ensure Cosmos DB account public network access is disabled | New |
|
|
|
| |
Ensure Cosmos DB account access is not allowed from all networks | New |
|
|
|
| |
Ensure Flow-Logs are Enabled on NSG | New |
|
|
|
| |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | New |
|
|
|
| |
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | New |
|
|
|
| |
Function App should only be accessible over HTTPS | New |
|
|
|
| |
Ensure that Geo Redundant Backups is enabled on PostgreSQL | New |
|
|
|
| |
Ensure that at least one Network Security Group is attached to all VMs and subnets that are public | New |
|
|
|
| |
Key vault should have purge protection enabled | New |
|
|
|
| |
Ensure function app is using the latest version of TLS encryption | New |
|
|
|
| |
Ensure Web App is using the latest version of TLS encryption | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled' | New |
|
|
|
| |
Ensure that RDP access is restricted from the internet | New |
|
|
|
| |
VirtualMachine with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet | New |
|
|
|
| |
VirtualMachine with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope | New |
|
|
|
| |
Ensure that SSH access is restricted from the internet | New |
|
|
|
| |
VirtualMachine with administrative service: SSH (TCP:22) is exposed to a wide network scope | New |
|
|
|
| |
VirtualMachine with administrative service: SSH (TCP:22) is too exposed to the public internet | New |
|
|
|
| |
VirtualMachine with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | New |
|
|
|
| |
VirtualMachine with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled' | New |
|
|
|
| |
Ensure that Network Watcher is 'Enabled' | New |
|
|
|
| |
Ensure that the Redis Cache accepts only SSL connections | New |
|
|
|
| |
Ensure remote debugging has been disabled for your production Azure Functions | New |
|
|
|
| |
Ensure remote debugging has been disabled for your production Web App | New |
|
|
|
| |
Ensure AuditEvent logging for Azure Key Vault is enabled | New |
|
|
|
| |
Ensure that Role Based Access Control (RBAC) is enabled in your AKS Cluster | New |
|
|
|
| |
Ensure that 'Secure transfer required' (HTTPS) is enabled for Storage Accounts | New |
|
|
|
| |
Ensure SQL server's TDE protector is encrypted with Customer-managed key | New |
|
|
|
| |
Ensure default network access rule for Storage Accounts is set to deny | New |
|
|
|
| |
Ensure that Virtual Networks Subnets have Security Groups | New |
|
|
|
| |
Ensure that Azure Virtual Network subnet is configured with a Network Security Group | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled' | New |
|
|
|
| |
Ensure Transparent Data Encryption (TDE) is enabled for SQL Databases | New |
|
|
|
| |
Ensure that 'Unattached disks' are encrypted with CMK | New |
|
|
|
| |
Ensure storage for critical data are encrypted with Customer Managed Key | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled' | New |
|
|
|
| |
Ensure that 'OS and Data' disks are encrypted with CMK | New |
|
|
|
| |
Ensure ASC Default policy setting 'Storage Encryption Monitoring Effect' is not 'Disabled' | New |
|
|
|
| |
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled' | New |
|
|
|
| |
Web Application should only be accessible over HTTPS | New |
|
|
|
| |
Ensure entire Azure infrastructure doesn't have access to Azure SQL Server | New |
|
|
|
| |
Ensure Application Gateway is using the latest version of TLS encryption | New |
|
|
|
| |
Ensure Application Gateway is using Https protocol | New |
|
|
|
| |
Enable Incoming Client Certificates | New |
|
|
|
| |
Ensure that 'Threat Detection' is enabled for Azure SQL Database | New |
|
|
|
| |
Ensure ASC Default policy setting 'SQL Encryption Monitoring Effect' is not 'Disabled' | New |
|
|
|
| |
Ensure ASC Default policy setting 'System Configurations Monitoring Effect' is not 'Disabled' | New |
|
|
|
| |
Ensure that Activity Log Retention is set 365 days or greater | New |
|
|
|
| |
Ensure Azure Application Gateway Web application firewall (WAF) is enabled | New |
|
|
|
| |
Ensure that no SQL Server allows ingress from 0.0.0.0/0 (ANY IP) | New |
|
|
|
| |
Restrict Azure SQL Server accessibility to a minimal address range | New |
|
|
|
| |
Ensure that Key Vault is in use | New |
|
|
|
| |
Ensure expiration date is set for all keys | New |
|
|
|
| |
Ensure that the expiry date is set on all secrets | New |
|
|
|
| |
Ensure the key vault is recoverable - enable 'Soft Delete' setting for a Key Vault | New |
|
|
|
| |
Ensure that Azure SQL Server Admin is configured with AD Authentication | New |
|
|
|
| |
Ensure that Azure Active Directory Admin is configured for SQL Server | New |
|
|
|
| |
Ensure Flow-Logs Retention Policy is greater than 90 days | New |
|
|
|
| |
