CloudGuard Compliance Updates - January 2023 - December 2023
1. December 27 2023
2. December 20 2023
3. December 13 2023
4. December 06 2023
5. November 29 2023
6. November 22 2023
7. November 15 2023
8. November 08 2023
9. November 01 2023
10. October 25 2023
11. October 18 2023
12. October 11 2023
13. October 04 2023
14. September 27 2023
15. September 20 2023
16. September 13 2023
17. September 06 2023
18. August 30 2023
19. August 23 2023
20. August 16 2023
21. August 09 2023
22. August 02 2023
23. July 26 2023
24. July 19 2023
25. July 12 2023
26. July 05 2023
27. June 28 2023
28. June 21 2023
29. June 14 2023
30. June 07 2023
31. May 31 2023
32. May 24 2023
33. May 17 2023
34. May 10 2023
35. May 03 2023
36. April 24 2023
37. April 19 2023
38. March 29 2023
39. March 15 2023
40. March 01 2023
41. February 22 2023
42. February 15 2023
43. February 08 2023
44. February 01 2023
45. January 25 2023
46. January 18 2023
47. January 11 2023
48. January 04 2023
December 27 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that the AWS region's Amazon Glue Data Catalog objects and connection passwords are encrypted | High | New | | | | |
| | Ensure HealthLake Datastore has data-at-rest encryption using KMS CMKs | High | New | | | | |
| | Ensure that Amazon Translate custom terminology is encrypted using KMS CMKs | High | New | | | | |
| | Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS Cognito User Pool | High | New | | | | |
| | Ensure that Gateway Load Balancer should have tags | Informational | New | | | | |
| | Ensure cross-zone load balancing is enabled for Gateway Load Balancer | Medium | New | | | | |
| | Ensure that the Gateway Load Balancers status is Available | Low | New | | | | |
| | Ensure Resource Access Manager customer managed permissions should have tags | Informational | New | | | | |
| | Ensure shared AWS resources under Resource Access Manager should have tags | Informational | New | | | | |
| | Ensure Amazon Outposts should have tags | Informational | New | | | | |
| | Serverless Application Repositories should have labels | Low | New | | | | |
| | Ensure Cognito Identity Pool should have tags | Informational | New | | | | |
| | Ensure Cognito User Pool should have tags | Informational | New | | | | |
| | Ensure HealthLake Datastore should have tags | Informational | New | | | | |
| | Ensure that a NetApp Files Account has an associated tag | Low | New | | | | |
| | Synapse Workspace should have double encryption enabled | High | New | | | | |
| | Encryption in transit is enabled for HD Insight clusters | High | New | | | | |
| | Ensure that Enable Infrastructure Encryption is set for Azure Databricks workspace | High | New | | | | |
| | Ensure that NetApp account active directories are using LDAP signing | High | New | | | | |
| | Ensure that Azure Log Analytics Cluster has double encryption enabled | Low | New | | | | |
| | Ensure that Azure Log Analytics Cluster is encrypted using a CMK | Low | New | | | | |
| | Ensure that in Azure NetApp Files 'AES encryption' is set to 'Enabled' on any active directories | High | New | | | | |
| | Ensure that in Azure NetApp Files 'encryptDCConnections' is not disabled on any active directories | High | New | | | | |
| | Ensure that in Azure NetApp Files 'ldapOverTLS' is not disabled on any active directories | High | New | | | | |
| | Synapse Workspace should not allow public network access | High | New | | | | |
| | Ensure that Load Balancer should have tags | Low | New | | | | |
| | Ensure that Load Balancer should not have Public IP | High | New | | | | |
| | Ensure that Regional WAF should have Tags | Low | New | | | | |
| | Ensure that Regional Web Application Firewall (WAF) is Enabled | High | New | | | | |
| | Ensure that Global Web Application Firewall (WAF) is Enabled | High | New | | | | |
| | Ensure that Azure SQL Managed Instance public access is disabled | High | New | | | | |
| | Ensure that Synapse Workspace should have tags | Low | New | | | | |
| | Ensure that HD Insight should have Tags | Low | New | | | | |
| | Ensure that Azure SQL Managed Instance should have tags | Low | New | | | | |
| | Ensure that Azure Databricks workspace should have a name tag | Low | New | | | | |
| | Ensure that Azure Virtual Network Manager should have tags | Low | New | | | | |
| | Ensure that Azure Orbital Spacecraft has locks | Low | New | | | | |
| | Ensure that Azure Orbital Spacecraft has tags | Low | New | | | | |
| | Ensure that Azure Dedicated Host Group has tags | Low | New | | | | |
| | Ensure that Azure Orbital Spacecraft's status is not failed | Low | New | | | | |
| | Ensure that NetApp Account active directories are in an operational state | High | New | | | | |
| | Ensure that Azure Log Analytics Cluster has tags | Low | New | | | | |
December 20 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that AWS Elastic Container Registry (ECR) image scanning is enabled | High | Modification | | | | |
| | Ensure that Amazon S3 Glacier should have tags | Low | New | | | | |
| | Ensure X-Ray Encryption using KMS | Low | New | | | | |
| | Ensure AWS Code Artifact Domain is using Customer managed key (CMK) KMS encryption | High | New | | | | |
| | Ensure that CodeStar user profile should have SSH public key | High | New | | | | |
| | Ensure that your Amazon ECS instances are using the latest ECS container agent version | Medium | Modification | | | | |
| | Ensure AWS Transcribe Job has tags | Informational | New | | | | |
| | Ensure AWS Medical Transcribe Job has tags | Informational | New | | | | |
| | Ensure AWS X-Ray Group has tags | Low | New | | | | |
| | Ensure that CodeStar should have tags | Informational | New | | | | |
| | Ensure AWS Code Artifact Repository has tags | Low | New | | | | |
| | Ensure AWS Code Artifact Domain has tags | Low | New | | | | |
| | Ensure AWS Global Accelerator has tags | Low | New | | | | |
| | Ensure AWS Global Custom Accelerator has tags | Low | New | | | | |
| | Ensure Azure Firewall SKU is configured to Premium | High | New | | | | |
| | Ensure Azure Firewall has tags | Low | New | | | | |
| | Ensure that Azure Compute Gallery has tags | Low | New | | | | |
| | Ensure that Azure Compute Gallery has locks | Low | New | | | | |
| | Ensure that Azure Compute Gallery's status is not failed | Low | New | | | | |
| | Ensure that Azure Compute Gallery's Image has tags | Low | New | | | | |
| | Ensure that Azure Compute Gallery Image's status is not failed | Low | New | | | | |
| | Ensure that Azure Data Share Account has tags | Low | New | | | | |
December 13 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that AWS Firewall Manager Policy has an associated tag | Low | New | | | | |
| | Ensure Managed Streaming for Apache Kafka (MSK) clusters have in-transit encryption enabled within the cluster and between clients and brokers | Critical | New | | | | |
| | Ensure AWS MemoryDB for Redis clusters have Customer Managed CMK at-rest encryption | High | New | | | | |
| | Ensure AWS MemoryDB for Redis manual snapshots have Customer Managed CMK encryption | High | New | | | | |
| | Ensure AWS MemoryDB for Redis clusters have in-transit encryption enabled | High | New | | | | |
| | Ensure MemoryDB for Redis clusters have automatic snapshots enabled | Low | New | | | | |
| | Ensure Managed Streaming for Apache Kafka (MSK) clusters have only authenticated access | High | New | | | | |
| | Ensure Managed Streaming for Apache Kafka (MSK) clusters do not allow public access | High | New | | | | |
| | Ensure Managed Streaming for Apache Kafka (MSK) clusters have log delivery configured | Low | New | | | | |
| | Ensure AWS WAFv2 Web ACL logging should be enabled | Low | New | | | | |
| | Ensure Managed Streaming for Apache Kafka (MSK) clusters have enhanced monitoring configured | Low | New | | | | |
| | Ensure Managed Streaming for Apache Kafka (MSK) clusters have tags | Low | New | | | | |
| | Ensure that AWS MemoryDB for Redis snapshot has tags | Low | New | | | | |
| | Ensure MemoryDB for Redis cluster is updated | High | New | | | | |
| | Ensure that AWS MemoryDB for Redis clusters have tags | Low | New | | | | |
| | Ensure AWS SimSpace Weaver Simulation have tags | Low | New | | | | |
| | Ensure AWS WAFv2 Web ACL has tags | Low | New | | | | |
| | Ensure that the AWS Firewall Manager Policy removes protection from unused resources | Low | New | | | | |
| | Ensure that the AWS Firewall Manager Account is in a Healthy State | Low | New | | | | |
| | Ensure that the AWS Firewall Manager Policy automatically remediates non-compliant resources | Low | New | | | | |
| | Ensure that the AWS Firewall Manager Policy is in a healthy state | High | New | | | | |
| | Ensure that an Event Grid namespace has an associated tag | Low | New | | | | |
| | Ensure that Event Grid Namespace's minimum TLS version is set to 1.2 | High | New | | | | |
| | Ensure that Event Grid Namespace is not open to public IPs | High | New | | | | |
| | Ensure that Event Grid Namespace does not allow public network access | High | New | | | | |
| | Ensure that Azure Stream Analytics Cluster has locks | Low | New | | | | |
| | Ensure that Azure Stream Analytics Cluster has tags | Low | New | | | | |
| | Ensure that Azure Stream Analytics Cluster's status is not failed | Low | New | | | | |
| | Ensure that Event Grid Namespace's private endpoint connections are not in a failed state | High | New | | | | |
| | Ensure Event Grid Namespace is not in Failed state | High | New | | | | |
| D9.AWS.NET.60 | Ensure that NAT gateway is not associated in a private subnet | Medium | Removal | | | | |
December 06 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Eliminate use of the 'root' user for administrative and daily tasks | High | Modification | | | | |
| | Ensure no 'root' user account access key exists | High | Modification | | | | |
| | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Critical | Modification | | | | |
| | Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS root account | High | Modification | | | | |
| | Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements | Critical | Modification | | | | |
| | Ensure that FinSpace Environment is encrypted using CMK | Low | New | | | | |
| | Ensure Elastic Disaster Recovery Replication status is not giving any error | Low | New | | | | |
| | Ensure that root account credentials have not been used recently to access your AWS account | High | Modification | | | | |
| | Ensure Email Address is added for each Amazon Detective's Member | Low | New | | | | |
| | Ensure Amazon QuickSight has Termination Protection Enabled | Low | New | | | | |
| | Ensure VPN Gateway is Available | Low | New | | | | |
| | Ensure that AWS Timestream Database has tags | Low | New | | | | |
| | Ensure that AWS Timestream Table has tags | Low | New | | | | |
| | Ensure that AWS Personalize has tags | Low | New | | | | |
| | Ensure that Azure Power BI Embedded Capacity has tags | Low | New | | | | |
| D9.AWS.CRY.73 | Ensure that user Volume Encryption is enabled for AWS Workspace | High | Removal | | | | |
| D9.AWS.CRY.74 | Ensure that root Volume Encryption is enabled for AWS Workspace | High | Removal | | | | |
| D9.AWS.OPE.53 | Ensure Amazon Organizations is in use to consolidate all your AWS accounts into an organization | Medium | Removal | | | | |
| D9.AWS.OPE.59 | Ensure unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices | Low | Removal | | | | |
| D9.AZU.NET.67 | Ensure that Containers and its blobs are not exposed publicly | Critical | Removal | | | | |
November 29 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that Authorization Type in API Gateway is not set to None | High | New | | | | |
| | Ensure that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using Customer-managed Customer Master Keys | High | Modification | | | | |
| | Ensure that DAX Parameter Group doesn't require reboot | High | New | | | | |
| | Ensure that Compute Optimizer has no high performance risk ratings | Low | New | | | | |
| | Ensure that AWS Data Exchange Dataset has tags | Low | New | | | | |
| | Ensure that Chaos Studio Experiment's status is not failed | Low | New | | | | |
| D9.AWS.NET.67 | Ensure that all authorization Type in API Gateway are not set to None | High | Removal | | | | |
| D9.AWS.CRY.146 | Ensure that FinSpace Environment is encrypted using CMK | Low | Removal | | | | |
November 22 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that Endpoint Protection for all Windows Virtual Machines is installed | High | Modification | | | | |
| | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | Low | New | | | | |
| | Ensure that EC2 Metadata Service only allows IMDSv2 | High | Modification | | | | |
| | Ensure that Data Lake's 'allowFullTableExternalDataAccess' setting is disabled | High | New | | | | |
| | Ensure that a limit is set on pod PIDs (Kubelet) | High | New | | | | |
| D9.AWS.CRY.56 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | Low | Removal | | | | |
November 15 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure API Gateway has WAF | Low | Modification | | | | |
| | Ensure that FinSpace Environment has an associated tag | Low | New | | | | |
| | Ensure that Comprehend Flywheel has an associated tag | Low | New | | | | |
| | Ensure that Comprehend Endpoint has an associated tag | Low | New | | | | |
| | Ensure that AWS Config Rule has an associated tag | Low | New | | | | |
| | Ensure that Forecast Predictor is encrypted using CMK | Low | New | | | | |
| | Ensure that Forecast Dataset is encrypted using CMK | Low | New | | | | |
| | Ensure that Comprehend Flywheel's model is encrypted with CMK | Low | New | | | | |
| | Ensure that Comprehend Flywheel's volume is encrypted with CMK | Low | New | | | | |
| | Ensure that CloudSearch Domain enforces HTTPS | High | New | | | | |
| | Ensure that your CloudSearch Domain is enforcing a minimum TLS security policy of version 1.2 | High | New | | | | |
| | Ensure that FinSpace Environment is encrypted using CMK | Low | New | | | | |
| | Ensure unused IAM users are removed from AWS account to follow security best practice | Medium | New | | | | |
| | Ensure that your Amazon Comprehend Flywheel uses a VPC | Medium | New | | | | |
| | Ensure that FinSpace Environment status is healthy | High | New | | | | |
| | Ensure that Forecast Predictor has tags | Low | New | | | | |
| | Ensure that Forecast Predictor status is healthy | High | New | | | | |
| | Ensure that Forecast Dataset has tags | Low | New | | | | |
| | Ensure that Verified Permissions Policy Store has validation enabled | High | New | | | | |
| | Ensure that Comprehend Flywheel's status is not failed | High | New | | | | |
| | Ensure that Comprehend Endpoint's status is not failed | High | New | | | | |
| | Ensure that the status of the CloudSearch Domain is healthy | High | New | | | | |
| | Ensure that Forecast Monitor has tags | Low | New | | | | |
| | Ensure that Forecast Monitor status is healthy | High | New | | | | |
| | Ensure that Forecast Explainability has tags | Low | New | | | | |
| | Ensure that Forecast has tags | Low | New | | | | |
| | Ensure that Forecast Explainability status is healthy | High | New | | | | |
| | Ensure that Forecast status is healthy | High | New | | | | |
| | Ensure that Forecast Dataset Group has tags | Low | New | | | | |
| | CVE-2022-0811: Prevent pods from having securityContext with sysctls that contains + or = | Critical | Modification | | | | |
| | Package of Unknown Severity | Informational | Modification | | | | |
| D9.AWS.CRY.106 | Ensure unused IAM users are removed from AWS account to follow security best practice | Medium | Removal | | | | |
November 08 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to SSH (TCP:22) | Critical | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to RDP (TCP:3389) | Critical | New | | | | |
| | Ensure no security groups allow unrestricted ingress to commonly used remote server administration ports | Critical | Modification | | | | |
| | Ensure that Lightsail Distribution has an associated tag | Low | New | | | | |
| | Ensure that Nimble Studio has tags | Low | New | | | | |
| | Ensure that Lightsail Relational Database has an associated tag | Low | New | | | | |
| | Ensure that AppRunner Autoscaling Configuration has an associated tag | Low | New | | | | |
| | Ensure that CloudHSM Cluster has an associated tag | Low | New | | | | |
| | Ensure that CloudHSM Backup has an associated tag | Low | New | | | | |
| | Ensure that Nimble Studio is encrypted | High | New | | | | |
| | Ensure that Nimble Studio is encrypted using CMK | Low | New | | | | |
| | Ensure that Lightsail Relational Database has a recent snapshot | High | New | | | | |
| | Ensure that Lightsail Relational Database has Backup Retention enabled | High | New | | | | |
| | Ensure that CloudHSM Cluster has a backup retention of at least 30 days | Low | New | | | | |
| | Ensure that Lightsail Distribution doesn't allow unrestricted operations via HTTP requests | Low | New | | | | |
| | Ensure that Lightsail Relational Database is not publicly accessible | High | New | | | | |
| | Ensure that AWS account's Support Level is 'Business' or 'Enterprise' | Low | New | | | | |
| | Ensure that Nimble Studio status is healthy | High | New | | | | |
| | Ensure that Connect Instance status is healthy | High | New | | | | |
| | Ensure that CloudHSM Cluster is in an operational state | High | New | | | | |
| | Ensure that the CloudHSM Cluster does not have any Hardware Security Modules (HSMs) in a degraded state | High | New | | | | |
| | Configure your Microsoft Azure virtual machines to use Azure Active Directory credentials for secure authentication | Low | Modification | | | | |
| D9.AWS.NET.77 | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Critical | Removal | | | | |
| D9.AWS.CRY.100 | Ensure that Amazon Glue Data Catalog objects and connection passwords are encrypted | High | Removal | | | | |
November 01 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | MFA should be Active for All IAM Users | High | New | | | | |
| | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | High | Modification | | | | |
| | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | High | Modification | | | | |
| | Ensure AppRunner Service has an associated tag | Low | New | | | | |
| | Ensure that Lightsail Domain has an associated tag | Low | New | | | | |
| | Ensure that MWAA Environment has an associated tag | Low | New | | | | |
| | Ensure that ACM Private Certificate Authority has an associated tag | Low | New | | | | |
| | Ensure that Directory Service Directories have an associated tag | Low | New | | | | |
| | Ensure that AppRunner Connection has an associated tag | Low | New | | | | |
| | Ensure that AppRunner VPC Connector has an associated tag | Low | New | | | | |
| | Ensure that AppRunner Service is encrypted using CMK | Low | New | | | | |
| | Ensure that the ACM Private Certificate Authority is not set to expire within the next 7 days | High | New | | | | |
| | Ensure that AppFabric App Bundle is encrypted using CMK | Low | New | | | | |
| | Ensure that MWAA Environment is encrypted with CMK | High | New | | | | |
| | Ensure that Single Sign-On (SSO) is enabled for DS Directory | Low | New | | | | |
| | Ensure that DS Directory's RADIUS server is configured and in healthy state | High | New | | | | |
| | Ensure that DS Directory RADIUS authentication protocol is configured and not set to 'PAP' | Low | New | | | | |
| | Ensure that MWAA Environment's status is healthy | High | New | | | | |
| | Ensure that AWS Lightsail Domain's name server update state is not failed | High | New | | | | |
| | Ensure that AppRunner Service is not publicly accessible through the internet | High | New | | | | |
| | Ensure that AppRunner Service outgoing traffic is not routed directly to public internet | Medium | New | | | | |
| | Ensure that MWAA Environment webserver access mode is set to private only | Critical | New | | | | |
| | Ensure AppRunner Service has observability enabled | Low | New | | | | |
| | Make sure the AppRunner Service was created without any issues | High | New | | | | |
| | Ensure that the common name for your ACM Private Certificate Authority is a Fully Qualified Domain Name (FQDN) | Low | New | | | | |
| | Ensure that AppFabric App Bundle has tags | Low | New | | | | |
| | Ensure that AppRunner Connection is in healthy state | High | New | | | | |
| | Ensure that Support Case status is not 'pending-customer-action' | Low | New | | | | |
| | Ensure AWS MWAA Environment's last-update status is not failed | High | New | | | | |
| | Ensure that the Private Certificate Authority's status is not expired or failed | High | New | | | | |
| | Ensure that MWAA Environment DagProcessingLogs are enabled | Low | New | | | | |
| | Ensure that MWAA Environment SchedulerLogs are enabled | Low | New | | | | |
| | Ensure that MWAA Environment TaskLogs are enabled | Low | New | | | | |
| | Ensure that MWAA Environment WebserverLogs are enabled | Low | New | | | | |
| | Ensure that AWS MWAA Environment WorkerLogs are enabled | Low | New | | | | |
| | Ensure that the DS Directory is in healthy state | High | New | | | | |
| | Package of Unknown Severity | Informational | Modification | | | | |
October 25 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure AWS RDS retention policy is at least 7 days | High | Modification | | | | |
| | Ensure that AWS MediaTailor Source Location has tags | Low | New | | | | |
| | Ensure Lightsail Disk has an associated tag | Low | New | | | | |
| | Ensure MediaTailor Source Location has access authentication configured | High | New | | | | |
| | Ensure AWS Lightsail Disk's state is not error or unknown | High | New | | | | |
| | Ensure AWS Lightsail Disk's auto-mount status is not failed | High | New | | | | |
| | Ensure no security group allows inbound access on a range of ports | High | Modification | | | | |
| | Ensure AWS VPC does not allow unauthorized peering | High | Modification | | | | |
| | Ensure that Batch Job Compute Environment has tags | Low | New | | | | |
| | Ensure that Batch Job Definition has tags | Low | New | | | | |
| | Ensure that Batch Job Compute Environment's state is not 'INVALID' | Low | New | | | | |
| | Ensure that Signer Job status is not 'Failed' | High | New | | | | |
| | Ensure that your AWS AppStream 2.0 Usage Report Subscriptions are healthy | High | New | | | | |
| | Ensure that your AWS AppStream 2.0 Usage Report was generated in the last 30 days | High | New | | | | |
| D9.AWS.DR.14 | Ensure AWS RDS instances have Automated Backups feature enabled | High | Removal | | | | |
October 18 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure Object-level Logging of Read Events is Enabled for S3 Buckets | High | Modification | | | | |
| | Ensure Lightsail Load Balancer has an associated tag | Low | New | | | | |
| | Ensure Lightsail Instance has an associated tag | Low | New | | | | |
| | Ensure CodePipeline Webhook has an associated tag | Low | New | | | | |
| | Ensure that AWS MediaTailor Playback Configuration has tags | Low | New | | | | |
| | Ensure that AWS MediaTailor Channel has tags | Low | New | | | | |
| | Ensure KeySpace has an associated tag | Low | New | | | | |
| | Ensure that Signer Profile has tags | Low | New | | | | |
| | Ensure that DAX Cluster has tags | Low | New | | | | |
| | Ensure that Amazon Lightsail Load Balancer has HTTPS redirection enabled | High | New | | | | |
| | Ensure Lightsail instances have user-generated SSH keys in order to have full control over the authentication process | Low | New | | | | |
| | Ensure that Amazon Lightsail Load Balancer SSL/TLS certificate exists and is attached | High | New | | | | |
| | Ensure that CodePipeline Webhooks require authentication to be triggered | High | New | | | | |
| | Ensure DevOps Guru Service Integration is encrypted with CMK | Low | New | | | | |
| | Ensure that DAX Cluster encryption type should be TLS | High | New | | | | |
| | Ensure that DAX Cluster has server side encryption enabled | High | New | | | | |
| | Ensure that AWS Lambda IAM policy should not be overly permissive to all traffic | High | Modification | | | | |
| | EC2 with IAM role attached should not have iam:PassRole and ec2:RunInstances permissions | Low | New | | | | |
| | There should be no AWS role having iam:PassRole and lambda:InvokeFunction permissions attached to an EC2 instance | Low | New | | | | |
| | There should not be any AWS Lambda having an IAM role with Amazon RDS database SQL query execution permissions | Low | New | | | | |
| | Ensure that AWS MediaTailor Playback Configuration has 100% logging enabled | Low | New | | | | |
| | Ensure DevOps Guru Service Integration has Anomaly Detection logging enabled | Low | New | | | | |
| | Ensure that Lightsail Instances aren't exposed to the public internet | High | New | | | | |
| | Ensure that your AWS Lightsail Load Balancers are healthy | High | New | | | | |
| | Ensure that your AWS Lightsail Load Balanced Instances are healthy | High | New | | | | |
| | Ensure that Batch Job Queue has tags | Low | New | | | | |
| | Ensure that Kinesis Analytics Application has tags | Low | New | | | | |
| | Ensure that DevOps Guru Service Integration has the OpsCenter feature enabled | Low | New | | | | |
| D9.AWS.NET.1014 | Ensure AWS Redshift non-default parameter groups require SSL to secure data in transit | Critical | Removal | | | | |
October 11 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | High | Modification | | | | |
| | Ensure Azure groups are Security Enabled | Low | New | | | | |
| | Ensure App Registration has Expiration Date set for all Client Secrets | Low | New | | | | |
| | Connections to Amazon Redshift clusters should be encrypted in transit | Medium | Modification | | | | |
| | ECS Task Definitions should Limit Memory Usage for Containers | High | New | | | | |
| | ECS Task Definitions should Mount the Root File System as Read-only | High | New | | | | |
| | EKS Cluster should have Secrets Encrypted | Critical | New | | | | |
| | Ensure AWS IAM SSH public keys are rotated on a periodic basis as a security best practice | Low | New | | | | |
| | Ensure that your CloudFront distributions are using an origin access identity for their origin S3 buckets | High | Modification | | | | |
| | Instances should have Source/Destination Check Enabled when Not Using NAT | High | Modification | | | | |
| | Ensure that your Amazon RDS database cluster snapshots are not accessible to all AWS accounts | Critical | New | | | | |
| | Ensure that Private Key Vaults are used for Encryption at Rest in Azure Kubernetes Service (AKS) | High | New | | | | |
| | Ensure that System-Assigned Managed Identities are used for AKS Clusters | High | New | | | | |
| | Ensure that the Network Contributor Role is used for managing Azure Network Resources | High | New | | | | |
| | Ensure that the Kubernetes API version for AKS clusters is the latest | High | New | | | | |
| D9.AWS.NET.01 | Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22) | Critical | Removal | | | | |
| D9.AWS.NET.02 | Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) | Critical | Removal | | | | |
October 04 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure to filter source IP addresses for Cosmos DB Account | Medium | Modification | | | | |
| | API Gateway Routes should Specify an Authorization Type | High | New | | | | |
| | Ensure there are no VPC firewall rules that allow unrestricted inbound access to Cassandra ports (TCP - 7000, 7001, 7199, 8888, 9042, 9160, 61620 and 61621) | High | New | | | | |
| | Ensure there are no VPC firewall rules that allow unrestricted inbound access to TCP port 9090 (Ciscosecure websm) | High | New | | | | |
| | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP ports 9200 and 9300 (Elasticsearch) | High | New | | | | |
| | Ensure there are no VPC firewall rules that allow unrestricted inbound access to TCP ports 636 and 389 and UDP port 389 (LDAP) | High | New | | | | |
| | Ensure there are no VPC firewall rules that allow unrestricted inbound access to TCP or UDP on ports 11211, 11214 and 11215 (Memcached) | High | New | | | | |
| | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 6379 (Redis) | High | New | | | | |
| | Ensure that Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates | Medium | New | | | | |
| | Ensure that all instances in the Auto Scaling Group are Healthy | Medium | New | | | | |
| | Ensure that EC2 instances do not have critical vulnerabilities | Critical | New | | | | |
| | Ensure that EC2 instances do not have high-severity vulnerabilities | High | New | | | | |
| | Exposed workload with critical/high severity vulnerability and elevated privileges (EC2 Instance) | High | New | | | | |
| | Exposed storage asset with sensitive data (S3 bucket) | High | New | | | | |
| | Third party with elevated privileges | High | New | | | | |
| | Exposed workload with elevated privileges (ECS Service) | Medium | New | | | | |
| | Exposed workload with elevated privileges (EC2 Instance) | Medium | New | | | | |
| | Exposed workload with elevated privileges (Lambda Function) | Medium | New | | | | |
| | Ensure that Automation account variables are encrypted | Critical | New | | | | |
| | Ensure that AKS local accounts are disabled | Low | New | | | | |
| | Ensure that Data Factory public access is disabled | High | New | | | | |
| | Ensure that VirtualMachines do not have critical vulnerabilities | Critical | New | | | | |
| | Ensure that VirtualMachines do not have high-severity vulnerabilities | High | New | | | | |
| | Exposed workload with critical/high severity vulnerability and elevated privileges (Virtual Machine) | High | New | | | | |
| | Exposed workload with elevated privileges (Virtual Machine) | Medium | New | | | | |
| | Ensure that IAM permissions are not assigned to users | Low | New | | | | |
September 27 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure AppSync has request-level and field-level logging turned on | Low | New | | | | |
| | Ensure that NAT gateway is not associated in a private subnet | Medium | Modification | | | | |
| | Ensure Athena workgroups are encrypted at rest | High | New | | | | |
| | Ensure that AWS CloudTrail does not have delete or full permission | High | New | | | | |
| | Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days) | Low | New | | | | |
| | Ensure that the Amazon VPC peering connection configuration is compliant with the desired routing policy | High | New | | | | |
| | Ensure AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA) | Medium | New | | | | |
| | Ensure infrastructure double encryption is enabled for Data Explorer clusters | Critical | New | | | | |
| | Ensure the 'cloudsql_iam_authentication' flag is enabled for your MySQL and PostgreSQL instances | Medium | New | | | | |
| | Ensure GKE Cloud Monitoring is enabled for your clusters | Medium | New | | | | |
| | Ensure VM instances have secure boot enabled | Low | New | | | | |
| | Ensure your DataProc clusters don't use outdated images | Low | New | | | | |
| | Ensure OCI Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Low | New | | | | |
| D9.AWS.LOG.26 | Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days) | Low | Removal | | | | |
| D9.AWS.NET.124 | Ensure appropriate subscribers to all your AWS Simple Notification Service (SNS) topics | High | Removal | | | | |
| D9.GCP.NET.66 | Ensure that your backend services are enforcing HTTPS | High | Removal | | | | |

The three rules listed here as Removal carry the same name as rules listed as New in this table (the 45-day IAM password rule) or in the September 20 table below (SNS topic subscribers, backend services enforcing HTTPS). Custom rulesets that reference the removed Rule IDs should be reviewed, since the removed ID will no longer evaluate.
September 20 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure the default security group of every VPC restricts all traffic | Critical | Modification | | | | |
| | Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs) | High | Modification | | | | |
| | Ensure AWS RDS retention policy is at least 7 days | Medium | Modification | | | | |
| | Amazon GuardDuty service is enabled in the region | Low | Modification | | | | |
| | Ensure Kubernetes Cluster is created with Client Certificate disabled | High | Modification | | | | |
| | Ensure that Amazon Neptune graph database instances are encrypted | High | New | | | | |
| | Ensure KMS Customer Master Keys (CMK) are in use to have full control over the encryption / decryption process | High | New | | | | |
| | Ensure IAM SSH public keys used for AWS CodeCommit are rotated on a periodic basis to adhere to AWS security best practices (45 days) | Medium | New | | | | |
| | Ensure that envelope encryption of Kubernetes secrets using Amazon KMS is enabled | Critical | New | | | | |
| | Ensure AWS Glue connection has SSL configured | High | New | | | | |
| | Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices | High | New | | | | |
| | Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain | Medium | New | | | | |
| | Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion | Critical | Modification | | | | |
| | Ensure that your AWS root account is not using access keys as a security best practice | Critical | New | | | | |
| | Ensure IAM Roles do not have Administrator Access Permissions | High | New | | | | |
| | Ensure that AWS resources are not publicly accessible through IAM policies | High | New | | | | |
| | Ensure that AWS Lambda IAM policy is not overly permissive to all traffic | High | New | | | | |
| | Ensure that AWS Secrets Manager Secrets are not publicly accessible through IAM policies | High | New | | | | |
| | Ensure AWS IAM User's SSH public key is rotated every 90 days or less | High | New | | | | |
| | Detect when a canary token access key has been used | Critical | New | | | | |
| | Ensure AWS KMS Key is not publicly accessible through IAM policies | High | New | | | | |
| | Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level | Medium | New | | | | |
| | Ensure that at-rest encryption is enabled when writing Amazon Glue logs to CloudWatch Logs | Medium | New | | | | |
| | Ensure AWS S3 Buckets configuration changes are being monitored using CloudWatch alarms | Medium | New | | | | |
| | Ensure AWS Route Tables configuration changes are being monitored using CloudWatch alarms | Medium | New | | | | |
| | Ensure Root Account Usage is being monitored using CloudWatch alarms | High | New | | | | |
| | Ensure AWS Network ACLs configuration changes are being monitored using CloudWatch alarms | Medium | New | | | | |
| | Ensure your AWS Console authentication process is being monitored using CloudWatch alarms | Medium | New | | | | |
| | Ensure AWS CMK configuration changes are being monitored using CloudWatch alarms | Medium | New | | | | |
| | Monitor for AWS Console Sign-In Requests Without MFA | Medium | New | | | | |
| | Ensure ElasticSearch domain Index slow logs are enabled | Low | New | | | | |
| | Ensure ElasticSearch domain Search Slow Logs are enabled | Low | New | | | | |
| | Ensure Amazon Config log files are delivered as expected | Medium | New | | | | |
| | Ensure AWS VPC configuration changes are being monitored using CloudWatch alarms | Medium | New | | | | |
| | Ensure AWS VPC Customer/Internet Gateway configuration changes are being monitored using CloudWatch alarms | High | New | | | | |
| | Ensure there are no empty AWS Auto Scaling Groups (ASGs) | Medium | Modification | | | | |
| | Ensure that each AWS Auto Scaling Group has an associated Elastic Load Balancer | Low | Modification | | | | |
| | Ensure that a data repository bucket is defined for Amazon Macie within each AWS region | Medium | New | | | | |
| | Ensure AWS AppSync attached WAFv2 ACL configured with AMR to mitigate Log4j Vulnerability | High | New | | | | |
| | Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS | High | Modification | | | | |
| | Ensure that AWS EKS security groups are configured to allow incoming traffic only on TCP port 443 | Medium | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP port 1521 | High | New | | | | |
| | Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices | High | New | | | | |
| | Ensure that no Amazon EC2 security group allows unrestricted outbound access | Low | New | | | | |
| | Ensure that Amazon Security Hub findings are analyzed and resolved | High | New | | | | |
| | Ensure that Amazon Macie was run in the last 30 days and its security findings are highlighted, analyzed, and resolved | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP port 5432 | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP port 135 (RPC) | High | New | | | | |
| | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 25 (SMTP) | High | New | | | | |
| | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 23 | High | New | | | | |
| | Ensure AWS IAM SSH public keys are rotated on a periodic basis as a security best practice | Low | New | | | | |
| | Ensure that AWS route tables with VPC peering are not excessively permissive to all traffic | High | New | | | | |
| | Ensure appropriate subscribers to all your AWS Simple Notification Service (SNS) topics | High | New | | | | |
| | Ensure that your AWS SES identities (domains and/or email addresses) are not exposed to everyone | High | New | | | | |
| | Ensure AWS EMR Cluster's Master Security Group does not allow all traffic to port 8088 | High | New | | | | |
| | Ensure no security group allows inbound access on a range of ports | High | New | | | | |
| | Ensure EC2 instances are launched using the EC2-VPC platform instead of the EC2-Classic outdated platform | High | New | | | | |
| | Ensure AWS VPC does not allow unauthorized peering | High | New | | | | |
| | Ensure that the latest version of Redis is used for your AWS ElastiCache clusters | Low | Modification | | | | |
| | Ensure that the latest version of Memcached is used for your AWS ElastiCache clusters | Low | Modification | | | | |
| | Ensure SNS topics do not allow Everyone to publish | Low | New | | | | |
| | Ensure that your Amazon ECS instances are using the latest ECS container agent version | Medium | New | | | | |
| | Ensure AWS Elastic IPs are in use | Informational | New | | | | |
| | Ensure unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices | Low | New | | | | |
| | Ensure that Amazon GuardDuty detectors are configured (non-empty list of GuardDuty detectors) | Low | Modification | | | | |
| | Ensure that Amazon Inspector Findings are analyzed and resolved (EC2) | High | New | | | | |
| | Ensure that Amazon Inspector Findings are analyzed and resolved (ECR) | High | New | | | | |
| | Ensure that Amazon Inspector Findings are analyzed and resolved (Lambda) | High | New | | | | |
| | Ensure there is a sufficient period configured for the SSL certificates auto-renewal | Low | New | | | | |
| | Ensure that Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates | Critical | New | | | | |
| | Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date | High | New | | | | |
| | Ensure that your Azure Key Vault secrets are renewed prior to their expiration date | High | New | | | | |
| | Ensure there is more than one owner assigned to your Microsoft Azure subscription | High | New | | | | |
| | Ensure that Google Cloud backend services enforce HTTPS to handle encrypted web traffic | High | New | | | | |
| | GKE Cluster should have Redundant Zones | High | New | | | | |
| | GKE Clusters with Auto-upgrade Enabled should be Adequately Sized to have at least Three Nodes | High | New | | | | |
| | Users should not be Granted Write Permissions without a Valid Business Justification | High | New | | | | |
| | IAM Policies should Restrict Public Access to GCP Resources | Critical | New | | | | |
| | IAM Users should not have Service Account Privileges | High | New | | | | |
| | Logs related to storage buckets should not be publicly accessible | High | New | | | | |
| | Ensure Compute Engine does not have Permissions to Destroy Data | High | New | | | | |
| | Ensure Compute Engine does not have Write Permissions on Database Management Service | High | New | | | | |
| | Ensure Compute Engine does not have Permissions to Impersonate Service Accounts | High | New | | | | |
| | Ensure Compute Engine does not have Write Permissions on any Deny Policy | High | New | | | | |
| | Google Cloud Kubernetes Engine Clusters should have Logging Enabled | High | New | | | | |
| | Ensure Logging is enabled for your Kubernetes engine clusters | Low | New | | | | |
| | Google Cloud Kubernetes Engine Clusters should have Monitoring Enabled | High | New | | | | |
| | Google Cloud SQL Instances should not be Configured with Overly Permissive Authorized Networks | High | New | | | | |
| | Ensure IP forwarding is disabled for all instance templates | Medium | New | | | | |
| | Ensure that your backend services are enforcing HTTPS | High | New | | | | |
| | Ensure that no VPC firewall rules allow unrestricted outbound access on TCP or UDP | High | New | | | | |
| | Redis instances should use Standard Tier for High Availability | Low | New | | | | |
| | Ensure that ECS data disk is not configured with 'release disk with instance feature' | Low | New | | | | |
| | Ensure that Alibaba Cloud disk automatic snapshot policy is Enabled | Low | New | | | | |
| | Ensure that ActionTrail logging is enabled | Low | Modification | | | | |
| | Ensure OCI Compute Instances have monitoring enabled | Low | New | | | | |
| | Ensure OCI Object Storage buckets are enabled to emit object events | Low | New | | | | |
| | Ensure OCI VCN has inbound security lists | Low | New | | | | |
| | Ensure OCI VCN Security list has no stateful security rules | Low | New | | | | |
| | Ensure Network Security Groups (NSG) have no stateful security rules | Low | New | | | | |
| | Ensure OCI Kubernetes Engine Cluster pod security policy is enforced | Low | New | | | | |
| | Ensure OCI Kubernetes Engine Cluster endpoint is configured with Network Security Groups | Low | New | | | | |
| | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | High | New | | | | |
| D9.AWS.NET.1001 | Default Security Groups - with network policies | Medium | Removal | | | | |
| D9.AWS.CRY.104 | Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs) | High | Removal | | | | |
| D9.AWS.CRY.107 | Ensure RDS instances are encrypted with KMS CMKs in order to have full control over data encryption and decryption | Low | Removal | | | | |
| D9.AWS.CRY.112 | Ensure AWS S3 buckets enforce SSL to secure data in transit | High | Removal | | | | |
| D9.AWS.NET.1009 | Ensure that OpenSearch domains are accessible from a Virtual Private Cloud | Critical | Removal | | | | |
| D9.AWS.OPE.50 | Ensure RDS instances have Multi-AZ enabled | Informational | Removal | | | | |
September 13 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'on' | Medium | Modification | | | | |
| | Ensure that the configuration recorder is set to 'on' and set S3 Bucket and SNS topic as your delivery channel | Low | Modification | | | | |
| | Ensure AWS FSx for Windows File Server file systems data is encrypted using AWS KMS CMKs | High | New | | | | |
| | Ensure that Firehose delivery stream data records are encrypted at destination | Low | New | | | | |
| | Ensure that AWS Neptune instances enforce data-at-rest encryption using KMS CMKs | High | New | | | | |
| | Ensure AWS Database Migration Service endpoints have SSL configured | Low | New | | | | |
| | Ensure IAM User does not have more than one active SSH public key | Medium | New | | | | |
| | Ensure AWS Secrets Manager is in use | Low | New | | | | |
| | IAM policy overly permissive to Lambda service | Critical | New | | | | |
| | Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS root account | High | New | | | | |
| | Ensure RDS instance has IAM authentication enabled | Low | New | | | | |
| | Ensure Additional Controls for External AWS Account Role Mapping and Approval for Cross-Account Access | High | New | | | | |
| | Ensure AWS RDS cluster has IAM authentication enabled | Low | New | | | | |
| | Ensure there is at least one IAM user currently used to access your AWS account | Medium | New | | | | |
| | Mapping and Approval of Roles Accessible by External Federated Accounts | High | New | | | | |
| | Ensure AWS EC2 Instance is Devoid of Data Destruction Permissions for AWS Key Management Service (KMS) | Low | New | | | | |
| | Restrict IamRole Assume Role Policies with Principal, in Order for Enhanced Security | High | New | | | | |
| | Ensure that Lambda functions do not have IAM roles with permissions for destructive actions on Amazon RDS databases | High | New | | | | |
| | Ensure that AWS Lambda function does not have org write access level | High | New | | | | |
| | Ensure that AWS Lambda function does not have IAM write access level | High | New | | | | |
| | Ensure no AWS IAM users have been inactive for a long (specified) period of time | High | New | | | | |
| | Ensure that DNS query logging is enabled for your Amazon Route 53 hosted zones | High | New | | | | |
| | Ensure that your AWS Elasticsearch domains publish slow logs to AWS CloudWatch Logs | Medium | New | | | | |
| | AWS RDS event subscription should be enabled for DB instance | Low | New | | | | |
| | Ensure SNS topics do not allow Everyone to subscribe | High | New | | | | |
| | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 445 (CIFS) | High | New | | | | |
| | Ensure that Amazon ALBs are using the latest predefined security policy for their SSL/TLS negotiation configuration | Low | New | | | | |
| | Ensure that Classic Load Balancers are using one of the latest predefined security policies | Low | New | | | | |
| | Ensure that no security group allows unrestricted inbound access on TCP/UDP port 11211 | High | New | | | | |
| | Ensure that the access to your REST APIs is allowed to trusted IP addresses only | Low | New | | | | |
| | Ensure that no security group allows unrestricted inbound access on TCP port 6379 | High | New | | | | |
| | Ensure ELB listener uses a secure HTTPS or SSL protocol | High | New | | | | |
| | Ensure no security group contains RFC 1918 CIDRs | High | New | | | | |
| | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP and UDP port 53 | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP ports 1433 (MSSQL) and 3306 (MySQL) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP port 9200 | High | New | | | | |
| | Make certain that unrestricted inbound access to TCP ports 20 and 21 is disallowed for all EC2 security groups | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP port 80 (HTTP) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP port 443 (HTTPS) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to ICMP | High | New | | | | |
| | Ensure that AWS Lambda function is not communicating with ports known to mine Monero | Low | New | | | | |
| | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 139 and UDP ports 137, 138 | High | New | | | | |
| | Ensure that your Amazon WorkSpaces instances are healthy | High | Modification | | | | |
| | Ensure Amazon Neptune instances have Auto Minor Version Upgrade feature enabled | Medium | New | | | | |
| | Ensure RDS event subscriptions are enabled for DB security groups | Low | New | | | | |
| | Ensure that AWS Neptune cluster deletion protection is enabled | High | New | | | | |
| | Ensure that RDS cluster delete protection is enabled | Medium | New | | | | |
| | Ensure RDS instances have Multi-AZ enabled | Informational | New | | | | |
| | Ensure that DocumentDB delete protection is enabled | Low | New | | | | |
| | Ensure Amazon Organizations is in use to consolidate all your AWS accounts into an organization | Medium | New | | | | |
| | Ensure CloudFormation service is in use for defining your cloud architectures on Amazon Web Services | Low | New | | | | |
| | Ensure Amazon GuardDuty is enabled to help you protect your AWS accounts and workloads against security threats | Medium | New | | | | |
| | Ensure Azure Container Instance environment variable | Low | New | | | | |
| | Ensure geo-redundant backup is activated for MariaDB | Low | New | | | | |
| | Ensure role assignments that have risky permissions are audited | High | New | | | | |
| | Ensure there are no Microsoft Azure Active Directory guest users if they are not needed | High | New | | | | |
| | Ensure Azure Container registries do not have Public access to All networks enabled | High | New | | | | |
| | Ensure that MariaDB is not publicly accessible | High | New | | | | |
| | Ensure Host-Level Encryption is Enabled for VMSS Instances | Medium | New | | | | |
| | Ensure that Cloud SQL server certificates are rotated (renewed) before their expiration | Low | New | | | | |
| | Ensure that your virtual machine (VM) instance disks are encrypted using Customer-Managed Keys (CMKs) | Low | New | | | | |
| | Ensure there are no publicly accessible KMS cryptographic keys available within your Google Cloud account | Critical | New | | | | |
| | Ensure that the use of Cloud Identity and Access Management (IAM) primitive roles is limited within your Google Cloud projects | Medium | New | | | | |
| | Ensure that your API key usage is restricted to trusted hosts and applications only | High | New | | | | |
| | Ensure that data access audit logs are enabled for all critical service APIs within your GCP project | Low | New | | | | |
| | Ensure Kubernetes Cluster has No Client Certificate Issued | High | New | | | | |
| | Ensure that there is at least one sink configuration that has no inclusion or exclusion filters | High | New | | | | |
| | Ensure that critical service APIs are enabled for your GCP projects | High | New | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3306 | High | New | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1521 | High | New | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 5432 | High | New | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 5900 | High | New | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 25 | High | New | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 7001 | High | New | | | | |
| D9.AWS.CRY.91 | Ensure that node-to-node encryption is enabled for your OpenSearch clusters | High | Removal | | | | |
| D9.AWS.CRY.95 | To adhere to security and compliance standards, it is essential to guarantee that AWS RDS instances are encrypted | Low | Removal | | | | |
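The security-group rules in this table (TCP 445, 11211, 6379, 53, 1433/3306, 9200, 20/21, 80, 443, ICMP, 139 and UDP 137/138) and the September 20 rules above them (TCP 1521, 5432, 135, 25, 23, and "inbound access on a range of ports") all reduce to one evaluation: does any ingress permission pair a sensitive port with a 0.0.0.0/0 or ::/0 source? The check below is an added example in Python, not CloudGuard's own rule logic (CloudGuard rules are written in GSL, which this page does not show). It reads the JSON shape returned by EC2 `DescribeSecurityGroups`; the port table and the sample groups are constructed for the example, and the "range of ports" case shows why a rule that only matches `FromPort == ToPort == 6379` misses a `1000-9999` opening.

```python
"""Flag security groups that allow unrestricted inbound access to sensitive ports.

Added example, not CloudGuard's rule implementation. Input mirrors
ec2.describe_security_groups()["SecurityGroups"]; sample data is constructed.
"""
from __future__ import annotations

# Port -> service label. A constructed subset of the ports named in the rule tables.
SENSITIVE_TCP_PORTS = {
    20: "FTP data", 21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
    135: "RPC", 139: "NetBIOS", 443: "HTTPS", 445: "CIFS", 1433: "MSSQL",
    1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis",
    9200: "Elasticsearch", 11211: "Memcached",
}
SENSITIVE_UDP_PORTS = {53: "DNS", 137: "NetBIOS", 138: "NetBIOS", 11211: "Memcached"}

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _is_unrestricted(perm: dict) -> bool:
    """True if any source CIDR on the permission is the whole IPv4 or IPv6 space."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def _exposed_ports(perm: dict) -> list[tuple[str, int, str]]:
    """Return (protocol, port, label) for each sensitive port this permission opens.

    Handles the three shapes EC2 uses: IpProtocol "-1" (all traffic, no ports),
    a single port (FromPort == ToPort), and a range (FromPort..ToPort), which is
    how an "allow 1000-9999" rule silently exposes Redis, MySQL and friends.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return [("tcp", p, l) for p, l in SENSITIVE_TCP_PORTS.items()] + \
               [("udp", p, l) for p, l in SENSITIVE_UDP_PORTS.items()]
    if proto == "icmp":
        return [("icmp", -1, "ICMP")]
    table = SENSITIVE_TCP_PORTS if proto == "tcp" else SENSITIVE_UDP_PORTS if proto == "udp" else {}
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [(proto, p, l) for p, l in table.items() if lo <= p <= hi]


def find_open_ports(security_groups: list[dict]) -> list[dict]:
    """Evaluate every ingress permission and return one finding per exposed port."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _is_unrestricted(perm):
                continue
            for proto, port, label in _exposed_ports(perm):
                findings.append({
                    "GroupId": sg["GroupId"], "Protocol": proto,
                    "Port": port, "Service": label,
                    "Range": f'{perm.get("FromPort", "all")}-{perm.get("ToPort", "all")}',
                })
    return findings


# Constructed sample: one single open port, one wide range, one all-traffic
# permission open to IPv6 only, and one correctly scoped group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-redis", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1000, "ToPort": 9999,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-allv6", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-scoped", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in find_open_ports(SAMPLE_GROUPS):
        print(f'{f["GroupId"]}: {f["Protocol"]}/{f["Port"]} ({f["Service"]}) open via {f["Range"]}')
```

On the sample data `sg-scoped` produces nothing, `sg-redis` one finding, `sg-range` six (every sensitive TCP port between 1000 and 9999), and `sg-allv6` one per watched port, which is the case an IPv4-only check misses entirely.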
September 06 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that the default VPC network is not being used within your GCP projects | Medium | Modification | | | | |
| | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | High | Modification | | | | |
| | Ensure that encryption at rest is enabled for Amazon Glue job bookmarks | High | New | | | | |
| | Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements | Critical | New | | | | |
| | Ensure that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using Customer-managed Customer Master Keys | High | New | | | | |
| | Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs) | High | New | | | | |
| | Ensure EBS volumes are encrypted with CMKs to have full control over encrypting and decrypting data | Critical | New | | | | |
| | Ensure unused IAM users are removed from AWS account to follow security best practice | Medium | New | | | | |
| | Ensure RDS instances are encrypted with KMS CMKs in order to have full control over data encryption and decryption | Low | New | | | | |
| | Ensure that stage-level cache encryption is enabled for your Amazon API Gateway APIs | High | New | | | | |
| | Ensure rotation for customer created CMKs is enabled | High | New | | | | |
| | Ensure AWS S3 buckets enforce SSL to secure data in transit | High | New | | | | |
| | Ensure that Amazon Aurora MySQL database clusters have backtracking enabled | Informational | New | | | | |
| | Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery | High | New | | | | |
| | Ensure on-demand backup and restore functionality is in use for AWS DynamoDB tables | High | New | | | | |
| | Ensure IAM User is Restrained from Wildcard Access to All Resources | Low | New | | | | |
| | Ensure AWS EC2 Instance Lacks IAM Write Access Level | Medium | New | | | | |
| | Ensure IAM policy does not allow privilege escalation via Codestar create project and associate team member permissions | Medium | New | | | | |
| | Ensure AWS IAM policy does not allow privilege escalation via EC2 Instance Connect permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents privilege escalation via EC2 and SSM permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via EC2 describe and SSM session permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via Glue Dev Endpoint permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole & CodeBuild permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole & CreateProject permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole & Data Pipeline permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole & EC2 permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole & Glue create job permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole & Glue development endpoint permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole & Glue update job permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole & Lambda create and invoke function permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole, Lambda create function, and event source mapping permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole, Lambda create function, and add permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole & SageMaker create notebook permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole & SageMaker create processing job permissions | Medium | New | | | | |
| | Ensure AWS IAM policy prevents escalation via PassRole & SageMaker create training job permissions | Medium | New | | | | |
| | Ensure there are no Lambda functions with admin privileges within your AWS account | High | New | | | | |
| | Ensure AWS IAM policies are attached to groups instead of users as an IAM best practice | Low | New | | | | |
| | Ensure that root account credentials have not been used recently to access your AWS account | High | New | | | | |
| | Ensure CloudTrail is capturing management events | Low | New | | | | |
| | Ensure AWS ACM Certificates Have Valid Logging and Status | Low | New | | | | |
| | Enable user activity logging for your Amazon Redshift clusters to track who has accessed your clusters and what activities they have performed | Low | New | | | | |
| | Ensure that AWS CloudWatch logging is enabled for Amazon Transfer for SFTP user activity | Low | New | | | | |
| | Ensure that detailed CloudWatch metrics are enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly | Low | New | | | | |
| | Ensure that Amazon MQ brokers are using the network of brokers configuration | High | New | | | | |
| | Ensure AWS Redshift non-default parameter groups require SSL to secure data in transit | Critical | New | | | | |
| | Ensure that EKS cluster's Kubernetes API endpoints are not publicly accessible | Critical | New | | | | |
| | Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts | Critical | New | | | | |
| | Ensure that Amazon Transfer for SFTP servers are using AWS PrivateLink for their endpoints | High | New | | | | |
| | Ensure that Drop Invalid Header Fields feature is enabled for your Application Load Balancers to remove non-standard headers | High | New | | | | |
| | Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS | High | New | | | | |
| | Ensure EKS cluster version is up to date | Informational | Modification | | | | |
| | Ensure RDS event subscriptions are enabled for instance level events | Low | New | | | | |
| | Ensure there is a Dead Letter Queue configured for each Lambda function available in your AWS account | Low | New | | | | |
| | Ensure that REST APIs created with Amazon API Gateway have response caching enabled | Low | New | | | | |
| | Ensure EC2 instances are not too old | Medium | New | | | | |
| | Ensure ElastiCache clusters are using the latest generation of nodes for cost and performance improvements | Medium | New | | | | |
| | Ensure that AWS S3 buckets utilize lifecycle configurations to manage S3 objects during their lifetime | Low | New | | | | |
| | Ensure that your Amazon WorkSpaces instances are healthy | High | New | | | | |
| | Ensure all Elastic Network Interfaces are in use | Low | New | | | | |
| | Ensure EC2 Instances are Protected against Termination Actions | High | New | | | | |
| | Ensure no Azure Data Explorer cluster is configured without disk encryption | Low | New | | | | |
| | Ensure Azure Function App uses HTTP 2.0 | High | New | | | | |
| | Ensure Service Fabric cluster is configured with cluster protection level security | Low | New | | | | |
| | Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification | High | Modification | | | | |
| | Ensure that Azure Recovery Services vault is configured with managed identity | Low | New | | | | |
| | Ensure that a resource locking administrator role is available for each Azure subscription | High | New | | | | |
| | Ensure that an activity log alert is created for Delete PostgreSQL Database events | High | Modification | | | | |
| | Ensure that the health of your Microsoft Azure scale set instances is being monitored | Low | New | | | | |
| | Ensure that an activity log alert is created for Delete MySQL Database events | Low | New | | | | |
| | Ensure that an activity log alert is created for Create/Update PostgreSQL Database events | Low | New | | | | |
| | Ensure that an activity log alert is created for Create/Update MySQL Database events | Low | New | | | | |
| | Ensure that an activity log alert is created for Update Key Vault (Microsoft.KeyVault/vaults) events | Low | New | | | | |
| | Ensure that an activity log alert exists for Power Off Virtual Machine events | Low | New | | | | |
| | Ensure that an activity log alert exists for Delete Virtual Machine events | Low | New | | | | |
| | Ensure that an activity log alert exists for Delete Storage Account events | Low | New | | | | |
| | Ensure there is an Azure activity log alert created for Delete Load Balancer events | Low | New | | | | |
| | Ensure there is an activity log alert created for the Delete Key Vault events | Low | New | | | | |
| | Ensure that an activity log alert is created for Delete Azure SQL Database (Microsoft.Sql/servers/databases) events | Low | New | | | | |
| | Ensure that an activity log alert is created for the Deallocate Virtual Machine (Microsoft.Compute/virtualMachines) events | Low | New | | | | |
| | Ensure there is an activity log alert created for the Create/Update Storage Account events | Low | New | | | | |
| | Ensure that an activity log alert is created for Create/Update Azure SQL Database events | Low | New | | | | |
| | Ensure that an activity log alert is created for Create or Update Virtual Machine (Microsoft.Compute/virtualMachines) events | Low | New | | | | |
| | Ensure that an activity log alert is created for Rename Azure SQL Database events | Low | New | | | | |
| | Ensure that Microsoft Defender for Cloud plans are subscribed for all resources | High | New | | | | |
| |
Ensure that Azure Postgre SQL Flexible Server access is limited and not allowed overly permissive | Medium | Modification |
|
|
|
| |
Identify and remove empty virtual machine scale sets from your Azure cloud account | Low | New | Â | Â | Â |
| |
Ensure Azure Application Gateway Web application firewall (WAF) policy rule for Remote Command Execution is enabled | Low | New | Â | Â | Â |
| |
Ensure Azure Virtual Machine (Windows) secure boot feature is Enabled | Low | New | Â | Â | Â |
| |
Ensure Azure Virtual Machine vTPM feature is enabled | Low | New | Â | Â | Â |
| |
Ensure Azure Front Door Web application firewall (WAF) policy rule for Remote Command Execution is enabled | Low | New | Â | Â | Â |
| |
Ensure Azure Front Door Web application firewall (WAF) is enabled | High | New | Â | Â | Â |
| |
Ensure that FTP-Control (TCP:21) is restricted from the Internet | Critical | New | Â | Â | Â |
| |
Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution | Medium | New | Â | Â | Â |
| |
Ensure that Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets | High | New | Â | Â | Â |
| |
Ensure that MySQL database servers are using the latest major version of MySQL database | Low | New | Â | Â | Â |
| |
Ensure that your production Google Cloud virtual machine instances are not preemptible | Low | New | Â | Â | Â |
| |
SSL Policy Profile should be Restricted for HTTPS Load Balancer | High | New | Â | Â | Â |
| |
TLS Version should be v1.2 or Later for SSL Policy on HTTPS Load Balancer | High | New | Â | Â | Â |
| |
Default SSL Policy should be Replaced by a Stricter Policy for HTTPS Load Balancer Target Proxy | High | New | Â | Â | Â |
| |
SQL Instances should have Valid SSL Configurations | High | New | Â | Â | Â |
| |
Ensure that logging is enabled for your Virtual Private Cloud (VPC) firewall rules | Low | New | Â | Â | Â |
| |
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database) | Critical | Modification |
|
|
|
| |
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server) | Critical | Modification |
|
|
|
| |
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server) | Critical | Modification |
|
|
|
| |
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP or UDP on port 53 (DNS) | High | Modification |
|
|
|
| |
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP) | High | Modification |
|
|
|
| |
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP) | High | Modification |
|
|
|
| |
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH) | High | Modification |
|
|
|
| |
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database) | High | Modification |
|
|
|
| |
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 135 (Remote Procedure Call) | High | New | Â | Â | Â |
| |
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP ports 20 or 21 (File Transfer Protocol FTP) | High | New | Â | Â | Â |
| |
Ensure that no VPC firewall rules allow unrestricted inbound access using Internet Control Message Protocol (ICMP) | High | New | Â | Â | Â |
| |
HTTPS Load Balancer should have QUIC Enabled | Low | New | Â | Â | Â |
| |
Ensure VM instance has custom metadata | Low | New | Â | Â | Â |
| |
Ensure that ECS data disk is configured with delete automatic snapshots feature | Low | New | Â | Â | Â |
| |
Ensure RAM password policy won't allow login after the password expires | Low | New | Â | Â | Â |
| |
Ensure ECS Instances release protection is enabled | Low | New | Â | Â | Â |
| |
Ensure SLB delete protection is enabled | Low | New | Â | Â | Â |
| |
Ensure no network security groups allow ingress from 0.0.0.0/0 to port 53 | High | New | Â | Â | Â |
| |
Ensure no network security groups allow ingress from 0.0.0.0/0 to port 2483 | High | New | Â | Â | Â |
| |
Ensure no network security groups allow ingress from 0.0.0.0/0 to port 27017 | High | New | Â | Â | Â |
| |
Ensure no network security groups allow ingress from 0.0.0.0/0 to port 6379 | High | New | Â | Â | Â |
| |
Ensure no network security groups allow ingress from 0.0.0.0/0 to port 80 | High | New | Â | Â | Â |
| |
Ensure no network security groups allow ingress from 0.0.0.0/0 to port 20 | High | New | Â | Â | Â |
| |
Ensure no network security groups allow ingress from 0.0.0.0/0 to port 21 | High | New | Â | Â | Â |
| |
Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1434 | High | New | Â | Â | Â |
| |
Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1433 | High | New | Â | Â | Â |
|
August 30 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that admin user is disabled for Container Registry | Low | New | | | | |
| | Ensure Container Registry has locks | Low | New | | | | |
| | Enable role-based access control (RBAC) within Azure Kubernetes Services | Low | New | | | | |
| | Ensure Auto Scaling group have scaling cooldown higher than a minute | Low | Modification | | | | |
| | Ensure that node-to-node encryption is enabled for your OpenSearch clusters | High | New | | | | |
| | Ensure that at-rest encryption is enabled when writing AWS Glue data to Amazon S3 | Low | New | | | | |
| | Ensure that ECR Registry-level configuration is enabled for image scanning | High | New | | | | |
| | Ensure that your OpenSearch domains are encrypted using KMS Customer Master Keys | Low | New | | | | |
| | To adhere to security and compliance standards, it is essential to guarantee that AWS RDS instances are encrypted | Low | New | | | | |
| | Ensure ElastiCache AUTH feature enabled | Low | New | | | | |
| | Ensure that in-transit encryption is enabled for your Amazon OpenSearch domains | Critical | New | | | | |
| | Ensure Amazon Certificate Manager (ACM) certificates are renewed before their expiration (7 Days) | High | New | | | | |
| | Ensure Amazon Certificate Manager (ACM) certificates are renewed before their expiration (45 Days) | Low | New | | | | |
| | Ensure that Amazon Glue Data Catalog objects and connection passwords are encrypted | High | New | | | | |
| | Ensure high availability for your OpenSearch clusters by enabling the Zone Awareness feature | Low | New | | | | |
| | Ensure that OpenSearch clusters are using dedicated master nodes to increase the production environment stability | Low | New | | | | |
| | Ensure AWS RDS instances have Automated Backups feature enabled | High | New | | | | |
| | Follow proper naming conventions for Virtual Private Clouds | Low | New | | | | |
| | Ensure IAM User Write Access is Prohibited | Low | New | | | | |
| | Ensure IAM User Organization Write Access is Prohibited | High | New | | | | |
| | Ensure AWS EC2 Instance is Devoid of Data Destruction Permissions | High | New | | | | |
| | Ensure AWS EC2 Instance is Devoid of Database Management Write Access Permissions | Low | New | | | | |
| | Ensure EC2 Instances do not have S3 Access | Low | New | | | | |
| | Ensure AWS EC2 instance does not have the permission to create a new Group with an attached policy | High | New | | | | |
| | Ensure CloudTrail trails are configured to log Data events | Low | New | | | | |
| | Ensure alert notifications for important events within your Amazon Elastic Beanstalk environment | Low | New | | | | |
| | Ensure that access logging is enabled for your Elastic Beanstalk environment load balancer | Medium | New | | | | |
| | Ensure persistent logs are enabled for your Amazon Elastic Beanstalk environments | High | New | | | | |
| | Ensure AWS RDS utilizes secure and unique master usernames for database security | High | New | | | | |
| | Ensure that CloudTrail trails record API calls for global services such as IAM, STS, and CloudFront | Medium | New | | | | |
| | Check for any AMIs older than 180 days available within your AWS account | Low | New | | | | |
| | Ensure there are no empty AWS Auto Scaling Groups (ASGs) | Medium | New | | | | |
| | Ensure that each AWS Auto Scaling Group has an associated Elastic Load Balancer | Low | New | | | | |
| | Ensure Amazon CloudTrail trail log files are delivered as expected | Low | New | | | | |
| | Ensure that X-Ray tracing is enabled for your Amazon Elastic Beanstalk environments | Low | New | | | | |
| | Ensure Enhanced Health Reporting is enabled for your AWS Elastic Beanstalk environments | Low | New | | | | |
| | Ensure your AWS CloudFormation stacks are integrated with Simple Notification Service (SNS) | Medium | New | | | | |
| | Ensure unused Virtual Private Gateways are removed | Critical | New | | | | |
| | Ensure that only approved IP addresses can access your Amazon OpenSearch domains | Critical | New | | | | |
| | Ensure Amazon Redshift clusters are launched within a Virtual Private Cloud | Informational | New | | | | |
| | Ensure that OpenSearch domains are accessible from a Virtual Private Cloud | Critical | New | | | | |
| | Enforce HTTPS for Amazon Elastic Beanstalk environment load balancers | High | New | | | | |
| | Ensure that your CloudFront distributions are using an origin access identity for their origin S3 buckets | High | New | | | | |
| | Instance should not have a public IP address | High | New | | | | |
| | Ensure that security groups are using proper naming conventions. | Low | New | | | | |
| | Ensure enhanced monitoring is enabled for your AWS Kinesis streams using shard-level metrics | High | New | | | | |
| | Ensure Amazon Auto Scaling Groups have cooldown periods enabled | High | New | | | | |
| | Ensure that your OpenSearch domains are using the latest version of the TLS security policy | Low | New | | | | |
| | Verify that Redshift clusters are utilizing the most up-to-date node generations to enhance performance | Low | New | | | | |
| | Ensure managed platform updates are enabled for your AWS Elastic Beanstalk environments | Low | New | | | | |
| | Ensure that AWS Cloudfront web distributions are configured to compress objects (files) automatically | Low | New | | | | |
| | Ensure that the latest version of OpenSearch engine is used for your OpenSearch domains | Low | New | | | | |
| | Ensure that a network policy is in place to secure traffic between pods | Low | New | | | | |
| | Ensure that Azure CNI Networking is enabled | Low | New | | | | |
| | Ensure 'Enforce SSL connection' is set to 'Enabled' for Azure MariaDB database Server | High | New | | | | |
| | Ensure Azure AKS cluster HTTP application routing is disabled | Low | New | | | | |
| | Ensure no Azure AKS cluster is configured without disk encryption | Low | New | | | | |
| | Ensure Azure MySQL Database Server is using a secure TLS version | High | New | | | | |
| | Ensure that no Azure user, group or application has full permissions to access and manage Key Vaults | High | New | | | | |
| | Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification | High | New | | | | |
| | Configure your Microsoft Azure virtual machines to use Azure Active Directory credentials for secure authentication. | Critical | New | | | | |
| | Ensure that Diagnostic Logs are enabled for the supported Azure cloud resources | High | New | | | | |
| | Ensure Azure AKS cluster monitoring is enabled | Low | New | | | | |
| | Ensure that a security contact phone number is provided in the Microsoft Defender for Cloud settings | Low | New | | | | |
| | Ensure that default network access rule is set to 'Deny' within your Azure Key Vaults configuration | High | New | | | | |
| | Ensure that Private Endpoints are Used for Azure MariaDb database Server | Medium | New | | | | |
| | Ensure that Azure Storage account access is limited only to specific IP addresses | Low | New | | | | |
| | Ensure that MariaDB database servers are using the latest version of the TLS protocol | Critical | New | | | | |
| | Ensure Azure Database for MySQL server is configured with private endpoint | Medium | New | | | | |
| | Ensure PostgreSQL database server is not allowed public network access | High | New | | | | |
| | Ensure that Private Endpoints are Used for Azure PostgreSQL database Server | Medium | New | | | | |
| | Ensure that Azure Postgre SQL Flexible Server access is limited and not allowed overly permissive | Low | New | | | | |
| | Ensure that your Cluster Pool contains at least 3 Nodes | Low | New | | | | |
| | Ensure to not use the deprecated Classic registry | Low | New | | | | |
| | Ensure that PostgreSQL database instances have the appropriate configuration set for the 'max_connections' flag | Low | New | | | | |
| | Ensure that automatic storage increase is enabled for your Cloud SQL database instances | High | New | | | | |
| | Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database | Low | New | | | | |
| | Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances | High | New | | | | |
| | Ensure that production SQL database instances are configured to automatically fail over to another zone within the selected cloud region | Critical | New | | | | |
| | Ensure Compute Engine does not have predefined Admin roles | Critical | New | | | | |
| | Ensure Compute Engine does not have IAM Write access level | High | New | | | | |
| | Ensure that logging is enabled for Google Cloud load balancing backend services | Low | New | | | | |
| | Ensure that MySQL database instances have the 'slow_query_log' flag set to On (enabled) | Low | New | | | | |
| | Ensure storage bucket does not send logs to itself | Low | New | | | | |
| | Ensure Firewall default rules are not overly permissive | High | New | | | | |
| | Ensure Firewall rule does not allow all traffic on port 21 - FTP | High | New | | | | |
| | Ensure Firewall rule does not allow all traffic on port 80 - HTTP | High | New | | | | |
| | Ensure Firewall rule does not allow all traffic on port 445 - Microsoft-DS | Critical | New | | | | |
| | Ensure Firewall rule does not allow all traffic on port 27017 - MongoDB | High | New | | | | |
| | Ensure Firewall rule does not allow all traffic on port 139 - NetBIOS-SSN | High | New | | | | |
| | Ensure Firewall rule does not allow all traffic on port 1521 - Oracle DB | High | New | | | | |
| | Ensure Firewall rule does not allow all traffic on port 110 - POP3 | High | New | | | | |
| | Ensure Firewall rule does not allow all traffic on port 23 - Telnet | High | New | | | | |
| | Ensure Firewall rule does not expose GKE clusters by allowing all traffic on port 10250 | High | New | | | | |
| | Ensure Firewall rule does not expose GKE clusters by allowing all traffic on port 10255 | High | New | | | | |
| | Ensure no inbound rule exists that is overly permissive to allow all traffic from Internet | High | New | | | | |
| | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database) | Critical | New | | | | |
| | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server) | Critical | New | | | | |
| | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server) | Critical | New | | | | |
| | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP or UDP on port 53 (DNS) | High | New | | | | |
| | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP) | High | New | | | | |
| | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP) | High | New | | | | |
| | Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH) | High | New | | | | |
| | Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database) | High | New | | | | |
| | Ensure that automatic restart is enabled for your Google Cloud virtual machine (VM) instances | High | New | | | | |
| | Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances | High | New | | | | |
| | Ensure that 'On Host Maintenance' configuration setting is set to 'Migrate' for all VM instances | High | New | | | | |
| | Ensure that ActionTrail logging is enabled | Low | New | | | | |
| | Ensure IAM password policy require at least one lowercase letter | Low | New | | | | |
| | Ensure IAM password policy require at least one uppercase letter | Low | New | | | | |
| D9.AZU.AKS.01 | Ensure that admin user is disabled for Container Registry | Low | Removal | | | | |
| D9.AZU.AKS.02 | Ensure Container Registry has locks | Low | Removal | | | | |
| D9.AZU.AKS.08 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Low | Removal | | | | |
| D9.AZU.AKS.05 | Ensure that a network policy is in place to secure traffic between pods | Low | Removal | | | | |
| D9.AZU.AKS.06 | Ensure that Azure CNI Networking is enabled | Low | Removal | | | | |
| D9.AZU.AKS.07 | Ensure that your Cluster Pool contains at least 3 Nodes | Low | Removal | | | | |
| D9.AZU.AKS.09 | Ensure to not use the deprecated Classic registry | Low | Removal | | | | |

August 23 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that all authorization Type in API Gateway are not set to None | High | Modification | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 - SSH | High | Modification | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 - RDP | High | Modification | | | | |
| | Identify and remove any unused AWS DynamoDB tables to optimize AWS costs | High | New | | | | |
| | Ensure that Amazon DocumentDB clusters data is encrypted at rest | High | New | | | | |
| | Ensure API Gateway endpoints has client certificate authentication | Low | New | | | | |
| | Ensure that Amazon DocumentDB clusters are encrypted with KMS Customer Master Keys (CMKs) | High | New | | | | |
| | Ensure AWS SES identities (email addresses and/or domains) are verified | Low | New | | | | |
| | Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion | Critical | New | | | | |
| | Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled | Informational | New | | | | |
| | Ensure that Deletion Protection feature is enabled for your Aurora database clusters (provisioned and serverless) | Medium | New | | | | |
| | Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs | High | New | | | | |
| | Ensure AWS DocumentDB clusters have a sufficient backup retention period set for compliance purposes | Low | New | | | | |
| | Ensure IAM Database Authentication feature is enabled for Amazon Neptune clusters | High | New | | | | |
| | Ensure that Amazon Lambda functions are referencing active execution roles | Low | New | | | | |
| | Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days) | Low | New | | | | |
| | Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days) | Low | New | | | | |
| | Ensure CloudTrail Logging is Enabled | Low | New | | | | |
| | Ensure DKIM signing is enabled in AWS SES to protect email senders and receivers against phishing. | Low | New | | | | |
| | Enable AWS DocumentDB Log Exports | Low | New | | | | |
| | Verify that there are no Amazon RDS database instances currently operational within the public subnets of our AWS Virtual Private Cloud (VPC). | Low | New | | | | |
| | Ensure that your Amazon Lambda functions have access to VPC-only resources. | Low | New | | | | |
| | Ensure Amazon MQ brokers are not publicly accessible and prone to security risks | High | New | | | | |
| | Ensure AppSync has WAF | Low | New | | | | |
| | Ensure IMDS Response Hop Limit is Set to One | Low | New | | | | |
| | Make certain your AWS MQ brokers are running on the most up-to-date version of the Apache ActiveMQ engine. | Low | New | | | | |
| | Ensure that the latest version of Redis is used for your AWS ElastiCache clusters | Low | New | | | | |
| | Ensure that the latest version of Memcached is used for your AWS ElastiCache clusters | Low | New | | | | |
| | Ensure Aurora PostgreSQL is not exposed to local file read vulnerability | Critical | New | | | | |
| | Ensure that an activity log alert is created for Delete PostgreSQL Database events | High | New | | | | |
| | Ensure that HTTP protocol (TCP:80) is restricted from the Internet | High | New | | | | |
| | Ensure that HTTPS protocol (TCP:443) is restricted from the Internet | High | New | | | | |
| | Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database | High | New | | | | |
| | Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol | Critical | New | | | | |
| | Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances | Low | New | | | | |
| | Ensure that SQL Server database instances have the appropriate configuration set for the 'user connections' flag | High | New | | | | |
| | Ensure GCP IAM user does not have permissions to deploy all resources | High | New | | | | |
| | Ensure Google Cloud Function is configured with a VPC connector | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 53 - DNS | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 2483 - unencrypted Oracle DB | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 27017 - unencrypted Mongo DB | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 6379 - unencrypted Redis | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 80 - HTTP | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 20 - FTP-Data | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 21 - FTP | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 1434 - MSSQL Admin | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 1433 - MSSQL Server | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3306 - MySQL | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 1521 - unencrypted Oracle DB | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 5432 - Postgres SQL | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 5900 - VNC Server | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 25 - SMTP | High | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 7001 - Cassandra | High | New | | | | |

August 16 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that the --service-account-key-file argument is set as appropriate (API Server) (Openshift) | Low | Modification | | | | |
| | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server) (Openshift) | High | Modification | | | | |
| | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server) (Openshift) | High | Modification | | | | |
| | Ensure that the --encryption-provider-config argument is set as appropriate (API Server) (Openshift) | High | Modification | | | | |
| | Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server) (Openshift) | High | Modification | | | | |
| | Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) (Openshift) | Low | Modification | | | | |
| | Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) (Openshift) | Low | Modification | | | | |
| | Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) (Openshift) | Informational | Modification | | | | |
| | Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) (Openshift) | High | Modification | | | | |
| | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) (Openshift) | Medium | Modification | | | | |
| | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet) (Openshift) | High | Modification | | | | |
| | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (API server) (Openshift) | High | Modification | | | | |
| | Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) (Openshift) | High | Modification | | | | |
| | Ensure that the admission control plugin SecurityContextDeny is not set (API Server) (Openshift) | High | Modification | | | | |
| | Ensure that the admission control plugin SecurityContextConstraint is set (API Server) (Openshift) | High | Modification | | | | |
| | Ensure that the admission control plugin SecurityContextConstraint is set (SCC restricted) (Openshift) | High | Modification | | | | |
| | Minimize the admission of containers wishing to share the host process ID namespace (SCC) (Openshift) | High | Modification | | | | |
| | Minimize the admission of containers wishing to share the host IPC namespace (SCC) (Openshift) | High | Modification | | | | |
| | Minimize the admission of containers wishing to share the host network namespace (SCC) (Openshift) | Low | Modification | | | | |
| | Minimize the admission of containers with the NET_RAW capability (SCC) (Openshift) | High | Modification | | | | |
| | Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate (API Server) (Openshift) | Low | Modification | | | | |
| | Ensure that the maximumFileSizeMegabytes argument is set to 100 or as appropriate (API Server) (Openshift) | Low | Modification | | | | |
| | Verify that the scheduler API service is protected by authentication and authorization (Scheduler) (Openshift) | High | Modification | | | | |
| | Ensure that your Amazon MQ brokers are using the active/standby deployment mode | Low | New | | | | |
| | Ensure AWS MQ brokers have the Auto Minor Version Upgrade feature enabled | Low | New | | | | |
| | Ensure Amazon ElastiCache Redis clusters have the Multi-AZ feature enabled | Low | New | | | | |
| | Ensure AWS Neptune clusters have a sufficient backup retention period set | High | New | | | | |
| | Ensure CloudFront origins don't use insecure SSL protocols | High | New | | | | |
| | Ensure that Oracle Database (TCP:1521) is restricted from the Internet | High | New | | | | |
| | Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019 | High | New | | | | |
| | Ensure that the healthz endpoints for the scheduler are protected by RBAC (OpenShift) | High | New | | | | |
| | Verify that the scheduler API service is protected by RBAC (OpenShift) | High | New | | | | |
| | Use https for kubelet connections (OpenShift) | Critical | New | | | | |
| | Ensure that the kubelet uses certificates to authenticate (OpenShift) | Critical | New | | | | |
| | Ensure that the --request-timeout argument is set (OpenShift) | High | New | | | | |
| | Ensure that the API Server only makes use of Strong Cryptographic Ciphers (OpenShift) | Critical | New | | | | |
| | Ensure that encryption providers are appropriately configured (OpenShift) | High | New | | | | |
| | Ensure unsupported configuration overrides are not used (OpenShift) | Critical | New | | | | |
| | Ensure that the admission control plugin SecurityContextConstraint is set (SCC)(Openshift) | High | New | | | | |
| | Ensure that a minimal audit policy is created | High | New | | | | |
| | Ensure that the --insecure-port argument is set to 0 (OpenShift) | Critical | New | | | | |
| | Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager)(OpenShift) | Critical | New | | | | |
| | Limit binding of Anonymous User | Critical | New | | | | |

August 09 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account | Critical | Modification | | | | |
| | Ensure that S3 Bucket policy doesn't have excessive permissions (Allowing all actions) | High | Modification | | | | |
| | Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP port | Medium | Modification | | | | |
| | Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP port | Medium | Modification | | | | |
| | Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP DB port | High | Modification | | | | |
| | Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP DB port | High | Modification | | | | |
| | Ensure no Lambda allows ingress from 0.0.0.0/0 to remote server administration ports | High | Modification | | | | |
| | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | High | Modification | | | | |
| | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | High | Modification | | | | |
| D9.AWS.IAM.19 | Ensure hardware MFA is enabled for the 'root' user account | Critical | Removal | | | | |

August 02 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | High | Modification | | | | |
| | Ensure Oslogin Is Enabled for a Project | Medium | Modification | | | | |
| | Ensure that Corporate Login Credentials are Used | High | Modification | | | | |
| | Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account | High | Modification | | | | |
| | Ensure That Service Account Has No Admin Privileges | High | Modification | | | | |
| | Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible | Critical | Modification | | | | |
| | Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance | High | Modification | | | | |
| | Ensure That the Default Network Does Not Exist in a Project | Medium | Modification | | | | |
| | Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances | High | Modification | | | | |
| | Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL | High | Modification | | | | |
| | Ensure Compute Instances Are Launched With Shielded VM Enabled | High | Modification | | | | |
| | Ensure That Compute Instances Have Confidential Computing Enabled | High | Modification | | | | |
| | Ensure That Compute Instances Do Not Have Public IP Addresses | High | Modification | | | | |
| | Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible | High | Modification | | | | |
| | Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets | High | Modification | | | | |
| | Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | High | Modification | | | | |
| | Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | High | Modification | | | | |
| | Ensure That Cloud SQL Database Instances Are Configured With Automated Backups | Low | Modification | | | | |
| | Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | High | Modification | | | | |
| | Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | High | Modification | | | | |
| | Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | High | Modification | | | | |
| | Ensure That Instances Are Not Configured To Use the Default Service Account | High | Modification | | | | |
| | Ensure API Keys Are Rotated Every 90 Days | High | Modification | | | | |
| | Ensure API Keys Are Restricted to Only APIs That Application Needs Access | High | Modification | | | | |
| | Ensure API Keys Only Exist for Active Services | High | Modification | | | | |
| | Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | High | Modification | | | | |
| | Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | High | Modification | | | | |
| | Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled | Low | Modification | | | | |
| | Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible | High | Modification | | | | |
| | Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | Low | Modification | | | | |
| | Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled) | Low | Modification | | | | |
| | Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | Low | Modification | | | | |
| | Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately | Low | Modification | | | | |
| | Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | Low | Modification | | | | |
| | Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' | Low | Modification | | | | |
| | Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter | Low | Modification | | | | |
| | Ensure That Cloud Audit Logging Is Configured Properly | Low | Modification | | | | |
| | Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes | Low | Modification | | | | |
| | Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes | Low | Modification | | | | |
| | Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes | Low | Modification | | | | |
| | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes | Low | Modification | | | | |
| | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes | Low | Modification | | | | |
| | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes | Low | Modification | | | | |
| | Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | Low | Modification | | | | |
| | Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes | Low | Modification | | | | |
| | Ensure That Cloud DNS Logging Is Enabled for All VPC Networks | Low | Modification | | | | |
| | Ensure That Sinks Are Configured for All Log Entries | Low | Modification | | | | |
| | Ensure That IP Forwarding Is Not Enabled on Instances | High | Modification | | | | |
| | Ensure That SSH Access Is Restricted From the Internet | High | Modification | | | | |
| | Ensure That RDP Access Is Restricted From the Internet | High | Modification | | | | |
| | Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | Medium | Modification | | | | |
| | Ensure That Cloud SQL Database Instances Do Not Have Public IPs | High | Modification | | | | |
| | Ensure That DNSSEC Is Enabled for Cloud DNS | High | Modification | | | | |
| | Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | High | Modification | | | | |
| | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | High | Modification | | | | |
| | Ensure No HTTPS Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites | High | Modification | | | | |
| | Ensure Legacy Networks Do Not Exist for Older Projects | High | Modification | | | | |
| | Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' | Medium | Modification | | | | |
| | Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' | Medium | Modification | | | | |
| | Ensure that 'Virtual Machine's disk' are encrypted | High | Modification | | | | |
| | Ensure server-side encryption is set to 'Encrypt with BYOK' | High | Modification | | | | |
| | Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key) | High | Modification | | | | |
| | Ensure that 'TDE' is set to 'Enabled' on for applicable database instance | High | Modification | | | | |
| | Ensure no root account access key exists | High | Modification | | | | |
| | Ensure users not logged on for 90 days or longer are disabled for console logon | High | Modification | | | | |
| | Ensure RAM policies that allow full '*:*' administrative privileges are not created | High | Modification | | | | |
| | Ensure RAM password policy prevents password reuse | High | Modification | | | | |
| | Ensure RAM password policy requires at least one uppercase letter | Low | Modification | | | | |
| | Ensure RAM password policy requires at least one lowercase letter | Low | Modification | | | | |
| | Ensure RAM password policy require at least one symbol | Low | Modification | | | | |
| | Ensure RAM password policy require at least one number | Low | Modification | | | | |
| | Ensure RAM password policy expires passwords within 90 days or less | Low | Modification | | | | |
| | Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour | High | Modification | | | | |
| | Ensure Security Center Network, Host and Security log analysis is enabled | High | Modification | | | | |
| | Ensure that 'Auditing' Retention is 'greater than 6 months' | Low | Modification | | | | |
| | Ensure legacy networks does not exist | High | Modification | | | | |
| | Ensure VPC flow logging is enabled in all VPCs | High | Modification | | | | |
| | Ensure that Security Center is Advanced or Enterprise Edition | High | Modification | | | | |
| | Ensure that all assets are installed with security agent | High | Modification | | | | |
| | Ensure that Automatic Quarantine is enabled | High | Modification | | | | |
| | Ensure that Webshell detection is enabled on all web servers | High | Modification | | | | |
| | Ensure that notification is enabled on all high risk items | Low | Modification | | | | |
| | Ensure that Config Assessment is granted with privilege | Low | Modification | | | | |
| | Ensure that scheduled vulnerability scan is enabled on all servers | High | Modification | | | | |
| | Ensure that the latest OS Patches for all Virtual Machines are applied | High | Modification | | | | |
| | Create at least one compartment in your tenancy to store cloud resources | Low | Modification | | | | |
| | Ensure no VCNs are created in the root compartment | Low | Modification | | | | |
| | Ensure no instances created in the root compartment | Low | Modification | | | | |
| | Ensure no volumes are created in the root compartment | Low | Modification | | | | |
| | Ensure no filesystems are created in the root compartment | Low | Modification | | | | |
| | Ensure no buckets are created in the root compartment | Low | Modification | | | | |
| | Ensure no autonomousdatabases are created in the root compartment | Low | Modification | | | | |
| | Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK) | High | Modification | | | | |
| | Ensure IAM password policy requires minimum length of 14 or greater | High | Modification | | | | |
| | Ensure MFA is enabled for all users with a console password | Low | Modification | | | | |
| | Ensure all OCI IAM user accounts have a valid and current email address | Low | Modification | | | | |
| | Ensure user API keys rotate within 90 days or less | High | Modification | | | | |
| | Ensure user customer secret keys rotate within 90 days or less | Low | Modification | | | | |
| | Ensure user auth tokens rotate within 90 days or less | Low | Modification | | | | |
| | Ensure permissions on all resources are given only to the tenancy administrator group | High | Modification | | | | |
| | Ensure IAM administrators cannot update tenancy Administrators group | High | Modification | | | | |
| | Ensure API keys are not created for tenancy administrator users | High | Modification | | | | |
| | Ensure default tags are used on resources | Low | Modification | | | | |
| | Ensure VCN flow logging is enabled for all subnets | Low | Modification | | | | |
| | Ensure write level Object Storage logging is enabled for all buckets | Low | Modification | | | | |
| | Create at least one notification topic and subscription to receive monitoring alerts | Low | Modification | | | | |
| | Ensure a notification is configured for Identity Provider changes | Low | Modification | | | | |
| | Ensure a notification is configured for IdP group mapping changes | Low | Modification | | | | |
| | Ensure a notification is configured for IAM group changes | Low | Modification | | | | |
| | Ensure a notification is configured for user changes | Low | Modification | | | | |
| | Ensure a notification is configured for VCN changes | Low | Modification | | | | |
| | Ensure a notification is configured for changes to route tables | Low | Modification | | | | |
| | Ensure a notification is configured for security list changes | Low | Modification | | | | |
| | Ensure a notification is configured for network security group changes | Low | Modification | | | | |
| | Ensure a notification is configured for changes to network gateways | Low | Modification | | | | |
| | Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 | Critical | Modification | | | | |
| | Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 | Critical | Modification | | | | |
| | Ensure the default security list of every VCN restricts all traffic except ICMP | High | Modification | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 | Critical | Modification | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 | Critical | Modification | | | | |
| | Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network | High | Modification | | | | |
| | Ensure Versioning is Enabled for Object Storage Buckets | Low | Modification | | | | |
| | Ensure Cloud Guard is enabled in the root compartment of the tenancy | Low | Modification | | | | |

July 26 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' | High | Modification | | | | |
| | Ensure FTP deployments are Disabled | Low | Modification | | | | |
| | Ensure that an exclusionary Geographic Access Policy is considered | Low | Modification | | | | |
| | Ensure AWS Security Hub is enabled | Low | Modification | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 | Critical | Modification | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 | Critical | Modification | | | | |
| D9.AZU.NET.38 | Ensure FTP deployments are disabled | High | Removal | | | | |

July 19 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | SSL/TLS certificates expire in one week | High | Modification | | | | |
| | ELB secured listener certificate expires in one week | High | Modification | | | | |
| | ALB secured listener certificate expires in one week | High | Modification | | | | |
| | Ensure MFA is enabled for the 'root' user account | Critical | Modification | | | | |
| | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | High | Modification | | | | |
| | Ensure that logging for Azure Key Vault is 'Enabled' | Low | Modification | | | | |
| | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | High | Modification | | | | |
| | Ensure Azure Application Gateway Web application firewall (WAF) is enabled | High | Modification | | | | |
| | Ensure that Resource Locks are set for Mission-Critical Azure Resources | Low | Modification | | | | |
| | Ensure that RDP access from the Internet is evaluated and restricted | High | Modification | | | | |
| | Ensure that SSH access from the Internet is evaluated and restricted | High | Modification | | | | |
| | Ensure Azure Key Vaults are Used to Store Secrets | High | Modification | | | | |
| | Ensure that the Expiration Date is set for all Keys in Key Vaults | Low | Modification | | | | |
| | Ensure that the Expiration Date is set for all Secrets in Key Vaults | Low | Modification | | | | |
| | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | Low | Modification | | | | |
| | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | Low | Modification | | | | |
| | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | High | Modification | | | | |
| | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | High | Modification | | | | |
| | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | Low | Modification | | | | |
| | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Low | Modification | | | | |
| | Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | High | Modification | | | | |
| | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | High | Modification | | | | |
| | Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | High | Modification | | | | |
| | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | Low | Modification | | | | |
| | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | Low | Modification | | | | |
| | Ensure that 'Java version' is the latest, if used to run the Web App | Low | Modification | | | | |
| | Ensure App Service Authentication is set up for apps in Azure App Service - Webapp | High | Modification | | | | |
| | Ensure App Service Authentication is set up for apps in Azure App Service - FunctionApp | High | Modification | | | | |
| | Ensure Guest Users Are Reviewed on a Regular Basis | Low | Modification | | | | |
| | Ensure That 'Number of methods required to reset' is set to '2' | Low | Modification | | | | |
| | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Low | Modification | | | | |
| | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Low | Modification | | | | |
| | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | High | Modification | | | | |
| | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Low | Modification | | | | |
| | Ensure that Endpoint Protection for all Virtual Machines is installed | High | Modification | | | | |
| | Ensure that 'Auditing' is set to 'On' | Low | Modification | | | | |
| | Ensure that 'Auditing' Retention is 'greater than 90 days' | Low | Modification | | | | |
| | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | Low | Modification | | | | |
| | Ensure that a 'Diagnostic Setting' exists | Low | Modification | | | | |
| | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Low | Modification | | | | |
| | Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | Low | Modification | | | | |
| | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | Low | Modification | | | | |
| | Ensure That Microsoft Defender for Servers Is Set to 'On' | High | Modification | | | | |
| | Ensure That Microsoft Defender for App Services Is Set To 'On' | High | Modification | | | | |
| | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | High | Modification | | | | |
| | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | High | Modification | | | | |
| | Ensure That Microsoft Defender for Storage Is Set To 'On' | High | Modification | | | | |
| | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | High | Modification | | | | |
| | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | High | Modification | | | | |
| | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | High | Modification | | | | |
| | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | High | Modification | | | | |
| | Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | Low | Modification | | | | |
| | Ensure Default Network Access Rule for Storage Accounts is Set to Deny | High | Modification | | | | |
| | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | Low | Modification | | | | |
| | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Critical | Modification | | | | |
| | Ensure that Object-level logging for write events is enabled for S3 bucket | Low | Modification | | | | |
| | Ensure that Azure Active Directory Admin is Configured for SQL Servers | Low | Modification | | | | |
| | Ensure AWS IAM policies do not grant 'assume role' permission across all services | High | Modification | | | | |
| | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | High | Modification | | | | |
| | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | High | Modification | | | | |
| | Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | Low | New | | | | |
| | Ensure that A Multi-factor Authentication Policy Exists for All Users | Low | New | | | | |
| | Ensure Multi-factor Authentication is Required for Risky Sign-ins | Low | New | | | | |
| | Ensure Multi-factor Authentication is Required for Azure Management | Low | New | | | | |
| | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | High | Modification | | | | |
| | Ensure That Private Endpoints Are Used Where Possible | Medium | Modification | | | | |
| | Ensure hardware MFA is enabled for the 'root' user account | Critical | New | | | | |

July 12 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure FTP deployments are Disabled for FunctionApp | Low | Modification | | | | |
| | Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone | Critical | Modification | | | | |
| | CodeBuild S3 logs should be encrypted | High | Modification | | | | |
| | Ensure Trusted Locations Are Defined | Low | New | | | | |
| | Ensure that an exclusionary Geographic Access Policy is considered | Low | New | | | | |
| | Ensure that Storage Account has Microsoft Defender for Cloud enabled | Low | New | | | | |

July 05 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that encryption-at-rest is enabled for RDS Instances | High | Modification | | | | |
| | Ensure that encryption is enabled for EFS file systems | High | Modification | | | | |
| | Eliminate use of the 'root' user for administrative and daily tasks | High | Modification | | | | |
| | Ensure no 'root' user account access key exists | High | Modification | | | | |
| | Ensure IAM policies that allow full '*:*' administrative privileges are not attached | High | Modification | | | | |
| | Ensure MFA Delete is enabled on S3 buckets | Low | Modification | | | | |
| | Ensure CloudTrail trails are integrated with CloudWatch Logs | Low | Modification | | | | |
| | Ensure unauthorized API calls are monitored | Low | Modification | | | | |
| | Ensure management console sign-in without MFA is monitored | Low | Modification | | | | |
| | Ensure IAM policy changes are monitored | Low | Modification | | | | |
| | Ensure CloudTrail configuration changes are monitored | Low | Modification | | | | |
| | Ensure disabling or scheduled deletion of customer created CMKs is monitored | Low | Modification | | | | |
| | Ensure S3 bucket policy changes are monitored | Low | Modification | | | | |
| | Ensure AWS Config configuration changes are monitored | Low | Modification | | | | |
| | Ensure Network Access Control Lists (NACL) changes are monitored | Low | Modification | | | | |
| | Ensure changes to network gateways are monitored | Low | Modification | | | | |
| | Ensure route table changes are monitored | Low | Modification | | | | |
| | Ensure VPC changes are monitored | Low | Modification | | | | |
| | Ensure that public access is not given to RDS Instance | Critical | Modification | | | | |
| | Ensure AWS Management Console authentication failures are monitored | Low | Modification | | | | |
| | Ensure security group changes are monitored | Low | Modification | | | | |
| | Ensure that object-level logging is enabled for S3 buckets | Low | Modification | | | | |
| | Ensure there is only one active access key available for any single IAM user | High | Modification | | | | |
| | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | Critical | Modification | | | | |
| | Ensure that EC2 Metadata Service only allows IMDSv2 | Medium | Modification | | | | |
| | Ensure that sensitive parameters are encrypted | High | Modification | | | | |
| | Ensure EBS Volume Encryption is Enabled in all Regions | High | Modification | | | | |
| | Attached EBS volumes should be encrypted at-rest | Medium | New | | | | |
| | CodeBuild S3 logs should be encrypted | Low | New | | | | |
| | DynamoDB Accelerator (DAX) clusters should be encrypted at rest | Medium | New | | | | |
| | Connections to Amazon Redshift clusters should be encrypted in transit | Medium | New | | | | |
| | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | Low | Modification | | | | |
| | Ensure AWS Organizations changes are monitored | Low | Modification | | | | |
| | Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances | Low | Modification | | | | |
| | Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' | Low | New | | | | |
| | Ensure rotation for customer created symmetric CMKs is enabled | High | Modification | | | | |
| | Ensure Application Insights are Configured | Low | New | | | | |
| | Instances outside of Europe region | Low | Modification | | | | |
| | S3 Buckets outside of Europe | Low | Modification | | | | |
| | Enable 2FA for VM Instances using OS Login | Medium | New | | | | |
| D9.AWS.CRY.82 | S3 buckets should have server-side encryption enabled | Medium | Removal | | | | |
| D9.GCP.IAM.30 | Ensure Essential Contacts are defined for your Google Cloud organization | High | Removal | | | | |
| D9.AWS.CRY.71 | Ensure that encryption is enabled for AWS RDS DB Cluster Snapshot | High | Removal | | | | |
| D9.AWS.CRY.72 | Ensure that encryption is enabled for AWS RDS DB Snapshot | High | Removal | | | | |

June 28 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure S3 Bucket Policy is set to deny HTTP requests | High | Modification | | | | |
| | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | High | Modification | | | | |
| | Minimize the admission of containers with added capabilities (PSP) | High | Modification | | | | |
| | S3 buckets should have server-side encryption enabled | Medium | New | | | | |
| | AWS Cloud Front - WAF Integration | Medium | Modification | | | | |
| | Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' | Low | New | | | | |
| | Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | High | New | | | | |
| | Enable Role Based Access Control for Azure Key Vault | High | New | | | | |
| | Ensure that logging for Azure AppService 'HTTP logs' is enabled | Low | New | | | | |
| | Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | Low | New | | | | |
| | Ensure the 'ServiceAdmin' role is listed as an email recipient for Defender alerts | Low | New | | | | |
| | Ensure server-side encryption is set to 'Encrypt with BYOK' | High | New | | | | |
| | Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key) | High | New | | | | |
| | Ensure that 'TDE' is set to 'Enabled' on for applicable database instance | High | New | | | | |
| | Ensure that multi-factor authentication is enabled for all RAM users that have a console password | High | New | | | | |
| | Ensure access keys are rotated every 90 days or less | High | New | | | | |
| | Ensure that ActionTrail are configured to export copies of all Log entries | High | New | | | | |
| | Ensure the OSS used to store ActionTrail logs is not publicly accessible | High | New | | | | |
| | Ensure Security Center Network, Host and Security log analysis is enabled | High | New | | | | |
| | Ensure parameter 'log_connections' is set to 'ON' for PostgreSQL Database | Low | New | | | | |
| | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Low | New | | | | |
| | Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server | Low | New | | | | |
| | Ensure that 'Auditing' is set to 'On' for applicable database instances | Low | New | | | | |
| | Ensure that 'Auditing' Retention is 'greater than 6 months' | Low | New | | | | |
| | Ensure network access rule for storage bucket is not set to publicly accessible | High | New | | | | |
| | Ensure that RDS instance requires all incoming connections to use SSL | High | New | | | | |
| | Ensure that RDS Instances are not open to the world | High | New | | | | |
| | Ensure that SSH access is restricted from the internet | High | New | | | | |
| | Ensure VPC flow logging is enabled in all VPCs | High | New | | | | |
| | Ensure that Security Center is Advanced or Enterprise Edition | High | New | | | | |
| | Ensure that all assets are installed with security agent | High | New | | | | |
| | Ensure that Automatic Quarantine is enabled | High | New | | | | |
| | Ensure that Webshell detection is enabled on all web servers | High | New | | | | |
| | Ensure that notification is enabled on all high risk items | Low | New | | | | |
| | Ensure that Config Assessment is granted with privilege | Low | New | | | | |
| | Ensure that scheduled vulnerability scan is enabled on all servers | High | New | | | | |
| | Ensure that the latest OS Patches for all Virtual Machines are applied | High | New | | | | |
| | Ensure that a Log Profile exists | Low | Removal | | | | |

June 21 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | CloudFront distributions should require encryption in transit | Medium | New | | | | |
| | CloudFront distributions should encrypt traffic to custom origins | Medium | New | | | | |
| | RDS cluster snapshots should be encrypted at rest | Medium | New | | | | |
| | RDS database snapshots should be encrypted at rest | Medium | New | | | | |

June 14 2023
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that multi-factor authentication is enabled for all privileged users | High | New | | | | |
| | Ensure that multi-factor authentication is enabled for all non-privileged users | High | New | | | | |
| | Ensure KMS CMK have key rotation enabled | High | Modification | | | | |
| | Ensure rotation for customer created CMKs is enabled | Low | Removal | | | | |
| | Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled | Low | Removal | | | | |

June 07 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that the --anonymous-auth argument is set to false (Kubelet) | High | Modification | | | | |
| | Ensure that the --event-qps argument is set to 0 (Kubelet) | Low | Modification | | | | |
| | Ensure that the --client-ca-file argument is set as appropriate (Kubelet) | High | Modification | | | | |
| | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Kubelet) | High | Modification | | | | |
| | Ensure that the --make-iptables-util-chains argument is set to true (Kubelet) | Medium | Modification | | | | |
| | Ensure that the --protect-kernel-defaults argument is set to true (Kubelet) | High | Modification | | | | |
| | Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK) | High | Modification | | | | |
| | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet) | High | Modification | | | | |
| | Ensure that the --rotate-certificates argument is not set to false (Kubelet) | High | Modification | | | | |
| | Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet) | High | Modification | | | | |
| | Ensure KMS CMK have key rotation enabled | High | Modification | | | | |
| | Ensure API gateway policy limits public access | High | New | | | | |
| | Ensure API gateway has WAF | Low | New | | | | |

May 31 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that VPC Endpoint policy does not provide excessive permissions | High | Modification | | | | |
| | Ensure unrestricted API keys are not available within your GCP projects | High | New | | | | |
| | Ensure Essential Contacts are defined for your Google Cloud organization | High | New | | | | |

May 24 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses Customer Master Keys (CMK) | Low | Modification | | | | |
| | Ensure security groups associated with EKS cluster do not have inbound rules with a scope of 0.0.0.0/0 | Medium | New | | | | |
| | Ensure EKS cluster version is up-to-date | Informational | New | | | | |
| | Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version | Critical | Removal | | | | |
| | S3 buckets should not grant any external privileges via ACL | High | Removal | | | | |

May 17 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that S3 Buckets are encrypted with CMK | High | Modification | | | | |
| | Ensure default network access rule for Storage Accounts is set to deny | High | Modification | | | | |
| | Ensure AWS IAM policies allow only the required privileges for each role | Low | Modification | | | | |
| | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | Low | New | | | | |
| | Ensure that Activity Log Alert exists for Delete Public IP Address rule | Low | New | | | | |
| | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | Low | New | | | | |
| | Ensure Private Endpoints are used to access Storage Accounts | Medium | New | | | | |
| | Ensure that Private Endpoints are Used for Azure Key Vault | Medium | New | | | | |
| | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | Low | New | | | | |
| | Ensure AWS Security Hub is enabled. | Low | New | | | | |
| | Ensure an Azure Bastion Host Exists | Medium | New | | | | |
| | Ensure Lambda functions are not using deprecated runtimes | High | New | | | | |
| | Ensure no root account access key exists. | High | Modification | | | | |

May 10 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure KMS CMK have key rotation enabled | High | New | | | | |
| | Amazon EBS snapshots should not be publicly accessible | High | New | | | | |
| | EC2 Instance - there shouldn't be any High level findings in Inspector Scans | High | Removal | | | | |
| | Ensure that enhance scanning is enabled for all repositories | High | Removal | | | | |

May 03 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that 'Number of methods required to reset' is set to '2' | Low | New | | | | |
| | Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | High | New | | | | |
| | Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | High | New | | | | |
| | Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' | High | New | | | | |
| | Ensure That Microsoft Defender for DNS Is Set To 'On' | High | New | | | | |
| | Ensure That Microsoft Defender for Databases Is Set To 'On' | High | New | | | | |
| | Ensure That Microsoft Defender for Containers Is Set To 'On' | High | New | | | | |
| | Ensure that encryption is enabled for AWS RDS DB Cluster Snapshot | High | New | | | | |
| | Ensure that encryption is enabled for AWS RDS DB Snapshot | High | New | | | | |
| | Ensure that encryption is enabled for AWS RDSDBCluster Storage | High | New | | | | |
| | Ensure that user Volume Encryption is enabled for AWS Workspace | High | New | | | | |
| | Ensure that root Volume Encryption is enabled for AWS Workspace | High | New | | | | |
| | Ensure that encryption is enabled for AWS EBS Snapshot | High | New | | | | |
| | Ensure server-side encryption is set to 'Encrypt with Service Key' | High | Modification | | | | |
| | Ensure that 'Unattached disks' are encrypted | High | Modification | | | | |
| | Ensure that Virtual Machine's Disks are encrypted | High | Modification | | | | |
| | Ensure that logging is enabled for OSS buckets | Low | Modification | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | High | Modification | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | High | Modification | | | | |

April 24 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure a notification is configured for IdP group mapping changes. | Low | Modification | | | | |

April 19 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Enforce Password Policy | High | New | | | | |
| | Ensure a log metric filter and alarm exist for EC2 instance changes | Medium | New | | | | |
| | Ensure a log metric filter and alarm exist for EC2 Large instance changes | Medium | New | | | | |
| | Ensure EMR clusters nodes should not have public IP | High | New | | | | |
| | Credentials report was generated in the last 24 hours | Low | New | | | | |
| | Ensure customer created Customer Managed Key (CMK) is rotated at least annually | High | New | | | | |
| | Ensure that the Cross-Region Replication feature is enabled for your Amazon ECR container images. | Low | New | | | | |
| | Ensure that Amazon ECR image repositories are using lifecycle policies. | Low | New | | | | |
| | Ensure that enhance scanning is enabled for all repositories | High | New | | | | |
| | Ensure that 'Secure transfer required' is set to 'Enabled' | High | Modification | | | | |
| | Ensure users not logged on for 90 days or longer are disabled for console logon. | High | Modification | | | | |
| | Ensure RAM policies that allow full "*:*" administrative privileges are not created | High | Modification | | | | |
| | Ensure RAM password policy prevents password reuse. | High | Modification | | | | |
| | Ensure RAM password policy requires at least one uppercase letter. | Low | Modification | | | | |
| | Ensure RAM password policy requires at least one lowercase letter. | Low | Modification | | | | |
| | Ensure RAM password policy require at least one symbol. | Low | Modification | | | | |
| | Ensure RAM password policy require at least one number. | Low | Modification | | | | |
| | Ensure RAM password policy expires passwords within 90 days or less. | Low | Modification | | | | |
| | Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour. | High | Modification | | | | |
| | Ensure RAM password policy requires minimum length of 14 or greater | Low | Modification | | | | |
| | Ensure legacy networks does not exist. | High | Modification | | | | |
| | Enforce Password Policy | High | Removal | | | | |
| | Credentials report was generated in the last 24 hours | Low | Removal | | | | |

March 29 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure ACM certificate was not issued before the Heartbleed security bug fix | Critical | Modification | | | | |
| | Create at least one compartment in your tenancy to store cloud resources. | Low | New | | | | |
| | Ensure no VCNs are created in the root compartment. | Low | New | | | | |
| | Ensure no instances created in the root compartment. | Low | New | | | | |
| | Ensure no volumes are created in the root compartment. | Low | New | | | | |
| | Ensure no filesystems are created in the root compartment. | Low | New | | | | |
| | Ensure no buckets are created in the root compartment. | Low | New | | | | |
| | Ensure no autonomousdatabases are created in the root compartment. | Low | New | | | | |
| | Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK). | High | New | | | | |
| | Ensure Block Volumes are encrypted with Customer Managed Keys (CMK). | High | New | | | | |
| | Ensure boot volumes are encrypted with Customer Managed Key (CMK). | High | New | | | | |
| | Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK). | High | New | | | | |
| | Ensure no Object Storage buckets are publicly visible. | High | New | | | | |
| | Ensure IAM password policy requires minimum length of 14 or greater. | High | New | | | | |
| | Ensure MFA is enabled for all users with a console password. | Low | New | | | | |
| | Ensure all OCI IAM user accounts have a valid and current email address. | Low | New | | | | |
| | Ensure user API keys rotate within 90 days or less. | High | New | | | | |
| | Ensure user customer secret keys rotate within 90 days or less. | Low | New | | | | |
| | Ensure user auth tokens rotate within 90 days or less. | Low | New | | | | |
| | Ensure permissions on all resources are given only to the tenancy administrator group. | High | New | | | | |
| | Ensure IAM administrators cannot update tenancy Administrators group. | High | New | | | | |
| | Ensure API keys are not created for tenancy administrator users. | High | New | | | | |
| | Ensure default tags are used on resources. | Low | New | | | | |
| | Ensure VCN flow logging is enabled for all subnets. | Low | New | | | | |
| | Ensure write level Object Storage logging is enabled for all buckets. | Low | New | | | | |
| | Create at least one notification topic and subscription to receive monitoring alerts. | Low | New | | | | |
| | Ensure a notification is configured for Identity Provider changes. | Low | New | | | | |
| | Ensure a notification is configured for IdP group mapping changes. | Low | New | | | | |
| | Ensure a notification is configured for IAM group changes. | Low | New | | | | |
| | Ensure a notification is configured for IAM policy changes | Low | New | | | | |
| | Ensure a notification is configured for user changes. | Low | New | | | | |
| | Ensure a notification is configured for VCN changes. | Low | New | | | | |
| | Ensure a notification is configured for changes to route tables. | Low | New | | | | |
| | Ensure a notification is configured for security list changes. | Low | New | | | | |
| | Ensure a notification is configured for network security group changes. | Low | New | | | | |
| | Ensure a notification is configured for changes to network gateways. | Low | New | | | | |
| | Ensure no security lists allow ingress from 0.0.0.0/0 to port 22. | Critical | New | | | | |
| | Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389. | Critical | New | | | | |
| | Ensure the default security list of every VCN restricts all traffic except ICMP. | High | New | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22. | Critical | New | | | | |
| | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389. | Critical | New | | | | |
| | Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources. | High | New | | | | |
| | Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud. | High | New | | | | |
| | Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network. | High | New | | | | |
| | Ensure Versioning is Enabled for Object Storage Buckets. | Low | New | | | | |
| | Ensure Cloud Guard is enabled in the root compartment of the tenancy. | Low | New | | | | |

March 15 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account | Critical | Modification | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22) | Critical | Modification | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) | Critical | Modification | | | | |
| | Ensure the default security group of every VPC restricts all traffic | Critical | Modification | | | | |
| | RDS should not have Public Interface | Critical | Modification | | | | |
| | RDS should not have Public Interface open to a public scope | Critical | Modification | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols | Critical | Modification | | | | |
| | Ensure that EC2 AMIs are not publicly accessible | Critical | Modification | | | | |
| | Redis attached subnet Network Security Group should allow egress traffic only to ports 6379 or 6380 | High | Modification | | | | |
| | Ensure that EC2 instance's custom AMI is encrypted at rest | High | Modification | | | | |
| | IamUser with Admin or wide permissions without MFA enabled | Critical | Modification | | | | |
| | Ensure that EC2 instance's custom AMI is not publicly shared | Critical | Modification | | | | |
| | Ensure that S3 Buckets are configured with Block public access (bucket/account settings) | Critical | Modification | | | | |
| | Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate | High | Modification | | | | |
| | Ensure SNS Topics aren't publicly accessible | Critical | Modification | | | | |
| | Instances with Direct Connect virtual interface should not have public interfaces | Critical | Modification | | | | |
| | RDS Databases with Direct Connect virtual interface should not have public interfaces | Critical | Modification | | | | |
| | Ensure AWS VPC subnets have automatic public IP assignment disabled | Critical | Modification | | | | |
| | Ensure AWS Redshift clusters are not publicly accessible | Critical | Modification | | | | |
| | Ensure that the API Endpoint type in API Gateway is set to Private and is not exposed to the public internet | Critical | Modification | | | | |
| | Ensure that Security Groups are not open to all | Critical | Modification | | | | |
| | EksCluster should not be publicly accessed | Critical | Modification | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Critical | Modification | | | | |
| | Ensure that public System Manager Documents include parameters | High | Modification | | | | |
| | Ensure no security groups allow ingress from ::/0 to remote server administration ports | Critical | Modification | | | | |
| | Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone. | Critical | Modification | | | | |
| | Ensure that RDS database instance enforces SSL/TLS for all connections | High | New | | | | |
| | Ensure that RDS database instance doesn't use its default endpoint port | Low | New | | | | |
| | Ensure Inspector Instances have continuous scanning active | Low | New | | | | |

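Several of the Critical rows above (SSH, RDP, ALL ports and protocols, remote server administration ports from 0.0.0.0/0 and from ::/0, the default security group of every VPC) and the two security-group rows in the May 03 2023 table reduce to one evaluation over security group ingress entries. The following added example, which is not CloudGuard's rule logic, runs that evaluation over groups shaped like the output of aws ec2 describe-security-groups; the group IDs, names and rules in it are constructed for illustration. It treats any prefix-length-0 CIDR as unrestricted so IPv6 is covered, expands IpProtocol -1 to every port, and catches a port range such as 0-1024 that includes 22 without naming it.

```python
"""Added example, not CloudGuard's rule logic: flag security groups whose ingress
reaches SSH, RDP or every port from an unrestricted source (0.0.0.0/0 or ::/0).
Input is shaped like the SecurityGroups list that `aws ec2 describe-security-groups`
returns; the sample groups at the bottom are constructed, not real."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # the remote administration ports the rules name

def unrestricted_sources(perm):
    """CIDRs on one permission entry that cover the whole address space (prefix length 0).
    Works for both IPv4 and IPv6; a scoped range such as 203.0.113.0/24 is not reported."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    world = []
    for cidr in cidrs:
        try:
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                world.append(cidr)
        except ValueError:   # malformed CIDR: skip it rather than abort the whole audit
            pass
    return world

def admin_ports_reached(perm):
    """(admin ports inside the entry's TCP port range, entry allows all traffic).
    IpProtocol '-1' means every protocol and port and carries no FromPort/ToPort."""
    proto = str(perm.get("IpProtocol", "-1"))
    if proto == "-1":
        return set(ADMIN_PORTS), True
    if proto not in ("tcp", "6"):        # SSH and RDP are TCP; udp/icmp entries are out of scope
        return set(), False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}, False   # catches 0-1024 as well as 22-22

def audit_security_groups(groups):
    """One finding per (group, rule, source); an empty list means nothing is exposed."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            sources = unrestricted_sources(perm)
            if not sources:
                continue
            ports, all_traffic = admin_ports_reached(perm)
            for cidr in sources:
                if all_traffic:
                    findings.append({"group": gid, "rule": "all ports and protocols", "source": cidr})
                for port in sorted(ports):
                    findings.append({"group": gid, "rule": f"{ADMIN_PORTS[port]} (TCP:{port})", "source": cidr})
        # "default security group restricts all traffic" read the CIS way: no rules in either direction,
        # so even the stock self-referencing ingress and allow-all egress count as a failure
        if group.get("GroupName") == "default" and (group.get("IpPermissions") or group.get("IpPermissionsEgress")):
            findings.append({"group": gid, "rule": "default security group has rules", "source": ""})
    return findings

SAMPLE_GROUPS = [  # constructed sample input
    {"GroupId": "sg-0a1", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a2", "GroupName": "legacy-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a3", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a4", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0a5", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0a5"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

audit_security_groups(SAMPLE_GROUPS) reports sg-0a1 twice (once per address family), sg-0a2 once for SSH hidden inside 0-1024, sg-0a3 three times (all traffic plus both admin ports), nothing for sg-0a4 because HTTPS to the world and SSH from one /24 are outside these rules, and sg-0a5 once for the default group carrying rules. Feed it the SecurityGroups array from describe-security-groups for every region to get the same evaluation on live data; the ingress logic ignores UserIdGroupPairs and PrefixListIds deliberately, since neither is a CIDR source.
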
March 01 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that Redis is updated regularly with security and operational updates. | Low | Modification | | | | |

February 22 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that logging for Azure KeyVault is 'Enabled' | Low | Modification | | | | |

February 15 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Instances without Inspector runs in the last 30 days | Low | Removal | | | | |

February 08 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | RDS should not have been open to a large scope | High | Modification | | | | |
| | EksCluster should not have more than one security group | Medium | Modification | | | | |
| | EksCluster should not be publicly accessed | High | Modification | | | | |
| | Ensure that a unique Certificate Authority is used for etcd | High | New | | | | |

February 01 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure S3 Bucket Policy is set to deny HTTP requests | High | Modification | | | | |
| | Ensure storage for critical data is encrypted with Customer Managed Key | Low | Modification | | | | |
| | Ensure guest users are reviewed on a monthly basis | Low | New | | | | |
| | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Low | New | | | | |
| | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Low | New | | | | |
| | Ensure the entire Azure infrastructure doesn't have access to Azure SQL Server | High | Modification | | | | |
| | Ensure Function App is using the latest version of TLS encryption | High | Modification | | | | |
| | Ensure no security groups allow ingress from ::/0 to remote server administration ports | High | New | | | | |
| | Ensure that a minimal audit policy is created (API Server) | Low | New | | | | |
| | Ensure that encryption providers are appropriately configured (API Server) | High | New | | | | |
| | Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server) | High | New | | | | |
| | Ensure that you are using authorized IP address ranges to secure access to the API server | High | Modification | | | | |
| | Ensure VM Instance should not have public IP | High | Removal | | | | |

January 25 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure AWS Kinesis Streams Keys are rotated | Low | Modification | | | | |
| | AWS Kinesis streams are encrypted with customer managed CMK | Low | Modification | | | | |
| | Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys | Low | Modification | | | | |
| | Ensure Master authorized networks are set to Enabled on Kubernetes Engine Clusters | Medium | Modification | | | | |
| | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | High | Modification | | | | |
| | Suspended user account unused for more than 6 months | High | Modification | | | | |
| | Ensures that AWS RDS databases are encrypted using Customer Managed Keys | Low | Modification | | | | |
| | Ensure SageMaker Notebook Instance Data Encryption is enabled | High | Modification | | | | |
| | Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled | Low | Modification | | | | |
| | Ensure Automatic node upgrades are enabled on Kubernetes Engine Clusters nodes | High | Modification | | | | |
| | Ensure that Cloud SQL - MYSQL instances have Point-in-time recovery enabled | Low | Modification | | | | |
| | Virtual machine administrative OMI/OMS service port (1270) is publicly accessible | High | Removal | | | | |
| | Virtual machine administrative OMI/OMS service port (5985) is publicly accessible | High | Removal | | | | |
| | Virtual machine administrative OMI/OMS service port (5986) is publicly accessible | High | Removal | | | | |

January 18 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure Security Defaults is enabled on Azure Active Directory | High | New | | | | |
| | Ensure That 'Users Can Register Applications' Is Set to 'No' | High | New | | | | |
| | Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' | High | New | | | | |
| | Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols | High | Modification | | | | |
| | Minimize the admission of containers with the NET_RAW capability (PSP) | High | Modification | | | | |
| | Ensure that AWS Elastic Load Balancers (ELB) have outbound rules in their security groups | Low | Modification | | | | |
| | Ensure that S3 buckets are not publicly accessible | High | Removal | | | | |
| | Ensure that S3 buckets are not publicly accessible without a condition | High | Removal | | | | |

January 11 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure S3 Bucket Policy is set to deny HTTP requests | High | Modification | | | | |
| | Ensure AWS Kinesis Streams Keys are rotated | Low | Modification | | | | |
| | AWS Kinesis streams are encrypted with customer managed CMK | Low | Modification | | | | |
| | Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys | Low | Modification | | | | |
| | Ensure that the seccomp profile is set to docker/default in your pod definitions | High | Modification | | | | |
| | Ensure that the --make-iptables-util-chains argument is set to true (Kubelet) | Medium | Modification | | | | |
| | Minimize the admission of containers with the NET_RAW capability (PSP) | High | Modification | | | | |
| | Ensures that AWS RDS databases are encrypted using Customer Managed Keys | Low | Modification | | | | |
| | Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled | Low | Modification | | | | |
| | Ensure that the --request-timeout argument is set as appropriate (API Server) | Low | New | | | | |
| | Ensure that the --encryption-provider-config argument is set as appropriate (API Server) | High | New | | | | |
| | Ensure that the --service-account-lookup argument is set to true (API Server) | High | Modification | | | | |
| | Ensure that the --auto-tls argument is not set to true (etcd) | Low | Modification | | | | |
| | Ensure that the pod security policy is enabled in your AKS cluster | Low | Removal | | | | |

January 04 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that logging for Azure KeyVault is 'Enabled' | Low | Modification | | | | |
| | Ensure audit profile captures all the activities | Low | Modification | | | | |