CloudGuard Compliance Updates
April 17 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that AWS Secrets Manager secret rotation interval is smaller than 30 days | Low | Modification | | | | |
| | Ensure that SQS policy does not allow all actions from all principals | High | Modification | | | | |
| | Ensure that DAX Parameter Group does not require reboot | High | Modification | | | | |
| | Ensure SNS Topics administrative actions are not publicly executable without a condition | Critical | Modification | | | | |
| | Ensure that AlloyDB cluster is encrypted using CMEK | High | New | | | | |
| | Ensure that AlloyDB cluster continuous backup is encrypted using CMEK | High | New | | | | |
| | Ensure that AlloyDB backup is encrypted | High | New | | | | |
| | Ensure that AlloyDB cluster has backup policy enabled | High | New | | | | |
| | Ensure that AlloyDB cluster is healthy | High | New | | | | |
| | Ensure that AlloyDB instance is healthy | High | New | | | | |
| | Ensure that AlloyDB instance enforces using connectors | Low | New | | | | |
| | Ensure AlloyDB cluster version is latest | Informational | New | | | | |
April 10 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices | Low | Modification | | | | |
| | EksCluster endpoint should not be publicly accessible | Medium | Modification | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP/UDP POP3 ports (110,995) | High | Modification | | | | |
April 04 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.LOG.04 | Ensure AWS Config is enabled in all regions | Low | Removal | | | | |
April 03 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that Media Package Channel should have tags | Low | New | | | | |
| | Ensure that MediaLive Channel should have Log level | Medium | New | | | | |
| | Ensure that Username is set for AWS MediaLive Channel Output Destination Settings | High | New | | | | |
| | Ensure that Password parameter is set for AWS MediaLive Channel Output Destination Settings | High | New | | | | |
| | Ensure that MediaLive Input should have tags | Low | New | | | | |
| | Ensure that MediaLive Reservation should have tags | Low | New | | | | |
| | Ensure that MediaLive Input SecurityGroup should have tags | Low | New | | | | |
| | Ensure that MediaLive Input Security Groups do not implicitly whitelist all public IP addresses. | High | New | | | | |
| | Ensure that MediaPackage Channel should have tags | Low | New | | | | |
| | Ensure that ingress access logs is enabled for MediaPackage Channel | High | New | | | | |
| | Ensure that egress access logs is enabled for MediaPackage Channel | High | New | | | | |
| | Ensure that only successful MediaPackage Harvest jobs are available | Low | New | | | | |
| | Ensure that MediaPackage Origin Endpoint should have tags | Low | New | | | | |
| | Ensure that authorization is set for MediaPackage Origin Endpoint | High | New | | | | |
| | Ensure that Amazon Elastic Transcoder Pipelines are encrypted | High | New | | | | |
| | Ensure that a notification is configured for Amazon Elastic Transcoder Pipelines | Medium | New | | | | |
| | Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is not set to 'on' | Medium | Modification | | | | |
| | Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' | Medium | Modification | | | | |
| | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | High | Modification | | | | |
| | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | High | Modification | | | | |
| | Ensure that VPC Endpoint policy does not provide excessive permissions | High | Modification | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP etcd port (2379) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP CouchDB port (5984) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP Kibana port (5601) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP LDAP port (389) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP MaxDB port (7210) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP MSSQL port (1434) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP NFS port (2049) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP SQL Analysis Services port (2383) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP VNC port (5500) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP/UDP ArangoDB port (8529) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP/UDP