Ensure SQL Server Threat Detection is Enabled and Retention Logs are greater than 90 days | New |
|
|
|
| |
Ensure that 'Auditing' Retention on SQL Server is 'greater than 90 days' | New |
|
|
|
| |
Ensure that SQL Server Auditing Retention is greater than 90 days | New |
|
|
|
| |
Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | New |
|
|
|
| |
Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' | New |
|
|
|
| |
Ensure that ADS - 'Advanced Threat Protection types' (ATP) is set to 'All' | New |
|
|
|
| |
Ensure Cosmos DB account is encrypted with customer-managed keys | New |
|
|
|
| |
Ensure that Cosmos DB Account has an associated tag | New |
|
|
|
|
October 06 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure that Key Vault is in use | Modification |
|
|
|
| |
Ensure that the seccomp profile is set to docker/default in your pod definitions | Modification |
|
|
|
| |
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet) | New |
|
|
|
| |
Ensure that the --rotate-certificates argument is not set to false (Kubelet) | New |
|
|
|
| |
Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet) | New |
|
|
|
| |
Ensure that the --kubelet-https argument is set to true (API Server) | New |
|
|
|
| |
Ensure that the --token-auth-file parameter is not set (API Server) | New |
|
|
|
| |
Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --client-ca-file argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --etcd-cafile argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) | New |
|
|
|
| |
Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) | New |
|
|
|
| |
Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) | New |
|
|
|
| |
Ensure that the --client-cert-auth argument is set to true (etcd) | New |
|
|
|
| |
Ensure that the --auto-tls argument is not set to true (etcd) | New |
|
|
|
| |
Prefer using secrets as files over secrets as environment variables | New |
|
|
|
| |
Ensure that the admission control plugin AlwaysAdmit is not set (API Server) | New |
|
|
|
| |
Ensure that the --anonymous-auth argument is set to false (Kubelet) | New |
|
|
|
| |
Ensure that the --authorization-mode argument is not set to AlwaysAllow (Kubelet) | New |
|
|
|
| |
Ensure that the --profiling argument is set to false (API Server) | New |
|
|
|
| |
Ensure that the --kubelet-certificate-authority argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin PodSecurityPolicy is set (API Server) | New |
|
|
|
| |
Ensure that the --authorization-mode argument includes RBAC (API Server) | New |
|
|
|
| |
Ensure that the --profiling argument is set to false (Scheduler) | New |
|
|
|
| |
Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Controller Manager) | New |
|
|
|
| |
Ensure that the --profiling argument is set to false (Controller Manager) | New |
|
|
|
| |
Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) | New |
|
|
|
| |
Ensure that the --root-ca-file argument is set as appropriate (Controller Manager) | New |
|
|
|
| |
Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) | New |
|
|
|
| |
Ensure that the --peer-client-cert-auth argument is set to true (etcd) | New |
|
|
|
| |
Ensure that the --peer-auto-tls argument is not set to true (etcd) | New |
|
|
|
| |
Minimize the admission of containers wishing to share the host IPC namespace (PSP) | New |
|
|
|
| |
Ensure that the seccomp profile is set to docker/default in your pod definitions | New |
|
|
|
| |
Minimize the admission of containers wishing to share the host network namespace (PSP) | New |
|
|
|
| |
Minimize the admission of containers wishing to share the host process ID namespace (PSP) | New |
|
|
|
| |
Minimize the admission of containers with allowPrivilegeEscalation (PSP) | New |
|
|
|
| |
Minimize the admission of privileged containers (PSP) | New |
|
|
|
| |
Ensure that the --anonymous-auth argument is set to false (API Server) | New |
|
|
|
| |
Minimize the admission of containers with the NET_RAW capability (PSP) | New |
|
|
|
| |
The default namespace should not be used | New |
|
|
|
| |
Ensure that the cluster-admin role is only used where required (RBAC) | New |
|
|
|
| |
Minimize access to secrets (RBAC) | New |
|
|
|
| |
Minimize wildcard use in Roles and ClusterRoles (RBAC) | New |
|
|
|
| |
Minimize access to create pods (RBAC) | New |
|
|
|
| |
Ensure that default service accounts are not actively used. (RBAC) | New |
|
|
|
| |
Ensure that Service Account Tokens are only mounted where necessary (RBAC) | New |
|
|
|
| |
Ensure that the --authorization-mode argument includes Node (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (API Server) | New |
|
|
|
| |
Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (RBAC) | New |
|
|
|
| |
Ensure that the --audit-log-path argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --event-qps argument is set to 0 (Kubelet) | New |
