CloudGuard Compliance Updates

March 10 2026

Rule ID: D9.AWS.CAM.253
Rule Name: Ensure that AWS Lookout for Metrics Anomaly Detector should have tags
Severity: Informational
Change Type: Removal
Updated Content: none

March 02 2026

Rule ID: D9.AWS.IAM.72
Rule Name: Ensure un-dedicated AWS IAM managed policies do not have full action permissions
Severity: High
Change Type: Modify
Updated Content: Logic
  Before: IamPolicy where name regexMatch /AWS/ should not have document.Statement contain [ Effect='Allow' and Action='*' ]
  After: IamPolicy where name regexMatch /AWS/ and isAttachable=true should not have document.Statement contain [ Effect='Allow' and Action='*' and ( not (Condition.Bool.aws:IsMcpServiceAction) ) ]

February 25 2026

Rule ID: D9.AWS.OPE.01
Rule Name: Ensure continuous monitoring of CodeGuru Scan state
Severity: Low
Change Type: Removal
Updated Content: none

January 29 2026

Rule ID: D9.GCP.IAM.25
Rule Name: Ensure that IAM Users are not assigned the Service Account User or Service Account Token Creator roles at Project level
Severity: High
Change Type: Modify
Updated Content: Logic
  Before: GcpIamPolicy where ( bindings contain-any [ members with [ $ like '%user%' ] ] ) should not have bindings contain-any [ role in ('roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ]
  After: GcpIamPolicy where ( bindings contain-any [ role in ('roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ] ) should not have bindings with [ members with [ $ like '%user:%' ] and role in ('roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ]

January 27 2026

Rule ID: D9.GCP.IAM.25
Rule Name: Ensure that IAM Users are not assigned the Service Account User or Service Account Token Creator roles at Project level
Severity: High
Change Type: Modify
Updated Content: Logic
  Before: GcpIamPolicy should not have bindings contain-any [ role in ('roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ]
  After: GcpIamPolicy where ( bindings contain-any [ members with [ $ like '%user%' ] ] ) should not have bindings contain-any [ role in ('roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ]

December 15 2025

Rule ID: D9.AZU.AAA.28
Rule Name: Ensure that Microsoft Defender for Cloud plans are subscribed for all resources
Severity: High
Change Type: Modify
Updated Content: Logic
  Before: DefenderPlans should have properties.pricingTier='Standard'
  After: DefenderPlans where not properties.deprecated should have properties.pricingTier='Standard'

October 06 2025

Rule ID: D9.AWS.NET.52
Rule Name: Ensure that the API Endpoint type in API Gateway is set to Private and is not exposed to the public Internet
Severity: Critical
Change Type: Modify
Updated Content: Logic
  Before: ApiGateway should have endpointConfiguration.types contain-all [ 'Private' ]
  After: ApiGateway where not (securityPolicy in('TLS_1_2','TLS_1_3')) should have endpointConfiguration.types contain-all [ 'PRIVATE' ]

September 18 2025

Rule ID: D9.AWS.CRY.50
Rule Name: Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs
Severity: High
Change Type: Modify
Updated Content: Logic
  Before: SecretManager should have encryptionKey.isCustomerManaged=true
  After: SecretManager where owningService isEmpty() should have encryptionKey.isCustomerManaged=true

Rule ID: D9.GCP.VTM.03
Rule Name: Ensure Google Folder is not unused in last 180 days
Severity: Informational
Change Type: Modify
Updated Content: Severity
  Before: Low
  After: Informational

September 10 2025

Rule ID: D9.AWS.IAM.149
Rule Name: Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS root account
Severity: High
Change Type: Modify
Updated Content: Logic
  Before: IamUser where name like '%root_account%' should have mfaActive=true
  After: IamUser where ( name like '%root_account%' and passwordEnabled=true ) should have mfaActive=true

September 08 2025

Rule ID: D9.AWS.CRY.03
Rule Name: Ensure that S3 Buckets are encrypted with customer-managed KMS Keys
Severity: Medium
Change Type: Modify
Updated Content: Logic
  Before: S3Bucket should have encryption.serverSideEncryptionRules contain [ getResource('KMS', serverSideEncryptionByDefault.serverSideEncryptionKeyManagementServiceKeyId) getValue('isCustomerManaged') and getResource('KMS', serverSideEncryptionByDefault.serverSideEncryptionKeyManagementServiceKeyId) getValue('enabled') ]
  After: S3Bucket should have encryption.serverSideEncryptionRules contain [ serverSideEncryptionByDefault.kmsKey.keyManager like '%customer%' or serverSideEncryptionByDefault.kmsKey.isCustomerManaged ]

September 02 2025

Rule ID: D9.GCP.CRY.07
Rule Name: Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
Severity: High
Change Type: Modify
Updated Content: Logic
  Before: CloudSql should have settings.ipConfiguration.requireSsl=true
  After: CloudSql should not have settings.ipConfiguration.sslMode='ALLOW_UNENCRYPTED_AND_ENCRYPTED'

Rule ID: D9.GCP.NET.86
Rule Name: Ensure the 'cloudsql_iam_authentication' is enabled for your MySQL and PostgreSQL instances
Severity: Medium
Change Type: Modify
Updated Content: Logic
  Before: CloudSql where databaseVersion regexMatch /POSTGRES./ or databaseVersion regexMatch /MYSQL./ should have ( settings.databaseFlags contain [ name='cloudsql.iam_authentication' and value='on' ] )
  After: CloudSql where databaseVersion regexMatch /POSTGRES./ or databaseVersion regexMatch /MYSQL./ should have ( settings.databaseFlags contain [ name='cloudsql_iam_authentication' and value='on' ] or settings.databaseFlags contain [ name='cloudsql.iam_authentication' and value='on' ] )