Mini SQL port (4333) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP/UDP POP3 ports (110,995) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP Cassandra ports (7000, 7001, 7199, 9042, 9142, 9160) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP ElasticSearch ports (9200, 9300) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP MongoDB ports (27017-27020) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP Oracle DB ports (1521, 1830, 2483, 8098) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP Riak ports (8087, 8098) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP Solr ports (7574, 8983) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP VNC ports (5800, 5900) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP RethinkDB ports (8080, 28015, 29015) or UDP ports (28015, 29015) | High | New | | | | |
| | Ensure no security group allows unrestricted inbound access to TCP Neo4J ports (7473, 7474), or UDP port (7473) | High | New | | | | |
| | Ensure Logging is enabled for HTTP(S) Load Balancer | Low | Modification | | | | |
| | Ensure that only usable Instances are available in BigTable | Low | New | | | | |
| | Ensure Lambda Functions are Not Using Deprecated Runtime | High | Modification | | | | |
| | Ensure that only operational Firebase Realtime Databases are available. | Low | New | | | | |
| | Ensure that Split Health Check is enabled for App Engine services | Medium | New | | | | |
| | Enable Identity-Aware Proxy (IAP) for App Engine Services | High | New | | | | |
March 27 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that Azure Network Watcher is Enabled | Low | New | | | | |
| | Ensure to update the Security Policy of the Network Load Balancer | High | Modification | | | | |
| | Ensure that Automatic Rotation is Enabled for KMS | High | Modification | | | | |
| D9.AZU.NET.28 | Ensure that Network Watcher is 'Enabled' | Low | Removal | | | | |
March 20 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure Resource Access Manager customer managed permissions should have tags | Informational | New | | | | |
| | Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery | High | Modification | | | | |
| | Ensure that Lightsail Relational Database has a recent snapshot | High | Modification | | | | |
| | Ensure that Access Logging should be enabled for AWS Elemental MediaStore Container | Medium | New | | | | |
| | Ensure that AWS Elemental MediaStore Container should be ACTIVE | Low | New | | | | |
| | Ensure that only usable Instance are available in Filestore | Low | New | | | | |
| | Ensure Apsara File Storage NAS are encrypted | High | New | | | | |
| | Ensure Apsara File Storage NAS should have Encryption Type selected | High | New | | | | |
| | Ensure that Automatic Rotation is enabled for KMS | High | New | | | | |
| | Ensure that Deletion Protection is Enabled for KMS | High | New | | | | |
| | Ensure only usable Keys are in the KMS | Low | New | | | | |
| | Ensure that Apsara File Storage NAS should have tags | Low | New | | | | |
| | Ensure that a newly created region subscription's status is ready | Informational | New | | | | |
| | Container Image – ScanSummary | Critical | New | | | | |
| D9.AWS.OPE.131 | Ensure Resource Access Manager customer managed permissions should have tags | Informational | Removal | | | | |
March 13 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | Medium | Modification | | | | |
| | Ensure that Authorization Type in AWS Kafka Connect Connector is not set to None | High | Modification | | | | |
| | Ensure that AppFlow should have tags | Low | New | | | | |
| | Ensure that MediaStoreContainer should have tags | Low | New | | | | |
| | Ensure that DataSyncStorage should have tags | Low | New | | | | |
| | Ensure that CloudTrail should have tags | Low | New | | | | |
| | Ensure that EksCluster should have tags | Low | New | | | | |
| | Ensure AWS Verified Access should have FIPS status enabled | High | New | | | | |
| | Ensure AWS Verified Access should have tags | Low | New | | | | |
| | Cloud Armor Security Policy Default Rule Action should be 'Deny' | High | New | | | | |
| | Ensure that DnsManagedZone should have tags | Low | New | | | | |
| | Ensure that PubSubTopic should have tags | Low | New | | | | |
| | Ensure that VMInstance should have tags | Low | New | | | | |