|
|
|
| |
Ensure that the --service-account-lookup argument is set to true (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin ServiceAccount is set (API Server) | New |
|
|
|
| |
Ensure that the --client-ca-file argument is set as appropriate (Kubelet) | New |
|
|
|
| |
Ensure that the --read-only-port argument is set to 0 (Kubelet) | New |
|
|
|
| |
Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Kubelet) | New |
|
|
|
| |
Ensure that the --make-iptables-util-chains argument is set to true (Kubelet) | New |
|
|
|
| |
Ensure that the --insecure-bind-address argument is not set (API Server) | New |
|
|
|
| |
Ensure that the --insecure-port argument is set to 0 (API Server) | New |
|
|
|
| |
Ensure that the --secure-port argument is not set to 0 (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin AlwaysPullImages is set (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin NamespaceLifecycle is set (API Server) | New |
|
|
|
| |
Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin NodeRestriction is set (API Server) | New |
|
|
|
| |
Ensure that the admission control plugin EventRateLimit is set (API Server) | New |
|
|
|
| |
Ensure that the --request-timeout argument is set as appropriate (API Server) | New |
|
|
|
| |
Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager) | New |
|
|
|
| |
Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler) | New |
|
|
|
| |
Ensure that the --protect-kernel-defaults argument is set to true (Kubelet) | New |
|
|
|
| |
Ensure that the --hostname-override argument is not set (Kubelet) | New |
|
|
|
| |
Ensure that the --service-account-key-file argument is set as appropriate (API Server) | New |
|
|
|
| |
Apply Security Context to Your Pods and Containers | New |
|
|
|
|
October 04 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure VPC flow logging is enabled in all VPCs | New |
|
|
|
| |
Ensure VPC flow logging is enabled in all VPCs | Removal |
|
|
|
| |
Ensure AWS IAM policies do not grant 'assume role' permission across all services | Modification |
|
|
|
| |
Ensure that Trusted Policy Roles which can be assumed by external entities include a Condition String | Modification |
|
|
|
|
September 29 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|
|
|
|
|
|
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Ensure AuditEvent logging for Azure Key Vault is enabled | New |
|
|
|
|
|
|
|
|
|
|
| |
Ensure Transparent Data Encryption (TDE) is enabled for SQL Databases | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that logging for Azure KeyVault is 'Enabled' | Removal |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that 'Secure transfer required' (HTTPS) is enabled for Storage Accounts | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Storage account supports customer-managed keys encryption for Blobs | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Storage account supports customer-managed keys encryption for Files | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure expiration date is set for all keys | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that the expiry date is set on all SQL Server keys | Removal |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Create Policy Assignment | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update Network Security Group | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Delete Network Security Group | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that activity log alert exists for the Delete Network Security Group Rule | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update Security Solution | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Delete Security Solution | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert exists for Delete Policy Assignment | Modification |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that storage account access keys are periodically regenerated | Removal |
|
|
|
|
|
|
|
|
|
|
| |
Ensure that Activity Log Alert Rule is activated for New/Updated Policy Assignments | Removal |
|
|
|
|
|
|
|
|
|
|
|
September 13 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
S3 Buckets - without server-side-encryption enabled | Removal |
|
|
|
| |
Accounts - without enforced Password Policy | Removal |
|
|
|
| |
IAM Users - enabled while unused for 90 days or more | Removal |
|
|
|
| |
IAM Users - with console password without MFA enabled | Removal |
|
|
|
| |
IAM Users - with Inline IAM Policies applied | Removal |
|
|
|
| |
S3 Buckets - without CloudTrail access logging | Removal |
|
|
|
| |
S3 Buckets - without logging enabled | Removal |
|
|
|
| |
Instances - are not configured within a VPC | Removal |
|
|
|
| |
Security Groups - with SSH admin port too exposed to the public internet | Removal |
|
|
|
| |