July 24 2025

Rule ID: D9.AWS.IAM.121
Rule Name: Ensure AWS EC2 Instance is Devoid of Data Destruction Permissions
Severity: Medium
Change Type: Modify
Updated Content: Logic, Severity
  Before (Logic): Instance should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in ( 'rds:DeleteDBInstance', 'rds:DeleteDBSnapshot', 'rds:DeleteDBClusterSnapshot', 'rds:DeleteGlobalCluster', 'ec2:DeleteSnapshot', 'ec2:DeleteVolume' ) ] ] ] ]
  Before (Severity): High
  After (Logic): Instance should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Effect like 'Allow' and Action contain [ $ in ( 'rds:DeleteDBInstance', 'rds:DeleteDBSnapshot', 'rds:DeleteDBClusterSnapshot', 'rds:DeleteGlobalCluster', 'ec2:DeleteSnapshot', 'ec2:DeleteVolume' ) ] ] ] ]
  After (Severity): Medium

Rule ID: D9.GCP.BDR.08
Rule Name: Ensure that Vertex AI Notebook Runtime status is healthy
Severity: Medium
Change Type: Modify
Updated Content: Logic, Severity
  Before (Logic): VertexAINotebookRuntime should have healthState='HEALTHY'
  Before (Severity): High
  After (Logic): VertexAINotebookRuntime where healthState should have healthState like 'HEALTHY'
  After (Severity): Medium

Rule ID: D9.GCP.BDR.13
Rule Name: Ensure that Vertex AI Notebook Instance status is healthy
Severity: Low
Change Type: Modify
Updated Content: Logic, Severity
  Before (Logic): VertexAINotebookInstance should have healthState='HEALTHY'
  Before (Severity): High
  After (Logic): VertexAINotebookInstance where healthState should have healthState like 'HEALTHY'
  After (Severity): Low

July 21 2025

Rule ID: D9.AWS.AAA.22
Rule Name: Ensure that object-level logging for read events is enabled for S3 buckets
Severity: High
Change Type: Modify
Updated Content: Logic
  Before: List<CloudTrail> should have ( items with [ status.isLogging=true and isOrganizationTrail=true and eventSelectors contain [ dataResources contain [ type='AWS::S3::Object' and values contain[ 'arn:aws:s3:::'] ] ] length()>0 ] ) or ( items with [ status.isLogging=true and isOrganizationTrail=false and eventSelectors contain [ dataResources contain [ type='AWS::S3::Object' ] and ( readWriteType='ReadOnly' or readWriteType='All' ) ] length()>0 ] )
  After: List<CloudTrail> should have ( items with [ status.isLogging=true and isOrganizationTrail=true and eventSelectors contain [ dataResources contain [ type='AWS::S3::Object' and values contain [ $ like '%arn:aws:s3:%' ] ] ] length()>0 ] ) or ( items with [ status.isLogging=true and isOrganizationTrail=false and eventSelectors contain [ dataResources contain [ type='AWS::S3::Object' ] and ( readWriteType='ReadOnly' or readWriteType='All' ) ] length()>0 ] )

Rule ID: D9.AWS.CAM.53
Rule Name: Ensure that Account should have tags
Severity: Informational
Change Type: Modify
Updated Content: Logic
  Before: Account should have tags
  After: Account where ( arn split(':') getValue(2) = 'organizations' ) should have tags

Rule ID: D9.AWS.OPE.22
Rule Name: Ensure security contact information is registered
Severity: Low
Change Type: Modify
Updated Content: Logic
  Before: Account should have alternateContacts with [ alternateContactType='SECURITY' ]
  After: Account where ( arn split(':') getValue(4) = arn split('/') getValue(2) ) should have alternateContacts with [ alternateContactType='SECURITY' ]

Rule ID: D9.GCP.IAM.15
Rule Name: Ensure permissions to impersonate a service account are not granted at project level
Severity: Critical
Change Type: Modify
Updated Content: Logic
  Before: GcpIamPolicy should not have bindings contain-any [ role in ('roles/iam.workloadIdentityUser', 'roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator') ]
  After: GcpIamPolicy where ( ( bindings contain-any [ role = 'roles/iam.workloadIdentityUser' ] ) or ( bindings contain-any [ role = 'roles/iam.serviceAccountTokenCreator' ] ) or ( bindings contain-any [ role = 'roles/iam.serviceAccountUser' ] ) ) should have $ contain-none [ members with [ $ unlike '%@cloudservices%' ] ]

July 09 2025

Rule ID: D9.GCP.VTM.01
Rule Name: Ensure GCP Vertex AI Notebook Instance secure boot feature is Enabled
Severity: High
Change Type: Modify
Updated Content: Logic
  Before: VertexAINotebookInstance should have gceSetup.shieldedInstanceConfig.enableSecureBoot='true'
  After: VertexAINotebookInstance should have (gceSetup.shieldedInstanceConfig.enableSecureBoot=true or gceSetup.metadata.enable_secure_boot='True')

June 04 2025

Rule ID: D9.AWS.AAA.22
Rule Name: Ensure that object-level logging for read events is enabled for S3 buckets