| | Ensure that Filestore Instance should have tags | Low | New | | | | |
| | Ensure that DataprocCluster should have tags | Low | New | | | | |
| | Ensure that Secret should have tags | Low | New | | | | |
| | Ensure that Disk should have tags | Low | New | | | | |
| | Ensure that 'Disable Automatic IAM Grants for Default Service Accounts' policy is enforced for Google Cloud Platform (GCP) organizations | Medium | New | | | | |
| | Ensure that Auto Scaling Group should have Deletion Protection enabled | Low | New | | | | |
| | Ensure Auto Scaling group have scaling cooldown higher than a minute | Low | New | | | | |
| | Ensure that Tenancy should have defined tags | Low | New | | | | |
March 06 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic) | Low | Modification | | | | |
| | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic) | Low | Modification | | | | |
| | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests in Monitoring (classic) | Low | Modification | | | | |
February 28 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Low | Modification | | | | |
| | Ensure to update the Security Policy of the Network Load Balancer | High | Modification | | | | |
| | Ensure Application Gateway is using the latest version of TLS encryption | High | Modification | | | | |
| | Ensure that Authorization Type in AWS Kafka Connect Connector is not set to None | High | New | | | | |
| | Ensure that the AWS Kafka Connect Connector is in a Healthy State | Low | New | | | | |
| | Ensure Vertex AI Notebook Instance Have Integrity Monitoring Enabled | Low | New | | | | |
| | Ensure That Vertex AI Notebook Instance is encrypted with Customer-Managed Encryption Key (CMEK) | High | New | | | | |
| | Ensure GCP Vertex AI Notebook Instance secure boot feature is Enabled | High | New | | | | |
| | Ensure GCP Vertex AI Notebook Instance vTPM feature is enabled | Low | New | | | | |
| | Ensure Firestore Database delete protection enabled | High | New | | | | |
| | Ensure that Vertex AI Notebook Instance has tags | Low | New | | | | |
| | Ensure that Vertex AI Notebook Instance status is healthy | High | New | | | | |
| | Ensure that Vertex AI Notebook Runtime has tags | Low | New | | | | |
| | Ensure that Vertex AI Notebook Runtime status is healthy | High | New | | | | |
February 21 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure Athena Workgroups should be Encrypted at Rest | High | Modification | | | | |
| | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | High | Modification | | | | |
| | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) | Low | Modification | | | | |
| | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) | Low | Modification | | | | |
| | Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL flexible Database Server | High | Modification | | | | |
| | Ensure that Storage Account Access Keys are Periodically Regenerated | High | Modification | | | | |
| | Ensure Security Defaults is enabled on Microsoft Entra ID | High | Modification | | | | |
| | Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' | High | Modification | | | | |
| | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | High | Modification | | | | |
| | [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' | High | Modification | | | | |
| | Ensure no security groups allow unrestricted ingress (from either IPv4 or IPv6 source IP addresses) to commonly used remote server administration ports | Critical | New | | | | |
February 14 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers | Critical | Modification | | | | |
| | Ensure that Multi-Factor Authentication is Enabled for All IAM Users | High | Modification | | | | |
| | Ensure that Lambda functions should not have IAM roles with permissions for destructive actions on Amazon RDS databases | High | Modification | | | | |
| | Ensure that AWS Lambda function should not have org write access level | High | Modification | | | | |
| | Ensure that AWS Lambda function should not have IAM write access level | High | Modification | | | | |
| | Ensure that AWS Lambda IAM policy should not be overly permissive to all traffic | High | Modification | | | | |
| | Ensure that Shield Advanced is in Use | High | New | | | | |
| | Ensure that a Virtual WAN P2s VPN Gateway has an associated tag | Low | New | | | | |
| | Ensure that VMware Solution has an associated tag | Low | New | | | | |