Ensure Key Vault is in use | Modification |
|
|
|
| |
Avoid the use of the 'root' account | Removal |
|
|
|
| |
Ensure Web App is using the latest version of TLS encryption | Modification |
|
|
|
| |
Ensure rotation for customer created CMKs is enabled (Scored) | Removal |
|
|
|
| |
Ensure VPC flow logging is enabled in all VPCs | Removal |
|
|
|
| |
Ensure Cosmos DB account is using Private Endpoints | New |
|
|
|
| |
Ensure that multi-factor authentication is enabled for all privileged users | Removal |
|
|
|
| |
Ensure that multi-factor authentication is enabled for all non-privileged users | Removal |
|
|
|
| |
MFA should be enabled on accounts with read permissions on your subscription | Removal |
|
|
|
| |
MFA should be enabled on accounts with write permissions on your subscription | Removal |
|
|
|
| |
Overly Permissive Scope Access of Role Assignment | Removal |
|
|
|
| |
Overly Permissive Subscription Access (Owner over the whole Subscription) | Removal |
|
|
|
| |
Overly Permissive Subscription Access (Contributor over the whole Subscription) | Removal |
|
|
|
| |
Overly Permissive Subscription Access (User Access Administrator over the whole Subscription) | Removal |
|
|
|
| |
Overly Permissive Scope Access of Role Definition | Removal |
|
|
|
| |
Overly Permissive Subscription Access (Authorization over the whole Subscription) | Removal |
|
|
|
| |
Overly Permissive Subscription Access (Full Access over the whole Subscription) | Removal |
|
|
|
| |
Ensure that SQL Server Auditing is Enabled | Removal |
|
|
|
| |
Ensure there is an up to date Network Diagram for your cloud network | Removal |
|
|
|
| |
Ensure Web App is using the latest version of TLS encryption | Removal |
|
|
|
| |
Asset is not labeled | Removal |
|
|
|
|
September 05 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Enable App Service Authentication on Azure App Service | Modification |
|
|
|
| |
Ensure Cosmos DB account is encrypted with customer-managed keys | New |
|
|
|
| |
Ensure Cosmos DB account public network access is disabled | New |
|
|
|
| |
Ensure Cosmos DB account access is not allowed from all networks | New |
|
|
|
| |
Enable WebApp Service Authentication | Removal |
|
|
|
| |
Ensure Web App is using the latest version of TLS encryption | Removal |
|
|
|
| |
Ensure VPC flow logging is enabled in all VPCs | Removal |
|
|
|
|
September 01, 2021
Rule ID | Rule Name | Change Type | Updated Content | Logic Before | Logic After | Affected Rulesets |
|---|---|---|---|---|---|---|
Ensure Basic Authentication is disabled on Kubernetes Engine Clusters | Removal |
|
|
|
| |
Ensure all S3 buckets employ encryption-at-rest | New |
|
|
|
| |
Ensure that encryption is enabled for RDS Instances | New |
|
|
|
| |
Ensure ELB enforces recommended SSL/TLS protocol version | New |
|
|
|
| |
Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's | New |
|
|
|
| |
Ensure that your Amazon EFS file systems are encrypted | New |
|
|
|
| |
Ensure that encryption of data at rest is enabled on Elasticsearch domains | New |
|
|
|
| |
Ensure that node-to-node encryption is enabled for Elasticsearch service | New |
|
|
|
| |
Ensure that the KMS key have key rotation enabled | New |
|
|
|
| |
Ensure AWS Kinesis streams are encrypted with KMS customer master keys | New |
|
|
|
| |
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | New |
|
|
|
| |
S3 bucket should not allow all actions from all principals | New |
|
|
|
| |
S3 bucket should not allow delete actions from all principals | New |
|
|
|
| |
S3 bucket should not allow 'get' actions from all principals | New |
|
|
|
| |
S3 bucket should not allow list actions from all principals | New |
|
|
|
| |
S3 bucket should not allow put actions from all principals | New |
|
|
|
| |
S3 bucket should not allow restoring object actions from all principals | New |
|
|
|
| |
Ensure AWS EC2 Instances use IAM Roles to control access | New |
|
|
|
| |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs | New |
|
|
|
| |
Ensure CloudTrail is enabled in all regions | New |
|
|
|
| |
Ensure CloudTrail logging is enabled | New |
|
|
|
| |
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | New |
|
|
|
| |
Ensure AWS VPC subnets have automatic public IP assignment disabled | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22) | New |
|
|
|
| |
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) | New |
|
|
|
| |
Ensure that all authorization Type in API Gateway is not set to None | New |
|
|
|
| |
Ensure that an API Key is required on a Method Request | New |
|
|
|
| |
Ensure that S3 bucket versioning enabled | New |
|
|
|
| |
Amazon EC2 instance must have an associated tag | New |
|
|
|
| |
Ensure AWS Lambda functions have tracing enabled | New |
|
|
|
| |
Lambda Functions must have an associated tag | New |
|
|
|
|