| | Ensure that Azure VMware Solution has encryption enabled | Low | New | | | | |
| | Ensure Anonymous Access is Not Turned On for Blob Containers in Microsoft Azure Storage Accounts | High | New | | | | |
| | Ensure that all Virtual WAN P2s VPN Gateway Connection Configurations have Internet Security enabled | High | New | | | | |
| | Ensure that DevTest Lab has Tags | Low | New | | | | |
| | Ensure that a Virtual WAN P2s VPN Gateway is not in a 'Failed' state | High | New | | | | |
| | Ensure that all Virtual WAN P2s VPN Gateway Connection Configurations are not in a 'Failed' state | High | New | | | | |
| | Ensure that VMware Solution's status is not failed | High | New | | | | |
| | Ensure that Virtual WAN VPN Server has Tags | Low | New | | | | |
| | Ensure that Provisioning Status of Configuration Policy Group for Virtual WAN VPN Server is not Failed | High | New | | | | |
| | Ensure that P2S VPN Gateways's Provisioning Status for Virtual WAN VPN Server is not Failed | High | New | | | | |
| | Ensure that Provisioning Status of P2S Connection Configuration for Virtual WAN VPN Server is not Failed | High | New | | | | |
| | Ensure that Virtual WAN VPN Server's Status is not Failed | High | New | | | | |
February 07 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure rotation for customer-created symmetric CMKs is enabled | High | Modification | | | | |
| | ALB secured listener certificate expires in one week | High | Modification | | | | |
| | Ensure that Object-level logging for read events is Enabled for S3 bucket | High | Modification | | | | |
| | Ensure usage of 'root' account is monitored | High | Modification | | | | |
| | Ensure no security groups allow ingress from ::/0 to remote server administration ports | Critical | New | | | | |
| | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | Critical | Modification | | | | |
| | Ensure Azure Container Instance should use Secure Values for environment variables | Low | Modification | | | | |
| | Ensure that Log groups in AWS Cloud Watch are encrypted using Customer Managed Keys | Low | New | | | | |
| | Ensure CloudWatch Logs is enabled for Prometheus Workspace | Low | New | | | | |
| | Ensure that Log groups in AWS Cloud Watch should have tags | Informational | New | | | | |
| | Ensure that Prometheus Workspace should have tags | Low | New | | | | |
| | Ensure that Grafana Workspace should have tags | Low | New | | | | |
| | Ensure that Azure Virtual Desktop App Group has an associated tag | Low | New | | | | |
| | Ensure that Azure Virtual Desktop App Group has locks | Low | New | | | | |
| | Ensure that Azure Private Link Service's status is not failed | High | New | | | | |
| | Ensure that Azure Private Link Service has tags | Low | New | | | | |
| | Ensure Public Cloud NAT Gateway should have automatic NAT IP address allocation enabled | Informational | New | | | | |
| | Ensure Public NAT Gateway should have dynamic port allocation enabled | Informational | New | | | | |
| | Ensure Encryption in Transit is Enabled for Custom Images in Oracle Cloud | High | New | | | | |
| | Ensure Automated Backups are Enabled for MySQL Database Systems | Low | New | | | | |
| | Ensure that Backup Retention Period is Set for Oracle MySQL Database | Low | New | | | | |
| | Ensure Load Balancer should have Delete Protection Enabled | Low | New | | | | |
| | Ensure that Custom Images in Oracle Cloud should have Tags | Low | New | | | | |
| | Ensure Detector Recipe should contain Detector's Rules | Low | New | | | | |
| | Ensure Responder Recipe should contain Responder's Rules | Low | New | | | | |
January 31 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure Public (Anonymous) Access is disabled for Microsoft Azure Storage Accounts | Critical | Modification | | | | |
| | Ensure that Bedrock Custom Model is encrypted using CMK | Low | New | | | | |
| | Ensure that Bedrock Model Customization Job is using a VPC | Low | New | | | | |
| | Ensure that Bedrock Custom Model has tags | Low | New | | | | |
| | Ensure that Bedrock Model Customization Job has tags | Low | New | | | | |
| | Ensure that Azure Confidential Ledger has an associated tag | Low | New | | | | |
| | Ensure that Video Indexer has an associated tag | Low | New | | | | |
| | Ensure that Azure Confidential Ledger certificate exists and is attached | Low | New | | | | |
| | Ensure Azure Event Hub Namespace is zone redundant | Low | New | | | | |
| | Ensure Azure cognitive services (AI Service) should use managed identity | Low | New | | | | |
| | Ensure that 'Public network access' is set to 'Disabled' for Event Hubs Namespace | Low | New | | | | |
| | Ensure Azure Route Table does not utilise default route | Low | New | | | | |
| | Ensure that Azure Cognitive Service (AI Service), does not allow public network access | High | New | | | | |
| | Ensure that the status of Azure Confidential Ledger is healthy | High | New | | | | |
| | Ensure that Azure Confidential Ledger has locks | Low | New | | | | |
| | Ensure that Video Indexer Experiment's status is not failed | High | New | | | | |
| | Ensure that Route Table should have tags | Low | New | | | | |
| | Ensure that Event Hubs Namespace should have tags | Low | New | | | | |
| | Container Image - Malware | High | Modification | | | | |
| | Container Image – Insecure Content | Low | Modification | | | | |
| D9.K8S.IA.UN.5 | Container Image - Insecure Content of Critical Severity | Critical | Removal | | | | |
| D9.K8S.IA.UN.6 | Container Image - Insecure Content of High Severity | High | Removal | | | | |
January 24 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | High | Modification | | | | |
| | Ensure that Azure Cassandra Cluster has an associated tag | Low | New | | | | |
| | Ensure that Azure DDoS Protection Plan has an associated tag | Low | New | | | | |
| | Ensure that Logs are enabled for Azure Cassandra Cluster | Low | New | | | | |
| | Ensure that the status of Azure Cassandra Cluster is not failed | High | New | | | | |
| | Ensure that Azure Cassandra Cluster is authenticated properly | High | New | | | | |
| | Ensure that Azure DDoS Protection Plan has locks | Low | New | | | | |
| | Ensure that the status of Azure DDoS Protection Plan is not failed | High | New | | | | |
| | Ensure GCP Private Service Connect Network Attachment only accept allowed connections | High | New | | | | |
| | Ensure that Google Cloud VPN tunnels use IKE version 2 protocol | Low | New | | | | |
| | Ensure Google Folder is not unused in last 180 days | Low | New | | | | |
| | Container Image - Package of Critical Severity | Critical | New | | | | |
| | Container Image - Package of High Severity | High | New | | | | |
| | Container Image - Malware of Critical Severity | Critical | New | | | | |
| | Container Image - Malware of High Severity | High | New | | | | |
| | Container Image - Insecure Content of Critical Severity | Critical | New | | | | |
| | Container Image - Insecure Content of High Severity | High | New | | | | |
January 17 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure user API keys rotate within 90 days | High | Modification | | | | |
| | Ensure user customer secret keys rotate every 90 days or less | Low | Modification | | | | |
| | Ensure a notification is configured for network security group changes | Low | Modification | | | | |
| | Ensure a notification is configured for changes to network gateways | Low | Modification | | | | |
| | Identify and remove any unused AWS DynamoDB tables to optimize AWS costs | High | Modification | | | | |
| | Ensure that Nimble Studio status is healthy | High | Modification | | | | |
| | Ensure that Data Migration has an associated tag | Low | New | | | | |
| | Ensure that Data Migration Classic has an associated tag | Low | New | | | | |
| | Ensure that Virtual WAN has an associated tag | Low | New | | | | |
| | Ensure that Static Web App Site has an associated tag | Low | New | | | | |
| | Ensure that a DNS Zone has an associated tag | Low | New | | | | |
| | Ensure that Virtual WAN should have VPN encryption | High | New | | | | |
| | Ensure that HPC Cache rotates to latest key version | Medium | New | | | | |
| | Ensure that Static Web App Site template properties are private | Medium | New | | | | |
| | Ensure that Static Web App Site is limited to use selected networks based on trust instead of all networks | Medium | New | | | | |
| | Ensure that Data Migration's status is not failed | Low | New | | | | |
| | Ensure that Data Migration Classic's status is not failed | Low | New | | | | |
| | Ensure that Virtual WAN Experiment's status is not failed | High | New | | | | |
| | Ensure that Static Web App Site config file cannot be updated | Low | New | | | | |
| | Ensure that Static Web App Site private endpoint connections have no errors | High | New | | | | |
| | Ensure that Static Web App Site Enterprise Grade CDN Status is Enabled | Low | New | | | | |
| | Ensure that HPC Cache's state is healthy | High | New | | | | |
| | Ensure that HPC Cache's provisioning state is healthy | High | New | | | | |
| | Ensure that HPC Cache has tags | Low | New | | | | |
| | Ensure LoadTest has tags | Low | New | | | | |
| | Ensure Load Test is in healthy state | High | New | | | | |
| | Ensure that Azure Email Communication has tags | Low | New | | | | |
| | Ensure that Azure Email Communication Domain has tags | Low | New | | | | |
| | Ensure that Azure Virtual Machine Image Template has tags | Low | New | | | | |
January 10 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Ensure that S3 Buckets are encrypted with CMK | Medium | Modification | | | | |
| | Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs | High | Modification | | | | |
| | Ensure that public network access to Cosmos DB accounts is disabled | High | Modification | | | | |
| | Ensure Termination Protection feature is enabled for CloudFormation Stack | High | New | | | | |
| | Ensure that Storage Mover has an associated tag | Low | New | | | | |
| | Ensure that Azure Elastic Monitor has an associated tag | Low | New | | | | |
| | Ensure that Elastic SAN has an associated tag | Low | New | | | | |
| | Ensure that the encryption key for the batch account comes from Microsoft KeyVault | Low | New | | | | |
| | Ensure that Elastic SAN volume is encrypted with Customer Managed Key (CMK) | Low | New | | | | |
| | Ensure that the authentication mode for the batch account is set to 'AAD' and no other modes are allowed | Low | New | | | | |
| | Ensure that public network access is disabled for batch account | Medium | New | | | | |
| | Ensure that public IP addresses are not assigned to batch pools | Medium | New | | | | |
| | Ensure that Azure Batch Account is in a healthy state | Low | New | | | | |
| | Ensure that Azure Batch Account has tags | Low | New | | | | |
| | Ensure that the status of Azure Storage Mover is not failed | High | New | | | | |
| | Ensure that the status of Azure Storage Mover's Endpoint is not failed | High | New | | | | |
| | Ensure that the status of Azure Elastic Monitor is not failed | High | New | | | | |
| | Ensure that the monitoring status of Azure Elastic Monitor is not disabled | Low | New | | | | |
| | Ensure that Elastic SAN is in operational state | High | New | | | | |
| | Ensure that Elastic SAN volumes do not have failed network ACL rules | High | New | | | | |
| | Ensure that Elastic SAN volumes are operational | High | New | | | | |
January 03 2024
| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | ALB secured listener certificate expires in one week | High | Modification | | | | |
| | Ensure that ECR Registry-level configuration is enabled for image scanning | High | Modification | | | | |
| | Ensure that Virtual Machine Image has an associated tag | Low | New | | | | |
| | Ensure that Azure Cognitive Search, or Azure AI Search Service, is enforcing encryption with Customer Managed Key (CMK) | Low | New | | | | |
| | Ensure that Virtual Machine Image is using hyper-V Generation V2 | Low | New | | | | |
| | Ensure that Virtual Machine Image OS Disk is encrypted with Customer Managed Key (CMK) | High | New | | | | |
| | Ensure that Virtual Machine Image is zone resilient | Low | New | | | | |
| | Ensure that Cognitive Search, or AI Search Service, does not allow public network access | High | New | | | | |
| | Ensure that Azure Cognitive Search, or Azure AI Search Service, has tags | Low | New | | | | |
| | Ensure that Azure Cognitive Search, or Azure AI Search Service, has locks | Low | New | | | | |
| | Ensure that the status of Azure Cognitive Search, or Azure AI Search Service, is not failed | High | New | | | | |
| | Ensure statuses for Azure Cognitive Search, or Azure AI Search, Service's privateEndpointConnections and sharedPrivateLinks are not failed | High | New | | | | |
| | Ensure that Virtual Machine Image is in succeeded state | High | New | | | | |
| | Ensure that Virtual Machine Image OS Disk caching is enabled | Low | New | | | | |
| | Ensure that Virtual Machine Image Data Disk caching is enabled | Low | New | | | | |