CloudGuard Compliance Updates - January 2023 - December 2023

December 27 2023

Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets
D9.AWS.CRY.100 | Ensure that the AWS region's Amazon Glue Data Catalog objects and connection passwords are encrypted | High | New | - | - | - | CloudGuard AWS All Rules Ruleset; AWS GDPR Readiness; AWS APRA 234
D9.AWS.CRY.117 | Ensure HealthLake Datastore has data-at-rest encryption using KMS CMKs | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.CRY.123 | Ensure that Amazon Translate custom terminology is encrypted using KMS CMKs | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.IAM.23 | Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS Cognito User Pool | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.124 | Ensure that Gateway Load Balancer should have tags | Informational | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.125 | Ensure cross-zone load balancing is enabled for Gateway Load Balancer | Medium | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.138 | Ensure that the Gateway Load Balancer's status is Available | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.131 | Ensure Resource Access Manager customer managed permissions should have tags | Informational | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.132 | Ensure shared AWS resources under Resource Access Manager should have tags | Informational | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.134 | Ensure Amazon Outposts should have tags | Informational | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.135 | Serverless Application Repositories should have labels | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.136 | Ensure Cognito Identity Pool should have tags | Informational | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.137 | Ensure Cognito User Pool should have tags | Informational | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.133 | Ensure HealthLake Datastore should have tags | Informational | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AZU.AS.04 | Ensure that a NetApp Files Account has an associated tag | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.67 | Synapse Workspace should have double encryption enabled | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.68 | Encryption in transit is enabled for HD Insight clusters | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.69 | Ensure that Enable Infrastructure Encryption is set for Azure Databricks workspace | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.70 | Ensure that NetApp account active directories are using LDAP signing | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.71 | Ensure that Azure Log Analytics Cluster has double encryption enabled | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.72 | Ensure that Azure Log Analytics Cluster is encrypted using a CMK | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.73 | Ensure that in Azure NetApp Files 'AES encryption' is set to 'Enabled' on any active directories | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.74 | Ensure that in Azure NetApp Files 'encryptDCConnections' is not disabled on any active directories | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.75 | Ensure that in Azure NetApp Files 'ldapOverTLS' is not disabled on any active directories | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.NET.103 | Synapse Workspace should not allow public network access | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.NET.104 | Ensure that Load Balancer should have tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.NET.105 | Ensure that Load Balancer should not have Public IP | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.NET.106 | Ensure that Regional WAF should have Tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.NET.107 | Ensure that Regional Web Application Firewall (WAF) is Enabled | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.NET.108 | Ensure that Global Web Application Firewall (WAF) is Enabled | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.NET.109 | Ensure that Azure SQL Managed Instance public access is disabled | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.19 | Ensure that Synapse Workspace should have tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.20 | Ensure that HD Insight should have Tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.21 | Ensure that Azure SQL Managed Instance should have tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.22 | Ensure that Azure Databricks workspace should have a name tag | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.23 | Ensure that Azure Virtual Network Manager should have tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.24 | Ensure that Azure Orbital Spacecraft has locks | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.25 | Ensure that Azure Orbital Spacecraft has tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.26 | Ensure that Azure Dedicated Host Group has tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.27 | Ensure that Azure Orbital Spacecraft's status is not failed | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.28 | Ensure that NetApp Account active directories are in an operational state | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.29 | Ensure that Azure Log Analytics Cluster has tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset

December 20 2023

Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets
D9.AWS.CRY.63 | Ensure that AWS Elastic Container Registry (ECR) image scanning is enabled | High | Modification | Name; Logic | Name: Ensure that ECR image scan on push is enabled.; Logic: EcrRepository should have imageScanningConfiguration.scanOnPush=true | Name: Ensure that AWS Elastic Container Registry (ECR) image scanning is enabled; Logic: EcrRepository should have repositoryScanningConfiguration.scanFrequency in ('SCAN_ON_PUSH','CONTINUOUS_SCAN') | AWS Security Risk Management; AWS MITRE ATT&CK Framework v11.3; AWS HITRUST v11.0.0; CloudGuard AWS All Rules Ruleset; AWS Foundational Security Best Practices (FSBP) standard; AWS APRA 234; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Best Practices
D9.AWS.AS.43 | Ensure that Amazon S3 Glacier should have tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.CRY.106 | Ensure X-Ray Encryption using KMS | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.CRY.113 | Ensure AWS Code Artifact Domain is using Customer managed key (CMK) KMS encryption | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.CRY.149 | Ensure that CodeStar user profile should have SSH public key | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.56 | Ensure that your Amazon ECS instances are using the latest ECS container agent version | Medium | Modification | Logic | EcsCluster should have containerInstances contain-all [ versionInfo.agentVersion in ($CloudGuard_ECS_Cluster_Latest_Agent_Versions) ] | EcsCluster where containerInstances length() should have containerInstances contain-all [ versionInfo.agentVersion in ($CloudGuard_ECS_Cluster_Latest_Agent_Versions) ] | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.117 | Ensure AWS Transcribe Job has tags | Informational | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.118 | Ensure AWS Medical Transcribe Job has tags | Informational | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.119 | Ensure AWS X-Ray Group has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.122 | Ensure that CodeStar should have tags | Informational | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.126 | Ensure AWS Code Artifact Repository has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.127 | Ensure AWS Code Artifact Domain has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.129 | Ensure AWS Global Accelerator has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.130 | Ensure AWS Global Custom Accelerator has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AZU.NET.04 | Ensure Azure Firewall SKU is configured to Premium | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.10 | Ensure Azure Firewall has tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.13 | Ensure that Azure Compute Gallery has tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.14 | Ensure that Azure Compute Gallery has locks | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.15 | Ensure that Azure Compute Gallery's status is not failed | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.16 | Ensure that Azure Compute Gallery's Image has tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.17 | Ensure that Azure Compute Gallery Image's status is not failed | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.18 | Ensure that Azure Data Share Account has tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
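The D9.AWS.CRY.63 change above replaces a check on the per-repository `scanOnPush` flag with a check on the scanning frequency ECR reports for the repository. The flag only describes basic scanning; once enhanced scanning (Amazon Inspector) is configured at the registry level, `repositoryScanningConfiguration.scanFrequency` is what reflects whether and how often images are actually scanned. The following Python is an added example, not CloudGuard's code or the page's: it re-implements both versions of the logic over constructed records shaped like the output of `aws ecr describe-repositories` and `aws ecr batch-get-repository-scanning-configuration` (merged per repository and trimmed to the fields the rules read), and shows the repository the old logic reported although every push to it is scanned.

```python
"""Both versions of D9.AWS.CRY.63, re-implemented over constructed ECR data.
Added example, not CloudGuard code."""
from __future__ import annotations

from typing import Callable, Iterable

# Constructed sample records.  The field names follow `aws ecr
# describe-repositories` (imageScanningConfiguration) and
# `aws ecr batch-get-repository-scanning-configuration`
# (repositoryScanningConfiguration), merged per repository and trimmed to
# what the two rule versions read.
REPOSITORIES = [
    {   # basic scanning with scan-on-push set on the repository
        "repositoryName": "payments-api",
        "imageScanningConfiguration": {"scanOnPush": True},
        "repositoryScanningConfiguration": {"scanFrequency": "SCAN_ON_PUSH"},
    },
    {   # registry moved to enhanced scanning with continuous scanning;
        # the legacy per-repository flag was never switched on
        "repositoryName": "auth-service",
        "imageScanningConfiguration": {"scanOnPush": False},
        "repositoryScanningConfiguration": {"scanFrequency": "CONTINUOUS_SCAN"},
    },
    {   # images are only scanned when someone starts a scan by hand
        "repositoryName": "legacy-batch",
        "imageScanningConfiguration": {"scanOnPush": False},
        "repositoryScanningConfiguration": {"scanFrequency": "MANUAL"},
    },
]

COMPLIANT_FREQUENCIES = {"SCAN_ON_PUSH", "CONTINUOUS_SCAN"}


def compliant_before(repo: dict) -> bool:
    """Before: EcrRepository should have imageScanningConfiguration.scanOnPush=true"""
    return repo.get("imageScanningConfiguration", {}).get("scanOnPush") is True


def compliant_after(repo: dict) -> bool:
    """After: EcrRepository should have repositoryScanningConfiguration.scanFrequency
    in ('SCAN_ON_PUSH','CONTINUOUS_SCAN')"""
    freq = repo.get("repositoryScanningConfiguration", {}).get("scanFrequency")
    return freq in COMPLIANT_FREQUENCIES


def findings(repos: Iterable[dict], check: Callable[[dict], bool]) -> list[str]:
    """Repository names the given rule version would report as non-compliant."""
    return [r["repositoryName"] for r in repos if not check(r)]


if __name__ == "__main__":
    # The old logic reports auth-service although every push is scanned
    # continuously; the new logic reports only the repository nobody scans.
    print("before:", findings(REPOSITORIES, compliant_before))
    print("after: ", findings(REPOSITORIES, compliant_after))
```

The third value ECR can report for `scanFrequency`, `MANUAL`, is the one that still fails under the new logic; a repository whose scanning configuration cannot be read at all also fails, which is the safer default for an assurance check.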

December 13 2023

Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets
D9.AWS.AS.42 | Ensure that AWS Firewall Manager Policy has an associated tag | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.CRY.56 | Ensure Managed Streaming for Apache Kafka (MSK) clusters have in-transit encryption enabled within the cluster and between clients and brokers | Critical | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.CRY.75 | Ensure AWS MemoryDB for Redis clusters have Customer Managed CMK at-rest encryption | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.CRY.87 | Ensure AWS MemoryDB for Redis manual snapshots have Customer Managed CMK encryption | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.CRY.102 | Ensure AWS MemoryDB for Redis clusters have in-transit encryption enabled | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.DR.15 | Ensure MemoryDB for Redis clusters have automatic snapshots enabled | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.IAM.21 | Ensure Managed Streaming for Apache Kafka (MSK) clusters have only authenticated access | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.IAM.22 | Ensure Managed Streaming for Apache Kafka (MSK) clusters do not allow public access | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.LOG.11 | Ensure Managed Streaming for Apache Kafka (MSK) clusters have log delivery configured | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.LOG.26 | Ensure AWS WAFv2 Web ACL logging should be enabled | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.MON.18 | Ensure Managed Streaming for Apache Kafka (MSK) clusters have enhanced monitoring configured | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.18 | Ensure Managed Streaming for Apache Kafka (MSK) clusters have tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.43 | Ensure that AWS MemoryDB for Redis snapshot has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.49 | Ensure MemoryDB for Redis cluster is updated | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.58 | Ensure that AWS MemoryDB for Redis clusters have tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.111 | Ensure AWS SimSpace Weaver Simulation has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.112 | Ensure AWS WAFv2 Web ACL has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.113 | Ensure that the AWS Firewall Manager Policy removes protection from unused resources | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.114 | Ensure that the AWS Firewall Manager Account is in a Healthy State | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.115 | Ensure that the AWS Firewall Manager Policy automatically remediates non-compliant resources | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.116 | Ensure that the AWS Firewall Manager Policy is in a healthy state | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AZU.AS.03 | Ensure that an Event Grid namespace has an associated tag | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.02 | Ensure that Event Grid Namespace's minimum TLS version is set to 1.2 | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.NET.101 | Ensure that Event Grid Namespace is not open to public IPs | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.NET.102 | Ensure that Event Grid Namespace does not allow public network access | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.07 | Ensure that Azure Stream Analytics Cluster has locks | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.08 | Ensure that Azure Stream Analytics Cluster has tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.09 | Ensure that Azure Stream Analytics Cluster's status is not failed | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.11 | Ensure that Event Grid Namespace's private endpoint connections are not in a failed state | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.12 | Ensure Event Grid Namespace is not in Failed state | High | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AWS.NET.60 | Ensure that NAT gateway is not associated in a private subnet | Medium | Removal | - | - | - | AWS NIST 800-53 Rev 5; AWS MITRE ATT&CK Framework v11.3; AWS HITRUST v11.0.0; CloudGuard AWS All Rules Ruleset; AWS ISO27001:2022; AWS ENS 2022; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Best Practices; AWS HITRUST; AWS ITSG-33; AWS MITRE ATT&CK Framework v10

December 06 2023

Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets
D9.AWS.IAM.01 | Eliminate use of the 'root' user for administrative and daily tasks | High | Modification | Logic | IamUser where name regexMatch /^<root_account>$/i should not have passwordLastUsed after(-90, 'days') | IamUser where name like '%root_account%' should not have passwordLastUsed after(-90, 'days') | AWS HIPAA; CloudGuard AWS Dashboards; AWS LGPD regulation; AWS NIST 800-53 Rev 5; AWS CIS Foundations v. 1.5.0; AWS MITRE ATT&CK Framework v11.3; AWS CIS Foundations v. 1.1.0; AWS PCI-DSS 4.0; AWS HITRUST v11.0.0; CloudGuard AWS Default Ruleset; AWS NIST 800-53 Rev 4; AWS CIS Controls V 8; AWS CSA CCM v.4.0.1; AWS CIS Foundations v. 2.0.0; CloudGuard AWS All Rules Ruleset; AWS GDPR Readiness; AWS ISO27001:2022; AWS APRA 234; AWS ENS 2022; AWS PCI-DSS 3.2; AWS CSA CCM v.3.0.1; AWS CIS Foundations v. 1.0.0; AWS ISO 27001:2013; AWS NIST CSF v1.1; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CIS Foundations v. 1.2.0; AWS CloudGuard Well Architected Framework; AWS CloudGuard Best Practices; AWS Dashboard System Ruleset; AWS MAS TRM Framework; AWS NIST 800-171; AWS CIS Foundations v. 1.3.0; AWS HITRUST; AWS ITSG-33; AWS CIS Foundations v. 1.4.0; AWS MITRE ATT&CK Framework v10
D9.AWS.IAM.16 | Ensure no 'root' user account access key exists | High | Modification | Logic | IamUser where name regexMatch /^<root_account>$/ should have firstAccessKey.isActive=false and secondAccessKey.isActive=false | IamUser where name like '%root_account%' should have firstAccessKey.isActive=false and secondAccessKey.isActive=false | AWS HIPAA; AWS LGPD regulation; AWS Security Risk Management; AWS NIST 800-53 Rev 5; AWS CIS Foundations v. 1.5.0; AWS MITRE ATT&CK Framework v11.3; AWS CIS Foundations v. 1.1.0; AWS HITRUST v11.0.0; CloudGuard AWS Default Ruleset; AWS NIST 800-53 Rev 4; AWS CSA CCM v.4.0.1; AWS CIS Foundations v. 2.0.0; CloudGuard AWS All Rules Ruleset; AWS GDPR Readiness; AWS ISO27001:2022; AWS Foundational Security Best Practices (FSBP) standard; AWS APRA 234; AWS ENS 2022; AWS PCI-DSS 3.2; AWS CSA CCM v.3.0.1; AWS CIS Foundations v. 1.0.0; AWS ISO 27001:2013; AWS NIST CSF v1.1; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CIS Foundations v. 1.2.0; AWS CloudGuard Well Architected Framework; AWS CloudGuard Best Practices; AWS MAS TRM Framework; AWS NIST 800-171; AWS CIS Foundations v. 1.3.0; AWS HITRUST; AWS ITSG-33; AWS CIS Foundations v. 1.4.0; AWS MITRE ATT&CK Framework v10
D9.AZU.NET.66 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Critical | Modification | Logic | StorageAccount should not have allowBlobPublicAccess=true | StorageAccount should have allowBlobPublicAccess=false and publicNetworkAccess like 'Disabled' | Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CSA CCM v.4.0.1; CloudGuard Azure Default Ruleset; Azure CloudGuard Best Practices
D9.AWS.IAM.149 | Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS root account | High | Modification | Logic | IamUser where name regexMatch /^<root_account>$/i should have mfaActive=true | IamUser where name like '%root_account%' should have mfaActive=true | AWS Security Risk Management; CloudGuard AWS All Rules Ruleset; AWS APRA 234
D9.AWS.CRY.101 | Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements | Critical | Modification | Logic | Workspace should not have userVolumeEncryptionEnabled=false and rootVolumeEncryptionEnabled=false or rootVolumeEncryptionEnabled isEmpty() and userVolumeEncryptionEnabled isEmpty() | Workspace should have userVolumeEncryptionEnabled=true and rootVolumeEncryptionEnabled=true | CloudGuard AWS All Rules Ruleset; AWS APRA 234; AWS CloudGuard Best Practices
D9.AWS.CRY.146 | Ensure that FinSpace Environment is encrypted using CMK | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.DR.22 | Ensure Elastic Disaster Recovery Replication status is not giving any error | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.IAM.146 | Ensure that root account credentials have not been used recently to access your AWS account | High | Modification | Logic | IamUser where name regexMatch /^<root_account>$/i should not have passwordLastUsed after(-7, 'days') | IamUser where name like '%root_account%' should not have passwordLastUsed after(-7, 'days') | CloudGuard AWS All Rules Ruleset; AWS APRA 234
D9.AWS.MON.47 | Ensure Email Address is added for each Amazon Detective's Member | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.MON.48 | Ensure Amazon QuickSight has Termination Protection Enabled | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.NET.140 | Ensure VPN Gateway is Available | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.15 | Ensure that AWS Timestream Database has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.17 | Ensure that AWS Timestream Table has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.110 | Ensure that AWS Personalize has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AZU.OPE.06 | Ensure that Azure Power BI Embedded Capacity has tags | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AWS.CRY.73 | Ensure that user Volume Encryption is enabled for AWS Workspace | High | Removal | - | - | - | CloudGuard AWS All Rules Ruleset; AWS APRA 234; AWS CloudGuard Best Practices
D9.AWS.CRY.74 | Ensure that root Volume Encryption is enabled for AWS Workspace | High | Removal | - | - | - | CloudGuard AWS All Rules Ruleset; AWS APRA 234; AWS CloudGuard Best Practices
D9.AWS.OPE.53 | Ensure Amazon Organizations is in use to consolidate all your AWS accounts into an organization | Medium | Removal | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.59 | Ensure unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices | Low | Removal | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AZU.NET.67 | Ensure that Containers and their blobs are not exposed publicly | Critical | Removal | - | - | - | CloudGuard Azure All Rules Ruleset; CloudGuard Azure Default Ruleset; Azure ISO 27001:2022; Azure ENS 2022; Azure CloudGuard Best Practices
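Two of the logic changes in this section deserve a closer look. The four root-account rules (D9.AWS.IAM.01, IAM.16, IAM.149 and IAM.146) move from `name regexMatch /^<root_account>$/i` to `name like '%root_account%'`; because `like` with `%` on both sides is a substring match, the new selector also picks up any ordinary IAM user whose name happens to contain `root_account`, not only the root pseudo-user, which the IAM credential report lists as `<root_account>`. D9.AWS.CRY.101 replaces a negated and/or expression with a plain conjunction; under the old expression a WorkSpace with only one of its two volumes encrypted passed, whichever way the `and`/`or` precedence is read. The Python below is an added example, not CloudGuard's or the page's code: the `like` helper, the sample user names and the WorkSpace records are constructed, and the assumption that the rule language's `like` is a case-sensitive SQL-style pattern with `%` as its only wildcard is mine.

```python
"""Two of the December 06 2023 logic changes, re-implemented over constructed
data.  Added example, not CloudGuard code."""
from __future__ import annotations

import re
from typing import Callable

# --- root-account selector (IAM.01, IAM.16, IAM.149, IAM.146) ---------------
ROOT_REGEX = re.compile(r"^<root_account>$", re.IGNORECASE)   # Before
ROOT_LIKE = "%root_account%"                                   # After


def like(value: str, pattern: str) -> bool:
    """SQL-style LIKE with '%' as the only wildcard; '_' is taken literally.
    Assumption about how the rule language evaluates `like`."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value) is not None


def selects_root_before(user_name: str) -> bool:
    return ROOT_REGEX.match(user_name) is not None


def selects_root_after(user_name: str) -> bool:
    return like(user_name, ROOT_LIKE)


# Constructed names in credential-report style; `<root_account>` is the
# literal name under which the root user appears there.
USER_NAMES = ["<root_account>", "alice", "prod_root_account_svc"]


def selected(check: Callable[[str], bool]) -> list[str]:
    """Users the selector applies the root-account checks to."""
    return [n for n in USER_NAMES if check(n)]


# --- WorkSpaces volume encryption (CRY.101) -------------------------------
def workspace_compliant_before(ws: dict) -> bool:
    """Workspace should not have userVolumeEncryptionEnabled=false and
    rootVolumeEncryptionEnabled=false or rootVolumeEncryptionEnabled isEmpty()
    and userVolumeEncryptionEnabled isEmpty() -- read with `and` binding
    tighter than `or`.  Under the other reading the first and last clauses
    contradict each other and nothing is ever flagged."""
    user = ws.get("UserVolumeEncryptionEnabled")
    root = ws.get("RootVolumeEncryptionEnabled")
    violates = (user is False and root is False) or (root is None and user is None)
    return not violates


def workspace_compliant_after(ws: dict) -> bool:
    """Workspace should have userVolumeEncryptionEnabled=true and
    rootVolumeEncryptionEnabled=true"""
    return (ws.get("UserVolumeEncryptionEnabled") is True
            and ws.get("RootVolumeEncryptionEnabled") is True)


# Constructed records in the shape of `aws workspaces describe-workspaces`.
WORKSPACES = [
    {"WorkspaceId": "ws-full", "UserVolumeEncryptionEnabled": True, "RootVolumeEncryptionEnabled": True},
    {"WorkspaceId": "ws-user-only", "UserVolumeEncryptionEnabled": True, "RootVolumeEncryptionEnabled": False},
    {"WorkspaceId": "ws-none", "UserVolumeEncryptionEnabled": False, "RootVolumeEncryptionEnabled": False},
    {"WorkspaceId": "ws-unset"},
]


def noncompliant_workspaces(check: Callable[[dict], bool]) -> list[str]:
    return [w["WorkspaceId"] for w in WORKSPACES if not check(w)]


if __name__ == "__main__":
    print("root selector before:", selected(selects_root_before))
    print("root selector after: ", selected(selects_root_after))
    print("workspaces before:", noncompliant_workspaces(workspace_compliant_before))
    print("workspaces after: ", noncompliant_workspaces(workspace_compliant_after))
```

The wider root selector is harmless for IAM.16 and IAM.149 (an ordinary user without active access keys or with MFA passes anyway), but for IAM.01 and IAM.146 it means a service user named, say, `prod_root_account_svc` that signs in daily will be reported as recent root usage; renaming such users or accepting the finding is the practical choice.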

November 29 2023

Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets
D9.AWS.IAM.189 | Ensure that Authorization Type in API Gateway is not set to None | High | New | - | - | - | AWS MITRE ATT&CK Framework v11.3; AWS HITRUST v11.0.0; CloudGuard AWS Default Ruleset; CloudGuard AWS All Rules Ruleset; AWS Foundational Security Best Practices (FSBP) standard; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Best Practices; AWS HITRUST; AWS ITSG-33; AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.103 | Ensure that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using Customer-managed Customer Master Keys | High | Modification | Logic | KinesisFirehose should have deliveryStreamEncryptionConfiguration.keyType.value='AWS_OWNED_CMK' | KinesisFirehose should have (getResources('Kinesis', source.kinesisStreamSourceDescription.kinesisStreamARN, 'id') contain [$.encrypted = true]) or (deliveryStreamEncryptionConfiguration.keyType.value in ('CUSTOMER_MANAGED_CMK','AWS_OWNED_CMK')) | CloudGuard AWS All Rules Ruleset; AWS APRA 234
D9.AWS.OPE.107 | Ensure that DAX Parameter Group doesn't require reboot | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.108 | Ensure that Compute Optimizer has no high performance risk ratings | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.109 | Ensure that AWS Data Exchange Dataset has tags | Low | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.AZU.OPE.05 | Ensure that Chaos Studio Experiment's status is not failed | Low | New | - | - | - | CloudGuard Azure All Rules Ruleset
D9.AWS.NET.67 | Ensure that all authorization Type in API Gateway are not set to None | High | Removal | - | - | - | AWS MITRE ATT&CK Framework v11.3; AWS HITRUST v11.0.0; CloudGuard AWS Default Ruleset; CloudGuard AWS All Rules Ruleset; AWS Foundational Security Best Practices (FSBP) standard; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Best Practices; AWS HITRUST; AWS ITSG-33; AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.146 | Ensure that FinSpace Environment is encrypted using CMK | Low | Removal | - | - | - | CloudGuard AWS All Rules Ruleset

November 22 2023

Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets
D9.AZU.LOG.17 | Ensure that Endpoint Protection for all Windows Virtual Machines is installed | High | Modification | Name; Logic | Name: Ensure that Endpoint Protection for all Virtual Machines is installed; Logic: VirtualMachine should have extensions contain [ virtualMachineExtensionType='IaaSAntimalware' and provisioningState='Succeeded' ] | Name: Ensure that Endpoint Protection for all Windows Virtual Machines is installed; Logic: VirtualMachine where operatingSystem='Windows' should have extensions contain [ virtualMachineExtensionType='IaaSAntimalware' and provisioningState='Succeeded' ] | Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; CloudGuard Azure Default Ruleset; CIS Microsoft Azure Compute Services Benchmark v1.0.0; Azure APRA 234; Azure ISO 27001:2022; AZURE MLPS 2.0; Azure ENS 2022; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1
D9.AWS.IAM.185 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | Low | New | - | - | - | AWS Security Risk Management; AWS NIST 800-53 Rev 5; AWS CIS Foundations v. 1.5.0; AWS MITRE ATT&CK Framework v11.3; AWS PCI-DSS 4.0; AWS HITRUST v11.0.0; AWS CSA CCM v.4.0.1; AWS CIS Foundations v. 2.0.0; CloudGuard AWS All Rules Ruleset; AWS ISO27001:2022; AWS APRA 234; AWS ENS 2022; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Best Practices; AWS CIS Foundations v. 1.3.0; AWS CIS Foundations v. 1.4.0; AWS MITRE ATT&CK Framework v10
D9.AWS.NET.90 | Ensure that EC2 Metadata Service only allows IMDSv2 | High | Modification | Severity | Medium | High | AWS Security Risk Management; AWS NIST 800-53 Rev 5; AWS HITRUST v11.0.0; CloudGuard AWS Default Ruleset; AWS CIS Foundations v. 2.0.0; CloudGuard AWS All Rules Ruleset; AWS ISO27001:2022; AWS Foundational Security Best Practices (FSBP) standard; AWS ENS 2022; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Best Practices
D9.AWS.IAM.186 | Ensure that Data Lake's 'allowFullTableExternalDataAccess' setting is disabled | High | New | - | - | - | CloudGuard AWS All Rules Ruleset
D9.K8S.IAM.93 | Ensure that a limit is set on pod PIDs (Kubelet) | High | New | - | - | - | CIS Kubernetes Benchmark v1.8.0
D9.AWS.CRY.56 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | Low | Removal | - | - | - | AWS Security Risk Management; AWS NIST 800-53 Rev 5; AWS CIS Foundations v. 1.5.0; AWS MITRE ATT&CK Framework v11.3; AWS PCI-DSS 4.0; AWS HITRUST v11.0.0; AWS CSA CCM v.4.0.1; AWS CIS Foundations v. 2.0.0; CloudGuard AWS All Rules Ruleset; AWS ISO27001:2022; AWS APRA 234; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Best Practices; AWS CIS Foundations v. 1.3.0; AWS CIS Foundations v. 1.4.0; AWS MITRE ATT&CK Framework v10

November 15 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.NET.95

Ensure API Gateway has WAF

Low

Modification

  • Name

  • Logic

  • Ensure API gateway has WAF

  • ApiGateway should have wafRegional

  • Ensure API Gateway has WAF

  • ApiGateway should have stages contain-all [ wafRegional or wafRegionalV2 ]

  • CloudGuard AWS Default Ruleset

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS Foundational Security Best Practices (FSBP) standard

D9.AWS.AS.38

Ensure that FinSpace Environment has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.39

Ensure that Comprehend Flywheel has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.40

Ensure that Comprehend Endpoint has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.41

Ensure that AWS Config Rule has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.148

Ensure that Forecast Predictor is encrypted using CMK

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.147

Ensure that Forecast Dataset is encrypted using CMK

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.142

Ensure that Comprehend Flywheel's model is encrypted with CMK

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.143

Ensure that Comprehend Flywheel's volume is encrypted with CMK

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.144

Ensure that CloudSearch Domain enforces HTTPS

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.145

Ensure that your CloudSearch Domain is enforcing a minimum TLS security policy of version 1.2

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.146

Ensure that FinSpace Environment is encrypted using CMK

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.184

Ensure unused IAM users are removed from AWS account to follow security best practice

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.NET.139

Ensure that your Amazon Comprehend Flywheel uses a VPC

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.91

Ensure that FinSpace Environment status is healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.104

Ensure that Forecast Predictor has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.105

Ensure that Forecast Predictor status is healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.103

Ensure that Forecast Dataset has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.93

Ensure that Verified Permissions Policy Store has validation enabled

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.94

Ensure that Comprehend Flywheel's status is not failed

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.95

Ensure that Comprehend Endpoint's status is not failed

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.96

Ensure that the status of the CloudSearch Domain is healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.99

Ensure that Forecast Monitor has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.102

Ensure that Forecast Monitor status is healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.97

Ensure that Forecast Explainability has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.98

Ensure that Forecast has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.100

Ensure that Forecast Explainability status is healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.101

Ensure that Forecast status is healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.106

Ensure that Forecast Dataset Group has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.K8S.AC.24

CVE-2022-0811: Prevent pods from having securityContext with sysctls that contains + or =

Critical

Modification

  • Logic

  • KubernetesPod should not have spec.securityContext.sysctls contain-any [ value like '%+%' or value like '%=%' ]

  • KubernetesPod should not have spec.securityContext.sysctls contain-any [ value like '%\+%' or value like '%=%' ]

  • Container Admission Control

  • Container Admission Control 1.0
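
The only thing that changed in D9.K8S.AC.24 above is a backslash in front of the '+'. That matters if the LIKE pattern is compiled into a regular expression, where an unescaped '+' is a quantifier rather than a literal. The check below, an added example rather than the product's own evaluator, models that translation (an assumption about the backend) and runs the Before and After patterns over constructed pod specs; the "plus-injection" value has the shape CVE-2022-0811 (cr8escape) abused in CRI-O, where a sysctl value such as `1+kernel.core_pattern=...` was applied as two settings. Pod names and values are constructed.

```python
import re
from typing import Any, Dict, List, Optional


def pod(name: str, sysctls: List[Dict[str, str]]) -> Dict[str, Any]:
    """Minimal pod object with the spec.securityContext.sysctls path the rule reads."""
    return {"metadata": {"name": name},
            "spec": {"securityContext": {"sysctls": sysctls}}}


# Constructed pod specs (example data, not from the page). "plus-injection" has
# the value shape CVE-2022-0811 abused: a '+' that appends a second sysctl
# (kernel.core_pattern) to a harmless one.
PODS: List[Dict[str, Any]] = [
    pod("benign", [{"name": "net.ipv4.ip_unprivileged_port_start", "value": "80"}]),
    pod("plus-injection", [{"name": "kernel.shm_rmid_forced",
                            "value": "1+kernel.core_pattern=|/tmp/payload #"}]),
    pod("plus-only", [{"name": "kernel.msgmax", "value": "1+2"}]),
    pod("equals-only", [{"name": "kernel.msgmax", "value": "8192=1"}]),
    pod("no-sysctls", []),
]

BEFORE_PATTERNS = ["%+%", "%=%"]      # as printed in the Before column
AFTER_PATTERNS = [r"%\+%", "%=%"]     # as printed in the After column


def like_to_regex(pattern: str) -> Optional[re.Pattern]:
    """Model of a LIKE engine that turns '%' into '.*' and passes everything else
    through as regex syntax. That backend behaviour is an assumption; it is the
    only reading under which escaping the '+' changes anything. Returns None when
    the pattern does not compile."""
    try:
        return re.compile("^" + pattern.replace("%", ".*") + "$", re.DOTALL)
    except re.error:
        return None


def pattern_is_broken(pattern: str) -> bool:
    """A blocklist pattern is broken if it cannot leave a plain value alone:
    '^.*+.*$' is 'multiple repeat' on Python < 3.11 and a possessive
    quantifier that matches every string on Python >= 3.11."""
    rx = like_to_regex(pattern)
    return rx is None or rx.match("80") is not None


def sysctls_of(p: Dict[str, Any]) -> List[Dict[str, str]]:
    return p.get("spec", {}).get("securityContext", {}).get("sysctls") or []


def violating_sysctls(p: Dict[str, Any], patterns: List[str]) -> List[str]:
    """Names of sysctls whose value matches any blocked pattern. Patterns that
    fail to compile are skipped, so the decision then rests on the others."""
    compiled = [rx for rx in map(like_to_regex, patterns) if rx is not None]
    return [s["name"] for s in sysctls_of(p)
            if any(rx.match(s.get("value", "")) for rx in compiled)]


def admit(p: Dict[str, Any], patterns: List[str] = AFTER_PATTERNS) -> bool:
    """Admission decision: True when no sysctl value carries '+' or '='."""
    return not violating_sysctls(p, patterns)


def decisions(patterns: List[str]) -> Dict[str, bool]:
    return {p["metadata"]["name"]: admit(p, patterns) for p in PODS}


if __name__ == "__main__":
    print("unescaped '%+%' broken:", pattern_is_broken("%+%"))
    print("before:", decisions(BEFORE_PATTERNS))
    print("after: ", decisions(AFTER_PATTERNS))
```

Running it shows the Before pattern either failing to compile (so only the '=' test is left and "plus-only" is admitted) or, on newer interpreters, matching every value (so even "benign" is rejected); the After pattern rejects exactly the three pods whose values contain '+' or '='.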

D9.K8S.IA.21

Package of Unknown Severity

Informational

Modification

  • Logic

  • Package should not have cves contain [ severity='Unknown' ]

  • Package should not have cves contain [ severity isEmpty() or severity='Unknown' ]

  • Container Image Assurance 1.0

D9.AWS.CRY.106

Ensure unused IAM users are removed from AWS account to follow security best practice

Medium

Removal

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

November 08 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.NET.01

Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to SSH (TCP:22)

Critical

New

 

 

 

  • AWS CIS Foundations v. 1.5.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CIS Controls V 8

  • AWS CIS Foundations v. 2.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS APRA 234

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.AWS.NET.02

Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to RDP (TCP:3389)

Critical

New

 

 

 

  • AWS CIS Foundations v. 1.5.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CIS Controls V 8

  • AWS CIS Foundations v. 2.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS APRA 234

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.AWS.NET.91

Ensure no security groups allow unrestricted ingress to commonly used remote server administration ports

Critical

Modification

  • Name

  • Logic

  • Ensure no security groups allow ingress from ::/0 to remote server administration ports

  • SecurityGroup should not have inboundRules with [ (scope='::/0') and ( ( port<=22 and portTo>=22) or ( port<=3389 and portTo>=3389 ) ) ]

  • Ensure no security groups allow unrestricted ingress to commonly used remote server administration ports

  • SecurityGroup should not have inboundRules with [ (scope='::/0' or scope='0.0.0.0/0') and ( ( port<=22 and portTo>=22) or ( port<=3389 and portTo>=3389 ) ) ]

  • AWS CIS Foundations v. 1.5.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CIS Controls V 8

  • AWS CIS Foundations v. 2.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS APRA 234

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices
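
The D9.AWS.NET.91 change above widens the scope test from IPv6-only ('::/0') to both address families, while keeping the range test (port<=22 and portTo>=22), which is what catches a 0-65535 rule as well as a rule that names port 22 outright. The evaluator below is an added example, not CloudGuard's own engine, and runs both versions of the logic over constructed security groups whose fields mirror the inboundRules shape the rule reads. Group names and CIDRs are constructed.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

ADMIN_PORTS = (22, 3389)            # SSH and RDP, the ports in the rule logic
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
BEFORE_SCOPES: Set[str] = {ANY_V6}            # scope='::/0'
AFTER_SCOPES: Set[str] = {ANY_V4, ANY_V6}     # scope='::/0' or scope='0.0.0.0/0'

# Constructed security groups (example data, not from the page). "port" and
# "portTo" mirror the inboundRules fields the rule logic reads.
SECURITY_GROUPS: List[Dict] = [
    {"name": "ssh-open-ipv4",
     "inboundRules": [{"scope": ANY_V4, "port": 22, "portTo": 22}]},
    {"name": "rdp-open-ipv6",
     "inboundRules": [{"scope": ANY_V6, "port": 3389, "portTo": 3389}]},
    {"name": "all-ports-open",
     "inboundRules": [{"scope": ANY_V4, "port": 0, "portTo": 65535}]},
    {"name": "ssh-from-office",
     "inboundRules": [{"scope": "203.0.113.0/24", "port": 22, "portTo": 22}]},
    {"name": "https-only",
     "inboundRules": [{"scope": ANY_V4, "port": 443, "portTo": 443}]},
    {"name": "no-rules", "inboundRules": []},
]


def rule_covers_port(rule: Dict, port: int) -> bool:
    """The range test the logic writes as (port<=N and portTo>=N): a rule whose
    range merely straddles the port is as exposed as one that names it."""
    return rule["port"] <= port <= rule["portTo"]


def scope_is_unrestricted(scope: str) -> bool:
    """The rule logic compares the scope string literally. Parsing the CIDR and
    testing for a zero-length prefix is the same condition, but also catches
    spellings such as '::0/0' that a string comparison would miss."""
    return ipaddress.ip_network(scope, strict=False).prefixlen == 0


def violates(sg: Dict, scopes: Set[str]) -> bool:
    return any(r["scope"] in scopes and any(rule_covers_port(r, p) for p in ADMIN_PORTS)
               for r in sg["inboundRules"])


def find_violations(groups: Iterable[Dict], scopes: Set[str]) -> List[str]:
    """Security groups the rule would flag for the given set of open scopes."""
    return [g["name"] for g in groups if violates(g, scopes)]


def find_violations_parsed(groups: Iterable[Dict]) -> List[str]:
    """Same check with the CIDR parsed instead of string-compared."""
    return [g["name"] for g in groups
            if any(scope_is_unrestricted(r["scope"])
                   and any(rule_covers_port(r, p) for p in ADMIN_PORTS)
                   for r in g["inboundRules"])]


if __name__ == "__main__":
    print("before (::/0 only):      ", find_violations(SECURITY_GROUPS, BEFORE_SCOPES))
    print("after  (::/0, 0.0.0.0/0):", find_violations(SECURITY_GROUPS, AFTER_SCOPES))
```

With the Before scopes only the IPv6 RDP group is flagged; with the After scopes the IPv4 SSH group and the all-ports group are flagged as well. The office-restricted and HTTPS-only groups pass under both.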

D9.AWS.AS.30

Ensure that Lightsail Distribution has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.32

Ensure that Nimble Studio has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.34

Ensure that Lightsail Relational Database has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.35

Ensure that AppRunner Autoscaling Configuration has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.36

Ensure that CloudHSM Cluster has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.37

Ensure that CloudHSM Backup has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.140

Ensure that Nimble Studio is encrypted

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.141

Ensure that Nimble Studio is encrypted using CMK

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.19

Ensure that Lightsail Relational Database has a recent snapshot

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.20

Ensure that Lightsail Relational Database has Backup Retention enabled

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.21

Ensure that CloudHSM Cluster has a backup retention of at least 30 days

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.137

Ensure that Lightsail Distribution doesn't allow unrestricted operations via HTTP requests

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.138

Ensure that Lightsail Relational Database is not publicly accessible

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.86

Ensure that AWS account's Support Level is 'Business' or 'Enterprise'

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.88

Ensure that Nimble Studio status is healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.89

Ensure that Connect Instance status is healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.90

Ensure that CloudHSM Cluster is in an operational state

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.92

Ensure that the CloudHSM Cluster does not have any Hardware Security Modules (HSMs) in a degraded state

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AZU.IAM.59

Configure your Microsoft Azure virtual machines to use Azure Active Directory credentials for secure authentication.

Low

Modification

  • Severity

  • Critical

  • Low

  • CloudGuard Azure All Rules Ruleset

  • Azure ISO 27001:2022

D9.AWS.NET.77

Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports

Critical

Removal

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS Foundational Security Best Practices (FSBP) standard

  • AWS APRA 234

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS CIS Foundations v. 1.3.0

  • AWS CIS Foundations v. 1.4.0

D9.AWS.CRY.100

Ensure that Amazon Glue Data Catalog objects and connection passwords are encrypted

High

Removal

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

November 01 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.IAM.175

MFA should be Active for All IAM Users

High

New

 

 

 

  • AWS Security Risk Management

  • CloudGuard AWS All Rules Ruleset

  • AWS Dashboard System Ruleset

D9.AZU.IAM.46

Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users

High

Modification

  • Logic

  • User where assignedRoles contain [displayName regexMatch /.*Administrator|Creator|Global.*/] should have userCredentialRegistrationDetails.isRegisterWithMfa=true

  • User where assignedRoles with [displayName like '%admin%' or displayName like '%contributor%' or displayName like '%creator%' or displayName like '%manage%' or displayName like '%owner%'] should have userCredentialRegistrationDetails.isRegisterWithMfa=true

  • Azure Security Risk Management

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • CloudGuard Azure Default Ruleset

  • Azure ISO 27001:2022

  • AZURE MLPS 2.0

  • Azure Dashboard System Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.IAM.47

Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users

High

Modification

  • Logic

  • User should have userCredentialRegistrationDetails.isRegisterWithMfa=true

  • User where assignedRoles with [displayName unlike '%admin%' and displayName unlike '%contributor%' and displayName unlike '%creator%' and displayName unlike '%manage%' and displayName unlike '%owner%'] should have userCredentialRegistrationDetails.isRegisterWithMfa=true

  • Azure Security Risk Management

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • CloudGuard Azure Default Ruleset

  • Azure Dashboard System Ruleset

  • Azure CloudGuard Best Practices
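
The D9.AZU.IAM.46 and D9.AZU.IAM.47 changes above replace one regular expression with five case-insensitive substring tests and, for IAM.47, add a role filter where the old rule applied to every user. Two consequences follow from the printed logic: the old pattern `.*Administrator|Creator|Global.*` is three alternatives, so a role named "Owner" was never privileged under it; and since both new rules start with `assignedRoles with [...]`, a user with no assigned roles is matched by neither. The code below is an added example (not the product's evaluator) that runs both versions over constructed users; it assumes `regexMatch` is an unanchored search and that `with` means at least one element matches.

```python
import re
from typing import Dict, List, Set

PRIVILEGED_TERMS = ("admin", "contributor", "creator", "manage", "owner")
# The previous pattern exactly as printed. Alternation binds loosely, so this is
# ".*Administrator" OR "Creator" OR "Global.*", which never matches "Owner".
OLD_PRIVILEGED_RE = re.compile(r".*Administrator|Creator|Global.*")

# Constructed directory users (example data, not from the page).
USERS: List[Dict] = [
    {"upn": "alice", "roles": ["Global Administrator"], "mfa": False},
    {"upn": "bob",   "roles": ["Owner"], "mfa": False},
    {"upn": "carol", "roles": ["Reader"], "mfa": False},
    {"upn": "dave",  "roles": [], "mfa": False},
    {"upn": "erin",  "roles": ["Owner", "Reader"], "mfa": False},
    {"upn": "frank", "roles": ["User Access Administrator"], "mfa": True},
]


def is_privileged_before(role: str) -> bool:
    """regexMatch modelled as an unanchored search (an assumption about the engine)."""
    return OLD_PRIVILEGED_RE.search(role) is not None


def is_privileged_after(role: str) -> bool:
    """like '%admin%' etc.: case-insensitive substring test over the five terms."""
    lowered = role.lower()
    return any(term in lowered for term in PRIVILEGED_TERMS)


def failing_rules_before(user: Dict) -> Set[str]:
    failed: Set[str] = set()
    if not user["mfa"]:
        if any(is_privileged_before(r) for r in user["roles"]):
            failed.add("D9.AZU.IAM.46")
        failed.add("D9.AZU.IAM.47")        # old IAM.47 applied to every user
    return failed


def failing_rules_after(user: Dict) -> Set[str]:
    """Both rules now open with 'assignedRoles with [...]', read here as
    'at least one assigned role satisfies the filter' (an assumption about GSL
    semantics). A user with no roles is therefore in scope of neither."""
    failed: Set[str] = set()
    if not user["mfa"]:
        if any(is_privileged_after(r) for r in user["roles"]):
            failed.add("D9.AZU.IAM.46")
        if any(not is_privileged_after(r) for r in user["roles"]):
            failed.add("D9.AZU.IAM.47")
    return failed


def uncovered_users(users: List[Dict]) -> List[str]:
    """Users without MFA that the new logic never flags."""
    return [u["upn"] for u in users if not u["mfa"] and not failing_rules_after(u)]


if __name__ == "__main__":
    for u in USERS:
        print(u["upn"], sorted(failing_rules_before(u)), sorted(failing_rules_after(u)))
    print("uncovered:", uncovered_users(USERS))
```

"bob" (Owner, no MFA) moves from the non-privileged rule to the privileged one; "erin" (Owner plus Reader) now fails both; "dave" (no roles, no MFA) was caught by the old IAM.47 and is caught by nothing after the change. If role-less accounts exist in the tenant, a separate check for them is worth keeping.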

D9.AWS.AS.20

Ensure AppRunner Service has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.21

Ensure that Lightsail Domain has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.25

Ensure that MWAA Environment has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.27

Ensure that ACM Private Certificate Authority has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.28

Ensure that Directory Service Directories have an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.29

Ensure that AppRunner Connection has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.31

Ensure that AppRunner VPC Connector has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.136

Ensure that AppRunner Service is encrypted using CMK

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.137

Ensure that the ACM Private Certificate Authority is not set to expire within the next 7 days

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.138

Ensure that AppFabric App Bundle is encrypted using CMK

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.139

Ensure that MWAA Environment is encrypted with CMK

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.180

Ensure that Single Sign-On (SSO) is enabled for DS Directory

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.182

Ensure that DS Directory's RADIUS server is configured and in a healthy state

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.183

Ensure that DS Directory RADIUS authentication protocol is configured and not set to 'PAP'

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.45

Ensure that MWAA Environment's status is healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.46

Ensure that AWS Lightsail Domain's name server update state is not failed

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.134

Ensure that AppRunner Service is not publicly accessible through the internet

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.135

Ensure that AppRunner Service outgoing traffic is not routed directly to public internet

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.136

Ensure that MWAA Environment webserver access mode is set to private only

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.73

Ensure AppRunner Service has observability enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.74

Make sure the AppRunner Service was created without any issues.

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.75

Ensure that the common name for your ACM Private Certificate Authority is a Fully Qualified Domain Name (FQDN)

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.76

Ensure that AppFabric App Bundle has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.77

Ensure that AppRunner Connection is in a healthy state

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.78

Ensure that Support Case status is not 'pending-customer-action'

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.79

Ensure AWS MWAA Environment's last-update status is not failed

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.80

Ensure that the Private Certificate Authority's status is not expired or failed

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.81

Ensure that MWAA Environment DagProcessingLogs are enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.82

Ensure that MWAA Environment SchedulerLogs are enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.83

Ensure that MWAA Environment TaskLogs are enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.84

Ensure that MWAA Environment WebserverLogs are enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.85

Ensure that AWS MWAA Environment WorkerLogs are enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.87

Ensure that the DS Directory is in a healthy state

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.K8S.IA.21

Package of Unknown Severity

Informational

Modification

  • Logic

  • Package where not severity isEmpty() should have severity in('Low','Medium','High','Critical')

  • Package should not have cves contain [ severity='Unknown' ]

  • Container Image Assurance 1.0

October 25 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.DR.03

Ensure AWS RDS retention policy is at least 7 days

High

Modification

  • Logic

  • Severity

  • RDS should have backupRetentionPeriod>6

  • Medium

  • RDS should have backupRetentionPeriod!=0 and backupRetentionPeriod>6

  • High

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS APRA 234

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.AS.24

Ensure that AWS MediaTailor Source Location has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.26

Ensure Lightsail Disk has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.179

Ensure MediaTailor Source Location has access authentication configured

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.43

Ensure AWS Lightsail Disk's state is not error or unknown

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.44

Ensure AWS Lightsail Disk's auto-mount status is not failed

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.127

Ensure no security group allows inbound access on a range of ports

High

Modification

  • Logic

  • SecurityGroup should have inboundRules contain-all [$.port = $.portTo]

  • SecurityGroup where not inboundRules isEmpty() should have inboundRules contain-all [$.port = $.portTo]

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.129

Ensure AWS VPC does not allow unauthorized peering

High

Modification

  • Logic

  • VPC should have vpcPeeringConnections with [ targetVpc.ownerId = ~.accountNumber ]

  • VPC where vpcPeeringConnections length()>0 should have vpcPeeringConnections with [ targetVpc.ownerId = ~.accountNumber ]

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.67

Ensure that Batch Job Compute Environment has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.68

Ensure that Batch Job Definition has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.69

Ensure that Batch Job Compute Environment's state is not 'INVALID'

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.70

Ensure that Signer Job status is not 'Failed'

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.71

Ensure that your AWS AppStream 2.0 Usage Report Subscriptions are healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.72

Ensure that your AWS AppStream 2.0 Usage Report was generated in the last 30 days

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.14

Ensure AWS RDS instances have Automated Backups feature enabled

High

Removal

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

October 18 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.LOG.24

Ensure Object-level Logging of Read Events is Enabled for S3 Buckets

High

Modification

  • Name

  • Logic

  • Severity

  • Ensure that Object-level logging for read events is enabled for S3 bucket

  • CloudTrail should have (eventSelectors contain [ dataResources contain [type like 'AWS::S3::Object' ] ]) and (eventSelectors contain [ readWriteType = 'ReadOnly' or readWriteType = 'All'])

  • Low

  • Ensure Object-level Logging of Read Events is Enabled for S3 Buckets

  • List<CloudTrail> should have ( items with [ status.isLogging=true and isOrganizationTrail=true and eventSelectors contain [ dataResources contain [ type='AWS::S3::Object' and values contain ['arn:aws:s3:::' ] ] ] length()>0 ] ) or ( items with [ status.isLogging=true and isOrganizationTrail=false and eventSelectors contain [ dataResources contain [ type='AWS::S3::Object' and (eventSelectors contain [ readWriteType = 'ReadOnly' or readWriteType = 'All'] ) length()>0 ] ] ] )

  • High

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS APRA 234

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS CIS Foundations v. 1.3.0

  • AWS CIS Foundations v. 1.4.0
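
The D9.AWS.LOG.24 rewrite above changes three things: the check now requires the trail to be logging, it distinguishes organization trails (which must cover every bucket, `arn:aws:s3:::`) from account trails, and it is evaluated over `List<CloudTrail>`, so one qualifying trail satisfies the whole account. The old logic's two `contain` clauses were independent, which a trail with an S3 data resource in one selector and a ReadOnly type in another satisfied without recording a single S3 read. The code below is an added example, not the product's evaluator, run over constructed trails; it reads the new logic as requiring both conditions in the same selector. Note that the printed After expression re-references `eventSelectors` inside the data-resource clause for the non-organization branch, so confirm what your evaluator actually does with a split-selector trail before relying on it.

```python
from typing import Dict, List

S3_OBJECT = "AWS::S3::Object"
ALL_BUCKETS = "arn:aws:s3:::"       # the data-resource value meaning "every bucket"
READ_TYPES = {"ReadOnly", "All"}


def trail(name: str, logging: bool, org: bool, selectors: List[Dict]) -> Dict:
    return {"name": name, "status": {"isLogging": logging},
            "isOrganizationTrail": org, "eventSelectors": selectors}


def s3_objects(*values: str) -> Dict:
    return {"type": S3_OBJECT, "values": list(values)}


# Constructed trails (example data, not from the page).
TRAILS: List[Dict] = [
    trail("mgmt-only", True, False,
          [{"readWriteType": "All", "dataResources": []}]),
    trail("s3-writes-only", True, False,
          [{"readWriteType": "WriteOnly", "dataResources": [s3_objects(ALL_BUCKETS)]}]),
    trail("split-selectors", True, False,
          [{"readWriteType": "ReadOnly", "dataResources": []},
           {"readWriteType": "WriteOnly", "dataResources": [s3_objects(ALL_BUCKETS)]}]),
    trail("org-stopped", False, True,
          [{"readWriteType": "All", "dataResources": [s3_objects(ALL_BUCKETS)]}]),
    trail("org-one-bucket", True, True,
          [{"readWriteType": "All", "dataResources": [s3_objects("arn:aws:s3:::finance-logs/")]}]),
]
COMPLIANT_TRAIL = trail("s3-reads", True, False,
                        [{"readWriteType": "ReadOnly", "dataResources": [s3_objects(ALL_BUCKETS)]}])


def trail_passes_before(t: Dict) -> bool:
    """Old logic: two independent 'contain' clauses over eventSelectors, no
    isLogging test. 'split-selectors' satisfies both clauses without any
    selector that actually records S3 reads."""
    sels = t["eventSelectors"]
    has_s3 = any(dr["type"] == S3_OBJECT for s in sels for dr in s["dataResources"])
    has_read = any(s["readWriteType"] in READ_TYPES for s in sels)
    return has_s3 and has_read


def selector_logs_s3_reads(sel: Dict, require_all_buckets: bool) -> bool:
    if sel["readWriteType"] not in READ_TYPES:
        return False
    return any(dr["type"] == S3_OBJECT and (not require_all_buckets or ALL_BUCKETS in dr["values"])
               for dr in sel["dataResources"])


def trail_passes_after(t: Dict) -> bool:
    """New logic, per trail: the trail is logging and one selector carries both
    the S3 object data resource and a read-capable readWriteType; organization
    trails must additionally cover every bucket."""
    if not t["status"]["isLogging"]:
        return False
    return any(selector_logs_s3_reads(s, require_all_buckets=t["isOrganizationTrail"])
               for s in t["eventSelectors"])


def passing(trails: List[Dict], check) -> List[str]:
    return [t["name"] for t in trails if check(t)]


def account_passes_after(trails: List[Dict]) -> bool:
    """List<CloudTrail>: one qualifying trail anywhere in the account satisfies
    the rule, so the finding is account-wide rather than per trail."""
    return any(trail_passes_after(t) for t in trails)


if __name__ == "__main__":
    print("before:", passing(TRAILS, trail_passes_before))
    print("after: ", passing(TRAILS, trail_passes_after))
    print("account ok:", account_passes_after(TRAILS + [COMPLIANT_TRAIL]))
```

Under the old logic the stopped organization trail, the single-bucket organization trail and the split-selector trail all pass; under the new logic none of the five does, and the account only passes once a trail like `COMPLIANT_TRAIL` exists.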

D9.AWS.AS.12

Ensure Lightsail Load Balancer has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.13

Ensure Lightsail Instance has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.16

Ensure CodePipeline Webhook has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.17

Ensure that AWS MediaTailor Playback Configuration has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.18

Ensure that AWS MediaTailor Channel has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.19

Ensure KeySpace has an associated tag

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.22

Ensure that Signer Profile has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.23

Ensure that DAX Cluster has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.128

Ensure that Amazon Lightsail Load Balancer has HTTPS redirection enabled

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.CRY.130

Ensure Lightsail instances have user-generated SSH keys in order to have full control over the authentication process

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.CRY.131

Ensure that Amazon Lightsail Load Balancer SSL/TLS certificate exists and is attached

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.CRY.132

Ensure that CodePipeline Webhooks require authentication to be triggered

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.CRY.133

Ensure DevOps Guru Service Integration is encrypted with CMK

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.CRY.134

Ensure that DAX Cluster encryption type is TLS

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.CRY.135

Ensure that DAX Cluster has server side encryption enabled

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.IAM.167

Ensure that AWS Lambda IAM policy should not be overly permissive to all traffic

High

Modification

  • Name

  • Logic

  • Ensure that AWS Lambda IAM policy should not overly permissive to all traffic

  • Lambda should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Effect='Allow' and Action in ['*'] ] ] ]

  • Ensure that AWS Lambda IAM policy should not be overly permissive to all traffic

  • Lambda should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Effect='Allow' and Action ='*' ] ] ]

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234
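
The D9.AWS.IAM.167 change above only alters the comparison form (`Action in ['*']` becomes `Action='*'`). The practical point either form has to get right is that an IAM policy document may encode `Action` as a string or as a list, and `Statement` as a single object or a list, so a check that reads only one encoding misses the other. The code below is an added example (not the product's evaluator) that normalizes both before testing for an Allow of `*`, run over constructed execution roles; it deliberately ignores `NotAction`, which the printed logic does not cover either.

```python
from typing import Dict, Iterable, List, Union


def role(name: str, *statements: Dict) -> Dict:
    return {"name": name, "policies": [{"Version": "2012-10-17", "Statement": list(statements)}]}


# Constructed Lambda execution roles (example data, not from the page).
ROLES: List[Dict] = [
    role("logs-only", {"Effect": "Allow",
                       "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"}),
    role("star-as-list", {"Effect": "Allow", "Action": ["*"], "Resource": "*"}),
    role("star-as-string", {"Effect": "Allow", "Action": "*", "Resource": "*"}),
    role("deny-star", {"Effect": "Deny", "Action": "*", "Resource": "*"},
                      {"Effect": "Allow", "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::app-assets/*"}),
    # Statement itself may be a single object rather than a list.
    {"name": "single-statement", "policies": [{"Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}]},
]


def as_list(value: Union[str, List[str], None]) -> List[str]:
    """IAM allows a string where a list is expected; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def iter_statements(policy: Dict) -> List[Dict]:
    st = policy.get("Statement", [])
    return [st] if isinstance(st, dict) else list(st)


def grants_all_actions(stmt: Dict) -> bool:
    """Effect Allow with '*' among the Action entries. Both the before form
    (Action in ['*']) and the after form (Action='*') are after this condition;
    reading it over the normalized list treats the string and the one-element
    list encodings alike."""
    return stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Action"))


def overly_permissive_roles(roles: Iterable[Dict]) -> List[str]:
    """Roles with at least one statement that allows every action."""
    return [r["name"] for r in roles
            if any(grants_all_actions(s) for p in r["policies"] for s in iter_statements(p))]


if __name__ == "__main__":
    print(overly_permissive_roles(ROLES))
```

The list-form, string-form and single-object-statement roles are all reported; the Deny of `*` is not an Allow and is correctly ignored.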

D9.AWS.IAM.176

EC2 with IAM role attached should not have iam:PassRole and ec2:RunInstances permissions

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.IAM.177

There should be no AWS role having iam:PassRole and lambda:InvokeFunction permissions attached to an EC2 instance

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.IAM.178

There should not be any AWS Lambda having an IAM role with Amazon RDS database SQL query execution permissions

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.LOG.56

Ensure that AWS MediaTailor Playback Configuration has 100% logging enabled.

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.LOG.57

Ensure DevOps Guru Service Integration has Anomaly Detection logging enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS APRA 234

D9.AWS.NET.1027

Ensure that Lightsail Instances are not exposed to the public internet

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.62

Ensure that your AWS Lightsail Load Balancers are healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.63

Ensure that your AWS Lightsail Load Balanced Instances are healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.64

Ensure that Batch Job Queue has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.65

Ensure that Kinesis Analytics Application has tags

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.66

Ensure that DevOps Guru Service Integration has the OpsCenter feature enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1014

Ensure AWS Redshift non-default parameter groups require SSL to secure data in transit

Critical

Removal

 

 

 

  • CloudGuard AWS All Rules Ruleset

October 11 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.CRY.33

Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server

High

Modification

  • Logic

  • MySQLDBFlexibleServer should have parameters with [ name='tls_version' and value='TLSv1.2' ]

  • MySQLDBFlexibleServer should have parameters with [ name='tls_version' and value like 'TLSv1.2' ]

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.IAM.66

Ensure Azure groups are Security Enabled

Low

New

 

 

 

  • Azure Security Risk Management

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.67

Ensure App Registration has Expiration Date set for all Client Secrets

Low

New

 

 

 

  • Azure Security Risk Management

  • CloudGuard Azure All Rules Ruleset

D9.AWS.CRY.86

Connections to Amazon Redshift clusters should be encrypted in transit

Medium

Modification

  • Logic

  • Redshift should have parametersGroup contain [ parameters with [ parameterName='require_ssl' and parameterValue='true' ] ]

  • Redshift where status='available' should have parametersGroup contain [ parameters with [ (parameterName='require_ssl' and parameterValue='true') or (parameterName like 'use_fips_ssl' and parameterValue='true')] ]

  • AWS NIST 800-53 Rev 5

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS Foundational Security Best Practices (FSBP) standard

  • AWS CloudGuard Best Practices

D9.AWS.AS.15

ECS Task Definitions should Limit Memory Usage for Containers

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.14

ECS Task Definitions should Mount the Root File System as Read-only

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.129

EKS Cluster should have Secrets Encrypted

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.174

Ensure AWS IAM SSH public keys are rotated on a periodic basis as a security best practice

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1011

Ensure that your CloudFront distributions are using an origin access identity for their origin S3 buckets

High

Modification

  • Logic

  • CloudFront should have distributionConfig.origins.items contain [ s3OriginConfig.originAccessIdentity ]

  • CloudFront where distributionConfig.origins.items contain [ s3OriginConfig ] should have distributionConfig.origins.items contain [ s3OriginConfig.originAccessIdentity ]

  • CloudGuard AWS All Rules Ruleset

  • AWS Foundational Security Best Practices (FSBP) standard

D9.AWS.NET.122

Instances should have Source/Destination Check Enabled when Not Using NAT

High

Modification

  • Name

  • Logic

  • Severity

  • Ensure AWS IAM SSH public keys are rotated on a periodic basis as a security best practice

  • IamUser should not have sshPublicKeys with [ uploadDate before(-30, 'days') ]

  • Low

  • Instances should have Source/Destination Check Enabled when Not Using NAT

  • Instance should have nics with [ ( subnet.routeTable.routes with [ natGatewayId ] ) or ( securityGroups contain-none [ networkInterfaces ] ) or ( securityGroups contain [ networkInterfaces contain-all [ sourceDestCheck = true ] ] ) ]

  • High

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.133

Ensure that your Amazon RDS database cluster snapshots are not accessible to all AWS accounts

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AZU.CRY.66

Ensure that Private Key Vaults are used for Encryption at Rest in Azure Kubernetes Service (AKS)

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.68

Ensure that System-Assigned Managed Identities are used for AKS Clusters

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.69

Ensure that the Network Contributor Role is used for managing Azure Network Resources

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.100

Ensure that the Kubernetes API version for AKS clusters is the latest

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AWS.NET.01

Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)

Critical

Removal

 

 

 

  • AWS HIPAA

  • CloudGuard AWS Dashboards

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.02

Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)

Critical

Removal

 

 

 

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

October 04 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.NET.23

Ensure to filter source IP addresses for Cosmos DB Account

Medium

Modification

  • Name

  • Logic

  • Ensure to filter source Ips for Cosmos DB Account

  • CosmosDbAccount should have ipRangeFilter

  • Ensure to filter source IP addresses for Cosmos DB Account

  • CosmosDbAccount where publicNetworkAccess='Enabled' should have ipRangeFilter

  • Azure CloudGuard CheckUp

  • Azure NIST 800-53 Rev 5

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AWS.IAM.173

API Gateway Routes should Specify an Authorization Type

High

New

 

 

 

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • CloudGuard AWS All Rules Ruleset

  • AWS Foundational Security Best Practices (FSBP) standard

D9.GCP.NET.68

Ensure there are no VPC firewall rules that allow unrestricted inbound access to Cassandra ports (TCP - 7000, 7001, 7199, 8888, 9042, 9160, 61620 and 61621)

High

New

 

 

 

  • GCP NIST 800-53 Rev 5

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.69

Ensure there are no VPC firewall rules that allow unrestricted inbound access to TCP port 9090 (Ciscosecure websm)

High

New

 

 

 

  • GCP NIST 800-53 Rev 5

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.70

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP ports 9200 and 9300 (Elasticsearch)

High

New

 

 

 

  • GCP NIST 800-53 Rev 5

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.71

Ensure there are no VPC firewall rules that allow unrestricted inbound access to TCP ports 636 and 389 and UDP port 389 (LDAP)

High

New

 

 

 

  • GCP NIST 800-53 Rev 5

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.72

Ensure there are no VPC firewall rules that allow unrestricted inbound access to TCP or UDP on ports 11211, 11214 and 11215 (Memcached)

High

New

 

 

 

  • GCP NIST 800-53 Rev 5

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.73

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 6379 (Redis)

High

New

 

 

 

  • GCP NIST 800-53 Rev 5

  • CloudGuard GCP All Rules Ruleset

D9.AWS.OPE.60

Ensure that Amazon EC2 Auto Scaling groups use Amazon EC2 launch templates

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS Foundational Security Best Practices (FSBP) standard

D9.AWS.OPE.61

Ensure that all instances in the Auto Scaling Group are Healthy

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.VLN.14

Ensure that EC2 instances do not have critical vulnerabilities

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS Vulnerabilities Detection

D9.AWS.VLN.15

Ensure that EC2 instances do not have high-severity vulnerabilities

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS Vulnerabilities Detection

D9.AWS.ERM.01

Exposed workload with critical/high severity vulnerability and elevated privileges (EC2 Instance)

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS Security Controls

D9.AWS.ERM.02

Exposed storage asset with sensitive data (S3 bucket)

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS Security Controls

D9.AWS.ERM.03

Third party with elevated privileges

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS Security Controls

D9.AWS.ERM.04

Exposed workload with elevated privileges (ECS Service)

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS Security Controls

D9.AWS.ERM.05

Exposed workload with elevated privileges (EC2 Instance)

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS Security Controls

D9.AWS.ERM.06

Exposed workload with elevated privileges (Lambda Function)

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

  • AWS Security Controls

D9.AZU.CRY.65

Ensure that Automation account variables are encrypted

Critical

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.65

Ensure that AKS local accounts are disabled

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.99

Ensure that Data Factory public access is disabled

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.VLN.03

Ensure that VirtualMachines do not have critical vulnerabilities

Critical

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure Vulnerabilities Detection

D9.AZU.VLN.04

Ensure that VirtualMachines do not have high-severity vulnerabilities

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure Vulnerabilities Detection

D9.AZU.ERM.01

Exposed workload with critical/high severity vulnerability and elevated privileges (Virtual Machine)

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure Security Controls

D9.AZU.ERM.02

Exposed workload with elevated privileges (Virtual Machine)

Medium

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure Security Controls

D9.GCP.IAM.45

Ensure that IAM permission are not assigned to users

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

September 27 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.LOG.55 | Ensure AppSync should have request-level and field-level logging turned on | Low | New | | | | AWS Security Risk Management; CloudGuard AWS All Rules Ruleset; AWS Foundational Security Best Practices (FSBP) standard |
| D9.AWS.NET.60 | Ensure that NAT gateway is not associated in a private subnet | Medium | Modification | Logic | `NatGateway should have getResource('Subnet', subnetId) contain [routeTable.routes contain-any [gatewayId like '%igw%']]` | `NatGateway where isPublic=true should have getResource('Subnet', subnetId) contain [routeTable.routes contain-any [gatewayId like '%igw%']]` | AWS NIST 800-53 Rev 5; AWS MITRE ATT&CK Framework v11.3; AWS HITRUST v11.0.0; CloudGuard AWS All Rules Ruleset; AWS ISO27001:2022; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Best Practices; AWS HITRUST; AWS ITSG-33; AWS MITRE ATT&CK Framework v10 |
| D9.AWS.CRY.127 | Ensure Athena workgroups should be encrypted at rest | High | New | | | | CloudGuard AWS All Rules Ruleset; AWS Foundational Security Best Practices (FSBP) standard |
| D9.AWS.IAM.151 | Ensure that AWS CloudTrail should not have delete or full permission | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.IAM.172 | Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days) | Low | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.132 | Ensure that the Amazon VPC peering connection configuration is compliant with the desired routing policy | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.130 | Ensure AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA) | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AZU.CRY.64 | Ensure to enable infrastructure double encryption for Data Explorer clusters | Critical | New | | | | CloudGuard Azure All Rules Ruleset |
| D9.GCP.IAM.44 | Ensure the 'cloudsql_iam_authentication' is enabled for your MySQL and PostgreSQL instances | Medium | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.MON.03 | Ensure GKE Cloud Monitoring is enabled for your clusters | Medium | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.OPE.14 | Ensure VM instances have secure boot enabled | Low | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.OPE.15 | Ensure your DataProc clusters don't use outdated images | Low | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.OCI.CRY.06 | Ensure OCI Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Low | New | | | | CloudGuard OCI All Rules Ruleset |
| D9.AWS.LOG.26 | Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days) | Low | Removal | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.124 | Ensure appropriate subscribers to all your AWS Simple Notification Service (SNS) topics | High | Removal | | | | CloudGuard AWS All Rules Ruleset |
| D9.GCP.NET.66 | Ensure that your backend services are enforcing HTTPS | High | Removal | | | | CloudGuard GCP All Rules Ruleset |

September 20 2023

| Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| D9.AWS.NET.04 | Ensure the default security group of every VPC restricts all traffic | Critical | Modification | Logic | `SecurityGroup where name like 'default' should have inboundRules isEmpty() and outboundRules isEmpty()` | `SecurityGroup where name='default' should have inboundRules isEmpty() and outboundRules isEmpty()` | AWS HIPAA; CloudGuard AWS Dashboards; AWS LGPD regulation; AWS NIST 800-53 Rev 5; AWS CIS Foundations v. 1.5.0; AWS MITRE ATT&CK Framework v11.3; AWS CIS Foundations v. 1.1.0; AWS PCI-DSS 4.0; AWS HITRUST v11.0.0; CloudGuard AWS Default Ruleset; AWS NIST 800-53 Rev 4; AWS CIS Controls V 8; AWS CSA CCM v.4.0.1; AWS CIS Foundations v. 2.0.0; CloudGuard AWS All Rules Ruleset; AWS ISO27001:2022; AWS Foundational Security Best Practices (FSBP) standard; AWS PCI-DSS 3.2; AWS CSA CCM v.3.0.1; AWS CIS Foundations v. 1.0.0; AWS ISO 27001:2013; AWS NIST CSF v1.1; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CIS Foundations v. 1.2.0; AWS CloudGuard Well Architected Framework; AWS CloudGuard Network Alerts for default VPC components; AWS CloudGuard Best Practices; AWS MAS TRM Framework; AWS NIST 800-171; AWS CIS Foundations v. 1.3.0; AWS HITRUST; AWS ITSG-33; AWS CIS Foundations v. 1.4.0; AWS MITRE ATT&CK Framework v10 |
| D9.AWS.CRY.36 | Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs) | High | Modification | Name; Logic; Severity | Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled; `SageMakerNotebook where kmsKey should have kmsKey.isCustomerManaged=true`; Low | Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs); `SageMakerNotebook should have kmsKeyId`; High | AWS NIST 800-53 Rev 5; AWS MITRE ATT&CK Framework v11.3; AWS PCI-DSS 4.0; AWS HITRUST v11.0.0; AWS CSA CCM v.4.0.1; CloudGuard AWS All Rules Ruleset; AWS ISO27001:2022; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Well Architected Framework; AWS CloudGuard Best Practices; AWS MAS TRM Framework; AWS HITRUST; AWS ITSG-33; AWS MITRE ATT&CK Framework v10 |
| D9.AWS.DR.03 | Ensure AWS RDS retention policy is at least 7 days | Medium | Modification | Severity | High | Medium | AWS NIST 800-53 Rev 5; AWS MITRE ATT&CK Framework v11.3; AWS PCI-DSS 4.0; AWS HITRUST v11.0.0; AWS CIS Controls V 8; AWS CSA CCM v.4.0.1; CloudGuard AWS All Rules Ruleset; AWS ISO27001:2022; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Well Architected Framework; AWS CloudGuard Best Practices; AWS MAS TRM Framework; AWS HITRUST; AWS ITSG-33; AWS MITRE ATT&CK Framework v10 |
| D9.AWS.VLN.03 | Amazon GuardDuty service is enabled in the region | Low | Modification | Name | Amazon GuardDuty service is enabled | Amazon GuardDuty service is enabled in the region | AWS NIST 800-53 Rev 5; AWS MITRE ATT&CK Framework v11.3; AWS PCI-DSS 4.0; AWS HITRUST v11.0.0; AWS CIS Controls V 8; AWS CSA CCM v.4.0.1; CloudGuard AWS All Rules Ruleset; AWS ISO27001:2022; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Well Architected Framework; AWS MAS TRM Framework; AWS HITRUST; AWS ITSG-33; AWS MITRE ATT&CK Framework v10 |
| D9.GCP.IAM.08 | Ensure Kubernetes Cluster is created with Client Certificate disabled | High | Modification | Name; Logic | Ensure Kubernetes Cluster is created with Client Certificate enabled; `GkeCluster should have isClientCertificateIssued=true` | Ensure Kubernetes Cluster is created with Client Certificate disabled; `GkeCluster should have isClientCertificateIssued=false` | GCP NIST 800-53 Rev 5; GCP MITRE ATT&CK Framework v12.1; CloudGuard GCP All Rules Ruleset; GCP CIS Foundations v. 1.0.0; GCP CloudGuard Best Practices |
| D9.AWS.CRY.116 | Ensure that Amazon Neptune graph database instances are encrypted | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.CRY.119 | Ensure KMS Customer Master Keys (CMK) are in use to have full control over the encryption / decryption process | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.CRY.122 | Ensure IAM SSH public keys used for AWS CodeCommit are rotated on a periodic basis to adhere to AWS security best practices (45 days) | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.CRY.124 | Ensure that envelope encryption of Kubernetes secrets using Amazon KMS is enabled | Critical | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.CRY.125 | Ensure AWS Glue connection has SSL configured | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.CRY.126 | Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.DNS.09 | Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.DR.06 | Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion | Critical | Modification | Logic | `KMS where keyState='PendingDeletion' should have keyState='Disabled'` | `KMS where keyState='PendingDeletion' should have enabled=false` | CloudGuard AWS All Rules Ruleset; AWS Foundational Security Best Practices (FSBP) standard |
| D9.AWS.IAM.164 | Ensure that your AWS root account is not using access keys as a security best practice | Critical | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.IAM.165 | Ensure IAM Roles should not have Administrator Access Permissions | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.IAM.166 | Ensure that AWS resources are not publicly accessible through IAM policies. | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.IAM.167 | Ensure that AWS Lambda IAM policy should not overly permissive to all traffic | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.IAM.168 | Ensure that AWS Secrets Manager Secrets are not publicly accessible through IAM policies | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.IAM.169 | Ensure AWS IAM User's SSH public key is rotated every 90 days or less | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.IAM.170 | Detect when a canary token access key has been used | Critical | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.IAM.171 | Ensure AWS KMS Key should not be publicly accessible through IAM policies | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.41 | Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.42 | Ensure that at-rest encryption is enabled when writing Amazon Glue logs to CloudWatch Logs | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.43 | Ensure AWS S3 Buckets configuration changes are being monitored using CloudWatch alarms | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.44 | Ensure AWS Route Tables configuration changes are being monitored using CloudWatch alarms | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.45 | Ensure Root Account Usage is being monitored using CloudWatch alarms | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.46 | Ensure AWS Network ACLs configuration changes are being monitored using CloudWatch alarms | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.47 | Ensure your AWS Console authentication process is being monitored using CloudWatch alarms | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.48 | Ensure AWS CMK configuration changes are being monitored using CloudWatch alarms | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.49 | Monitor for AWS Console Sign-In Requests Without MFA | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.50 | Ensure ElasticSearch domain Index slow logs should be enabled | Low | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.51 | Ensure ElasticSearch domain Search Slow Logs should be enabled | Low | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.52 | Ensure Amazon Config log files are delivered as expected | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.53 | Ensure AWS VPC configuration changes are being monitored using CloudWatch alarms | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.LOG.54 | Ensure AWS VPC Customer/Internet Gateway configuration changes are being monitored using CloudWatch alarms | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.MON.31 | Ensure there are no empty AWS Auto Scaling Groups (ASGs) | Medium | Modification | Logic | `AutoScalingGroup should not have elasticLoadBalancers isEmpty() and instances isEmpty()` | `AutoScalingGroup where targetGroups isEmpty() should not have elasticLoadBalancers isEmpty() and instances isEmpty()` | CloudGuard AWS All Rules Ruleset |
| D9.AWS.MON.33 | Ensure that each AWS Auto Scaling Group has an associated Elastic Load Balancer | Low | Modification | Logic | `AutoScalingGroup should not have elasticLoadBalancers isEmpty() and targetGroups isEmpty()` | `AutoScalingGroup where instances isEmpty() should not have elasticLoadBalancers isEmpty() and targetGroups isEmpty()` | CloudGuard AWS All Rules Ruleset |
| D9.AWS.MON.41 | Ensure that a data repository bucket is defined for Amazon Macie within each AWS region | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.MON.42 | Ensure AWS AppSync attached WAFv2 ACL configured with AMR to mitigate Log4j Vulnerability | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.1019 | Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS | High | Modification | Logic | `NetworkLoadBalancer should have listeners contain-any [ protocol='TLS' ]` | `NetworkLoadBalancer should have listeners contain-all [ protocol='TLS' ]` | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.1026 | Ensure that AWS EKS security groups are configured to allow incoming traffic only on TCP port 443 | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.110 | Ensure no security group allows unrestricted inbound access to TCP port 1521 | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.111 | Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.112 | Ensure that no Amazon EC2 security group allows unrestricted outbound access | Low | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.113 | Ensure that Amazon Security Hub findings are analyzed and resolved | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.114 | Ensure that Amazon Macie was run in the last 30 days and its security findings are highlighted, analyzed, and resolved | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.115 | Ensure no security group allows unrestricted inbound access to TCP port 5432 | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.117 | Ensure no security group allows unrestricted inbound access to TCP port 135 (RPC) | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.118 | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 25 (SMTP) | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.119 | Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 23 | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.122 | Ensure AWS IAM SSH public keys are rotated on a periodic basis as a security best practice | Low | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.123 | Ensure that AWS route tables with VPC peering are not excessively permissive to all traffic | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.124 | Ensure appropriate subscribers to all your AWS Simple Notification Service (SNS) topics | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.125 | Ensure that your AWS SES identities (domains and/or email addresses) are not exposed to everyone | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.126 | Ensure AWS EMR Cluster's Master Security Group does not allow all traffic to port 8088 | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.127 | Ensure no security group allows inbound access on a range of ports | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.128 | Ensure EC2 instances are launched using the EC2-VPC platform instead of the EC2-Classic outdated platform | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.129 | Ensure AWS VPC does not allow unauthorized peering | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.OPE.27 | Ensure that the latest version of Redis is used for your AWS ElastiCache clusters | Low | Modification | Logic | `ElastiCache where engine='redis' should have engineVersion>='7.0.7'` | `ElastiCache where engine='redis' should have engineVersion in ($CloudGuard_Latest_Redis_Cluster_Versions)` | CloudGuard AWS All Rules Ruleset |
| D9.AWS.OPE.28 | Ensure that the latest version of Memcached is used for your AWS ElastiCache clusters | Low | Modification | Logic | `ElastiCache where engine='memcached' should have engineVersion>='1.6.17'` | `ElastiCache where engine='memcached' should have engineVersion in ($CloudGuard_Latest_Memcached_Cluster_Versions)` | CloudGuard AWS All Rules Ruleset |
| D9.AWS.OPE.55 | Ensure SNS topics do not allow Everyone to publish | Low | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.OPE.56 | Ensure that your Amazon ECS instances are using the latest ECS container agent version | Medium | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.OPE.57 | Ensure AWS Elastic IPs are in use. | Informational | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.OPE.59 | Ensure unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices | Low | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.VLN.10 | Ensure that Amazon GuardDuty detectors are configured (non-empty list of GuardDuty detectors) | Low | Modification | Name; Severity | Ensure Amazon GuardDuty is enabled to help you protect your AWS accounts and workloads against security threats; Medium | Ensure that Amazon GuardDuty detectors are configured (non-empty list of GuardDuty detectors); Low | CloudGuard AWS All Rules Ruleset; AWS Foundational Security Best Practices (FSBP) standard |
| D9.AWS.VLN.11 | Ensure that Amazon Inspector Findings are analyzed and resolved (EC2) | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.VLN.12 | Ensure that Amazon Inspector Findings are analyzed and resolved (ECR) | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.VLN.13 | Ensure that Amazon Inspector Findings are analyzed and resolved (Lambda) | High | New | | | | CloudGuard AWS All Rules Ruleset |
| D9.AZU.CRY.63 | Ensure there is a sufficient period configured for the SSL certificates auto-renewal | Low | New | | | | CloudGuard Azure All Rules Ruleset |
| D9.AZU.CRY.60 | Ensure that Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates | Critical | New | | | | CloudGuard Azure All Rules Ruleset |
| D9.AZU.CRY.61 | Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date | High | New | | | | CloudGuard Azure All Rules Ruleset |
| D9.AZU.CRY.62 | Ensure that your Azure Key Vault secrets are renewed prior to their expiration date | High | New | | | | CloudGuard Azure All Rules Ruleset |
| D9.AZU.IAM.64 | Ensure there is more than one owner assigned to your Microsoft Azure subscription | High | New | | | | CloudGuard Azure All Rules Ruleset |
| D9.GCP.CRY.25 | Ensure that Google Cloud backend services enforce HTTPS to handle encrypted web traffic | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.DR.04 | GKE Cluster should have Redundant Zones | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.DR.05 | GKE Clusters with Auto-upgrade Enabled should be Adequately Sized to have at least Three Nodes | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.IAM.39 | Users should not be Granted Write Permissions without a Valid Business Justification | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.IAM.36 | IAM Policies should Restrict Public Access to GCP Resources | Critical | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.IAM.37 | IAM Users should not have Service Account Privileges | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.IAM.38 | Logs related to storage buckets should not be publicly accessible | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.IAM.40 | Ensure Compute Engine does not have Permissions to Destroy Data | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.IAM.41 | Ensure Compute Engine does not have Write Permissions on Database Management Service | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.IAM.42 | Ensure Compute Engine does not have Permissions to Impersonate Service Accounts | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.IAM.43 | Ensure Compute Engine does not have Write Permissions on any Deny Policy | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.LOG.36 | Google Cloud Kubernetes Engine Clusters should have Logging Enabled | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.LOG.37 | Ensure Logging is enabled for your Kubernetes engine clusters | Low | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.MON.02 | Google Cloud Kubernetes Engine Clusters should have Monitoring Enabled | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.NET.64 | Google Cloud SQL Instances should not be Configured with Overly Permissive Authorized Networks | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.NET.65 | Ensure IP forwarding is disabled for all instance templates | Medium | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.NET.66 | Ensure that your backend services are enforcing HTTPS | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.NET.67 | Ensure that no VPC firewall rules allow unrestricted outbound access on TCP or UDP | High | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.GCP.OPE.13 | Redis instances should use Standard Tier for High Availability | Low | New | | | | CloudGuard GCP All Rules Ruleset |
| D9.ALI.DR.02 | Ensure that ECS data disk is not configured with 'release disk with instance feature' | Low | New | | | | CloudGuard Alibaba All Rules Ruleset |
| D9.ALI.DR.03 | Ensure that Alibaba Cloud disk automatic snapshot policy is Enabled | Low | New | | | | CloudGuard Alibaba All Rules Ruleset |
| D9.ALI.LOG.28 | Ensure that ActionTrail logging is enabled | Low | Modification | Logic | `ActionTrail should havet railStatus.isLogging=true` | `ActionTrail should have railStatus.isLogging=true` | CloudGuard Alibaba All Rules Ruleset |
| D9.OCI.MON.01 | Ensure OCI Compute Instances have monitoring enabled | Low | New | | | | CloudGuard OCI All Rules Ruleset |
| D9.OCI.MON.02 | Ensure OCI Object Storage buckets are enabled to emit object events | Low | New | | | | CloudGuard OCI All Rules Ruleset |
| D9.OCI.NET.24 | Ensure OCI VCN has inbound security lists | Low | New | | | | CloudGuard OCI All Rules Ruleset |
| D9.OCI.NET.25 | Ensure OCI VCN Security list has no stateful security rules | Low | New | | | | CloudGuard OCI All Rules Ruleset |
| D9.OCI.NET.26 | Ensure Network Security Groups (NSG) has no stateful security rules | Low | New | | | | CloudGuard OCI All Rules Ruleset |
| D9.OCI.NET.27 | Ensure OCI Kubernetes Engine Cluster pod security policy is enforced | Low | New | | | | CloudGuard OCI All Rules Ruleset |
| D9.OCI.NET.28 | Ensure OCI Kubernetes Engine Cluster endpoint is configured with Network Security Groups | Low | New | | | | CloudGuard OCI All Rules Ruleset |
| D9.OCI.OPE.03 | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | High | New | | | | CloudGuard OCI All Rules Ruleset |
| D9.AWS.NET.1001 | Default Security Groups - with network policies | Medium | Removal | | | | CloudGuard AWS Dashboards; AWS NIST 800-53 Rev 5; AWS MITRE ATT&CK Framework v11.3; AWS HITRUST v11.0.0; AWS CIS Controls V 8; AWS CSA CCM v.4.0.1; CloudGuard AWS All Rules Ruleset; AWS ISO27001:2022; AWS MITRE ATT&CK Framework v10 |
| D9.AWS.CRY.104 | Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs) | High | Removal | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.CRY.107 | Ensure RDS instances are encrypted with KMS CMKs in order to have full control over data encryption and decryption | Low | Removal | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.CRY.112 | Ensure AWS S3 buckets enforce SSL to secure data in transit | High | Removal | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.NET.1009 | Ensure that OpenSearch domains are accessible from a Virtual Private Cloud | Critical | Removal | | | | CloudGuard AWS All Rules Ruleset |
| D9.AWS.OPE.50 | Ensure RDS instances have Multi-AZ enabled | Informational | Removal | | | | CloudGuard AWS All Rules Ruleset |

September 13 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.GCP.VLN.08

Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'on'

Medium

Modification

  • Name

  • Logic

  • Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'

  • CloudSql where databaseVersion like 'SQLSERVER%' should have settings.databaseFlags contain [ name like '3625' and value like 'off' ]

  • Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'on'

  • CloudSql where databaseVersion like 'SQLSERVER%' should have settings.databaseFlags contain [ name like '3625' and value like 'on' ]

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.AWS.MON.16

Ensure that the configuration recorder is set to 'on' and set S3 Bucket and SNS topic as your delivery channel

Low

Modification

  • Logic

  • ConfigSetting where recordingIsOn=true should have deliveryChannel.s3BucketName and deliveryChannel.snsTopicARN

  • ConfigSetting should have recordingIsOn=true and deliveryChannel.s3BucketName and deliveryChannel.snsTopicARN

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS CCPA Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.109

Ensure AWS FSx for Windows File Server file systems data is encrypted using AWS KMS CMKs

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.114

Ensure that Firehose delivery stream data records are encrypted at destination

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.115

Ensure that AWS Neptune instances enforce data-at-rest encryption using KMS CMKs

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.118

Ensure AWS Database Migration Service endpoints have SSL configured

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.120

Ensure IAM User does not have more than one active SSH public key

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.121

Ensure AWS Secrets Manager is in use

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.150

IAM policy overly permissive to Lambda service

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.149

Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS root account

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.152

Ensure RDS instance has IAM authentication enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.153

Ensure Additional Controls for External AWS Account Role Mapping and Approval for Cross-Account Access

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.156

Ensure AWS RDS cluster has IAM authentication enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.159

Ensure there is at least one IAM user currently used to access your AWS account

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.160

Mapping and Approval of Roles Accessible by External Federated Accounts

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.161

Ensure AWS EC2 Instance is Devoid of Data Destruction Permissions for AWS Key Management Service (KMS)

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.162

Restrict IamRole Assume Role Policies with Principal, in Order for Enhanced Security

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.154

Ensure that Lambda functions should not have IAM roles with permissions for destructive actions on Amazon RDS databases

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.157

Ensure that AWS Lambda functions do not have org write access level

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.158

Ensure that AWS Lambda functions do not have IAM write access level

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.163

Ensure no AWS IAM users have been inactive for a long (specified) period of time

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.39

Ensure that DNS query logging is enabled for your Amazon Route 53 hosted zones

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.40

Ensure that your AWS Elasticsearch domains publish slow logs to AWS CloudWatch Logs

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.39

AWS RDS event subscription should be enabled for DB instance

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.40

Ensure SNS topics do not allow Everyone to subscribe

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1020

Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 445 (CIFS)

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1021

Ensure that Amazon ALBs are using the latest predefined security policy for their SSL/TLS negotiation configuration

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1022

Ensure that Classic Load Balancers are using one of the latest predefined security policies

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1023

Ensure that no security group allows unrestricted inbound access on TCP/UDP port 11211

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1024

Ensure that the access to your REST APIs is allowed to trusted IP addresses only

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1025

Ensure that no security group allows unrestricted inbound access on TCP port 6379

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.98

Ensure ELB listener uses a secure HTTPS or SSL protocol

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.99

Ensure no security group contains RFC 1918 CIDRs

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.100

Ensure no AWS EC2 security group allows unrestricted inbound access to TCP and UDP port 53

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.107

Ensure no security group allows unrestricted inbound access to TCP ports 1433 and 3306 (MSSQL)

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.101

Ensure no security group allows unrestricted inbound access to TCP port 9200

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.102

Make certain that unrestricted inbound access to TCP ports 20 and 21 is disallowed for all EC2 security groups

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.103

Ensure no security group allows unrestricted inbound access to TCP port 80 (HTTP)

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.105

Ensure no security group allows unrestricted inbound access to TCP port 443 (HTTPS)

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.106

Ensure no security group allows unrestricted inbound access to ICMP

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.108

Ensure that AWS Lambda functions do not communicate with ports known to mine Monero

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.109

Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 139 and UDP ports 137, 138

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.42

Ensure that your Amazon WorkSpaces instances are healthy

High

Modification

  • Logic

  • Workspace should have state='HEALTHY'

  • Workspace where state unlike 'STOPPED' should have state='HEALTHY'

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.47

Ensure Amazon Neptune instances have Auto Minor Version Upgrade feature enabled

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.46

Ensure RDS event subscriptions are enabled for DB security groups

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.52

Ensure that AWS Neptune cluster deletion protection is enabled

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.48

Ensure that RDS cluster delete protection is enabled

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.50

Ensure RDS instances have Multi-AZ enabled

Informational

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.51

Ensure that DocumentDB delete protection is enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.53

Ensure Amazon Organizations is in use to consolidate all your AWS accounts into an organization

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.54

Ensure CloudFormation service is in use for defining your cloud architectures on Amazon Web Services

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.VLN.10

Ensure Amazon GuardDuty is enabled to help you protect your AWS accounts and workloads against security threats

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AZU.CRY.59

Ensure Azure Container Instance environment variable

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.DR.05

Ensure geo-redundant backup is activated for MariaDB

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.62

Ensure role assignments that have risky permissions are audited

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.63

Ensure there are no Microsoft Azure Active Directory guest users if they are not needed

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.90

Ensure Azure Container registries do not have Public access to All networks enabled

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.97

Ensure that MariaDB is not publicly accessible

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.98

Ensure Host-Level Encryption is Enabled for VMSS Instances

Medium

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.GCP.CRY.21

Ensure that Cloud SQL server certificates are rotated (renewed) before their expiration

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.CRY.22

Ensure that your virtual machine (VM) instance disks are encrypted using Customer-Managed Keys (CMKs)

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.CRY.23

Ensure there are no publicly accessible KMS cryptographic keys available within your Google Cloud account

Critical

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.IAM.33

Ensure that the use of Cloud Identity and Access Management (IAM) primitive roles is limited within your Google Cloud projects

Medium

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.IAM.35

Ensure that your API key usage is restricted to trusted hosts and applications only

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.LOG.35

Ensure that data access audit logs are enabled for all critical service APIs within your GCP project

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.OPE.10

Ensure Kubernetes Cluster has No Client Certificate Issued

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.OPE.11

Ensure that there is at least one sink configuration that has no inclusion or exclusion filters

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.OPE.12

Ensure that critical service APIs are enabled for your GCP projects

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.OCI.NET.18

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3306

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

  • OCI CloudGuard Network Security Alerts

D9.OCI.NET.19

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1521

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

  • OCI CloudGuard Network Security Alerts

D9.OCI.NET.20

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 5432

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

  • OCI CloudGuard Network Security Alerts

D9.OCI.NET.21

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 5900

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

  • OCI CloudGuard Network Security Alerts

D9.OCI.NET.22

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 25

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

  • OCI CloudGuard Network Security Alerts

D9.OCI.NET.23

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 7001

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

  • OCI CloudGuard Network Security Alerts

D9.AWS.CRY.91

Ensure that node-to-node encryption is enabled for your OpenSearch clusters

High

Removal

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.95

To adhere to security and compliance standards, it is essential to guarantee that AWS RDS instances are encrypted

Low

Removal

 

 

 

  • CloudGuard AWS All Rules Ruleset

September 06 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.GCP.NET.20

Ensure that the default VPC network is not being used within your GCP projects

Medium

Modification

  • Name

  • Ensure That the Default Network Does Not Exist in a Project

  • Ensure that the default VPC network is not being used within your GCP projects

  • GCP CloudGuard CheckUp

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP CloudGuard Network Security

  • GCP HIPAA

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.AWS.NET.73

Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

High

Modification

  • Logic

  • NACL should not have inbound with [ source='0.0.0.0/0' and action='ALLOW' and ( ( destinationPort<=22 and destinationPortTo>=22 ) or ( destinationPort<=3389 and destinationPortTo>=3389 ) ) ]

  • NACL should not have inbound with [ source='0.0.0.0/0' and action='ALLOW' and (( protocol in ('6','17','-1','TCP','UDP','ALL') and ( ( destinationPort<=22 and destinationPortTo>=22 ) or ( destinationPort<=3389 and destinationPortTo>=3389 ) ) ) )]

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS Foundational Security Best Practices (FSBP) standard

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.3.0

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.110

Ensure that encryption at rest is enabled for Amazon Glue job bookmarks

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.101

Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.103

Ensure that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using Customer-managed Customer Master Keys

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.104

Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs)

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.105

Ensure EBS volumes are encrypted with CMKs to have full control over encrypting and decrypting data

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.106

Ensure unused IAM users are removed from AWS account to follow security best practice

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.107

Ensure RDS instances are encrypted with KMS CMKs in order to have full control over data encryption and decryption

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.108

Ensure that stage-level cache encryption is enabled for your Amazon API Gateway APIs

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.111

Ensure rotation for customer created CMKs is enabled

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.112

Ensure AWS S3 buckets enforce SSL to secure data in transit

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.16

Ensure that Amazon Aurora MySQL database clusters have backtracking enabled

Informational

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.17

Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.18

Ensure on-demand backup and restore functionality is in use for AWS DynamoDB tables

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.119

Ensure IAM User is Restrained from Wildcard Access to All Resources

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.120

Ensure AWS EC2 Instance Lacks IAM Write Access Level

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.125

Ensure IAM policy does not allow privilege escalation via Codestar create project and associate team member permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.126

Ensure AWS IAM policy does not allow privilege escalation via EC2 Instance Connect permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.127

Ensure AWS IAM policy prevents privilege escalation via EC2 and SSM permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.128

Ensure AWS IAM policy prevents escalation via EC2 describe and SSM session permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.129

Ensure AWS IAM policy prevents escalation via Glue Dev Endpoint permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.130

Ensure AWS IAM policy prevents escalation via PassRole & CodeBuild permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.131

Ensure AWS IAM policy prevents escalation via PassRole & CreateProject permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.132

Ensure AWS IAM policy prevents escalation via PassRole & Data Pipeline permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.133

Ensure AWS IAM policy prevents escalation via PassRole & EC2 permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.134

Ensure AWS IAM policy prevents escalation via PassRole & Glue create job permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.135

Ensure AWS IAM policy prevents escalation via PassRole & Glue development endpoint permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.136

Ensure AWS IAM policy prevents escalation via PassRole & Glue update job permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.137

Ensure AWS IAM policy prevents escalation via PassRole & Lambda create and invoke function permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.138

Ensure AWS IAM policy prevents escalation via PassRole, Lambda create function, and event source mapping permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.139

Ensure AWS IAM policy prevents escalation via PassRole, Lambda create function, and add permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.140

Ensure AWS IAM policy prevents escalation via PassRole & SageMaker create notebook permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.141

Ensure AWS IAM policy prevents escalation via PassRole & SageMaker create processing job permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.142

Ensure AWS IAM policy prevents escalation via PassRole & SageMaker create training job permissions

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.144

Ensure there are no Lambda functions with admin privileges within your AWS account

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.145

Ensure AWS IAM policies are attached to groups instead of users as an IAM best practice

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.146

Ensure that root account credentials have not been used recently to access your AWS account

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.28

Ensure CloudTrail is capturing management events

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.29

Ensure AWS ACM Certificates Have Valid Logging and Status

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.37

Enable user activity logging for your Amazon Redshift clusters to track who has accessed your clusters and what activities they have performed.

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.38

Ensure that AWS CloudWatch logging is enabled for Amazon Transfer for SFTP user activity

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.37

Ensure that detailed CloudWatch metrics are enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.38

Ensure that Amazon MQ brokers are using the network of brokers configuration

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1014

Ensure AWS Redshift non-default parameter groups require SSL to secure data in transit

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1015

Ensure that EKS cluster's Kubernetes API endpoints are not publicly accessible

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1016

Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1017

Ensure that Amazon Transfer for SFTP servers are using AWS PrivateLink for their endpoints

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1018

Ensure that Drop Invalid Header Fields feature is enabled for your Application Load Balancers to remove non-standard headers

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1019

Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.25

Ensure EKS cluster version is up to date

Informational

Modification

  • Name

  • Logic

  • Ensure EKS cluster version is up-to-date

  • EksCluster should have version split('.') getValue(1) >= 25

  • Ensure EKS cluster version is up to date

  • EksCluster should have version split('.') getValue(1) >= 27

  • CloudGuard AWS All Rules Ruleset

  • AWS Foundational Security Best Practices (FSBP) standard

  • AWS CloudGuard Best Practices

D9.AWS.OPE.36

Ensure RDS event subscriptions are enabled for instance level events

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.37

Ensure there is a Dead Letter Queue configured for each Lambda function available in your AWS account

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.38

Ensure that REST APIs created with Amazon API Gateway have response caching enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.41

Ensure EC2 instances are not too old

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.39

Ensure ElastiCache clusters are using the latest generation of nodes for cost and performance improvements

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.40

Ensure that AWS S3 buckets utilize lifecycle configurations to manage S3 objects during their lifetime

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.42

Ensure that your Amazon WorkSpaces instances are healthy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.44

Ensure all Elastic Network Interfaces are in use

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.45

Ensure EC2 Instances are Protected against Termination Actions

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AZU.CRY.56

Ensure no Azure Data Explorer cluster is configured without disk encryption

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.CRY.57

Ensure Azure Function Apps use HTTP 2.0

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.CRY.58

Ensure Service Fabric cluster is configured with cluster protection level security

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.56

Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification

High

Modification

  • Logic

  • StorageAccount where blobContainers should have contain-all [ hasLegalHold=true or hasImmutabilityPolicy=true ]

  • StorageAccount where blobContainers should have $ contain-all [ hasLegalHold=true or hasImmutabilityPolicy=true ]

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.60

Ensure that Azure Recovery Services vault is configured with managed identity

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.61

Ensure that a resource locking administrator role is available for each Azure subscription

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.88

Ensure that an activity log alert is created for Delete PostgreSQL Database events

High

Modification

  • Logic

  • ActivityLogAlertRule should have condition.allOf contain [ equals='Microsoft.DBforPostgreSQL/servers/delete' ]

  • List<ActivityLogAlertRule> should have items with [condition.allOf contain [ field='operationName' and equals='Microsoft.DBforPostgreSQL/servers/delete'] and enabled=true and not condition.allOf contain [ field='level' ] and not condition.allOf contain [ field='status' ] ]

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.90

Ensure that the health of your Microsoft Azure scale set instances is being monitored

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.91

Ensure that an activity log alert is created for Delete MySQL Database events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.92

Ensure that an activity log alert is created for Create/Update PostgreSQL Database events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.93

Ensure that an activity log alert is created for Create/Update MySQL Database events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.94

Ensure that an activity log alert is created for Update Key Vault (Microsoft.KeyVault/vaults) events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.95

Ensure that an activity log alert exists for Power Off Virtual Machine events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.96

Ensure that an activity log alert exists for Delete Virtual Machine events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.97

Ensure that an activity log alert exists for Delete Storage Account events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.98

Ensure there is an Azure activity log alert created for Delete Load Balancer events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.99

Ensure there is an activity log alert created for the Delete Key Vault events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.100

Ensure that an activity log alert is created for Delete Azure SQL Database (Microsoft.Sql/servers/databases) events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.101

Ensure that an activity log alert is created for Deallocate Virtual Machine (Microsoft.Compute/virtualMachines) events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.102

Ensure there is an activity log alert created for the Create/Update Storage Account events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.103

Ensure that an activity log alert is created for Create/Update Azure SQL Database events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.104

Ensure that an activity log alert is created for Create or Update Virtual Machine (Microsoft.Compute/virtualMachines) events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.105

Ensure that an activity log alert is created for Rename Azure SQL Database events

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.106

Ensure that Microsoft Defender for Cloud plans are subscribed for all resources

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.87

Ensure that Azure PostgreSQL Flexible Server access is limited and not overly permissive

Medium

Modification

  • Logic

  • Severity

  • PostgreSQLFlexibleServer where properties.publicNetworkAccess='Enabled' should not have firewallRules contain [ properties.startIpAddress='0.0.0.0' or properties.endIpAddress like '255.255.255.255' ]

  • Low

  • PostgreSQLFlexibleServer where properties.publicNetworkAccess='Enabled' should not have firewallRules contain [ properties.startIpAddress='0.0.0.0' and properties.endIpAddress like '255.255.255.255' ]

  • Medium

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.88

Identify and remove empty virtual machine scale sets from your Azure cloud account

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.89

Ensure Azure Application Gateway Web application firewall (WAF) policy rule for Remote Command Execution is enabled

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.91

Ensure Azure Virtual Machine (Windows) secure boot feature is Enabled

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.92

Ensure Azure Virtual Machine vTPM feature is enabled

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.93

Ensure Azure Front Door Web application firewall (WAF) policy rule for Remote Command Execution is enabled

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.94

Ensure Azure Front Door Web application firewall (WAF) is enabled

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.95

Ensure that FTP-Control (TCP:21) is restricted from the Internet

Critical

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.96

Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution

Medium

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.OPE.04

Ensure that Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.GCP.AS.16

Ensure that MySQL database servers are using the latest major version of MySQL database

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.AS.17

Ensure that your production Google Cloud virtual machine instances are not preemptible

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.CRY.17

SSL Policy Profile should be Restricted for HTTPS Load Balancer

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.CRY.18

TLS Version should be v1.2 or Later for SSL Policy on HTTPS Load Balancer

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.CRY.19

Default SSL Policy should be Replaced by a Stricter Policy for HTTPS Load Balancer Target Proxy

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.CRY.20

SQL Instances should have Valid SSL Configurations

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.LOG.34

Ensure that logging is enabled for your Virtual Private Cloud (VPC) firewall rules

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.51

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database)

Critical

Modification

  • Logic

  • Network should not have firewallRules contain [ allowed contain [ ipProtocol='tcp' and (ports contain [ '3306' ] or ( ports contain [ $ split('-') getValue(0) <= 3306 and $ split('-') getValue(1) >= 3306] )) ] and sourceRanges with [ '0.0.0.0/0' ] ]

  • Network should not have firewallRules contain [ direction ='Ingress' and allowed contain [ ipProtocol='tcp' and (ports contain [ '3306' ] or ( ports contain [ $ split('-') getValue(0) <= 3306 and $ split('-') getValue(1) >= 3306] )) ] and (sourceRanges with [ '0.0.0.0/0' ] or sourceRanges with ['::/0'])]

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.52

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server)

Critical

Modification

  • Logic

  • Network should not have firewallRules contain [ allowed contain [ ipProtocol='tcp' and (ports contain [ '5432' ] or ( ports contain [ $ split('-') getValue(0) <= 5432 and $ split('-') getValue(1) >= 5432] )) ] and sourceRanges with [ '0.0.0.0/0' ] ]

  • Network should not have firewallRules contain [ direction ='Ingress' and allowed contain [ ipProtocol='tcp' and (ports contain [ '5432' ] or ( ports contain [ $ split('-') getValue(0) <= 5432 and $ split('-') getValue(1) >= 5432] )) ] and (sourceRanges with [ '0.0.0.0/0' ] or sourceRanges with ['::/0'])]

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.53

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server)

Critical

Modification

  • Logic

  • Network should not have firewallRules contain [ allowed contain [ ipProtocol='tcp' and (ports contain [ '1433' ] or ( ports contain [ $ split('-') getValue(0) <= 1433 and $ split('-') getValue(1) >= 1433] )) ] and sourceRanges with [ '0.0.0.0/0' ] ]

  • Network should not have firewallRules contain [ direction ='Ingress' and allowed contain [ ipProtocol='tcp' and (ports contain [ '1433' ] or ( ports contain [ $ split('-') getValue(0) <= 1433 and $ split('-') getValue(1) >= 1433] )) ] and (sourceRanges with [ '0.0.0.0/0' ] or sourceRanges with ['::/0'])]

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.54

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP or UDP on port 53 (DNS)

High

Modification

  • Logic

  • Network should not have firewallRules contain [ allowed contain [ (ipProtocol='udp' or ipProtocol='tcp') and (ports contain [ '53' ] or ( ports contain [ $ split('-') getValue(0) <= 53 and $ split('-') getValue(1) >= 53] )) ] and sourceRanges with [ '0.0.0.0/0' ] ]

  • Network should not have firewallRules contain [ direction ='Ingress' and allowed contain [ (ipProtocol='udp' or ipProtocol='tcp') and (ports contain [ '53' ] or ( ports contain [ $ split('-') getValue(0) <= 53 and $ split('-') getValue(1) >= 53] )) ] and (sourceRanges with [ '0.0.0.0/0' ] or sourceRanges with ['::/0'])]

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.55

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP)

High

Modification

  • Logic

  • Network should not have firewallRules contain [ allowed contain [ ipProtocol='tcp' and (ports contain [ '3389 ' ] or ( ports contain [ $ split('-') getValue(0) <= 3389 and $ split('-') getValue(1) >= 3389 ] )) ] and sourceRanges with [ '0.0.0.0/0' ] ]

  • Network should not have firewallRules contain [ direction ='Ingress' and allowed contain [ ipProtocol='tcp' and (ports contain [ '3389' ] or ( ports contain [ $ split('-') getValue(0) <= 3389 and $ split('-') getValue(1) >= 3389] )) ] and (sourceRanges with [ '0.0.0.0/0' ] or sourceRanges with ['::/0'])]

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.56

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP)

High

Modification

  • Logic

  • Network should not have firewallRules contain [ allowed contain [ ipProtocol='tcp' and (ports contain [ '25' ] or ( ports contain [ $ split('-') getValue(0) <= 25 and $ split('-') getValue(1) >= 25] )) ] and sourceRanges with [ '0.0.0.0/0' ] ]

  • Network should not have firewallRules contain [ direction ='Ingress' and allowed contain [ ipProtocol='tcp' and (ports contain [ '25' ] or ( ports contain [ $ split('-') getValue(0) <= 25 and $ split('-') getValue(1) >= 25] )) ] and (sourceRanges with [ '0.0.0.0/0' ] or sourceRanges with ['::/0'])]

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.57

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH)

High

Modification

  • Logic

  • Network should not have firewallRules contain [ allowed contain [ ipProtocol='tcp' and (ports contain [ '22' ] or ( ports contain [ $ split('-') getValue(0) <= 22 and $ split('-') getValue(1) >= 22] )) ] and sourceRanges with [ '0.0.0.0/0' ] ]

  • Network should not have firewallRules contain [ direction ='Ingress' and allowed contain [ ipProtocol='tcp' and (ports contain [ '22' ] or ( ports contain [ $ split('-') getValue(0) <= 22 and $ split('-') getValue(1) >= 22] )) ] and (sourceRanges with [ '0.0.0.0/0' ] or sourceRanges with ['::/0'])]

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.58

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database)

High

Modification

  • Logic

  • Network should not have firewallRules contain [ allowed contain [ ipProtocol='tcp' and (ports contain [ '1521' ] or ( ports contain [ $ split('-') getValue(0) <= 1521 and $ split('-') getValue(1) >= 1521] )) ] and sourceRanges with [ '0.0.0.0/0' ] ]

  • Network should not have firewallRules contain [ direction ='Ingress' and allowed contain [ ipProtocol='tcp' and (ports contain [ '1521' ] or ( ports contain [ $ split('-') getValue(0) <= 1521 and $ split('-') getValue(1) >= 1521] )) ] and (sourceRanges with [ '0.0.0.0/0' ] or sourceRanges with ['::/0'])]

  • CloudGuard GCP All Rules Ruleset
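
The following is an added example, not CloudGuard's code and not a GSL interpreter. It re-implements in plain Python the Before and After expressions recorded for D9.GCP.NET.52 through D9.GCP.NET.58 above, so that the effect of the two changes (restricting the match to Ingress rules, and treating '::/0' as an open source alongside '0.0.0.0/0') can be seen on constructed firewall-rule data. Field names follow the GCP Compute API `firewalls` resource (direction, sourceRanges, allowed[].IPProtocol, allowed[].ports); the sample rules are constructed for this example, and the case-insensitive comparison of `direction` is an assumption about how CloudGuard normalises that field.

```python
"""Plain-Python mirror of the CloudGuard GSL logic shown above for the GCP
"unrestricted inbound access on TCP port N" rules (D9.GCP.NET.52 through 58).

Added example, not CloudGuard's code. Rule dictionaries use the field names of the
GCP Compute API `firewalls` resource; the sample rules are constructed. GSL compares
direction against 'Ingress' while the GCP API returns 'INGRESS', so the comparison
here is case-insensitive (an assumption about CloudGuard's normalisation).
"""
from __future__ import annotations

IPV4_ANY = "0.0.0.0/0"
IPV6_ANY = "::/0"
TCP = frozenset({"tcp"})
TCP_OR_UDP = frozenset({"tcp", "udp"})  # D9.GCP.NET.54 (DNS) matches either protocol


def port_spec_covers(spec: str, port: int) -> bool:
    """Mirror of `ports contain ['N'] or ports contain [$ split('-') getValue(0) <= N
    and $ split('-') getValue(1) >= N]`: a single port, or an inclusive range."""
    spec = spec.strip()
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def allowed_entry_opens_port(entry: dict, port: int, protocols: frozenset[str]) -> bool:
    """Mirror of `allowed contain [ ipProtocol='tcp' and (ports ...) ]`.
    As written, the GSL needs an explicit protocol match and an explicit port entry:
    an entry with IPProtocol 'all', or a tcp entry with no ports list, is not matched."""
    if entry.get("IPProtocol", "").lower() not in protocols:
        return False
    return any(port_spec_covers(p, port) for p in entry.get("ports", []))


def rule_is_flagged(rule: dict, port: int, protocols: frozenset[str] = TCP,
                    *, after_logic: bool = True) -> bool:
    """after_logic=True  -> the 'After' expression: Ingress only, 0.0.0.0/0 or ::/0.
    after_logic=False -> the 'Before' expression: any direction, 0.0.0.0/0 only."""
    # GCP defaults direction to INGRESS when the field is absent.
    if after_logic and rule.get("direction", "INGRESS").lower() != "ingress":
        return False
    open_sources = {IPV4_ANY, IPV6_ANY} if after_logic else {IPV4_ANY}
    if not open_sources.intersection(rule.get("sourceRanges", [])):
        return False
    return any(allowed_entry_opens_port(e, port, protocols) for e in rule.get("allowed", []))


def flagged_rules(rules: list[dict], port: int, protocols: frozenset[str] = TCP,
                  *, after_logic: bool = True) -> list[str]:
    """Names of the rules the check would report as findings, in input order."""
    return [r["name"] for r in rules
            if rule_is_flagged(r, port, protocols, after_logic=after_logic)]


# Constructed sample firewall rules (not real data).
SAMPLE_RULES = [
    {"name": "allow-pg-v4", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-pg-v6", "direction": "INGRESS", "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-high-range", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5000-6000"]}]},
    {"name": "allow-pg-corp", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-udp-only", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["5432"]}]},
    {"name": "allow-dns-udp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "allow-everything", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    print("before:", flagged_rules(SAMPLE_RULES, 5432, after_logic=False))
    print("after: ", flagged_rules(SAMPLE_RULES, 5432))
    print("dns:   ", flagged_rules(SAMPLE_RULES, 53, TCP_OR_UDP))
```

Two things the expressions make visible on this data: the IPv6 any-source rule (`allow-pg-v6`) is reported only by the After logic, and a range such as 5000-6000 is caught by both because the range bounds are compared numerically, not as strings. Conversely, an entry with IPProtocol 'all', or a tcp entry with no explicit ports, is outside what these per-port expressions match; D9.GCP.NET.50 above is the rule named for the allow-all-traffic case.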

D9.GCP.NET.59

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 135 (Remote Procedure Call)

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.60

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP ports 20 or 21 (File Transfer Protocol FTP)

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.61

Ensure that no VPC firewall rules allow unrestricted inbound access using Internet Control Message Protocol (ICMP)

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.63

HTTPS Load Balancer should have QUIC Enabled

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.OPE.09

Ensure VM instance has custom metadata

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.ALI.DR.01

Ensure that ECS data disk is configured with delete automatic snapshots feature

Low

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.IAM.20

Ensure RAM password policy won't allow login after the password expires

Low

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.IAM.21

Ensure ECS Instances release protection is enabled

Low

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.NET.32

Ensure SLB delete protection is enabled

Low

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

D9.OCI.NET.09

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 53

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.10

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 2483

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.11

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 27017

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.12

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 6379

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.13

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 80

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.14

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 20

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.15

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 21

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.16

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1434

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.17

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 1433

High

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

August 30 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.IAM.57

Ensure that admin user is disabled for Container Registry

Low

New

 

 

 

  • Azure CloudGuard CheckUp

  • Azure NIST 800-53 Rev 5

  • CloudGuard Azure All Rules Ruleset

  • Azure Dashboard System Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.OPE.01

Ensure Container Registry has locks

Low

New

 

 

 

  • Azure CloudGuard CheckUp

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.IAM.58

Enable role-based access control (RBAC) within Azure Kubernetes Services

Low

New

 

 

 

  • Azure CIS Foundations v. 1.4.0

  • Azure NIST 800-53 Rev 5

  • CloudGuard Azure All Rules Ruleset

  • Azure CSA CCM v.4.0.1

  • Azure CIS Foundations v. 1.1.0

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure HITRUST v9.5.0

  • Azure CIS Foundations v. 1.3.1

D9.AWS.OPE.21

Ensure Auto Scaling group have scaling cooldown higher than a minute

Low

Modification

  • Name

  • Ensure Auto Scaling group have scaling cooldown configured

  • Ensure Auto Scaling group have scaling cooldown higher than a minute

  • AWS NIST 800-53 Rev 5

  • AWS HITRUST v11.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS HITRUST

D9.AWS.CRY.91

Ensure that node-to-node encryption is enabled for your OpenSearch clusters

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.92

Ensure that at-rest encryption is enabled when writing AWS Glue data to Amazon S3

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.93

Ensure that ECR Registry-level configuration is enabled for image scanning

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.94

Ensure that your OpenSearch domains are encrypted using KMS Customer Master Keys

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.95

To adhere to security and compliance standards, it is essential to guarantee that AWS RDS instances are encrypted

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.96

Ensure ElastiCache AUTH feature enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.97

Ensure that in-transit encryption is enabled for your Amazon OpenSearch domains

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.98

Ensure Amazon Certificate Manager (ACM) certificates are renewed before their expiration (7 Days)

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.99

Ensure Amazon Certificate Manager (ACM) certificates are renewed before their expiration (45 Days)

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.100

Ensure that Amazon Glue Data Catalog objects and connection passwords are encrypted

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.12

Ensure high availability for your OpenSearch clusters by enabling the Zone Awareness feature

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.13

Ensure that OpenSearch clusters are using dedicated master nodes to increase the production environment stability

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.14

Ensure AWS RDS instances have Automated Backups feature enabled

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.116

Follow proper naming conventions for Virtual Private Clouds

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.118

Ensure IAM User Write Access is Prohibited

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.117

Ensure IAM User Organization Write Access is Prohibited

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.121

Ensure AWS EC2 Instance is Devoid of Data Destruction Permissions

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.122

Ensure AWS EC2 Instance is Devoid of Database Management Write Access Permissions

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.123

Ensure EC2 Instances do not have S3 Access

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.124

Ensure AWS EC2 instance does not have the permission to create a new Group with an attached policy

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.31

Ensure CloudTrail trails are configured to log Data events

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.32

Ensure alert notifications for important events within your Amazon Elastic Beanstalk environment

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.33

Ensure that access logging is enabled for your Elastic Beanstalk environment load balancer

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.34

Ensure persistent logs are enabled for your Amazon Elastic Beanstalk environments

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.35

Ensure AWS RDS utilizes secure and unique master usernames for database security

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.36

Ensure that CloudTrail trails record API calls for global services such as IAM, STS, and CloudFront

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.30

Check for any AMIs older than 180 days available within your AWS account

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.31

Ensure there are no empty AWS Auto Scaling Groups (ASGs)

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.33

Ensure that each AWS Auto Scaling Group has an associated Elastic Load Balancer

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.32

Ensure Amazon CloudTrail trail log files are delivered as expected

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.34

Ensure that X-Ray tracing is enabled for your Amazon Elastic Beanstalk environments

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.35

Ensure Enhanced Health Reporting is enabled for your AWS Elastic Beanstalk environments

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.36

Ensure your AWS CloudFormation stacks are integrated with Simple Notification Service (SNS)

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1006

Ensure unused Virtual Private Gateways are removed

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1007

Ensure that only approved IP addresses can access your Amazon OpenSearch domains

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1008

Ensure Amazon Redshift clusters are launched within a Virtual Private Cloud

Informational

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1009

Ensure that OpenSearch domains are accessible from a Virtual Private Cloud

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1010

Enforce HTTPS for Amazon Elastic Beanstalk environment load balancers

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1011

Ensure that your CloudFront distributions are using an origin access identity for their origin S3 buckets

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1012

Instance should not have a public IP address

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1013

Ensure that security groups are using proper naming conventions.

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.29

Ensure enhanced monitoring is enabled for your AWS Kinesis streams using shard-level metrics

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.30

Ensure Amazon Auto Scaling Groups have cooldown periods enabled

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.31

Ensure that your OpenSearch domains are using the latest version of the TLS security policy

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.32

Verify that Redshift clusters are utilizing the most up-to-date node generations to enhance performance

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.33

Ensure managed platform updates are enabled for your AWS Elastic Beanstalk environments

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.34

Ensure that AWS Cloudfront web distributions are configured to compress objects (files) automatically

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.35

Ensure that the latest version of OpenSearch engine is used for your OpenSearch domains

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AZU.NET.84

Ensure that a network policy is in place to secure traffic between pods

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure CSA CCM v.4.0.1

  • Azure CloudGuard Best Practices

D9.AZU.NET.83

Ensure that Azure CNI Networking is enabled

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure CSA CCM v.4.0.1

  • Azure CloudGuard Best Practices

D9.AZU.CRY.52

Ensure 'Enforce SSL connection' is set to 'Enabled' for Azure MariaDB database Server

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.CRY.53

Ensure Azure AKS cluster HTTP application routing is disabled

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.CRY.54

Ensure no Azure AKS cluster is configured without disk encryption

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.CRY.55

Ensure Azure MySQL Database Server is using a secure TLS version

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.55

Ensure that no Azure user, group or application has full permissions to access and manage Key Vaults

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.56

Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.59

Configure your Microsoft Azure virtual machines to use Azure Active Directory credentials for secure authentication.

Critical

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.LOG.19

Ensure that Diagnostic Logs are enabled for the supported Azure cloud resources

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.LOG.20

Ensure Azure AKS cluster monitoring is enabled

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.89

Ensure that a security contact phone number is provided in the Microsoft Defender for Cloud settings

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.78

Ensure that default network access rule is set to 'Deny' within your Azure Key Vaults configuration

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.79

Ensure that Private Endpoints are Used for Azure MariaDb database Server

Medium

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.80

Ensure that Azure Storage account access is limited only to specific IP addresses

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.81

Ensure that MariaDB database servers are using the latest version of the TLS protocol

Critical

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.82

Ensure Azure Database for MySQL server is configured with private endpoint

Medium

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.85

Ensure PostgreSQL database server is not allowed public network access

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.86

Ensure that Private Endpoints are Used for Azure PostgreSQL database Server

Medium

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.87

Ensure that Azure Postgre SQL Flexible Server access is limited and not allowed overly permissive

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.OPE.02

Ensure that your Cluster Pool contains at least 3 Nodes

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.OPE.03

Ensure to not use the deprecated Classic registry

Low

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.GCP.AS.12

Ensure that PostgreSQL database instances have the appropriate configuration set for the 'max_connections' flag

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.AS.13

Ensure that automatic storage increase is enabled for your Cloud SQL database instances

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.AS.14

Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.AS.15

Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.DR.03

Ensure that production SQL database instances are configured to automatically fail over to another zone within the selected cloud region

Critical

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.IAM.31

Ensure Compute Engine does not have predefined Admin roles

Critical

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.IAM.32

Ensure Compute Engine does not have IAM Write access level

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.LOG.31

Ensure that logging is enabled for Google Cloud load balancing backend services

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.LOG.32

Ensure that MySQL database instances have the 'slow_query_log' flag set to On (enabled)

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.LOG.33

Ensure storage bucket does not send logs to itself

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.39

Ensure Firewall default rules are not overly permissive

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.40

Ensure Firewall rule does not allow all traffic on port 21 - FTP

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.41

Ensure Firewall rule does not allow all traffic on port 80 - HTTP

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.42

Ensure Firewall rule does not allow all traffic on port 445 - Microsoft-DS

Critical

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.43

Ensure Firewall rule does not allow all traffic on port 27017 - MongoDB

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.44

Ensure Firewall rule does not allow all traffic on port 139 - NetBIOS-SSN

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.45

Ensure Firewall rule does not allow all traffic on port 1521 - Oracle DB

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.46

Ensure Firewall rule does not allow all traffic on port 110 - POP3

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.47

Ensure Firewall rule does not allow all traffic on port 23 - Telnet

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.48

Ensure Firewall rule does not expose GKE clusters by allowing all traffic on port 10250

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.49

Ensure Firewall rule does not expose GKE clusters by allowing all traffic on port 10255

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.50

Ensure no inbound rule exists that is overly permissive to allow all traffic from Internet

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.51

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database)

Critical

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.52

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server)

Critical

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.53

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server)

Critical

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.54

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP or UDP on port 53 (DNS)

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.55

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP)

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.56

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP)

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.57

Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH)

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.58

Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database)

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.OPE.06

Ensure that automatic restart is enabled for your Google Cloud virtual machine (VM) instances

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.OPE.07

Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.OPE.08

Ensure that 'On Host Maintenance' configuration setting is set to 'Migrate' for all VM instances

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.ALI.LOG.28

Ensure that ActionTrail logging is enabled

Low

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

D9.OCI.IAM.11

Ensure IAM password policy require at least one lowercase letter

Low

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

D9.OCI.IAM.12

Ensure IAM password policy require at least one uppercase letter

Low

New

 

 

 

  • CloudGuard OCI All Rules Ruleset

D9.AZU.AKS.01

Ensure that admin user is disabled for Container Registry

Low

Removal

 

 

 

  • Azure CloudGuard CheckUp

  • Azure NIST 800-53 Rev 5

  • CloudGuard Azure All Rules Ruleset

  • Azure Dashboard System Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.AKS.02

Ensure Container Registry has locks

Low

Removal

 

 

 

  • Azure CloudGuard CheckUp

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.AKS.08

Enable role-based access control (RBAC) within Azure Kubernetes Services

Low

Removal

 

 

 

  • Azure CIS Foundations v. 1.4.0

  • Azure NIST 800-53 Rev 5

  • CloudGuard Azure All Rules Ruleset

  • Azure CSA CCM v.4.0.1

  • Azure CIS Foundations v. 1.1.0

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure HITRUST v9.5.0

  • Azure CIS Foundations v. 1.3.1

D9.AZU.AKS.05

Ensure that a network policy is in place to secure traffic between pods

Low

Removal

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure CSA CCM v.4.0.1

  • Azure CloudGuard Best Practices

D9.AZU.AKS.06

Ensure that Azure CNI Networking is enabled

Low

Removal

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure CSA CCM v.4.0.1

  • Azure CloudGuard Best Practices

D9.AZU.AKS.07

Ensure that your Cluster Pool contains at least 3 Nodes

Low

Removal

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.AKS.09

Ensure to not use the deprecated Classic registry

Low

Removal

 

 

 

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

August 23 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.NET.67

Ensure that all authorization Type in API Gateway are not set to None

High

Modification

  • Logic

  • ApiGateway should not have resources contain-any [ methods contain-any [ authorizationType='NONE' ] ]

  • ApiGateway where not authorizers should not have resources contain-any [ methods contain-any [ authorizationType='NONE' ] ]

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • CloudGuard AWS All Rules Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10
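
The following is an added example, not CloudGuard's code, that reads the D9.AWS.NET.67 logic change recorded above in plain Python. The assumption made here is that the GSL `ApiGateway where not authorizers should not have ...` form scopes the rule to API Gateways whose authorizers list is empty; within that scope, any method whose authorizationType is NONE is a finding. The sample API models are constructed and use the field names that appear in the GSL (authorizers, resources, methods, authorizationType) plus `path` and `httpMethod` labels so that findings are readable.

```python
"""Plain-Python reading of the D9.AWS.NET.67 logic change (Before vs After).

Added example, not CloudGuard's code. Assumption: `where not authorizers` scopes the
rule to API Gateways with an empty authorizers list. The API models below are
constructed, using the field names from the GSL plus path/httpMethod labels.
"""
from __future__ import annotations


def none_auth_methods(api: dict) -> list[str]:
    """Mirror of `resources contain-any [ methods contain-any [ authorizationType='NONE' ] ]`,
    returning each offending method as 'PATH VERB' so a finding can be located."""
    return [
        f"{resource['path']} {method['httpMethod']}"
        for resource in api.get("resources", [])
        for method in resource.get("methods", [])
        if method.get("authorizationType") == "NONE"
    ]


def violates_before(api: dict) -> bool:
    """'Before' expression: every API Gateway is in scope."""
    return bool(none_auth_methods(api))


def violates_after(api: dict) -> bool:
    """'After' expression: only API Gateways with no authorizer configured are in scope."""
    return not api.get("authorizers") and bool(none_auth_methods(api))


def findings(apis: list[dict], *, before: bool = False) -> list[str]:
    """Names of the APIs the chosen expression reports, in input order."""
    check = violates_before if before else violates_after
    return [api["name"] for api in apis if check(api)]


# Constructed sample API Gateway models (not real data).
SAMPLE_APIS = [
    {"name": "public-api", "authorizers": [],
     "resources": [{"path": "/items",
                    "methods": [{"httpMethod": "GET", "authorizationType": "NONE"}]}]},
    {"name": "cognito-api-with-gap",
     "authorizers": [{"name": "cognito-authorizer", "type": "COGNITO_USER_POOLS"}],
     "resources": [{"path": "/items",
                    "methods": [{"httpMethod": "GET", "authorizationType": "COGNITO_USER_POOLS"},
                                {"httpMethod": "DELETE", "authorizationType": "NONE"}]}]},
    {"name": "iam-api", "authorizers": [],
     "resources": [{"path": "/admin",
                    "methods": [{"httpMethod": "POST", "authorizationType": "AWS_IAM"}]}]},
]

if __name__ == "__main__":
    print("before:", findings(SAMPLE_APIS, before=True))  # public-api, cognito-api-with-gap
    print("after: ", findings(SAMPLE_APIS))               # public-api
    print("gap:   ", none_auth_methods(SAMPLE_APIS[1]))   # ['/items DELETE']
```

On this data the scoping shows its effect: `cognito-api-with-gap` has an authorizer configured but still exposes `DELETE /items` with no authorization, and the After expression no longer reports it, so an API that is partly protected is a case to check separately once this modification is in effect.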

D9.ALI.NET.03

Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 - SSH

High

Modification

  • Name

  • Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

  • Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 - SSH

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.NET.04

Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 - RDP

High

Modification

  • Name

  • Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

  • Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 - RDP

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.AWS.AS.11

Identify and remove any unused AWS DynamoDB tables to optimize AWS costs

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.88

Ensure that Amazon DocumentDB clusters data is encrypted at rest

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.89

Ensure API Gateway endpoints has client certificate authentication

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.CRY.90

Ensure that Amazon DocumentDB clusters are encrypted with KMS Customer Master Keys (CMKs)

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DNS.08

Ensure AWS SES identities (email addresses and/or domains) are verified

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.06

Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.07

Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled

Informational

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.09

Ensure that Deletion Protection feature is enabled for your Aurora database clusters (provisioned and serverless)

Medium

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.10

Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.11

Ensure AWS DocumentDB clusters have a sufficient backup retention period set for compliance purposes

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.1020

Ensure IAM Database Authentication feature is enabled for Amazon Neptune clusters

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.IAM.115

Ensure that Amazon Lambda functions are referencing active execution roles

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.25

Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days)

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.26

Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days)

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.LOG.27

Ensure CloudTrail Logging is Enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.28

Ensure DKIM signing is enabled in AWS SES to protect email senders and receivers against phishing.

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.MON.29

Enable AWS DocumentDB Log Exports

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1003

Verify that there are no Amazon RDS database instances currently operational within the public subnets of our AWS Virtual Private Cloud (VPC).

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1004

Ensure that your Amazon Lambda functions have access to VPC-only resources.

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1005

Ensure Amazon MQ brokers are not publicly accessible and prone to security risks

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.96

Ensure AppSync has WAF

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.97

Ensure IMDS Response Hop Limit is Set to One

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.26

Make certain your AWS MQ brokers are running on the most up-to-date version of the Apache ActiveMQ engine.

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.27

Ensure that the latest version of Redis is used for your AWS ElastiCache clusters

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.OPE.28

Ensure that the latest version of Memcached is used for your AWS ElastiCache clusters

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.VLN.09

Ensure Aurora PostgreSQL is not exposed to local file read vulnerability

Critical

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AZU.MON.88

Ensure that an activity log alert is created for Delete PostgreSQL Database events

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.74

Ensure that HTTP protocol (TCP:80) is restricted from the Internet

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.75

Ensure that HTTPS protocol (TCP:443) is restricted from the Internet

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.76

Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.77

Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol

Critical

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.GCP.AS.10

Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances

Low

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.AS.11

Ensure that SQL Server database instances have the appropriate configuration set for the 'user connections' flag

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.IAM.30

Ensure GCP IAM user does not have permissions to deploy all resources

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.GCP.NET.38

Ensure Google Cloud Function is configured with a VPC connector

High

New

 

 

 

  • CloudGuard GCP All Rules Ruleset

D9.ALI.NET.17

Ensure no security groups allow ingress from 0.0.0.0/0 to port 53 - DNS

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.NET.18

Ensure no security groups allow ingress from 0.0.0.0/0 to port 2483 - unencrypted Oracle DB

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.19

Ensure no security groups allow ingress from 0.0.0.0/0 to port 27017 - unencrypted Mongo DB

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.20

Ensure no security groups allow ingress from 0.0.0.0/0 to port 6379 - unencrypted Redis

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.21

Ensure no security groups allow ingress from 0.0.0.0/0 to port 80 - HTTP

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.22

Ensure no security groups allow ingress from 0.0.0.0/0 to port 20 - FTP-Data

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.23

Ensure no security groups allow ingress from 0.0.0.0/0 to port 21 - FTP

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.24

Ensure no security groups allow ingress from 0.0.0.0/0 to port 1434 - MSSQL Admin

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.25

Ensure no security groups allow ingress from 0.0.0.0/0 to port 1433 - MSSQL Server

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.26

Ensure no security groups allow ingress from 0.0.0.0/0 to port 3306 - MySQL

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.27

Ensure no security groups allow ingress from 0.0.0.0/0 to port 1521 - unencrypted Oracle DB

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.28

Ensure no security groups allow ingress from 0.0.0.0/0 to port 5432 - Postgres SQL

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.29

Ensure no security groups allow ingress from 0.0.0.0/0 to port 5900 - VNC Server

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.30

Ensure no security groups allow ingress from 0.0.0.0/0 to port 25 - SMTP

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

D9.ALI.NET.31

Ensure no security groups allow ingress from 0.0.0.0/0 to port 7001 - Cassandra

High

New

 

 

 

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba CloudGuard Network Security Alerts

August 16 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.K8S.CRY.19

Ensure that the --service-account-key-file argument is set as appropriate (API Server) (Openshift)

Low

Modification

  • Name

  • Ensure that the --service-account-key-file argument is set as appropriate (API Server) (Openshift)

  • Ensure that the --service-account-key-file argument is set as appropriate (API Server) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.CRY.20

Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server) (Openshift)

High

Modification

  • Name

  • Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server) (Openshift)

  • Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.CRY.21

Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server) (Openshift)

High

Modification

  • Name

  • Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server) (Openshift)

  • Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.CRY.24

Ensure that the --encryption-provider-config argument is set as appropriate (API Server) (Openshift)

High

Modification

  • Name

  • Ensure that the --encryption-provider-config argument is set as appropriate (API Server) (Openshift)

  • Ensure that the --encryption-provider-config argument is set as appropriate (API Server) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

D9.K8S.CRY.26

Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server) (Openshift)

High

Modification

  • Name

  • Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server) (Openshift)

  • Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

D9.K8S.CRY.28

Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) (Openshift)

Low

Modification

  • Name

  • Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) (Openshift)

  • Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.CRY.29

Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) (Openshift)

Low

Modification

  • Name

  • Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) (Openshift)

  • Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.CRY.31

Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) (Openshift)

Informational

Modification

  • Name

  • Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) (Openshift)

  • Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

D9.K8S.CRY.34

Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) (Openshift)

High

Modification

  • Name

  • Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) (Openshift)

  • Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.CRY.37

Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) (Openshift)

Medium

Modification

  • Name

  • Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) (Openshift)

  • Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.CRY.41

Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet) (Openshift)

High

Modification

  • Name

  • Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet) (Openshift)

  • Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.CRY.45

Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (API server) (Openshift)

High

Modification

  • Name

  • Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (API server) (Openshift)

  • Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (API server) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.55

Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) (Openshift)

High

Modification

  • Name

  • Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) (Openshift)

  • Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.61

Ensure that the admission control plugin SecurityContextDeny is not set (API Server) (Openshift)

High

Modification

  • Name

  • Ensure that the admission control plugin SecurityContextDeny is not set (API Server) (Openshift)

  • Ensure that the admission control plugin SecurityContextDeny is not set (API Server) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

D9.K8S.IAM.63

Ensure that the admission control plugin SecurityContextConstraint is set (API Server) (Openshift)

High

Modification

  • Name

  • Ensure that the admission control plugin SecurityContextConstraint is set (API Server) (Openshift)

  • Ensure that the admission control plugin SecurityContextConstraint is set (API Server) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.65

Ensure that the admission control plugin SecurityContextConstraint is set (SCC restricted) (Openshift)

High

Modification

  • Name

  • Ensure that the admission control plugin SecurityContextConstraint is set (SCC restricted) (Openshift)

  • Ensure that the admission control plugin SecurityContextConstraint is set (SCC restricted) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.67

Minimize the admission of containers wishing to share the host process ID namespace (SCC) (Openshift)

High

Modification

  • Name

  • Minimize the admission of containers wishing to share the host process ID namespace (SCC) (Openshift)

  • Minimize the admission of containers wishing to share the host process ID namespace (SCC) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.68

Minimize the admission of containers wishing to share the host IPC namespace (SCC) (Openshift)

High

Modification

  • Name

  • Minimize the admission of containers wishing to share the host IPC namespace (SCC) (Openshift)

  • Minimize the admission of containers wishing to share the host IPC namespace (SCC) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.69

Minimize the admission of containers wishing to share the host network namespace (SCC) (Openshift)

Low

Modification

  • Name

  • Minimize the admission of containers wishing to share the host network namespace (SCC) (Openshift)

  • Minimize the admission of containers wishing to share the host network namespace (SCC) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.72

Minimize the admission of containers with the NET_RAW capability (SCC) (Openshift)

High

Modification

  • Logic

  • List<OpenshiftSecurityContextConstraint> should have items contain [ requiredDropCapabilities contain-any [in ('NET_RAW','ALL')] ]

  • List<OpenshiftSecurityContextConstraint> should have items contain [ requiredDropCapabilities contain-any [$ in ('NET_RAW','ALL')] ]

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.LOG.07

Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate (API Server) (Openshift)

Low

Modification

  • Name

  • Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate (API Server) (Openshift)

  • Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate (API Server) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.LOG.08

Ensure that the maximumFileSizeMegabytes argument is set to 100 or as appropriate (API Server) (Openshift)

Low

Modification

  • Name

  • Logic

  • Ensure that the maximumFileSizeMegabytes argument is set to 100 or as appropriate (API Server) (Openshift)

  • KubernetesCluster should have kubernetesPlatform.openshift.openshiftKubeApiserver.configConfigmap.apiServerArguments.audit-log-maxsize='100' and kubernetesPlatform.openshift.openshiftApiserver.configConfigmap.apiServerArguments.audit-log-maxsize='100'

  • Ensure that the maximumFileSizeMegabytes argument is set to 100 or as appropriate (API Server) (Openshift)

  • KubernetesCluster should have kubernetesPlatform.openshift.openshiftKubeApiserver.configConfigmap.apiServerArguments.audit-log-maxsize >=100 and kubernetesPlatform.openshift.openshiftApiserver.configConfigmap.apiServerArguments.audit-log-maxsize >=100

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.NET.28

Verify that the scheduler API service is protected by authentication and authorization (Scheduler) (Openshift)

High

Modification

  • Name

  • Verify that the scheduler API service is protected by authentication and authorization (Scheduler) (Openshift)

  • Verify that the scheduler API service is protected by authentication and authorization (Scheduler) (Openshift)

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

D9.AWS.AS.09

Ensure that your Amazon MQ brokers are using the active/standby deployment mode

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.AS.10

Ensure AWS MQ brokers have the Auto Minor Version Upgrade feature enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.05

Ensure Amazon ElastiCache Redis clusters have the Multi-AZ feature enabled

Low

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.DR.08

Ensure AWS Neptune clusters have a sufficient backup retention period set

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AWS.NET.1002

Ensure CloudFront origins don't use insecure SSL protocols

High

New

 

 

 

  • CloudGuard AWS All Rules Ruleset

D9.AZU.NET.72

Ensure that Oracle Database (TCP:1521) is restricted from the Internet

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.AZU.NET.73

Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019

High

New

 

 

 

  • CloudGuard Azure All Rules Ruleset

D9.K8S.CRY.47

Ensure that the healthz endpoints for the scheduler are protected by RBAC (OpenShift)

High

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.CRY.48

Verify that the scheduler API service is protected by RBAC (OpenShift)

High

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.28

Use https for kubelet connections (OpenShift)

Critical

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.87

Ensure that the kubelet uses certificates to authenticate (OpenShift)

Critical

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.88

Ensure that the --request-timeout argument is set (OpenShift)

High

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.89

Ensure that the API Server only makes use of Strong Cryptographic Ciphers (OpenShift)

Critical

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.90

Ensure that encryption providers are appropriately configured (OpenShift)

High

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.91

Ensure unsupported configuration overrides are not used (OpenShift)

Critical

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.IAM.92

Ensure that the admission control plugin SecurityContextConstraint is set (SCC)(Openshift)

High

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.LOG.10

Ensure that a minimal audit policy is created

High

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.NET.13

Ensure that the --insecure-port argument is set to 0 (OpenShift)

Critical

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.NET.16

Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager)(OpenShift)

Critical

New

 

 

 

  • CIS OpenShift Container Platform v4 Benchmark v1.4.0

D9.K8S.AC.25

Limit binding of Anonymous User

Critical

New

 

 

 

  • Container Admission Control

  • Container Admission Control 1.0

August 09 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.IAM.18

Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account

Critical

Modification

  • Name

  • Logic

  • Ensure MFA is enabled for the 'root' user account

  • IamUser where name like '%root_account%' should have mfaType in('Virtual')

  • Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account

  • IamUser where name like '%root_account%' should have mfaType in('Virtual','Hardware')

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS GDPR Readiness

  • AWS ISO27001:2022

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.IAM.101

Ensure that S3 Bucket policy doesn't have excessive permissions (Allowing all actions)

High

Modification

  • Logic

  • S3Bucket should not have policy.Statement with [Effect='Allow' and (Action contain [$ regexMatch /\*/] or Action regexMatch /\*/) ]

  • S3Bucket should not have policy.Statement contain [Effect='Allow' and Action contain ['*'] and Condition isEmpty()]

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS CloudGuard S3 Bucket Security

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS PCI-DSS 3.2

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS CCPA Framework

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10
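
The two Logic expressions in the D9.AWS.IAM.101 row above differ in what they flag, not just in syntax. The following Python is an added example, not CloudGuard code: it mirrors each predicate in plain Python and runs both over a constructed bucket policy (the bucket name, account ID and VPC endpoint ID are made up) so the difference can be seen offline.

```python
"""Plain-Python mirror of the two D9.AWS.IAM.101 predicates in the row above,
run over a constructed S3 bucket policy. Added example, not CloudGuard code.

  before: Effect='Allow' and Action regexMatch on a literal asterisk
          (any wildcard, including partial ones such as "s3:Get*")
  after:  Effect='Allow' and Action contains the bare "*" and Condition isEmpty()
"""
import json
import re
from typing import Any, Dict, List

ASTERISK = re.compile(r"\*")


def _as_list(value: Any) -> List[str]:
    """IAM lets Action be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def before_is_finding(statement: Dict[str, Any]) -> bool:
    """Pre-change logic: any Allow statement with an asterisk anywhere in an action."""
    return statement.get("Effect") == "Allow" and any(
        ASTERISK.search(action) for action in _as_list(statement.get("Action"))
    )


def after_is_finding(statement: Dict[str, Any]) -> bool:
    """Post-change logic: Allow, the literal '*' action, and no Condition block."""
    return (
        statement.get("Effect") == "Allow"
        and "*" in _as_list(statement.get("Action"))
        and not statement.get("Condition")
    )


def evaluate(policy_json: str) -> Dict[str, List[str]]:
    """Sids flagged by each predicate for one bucket policy document."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written as an object
        statements = [statements]
    return {
        "before": [s.get("Sid", "<no sid>") for s in statements if before_is_finding(s)],
        "after": [s.get("Sid", "<no sid>") for s in statements if after_is_finding(s)],
    }


# Constructed sample policy; bucket, account and VPC endpoint IDs are made up.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # partial wildcard: flagged before, not after
            "Sid": "ReadPrefix",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
            "Action": ["s3:Get*", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {   # bare '*' but gated by a Condition: flagged before, not after
            "Sid": "AdminFromVpce",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {   # bare '*' with no Condition: flagged by both
            "Sid": "Unconditional",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:*", "*"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {   # Deny statements are never findings under either version
            "Sid": "DenyAll",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_POLICY), indent=2))
```

Under the post-change predicate as written, a partial wildcard such as `s3:Get*`, a service-wide `s3:*`, and a bare `*` that is gated by a Condition are no longer findings; only an unconditional bare `*` is. That matches the rule name ("Allowing all actions") more closely and removes noise from conditioned admin statements, but it also means a broad `s3:*` grant needs its own check if you relied on this rule to catch it.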

D9.AWS.NET.78

Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP port

Medium

Modification

  • Logic

  • Instance where isPublic=true should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_TCP_Ports) and protocol in('TCP', 'ALL') ] ] ]

  • Instance where isPublic=true and nics contain [ subnet.routeTable.associations length()>0 and subnet.routeTable.routes contain [ destinationCidrBlock='0.0.0.0/0' and gatewayId like 'igw-%' ] ] should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_TCP_Ports) and protocol in('TCP', 'ALL') ] ] ]

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS GDPR Readiness

  • AWS ISO27001:2022

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

D9.AWS.NET.79

Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP port

Medium

Modification

  • Logic

  • Instance where isPublic=true should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_UDP_Ports) and protocol in('UDP', 'ALL') ] ] ]

  • Instance where isPublic=true and nics contain [ subnet.routeTable.associations length()>0 and subnet.routeTable.routes contain [ destinationCidrBlock='0.0.0.0/0' and gatewayId like 'igw-%' ] ] should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_UDP_Ports) and protocol in('UDP', 'ALL') ] ] ]

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS GDPR Readiness

  • AWS ISO27001:2022

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

D9.AWS.NET.80

Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP DB port

High

Modification

  • Logic

  • Instance where isPublic=true should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_DB_TCP_Ports) and protocol in('TCP', 'ALL') ] ] ]

  • Instance where isPublic=true and nics contain [ subnet.routeTable.associations length()>0 and subnet.routeTable.routes contain [ destinationCidrBlock='0.0.0.0/0' and gatewayId like 'igw-%' ] ] should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_DB_TCP_Ports) and protocol in('TCP', 'ALL') ] ] ]

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS GDPR Readiness

  • AWS ISO27001:2022

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

D9.AWS.NET.81

Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP DB port

High

Modification

  • Logic

  • Instance where isPublic=true should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_DB_UDP_Ports) and protocol in('UDP', 'ALL') ] ] ]

  • Instance where isPublic=true and nics contain [ subnet.routeTable.associations length()>0 and subnet.routeTable.routes contain [ destinationCidrBlock='0.0.0.0/0' and gatewayId like 'igw-%' ] ] should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_DB_UDP_Ports) and protocol in('UDP', 'ALL') ] ] ]

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS GDPR Readiness

  • AWS ISO27001:2022

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework
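
The four rows above (D9.AWS.NET.78 through D9.AWS.NET.81) carry the same change: the instance is in scope only if, besides holding a public IP (`isPublic=true`), one of its NICs sits in a subnet whose associated route table has a `0.0.0.0/0` route to an internet gateway (`gatewayId like 'igw-%'`). The following Python is an added example, not CloudGuard code; it re-implements both versions of the logic for all four rules over constructed instances. The page does not list the contents of the `$CloudGuard_Known_*_Ports` variables, so the port sets below are assumptions.

```python
"""Plain-Python mirror of the two versions of the D9.AWS.NET.78-81 GSL shown
above, run over constructed instance data. Added example, not CloudGuard code.
The port sets stand in for $CloudGuard_Known_*_Ports, whose contents the page
does not list, so their values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

KNOWN_TCP_PORTS: Set[int] = {21, 22, 23, 25, 80, 443, 3389}           # assumed
KNOWN_UDP_PORTS: Set[int] = {53, 123, 161}                             # assumed
KNOWN_DB_TCP_PORTS: Set[int] = {1433, 1521, 3306, 5432, 6379, 27017}   # assumed
KNOWN_DB_UDP_PORTS: Set[int] = {1434}                                  # assumed

@dataclass
class InboundRule:
    scope: str       # source CIDR
    port: int        # lower bound of the port range
    port_to: int     # upper bound
    protocol: str    # "TCP", "UDP" or "ALL"

@dataclass
class Route:
    destination_cidr_block: str
    gateway_id: str  # "igw-..." internet gateway, "nat-..." NAT gateway, "local"

@dataclass
class Subnet:
    route_table_associations: int
    routes: List[Route] = field(default_factory=list)

@dataclass
class Nic:
    subnet: Subnet
    inbound_rules: List[InboundRule] = field(default_factory=list)  # union of the NIC's SG rules

@dataclass
class Instance:
    instance_id: str
    is_public: bool  # instance has a public or Elastic IP (isPublic)
    nics: List[Nic] = field(default_factory=list)

def has_igw_default_route(nic: Nic) -> bool:
    """subnet.routeTable.associations length()>0 and routes contain
    [destinationCidrBlock='0.0.0.0/0' and gatewayId like 'igw-%']."""
    return nic.subnet.route_table_associations > 0 and any(
        r.destination_cidr_block == "0.0.0.0/0" and r.gateway_id.startswith("igw-")
        for r in nic.subnet.routes
    )

def world_open_on_known_port(nic: Nic, ports: Set[int], proto: str) -> bool:
    """inboundRules contain [scope='0.0.0.0/0' and port in(ports) and protocol in(proto,'ALL')].
    As in the GSL, only the range's lower bound `port` is tested against the list."""
    return any(
        r.scope == "0.0.0.0/0" and r.port in ports and r.protocol in (proto, "ALL")
        for r in nic.inbound_rules
    )

def before_fails(inst: Instance, ports: Set[int], proto: str) -> bool:
    """Old logic: any instance with a public IP is in scope."""
    return inst.is_public and any(world_open_on_known_port(n, ports, proto) for n in inst.nics)

def after_fails(inst: Instance, ports: Set[int], proto: str) -> bool:
    """New logic: in scope only if some NIC's subnet is routed to an internet gateway."""
    in_scope = inst.is_public and any(has_igw_default_route(n) for n in inst.nics)
    return in_scope and any(world_open_on_known_port(n, ports, proto) for n in inst.nics)

RULES = {
    "NET.78 TCP": (KNOWN_TCP_PORTS, "TCP"),
    "NET.79 UDP": (KNOWN_UDP_PORTS, "UDP"),
    "NET.80 DB TCP": (KNOWN_DB_TCP_PORTS, "TCP"),
    "NET.81 DB UDP": (KNOWN_DB_UDP_PORTS, "UDP"),
}

def findings(instances: List[Instance]) -> Dict[str, Tuple[List[str], List[str]]]:
    """rule -> (instance ids failing the old logic, ids failing the new logic)."""
    return {
        name: (sorted(i.instance_id for i in instances if before_fails(i, ports, proto)),
               sorted(i.instance_id for i in instances if after_fails(i, ports, proto)))
        for name, (ports, proto) in RULES.items()
    }

# Constructed fixtures; no real account data.
PUBLIC_SUBNET = Subnet(1, [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-0abc")])
NAT_SUBNET = Subnet(1, [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "nat-0def")])
SSH_WORLD = InboundRule("0.0.0.0/0", 22, 22, "TCP")
MYSQL_WORLD = InboundRule("0.0.0.0/0", 3306, 3306, "TCP")
SQLBROWSER_ALL = InboundRule("0.0.0.0/0", 1434, 1434, "ALL")

SAMPLE = [
    Instance("i-bastion", True, [Nic(PUBLIC_SUBNET, [SSH_WORLD])]),               # fails both
    Instance("i-orphan-eip", True, [Nic(NAT_SUBNET, [SSH_WORLD, MYSQL_WORLD])]),   # public IP, no IGW path
    Instance("i-private", False, [Nic(PUBLIC_SUBNET, [MYSQL_WORLD])]),           # no public IP
    Instance("i-db", True, [Nic(PUBLIC_SUBNET, [SQLBROWSER_ALL])]),              # protocol ALL matches the UDP rule
]

if __name__ == "__main__":
    for rule, (old, new) in findings(SAMPLE).items():
        print(f"{rule}: before={old} after={new}")
```

With the route-table pre-condition, an instance that holds an Elastic IP but sits in a subnet whose default route goes to a NAT gateway (`i-orphan-eip`) drops out of the findings, because nothing outside the VPC can reach it. Two things carry over unchanged from the old expression: `protocol in('TCP','ALL')` means an all-protocols rule triggers every variant, and only the rule's lower bound `port` is compared with the list, so a `0-65535` rule is not matched by these predicates as written.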

D9.AWS.NET.75

Ensure no Lambda allows ingress from 0.0.0.0/0 to remote server administration ports

High

Modification

  • Name

  • Logic

  • Ensure no lambda allow ingress from 0.0.0.0/0 to remote server administration ports

  • Lambda should not have inboundRules with [ scope='0.0.0.0/0' and ( ( port<=23 and portTo>=20 ) or ( port<=115 and portTo>=115 ) or ( port<=139 and portTo>=137 ) or ( port<=2049 and portTo>=2049 ) or ( port<=3389 and portTo>=3389 ) ) ]

  • Ensure no Lambda allows ingress from 0.0.0.0/0 to remote server administration ports

  • Lambda should not have inboundRules with [scope in ('0.0.0.0/0', '::/0') and portTo in (22, 115, 137, 2049, 3389)]

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS ISO27001:2022

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS MITRE ATT&CK Framework v10
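
The Before and After expressions for D9.AWS.NET.75 above test different things: the old one checks whether the rule's `port`..`portTo` range overlaps one of the remote-administration ranges, the new one adds `::/0` as a world source but matches only on `portTo` being exactly one of the listed ports. The following Python is an added example, not CloudGuard code; it runs both predicates over constructed security-group rules so the divergence is visible.

```python
"""Both versions of the D9.AWS.NET.75 predicate from the row above, applied
to constructed Lambda security-group rules. Added example, not CloudGuard code.

  before: scope='0.0.0.0/0' and the rule's [port, portTo] range overlaps
          20-23, 115, 137-139, 2049 or 3389
  after:  scope in ('0.0.0.0/0', '::/0') and portTo in (22, 115, 137, 2049, 3389)
"""
from typing import Dict, List, Tuple

ADMIN_RANGES: List[Tuple[int, int]] = [(20, 23), (115, 115), (137, 139), (2049, 2049), (3389, 3389)]
ADMIN_PORTS_TO = {22, 115, 137, 2049, 3389}


def before_matches(scope: str, port: int, port_to: int) -> bool:
    """Pre-change: IPv4 any-source and the rule's range overlaps an admin range."""
    return scope == "0.0.0.0/0" and any(port <= hi and port_to >= lo for lo, hi in ADMIN_RANGES)


def after_matches(scope: str, port: int, port_to: int) -> bool:
    """Post-change: IPv4 or IPv6 any-source and the range's upper bound is exactly an admin port."""
    return scope in ("0.0.0.0/0", "::/0") and port_to in ADMIN_PORTS_TO


def compare(rules: List[Tuple[str, str, int, int]]) -> Dict[str, Tuple[bool, bool]]:
    """label -> (matched by the old predicate, matched by the new one)."""
    return {label: (before_matches(s, p, pt), after_matches(s, p, pt)) for label, s, p, pt in rules}


# Constructed rules: (label, source CIDR, port, portTo).
SAMPLE_RULES = [
    ("ssh-v4", "0.0.0.0/0", 22, 22),              # both
    ("ssh-v6", "::/0", 22, 22),                    # new only: IPv6 any-source was not considered before
    ("ftp-telnet", "0.0.0.0/0", 20, 23),           # old only: portTo=23 is not in the new list
    ("netbios", "0.0.0.0/0", 137, 139),            # old only: portTo=139
    ("all-ports", "0.0.0.0/0", 0, 65535),          # old only: overlap catches it, exact portTo does not
    ("rdp-office", "203.0.113.0/24", 3389, 3389),  # neither: not world-open
]

if __name__ == "__main__":
    for label, (old, new) in compare(SAMPLE_RULES).items():
        print(f"{label:12} before={old!s:5} after={new}")
```

Read literally, the new expression gains IPv6 coverage (`::/0`) and loses range coverage: a `20-23` or `137-139` rule, and an all-ports `0-65535` rule, satisfy the old predicate and not the new one, because `portTo in (...)` is an exact match on the upper bound. If your Lambda security groups use port ranges rather than single ports, verify how the rule behaves in your account before treating a clean result as proof that no administration port is world-reachable.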

D9.AZU.IAM.46

Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users

High

Modification

  • Logic

  • RoleAssignment should have (properties contain [getResource('User', principalId) contain [userCredentialRegistrationDetails.isRegisterWithMfa=true]] and properties contain [getResources('RoleDefinition',roleDefinitionId) contain [properties.roleName in ('Owner','Contributor')]])

  • User where assignedRoles contain [displayName regexMatch /.*Administrator|Creator|Global.*/] should have userCredentialRegistrationDetails.isRegisterWithMfa=true

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure Dashboard System Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.IAM.47

Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users

High

Modification

  • Logic

  • RoleAssignment should have (properties contain [getResource('User', principalId) contain [userCredentialRegistrationDetails.isRegisterWithMfa=true]] and properties contain [getResources('RoleDefinition',roleDefinitionId) contain-none [properties.roleName in ('Owner','Contributor')]])

  • User should have userCredentialRegistrationDetails.isRegisterWithMfa=true

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure Dashboard System Ruleset

  • Azure CloudGuard Best Practices

D9.AWS.IAM.19

Ensure hardware MFA is enabled for the 'root' user account

Critical

Removal

 

 

 

  • AWS CIS Foundations v. 1.5.0

  • AWS CIS Foundations v. 2.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS CloudGuard Best Practices

  • AWS CIS Foundations v. 1.4.0

August 02 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.GCP.CRY.01

Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)

High

Modification

  • Name

  • Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)

  • Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)

  • GCP CloudGuard CheckUp

  • GCP CIS Foundations v. 1.3.0

  • GCP Security Risk Management

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP HIPAA

  • GCP Dashboard System Ruleset

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.CRY.03

Ensure Oslogin Is Enabled for a Project

Medium

Modification

  • Name

  • Ensure oslogin is enabled for a Project

  • Ensure Oslogin Is Enabled for a Project

  • GCP CloudGuard CheckUp

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP HIPAA

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.02

Ensure that Corporate Login Credentials are Used

High

Modification

  • Name

  • Ensure that corporate login credentials are used

  • Ensure that Corporate Login Credentials are Used

  • GCP CloudGuard CheckUp

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP CSA CCM v.3.0.1

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP CloudGuard SOC2 based on AICPA TSC 2017

  • GCP HIPAA

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.04

Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account

High

Modification

  • Name

  • Ensure that there are only GCP-managed service account keys for each service account

  • Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account

  • GCP CloudGuard CheckUp

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Foundations v. 1.0.0

  • GCP HIPAA

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.05

Ensure That Service Account Has No Admin Privileges

High

Modification

  • Name

  • Ensure that Service Account has no Admin privileges

  • Ensure That Service Account Has No Admin Privileges

  • GCP CloudGuard CheckUp

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP HIPAA

  • GCP Dashboard System Ruleset

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.09

Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible

Critical

Modification

  • Name

  • Ensure that Cloud Storage bucket is not anonymously or publicly accessible

  • Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible

  • GCP CloudGuard CheckUp

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP HIPAA

  • GCP Dashboard System Ruleset

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.11

Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance

High

Modification

  • Name

  • Ensure 'Enable connecting to serial ports' is not enabled for VM Instance

  • Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance

  • GCP CloudGuard CheckUp

  • GCP CIS Foundations v. 1.3.0

  • GCP Security Risk Management

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP CloudGuard Network Security

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.20

Ensure That the Default Network Does Not Exist in a Project

Medium

Modification

  • Name

  • Ensure the default network does not exist in a project

  • Ensure That the Default Network Does Not Exist in a Project

  • GCP CloudGuard CheckUp

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP CloudGuard Network Security

  • GCP HIPAA

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.CRY.02

Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances

High

Modification

  • Name

  • Ensure 'Block Project-wide SSH keys' enabled for VM instances

  • Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances

  • GCP CIS Foundations v. 1.3.0

  • GCP Security Risk Management

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.CRY.07

Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL

High

Modification

  • Name

  • Ensure that the Cloud SQL database instance requires all incoming connections to use SSL

  • Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP HIPAA

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.CRY.08

Ensure Compute Instances Are Launched With Shielded VM Enabled

High

Modification

  • Name

  • Ensure Compute instances are launched with Shielded VM enabled

  • Ensure Compute Instances Are Launched With Shielded VM Enabled

  • GCP CIS Foundations v. 1.3.0

  • GCP Security Risk Management

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.CRY.09

Ensure That Compute Instances Have Confidential Computing Enabled

High

Modification

  • Name

  • Ensure that Compute instances have Confidential Computing enabled

  • Ensure That Compute Instances Have Confidential Computing Enabled

  • GCP CIS Foundations v. 1.3.0

  • GCP Security Risk Management

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.CRY.10

Ensure That Compute Instances Do Not Have Public IP Addresses

High

Modification

  • Name

  • Ensure that Compute instances do not have public IP addresses

  • Ensure That Compute Instances Do Not Have Public IP Addresses

  • GCP CIS Foundations v. 1.3.0

  • GCP Security Risk Management

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.CRY.11

Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible

High

Modification

  • Name

  • Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible

  • Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.CRY.12

Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets

High

Modification

  • Name

  • Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets

  • Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.CRY.13

Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days

High

Modification

  • Name

  • Ensure KMS encryption keys are rotated within a period of 90 days

  • Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.CRY.14

Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)

High

Modification

  • Name

  • Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)

  • Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.DR.01

Ensure That Cloud SQL Database Instances Are Configured With Automated Backups

Low

Modification

  • Name

  • Ensure that Cloud SQL database instances are configured with automated backups

  • Ensure That Cloud SQL Database Instances Are Configured With Automated Backups

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.01

Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs

High

Modification

  • Name

  • Ensure that instances are not configured to use the default service account with full access to all Cloud APIs

  • Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs

  • GCP CIS Foundations v. 1.3.0

  • GCP Security Risk Management

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP CSA CCM v.3.0.1

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP HIPAA

  • GCP Dashboard System Ruleset

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.03

Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts

High

Modification

  • Name

  • Ensure that multi-factor authentication is enabled for all non-service accounts

  • Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP HIPAA

  • GCP Dashboard System Ruleset

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.18

Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users

High

Modification

  • Name

  • Ensure that Separation of duties is enforced while assigning service account related roles to users

  • Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.21

Ensure That Instances Are Not Configured To Use the Default Service Account

High

Modification

  • Name

  • Ensure that instances are not configured to use the default service account

  • Ensure That Instances Are Not Configured To Use the Default Service Account

  • GCP CIS Foundations v. 1.3.0

  • GCP Security Risk Management

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.22

Ensure API Keys Are Rotated Every 90 Days

High

Modification

  • Name

  • Ensure API keys are rotated every 90 days

  • Ensure API Keys Are Rotated Every 90 Days

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.23

Ensure API Keys Are Restricted to Only APIs That Application Needs Access

High

Modification

  • Name

  • Ensure API keys are restricted to only APIs that application needs access

  • Ensure API Keys Are Restricted to Only APIs That Application Needs Access

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.24

Ensure API Keys Only Exist for Active Services

High

Modification

  • Name

  • Ensure API keys are not created for a project

  • Ensure API Keys Only Exist for Active Services

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.25

Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level

High

Modification

  • Name

  • Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level

  • Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.26

Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users

High

Modification

  • Name

  • Ensure that Separation of duties is enforced while assigning KMS related roles to users

  • Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.27

Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled

Low

Modification

  • Name

  • Ensure that Cloud Storage buckets have uniform bucket-level access enabled

  • Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.28

Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible

High

Modification

  • Name

  • Ensure that BigQuery datasets are not anonymously or publicly accessible

  • Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.03

Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'

Low

Modification

  • Name

  • Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'

  • Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.06

Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled)

Low

Modification

  • Name

  • Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)

  • Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled)

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.12

Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'

Low

Modification

  • Name

  • Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'

  • Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.13

Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately

Low

Modification

  • Name

  • Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately

  • Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.14

Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter

Low

Modification

  • Name

  • Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'default' or stricter

  • Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.16

Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'

Low

Modification

  • Name

  • Ensure That the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning'

  • Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.17

Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter

Low

Modification

  • Name

  • Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter

  • Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.18

Ensure That Cloud Audit Logging Is Configured Properly

Low

Modification

  • Name

  • Ensure that Cloud Audit Logging is configured properly across all services and all users from a project

  • Ensure That Cloud Audit Logging Is Configured Properly

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.19

Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes

Low

Modification

  • Name

  • Ensure log metric filter and alerts exist for project ownership assignments/changes

  • Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.20

Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes

Low

Modification

  • Name

  • Ensure that the log metric filter and alerts exist for Audit Configuration changes

  • Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.21

Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes

Low

Modification

  • Name

  • Ensure that the log metric filter and alerts exist for Custom Role changes

  • Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.22

Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes

Low

Modification

  • Name

  • Logic

  • Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes

  • AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type="gce_firewall_rule" AND protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.insert"OR protoPayload.methodName:"compute.firewalls.delete"']

  • Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes

  • AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type="gce_firewall_rule" AND protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete"']

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices
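
The Logic change above is a one-character fix (a missing space before the second OR in the expected metric filter), but because the rule compares the log-based metric's filter to that string by exact equality, the Before version would have failed a correctly configured firewall-change alert. The following Python block is an added illustration of that rule logic; it is not CloudGuard's evaluation engine and not code from this page. The two filter strings are copied from the Before and After lines; the record shapes, the metric and policy names, and the function names are assumptions made for the example (simplified stand-ins for the AlertPolicy and LogBasedMetric resources the GSL refers to).

```python
"""Added illustration of the D9.GCP.LOG.22 logic (firewall-rule-change alerting).

Not CloudGuard's engine. Record shapes below are simplified stand-ins for the
Cloud Monitoring AlertPolicy and LogBasedMetric resources named in the GSL.
"""
from typing import Dict, List, Optional

# Exact filter string from the rule's "After" logic.
FIREWALL_CHANGE_FILTER = (
    'resource.type="gce_firewall_rule" AND '
    'protoPayload.methodName:"compute.firewalls.patch" OR '
    'protoPayload.methodName:"compute.firewalls.insert" OR '
    'protoPayload.methodName:"compute.firewalls.delete"'
)

# The "Before" string: identical except for the missing space before the
# second OR. The rule compares filters by exact equality, so this one
# character is enough to fail a correctly configured metric.
FIREWALL_CHANGE_FILTER_BEFORE_FIX = FIREWALL_CHANGE_FILTER.replace(
    '"compute.firewalls.insert" OR', '"compute.firewalls.insert"OR'
)

# Constructed sample inventory (hypothetical names, not real project data).
LOG_BASED_METRICS: Dict[str, str] = {
    "firewall-rule-changes": FIREWALL_CHANGE_FILTER,
    "route-changes": 'resource.type="gce_route" AND '
                     'protoPayload.methodName:"compute.routes.insert"',
}

ALERT_POLICIES: List[dict] = [
    {"name": "alert-firewall-changes", "enabled": True,
     "conditions": [{"conditionThreshold": {"logName": "firewall-rule-changes"}}]},
    {"name": "alert-route-changes", "enabled": True,
     "conditions": [{"conditionThreshold": {"logName": "route-changes"}}]},
    # Disabled policy: out of scope because of enabled='true' in the where clause.
    {"name": "alert-firewall-disabled", "enabled": False,
     "conditions": [{"conditionThreshold": {"logName": "firewall-rule-changes"}}]},
    # Metric-threshold policy with no logName: out of scope as well.
    {"name": "alert-cpu", "enabled": True,
     "conditions": [{"conditionThreshold": {
         "filter": 'metric.type="compute.googleapis.com/instance/cpu/utilization"'}}]},
]


def in_scope(policy: dict) -> bool:
    """The GSL where clause: conditions contain [conditionThreshold.logName] and enabled='true'."""
    return policy.get("enabled") is True and any(
        "logName" in c.get("conditionThreshold", {}) for c in policy.get("conditions", [])
    )


def resolve_filter(condition: dict, metrics: Dict[str, str]) -> Optional[str]:
    """getResource('LogBasedMetric', conditionThreshold.logName) getValue('filter')."""
    log_name = condition.get("conditionThreshold", {}).get("logName")
    return metrics.get(log_name) if log_name else None


def evaluate(policies: List[dict], metrics: Dict[str, str],
             expected_filter: str = FIREWALL_CHANGE_FILTER) -> Dict[str, bool]:
    """Return {policy name: passed} for every in-scope policy.

    Literal reading of the should-have clause (assumed here to be evaluated
    per matching entity): a policy passes if at least one of its conditions
    resolves to a log-based metric whose filter equals expected_filter exactly.
    """
    results: Dict[str, bool] = {}
    for policy in policies:
        if not in_scope(policy):
            continue
        results[policy["name"]] = any(
            resolve_filter(c, metrics) == expected_filter for c in policy["conditions"]
        )
    return results


def project_alerts_on_firewall_changes(policies: List[dict], metrics: Dict[str, str],
                                       expected_filter: str = FIREWALL_CHANGE_FILTER) -> bool:
    """The CIS intent behind the rule: at least one enabled policy alerts on the metric."""
    return any(evaluate(policies, metrics, expected_filter).values())


if __name__ == "__main__":
    for label, flt in (("after fix", FIREWALL_CHANGE_FILTER),
                       ("before fix", FIREWALL_CHANGE_FILTER_BEFORE_FIX)):
        print(label, evaluate(ALERT_POLICIES, LOG_BASED_METRICS, flt))
```

Run against the After string, the firewall policy passes and the route-change policy fails; run against the Before string, the correctly configured firewall policy fails too, which is the false positive the Logic change removes. Two caveats fall out of the literal reading: the comparison is byte-for-byte, so a metric filter that differs only in whitespace or parenthesisation from the expected string is reported as non-compliant, and every enabled log-based alert policy that is not about firewall changes is also reported as failing this particular rule. Whether to treat the per-policy result or the project-wide `project_alerts_on_firewall_changes` answer as the finding is a choice the page does not settle; the function names and this interpretation are the example's own.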

D9.GCP.LOG.23

Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes

Low

Modification

  • Name

  • Ensure that the log metric filter and alerts exist for VPC network route changes

  • Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.24

Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes

Low

Modification

  • Name

  • Ensure that the log metric filter and alerts exist for VPC network changes

  • Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.25

Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes

Low

Modification

  • Name

  • Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes

  • Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.26

Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes

Low

Modification

  • Name

  • Ensure that the log metric filter and alerts exist for SQL instance configuration changes

  • Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.27

Ensure That Cloud DNS Logging Is Enabled for All VPC Networks

Low

Modification

  • Name

  • Ensure that Cloud DNS logging is enabled for all VPC networks

  • Ensure That Cloud DNS Logging Is Enabled for All VPC Networks

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.LOG.28

Ensure That Sinks Are Configured for All Log Entries

Low

Modification

  • Name

  • Ensure that sinks are configured for all log entries

  • Ensure That Sinks Are Configured for All Log Entries

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.08

Ensure That IP Forwarding Is Not Enabled on Instances

High

Modification

  • Name

  • Ensure that IP forwarding is not enabled on Instances

  • Ensure That IP Forwarding Is Not Enabled on Instances

  • GCP CIS Foundations v. 1.3.0

  • GCP Security Risk Management

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CloudGuard Network Security

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.12

Ensure That SSH Access Is Restricted From the Internet

High

Modification

  • Name

  • Ensure that SSH access is restricted from the internet

  • Ensure That SSH Access Is Restricted From the Internet

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP CloudGuard Network Security

  • GCP HIPAA

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.13

Ensure That RDP Access Is Restricted From the Internet

High

Modification

  • Name

  • Ensure that RDP access is restricted from the internet

  • Ensure That RDP Access Is Restricted From the Internet

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP CloudGuard Network Security

  • GCP HIPAA

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.16

Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network

Medium

Modification

  • Name

  • Ensure VPC Flow logs is enabled for every subnet in a VPC Network

  • Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network

  • GCP CIS Foundations v. 1.3.0

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP HIPAA

  • GCP GDPR Readiness

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.24

Ensure That Cloud SQL Database Instances Do Not Have Public IPs

High

Modification

  • Name

  • Ensure that Cloud SQL instances do not have public IPs

  • Ensure That Cloud SQL Database Instances Do Not Have Public IPs

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.26

Ensure That DNSSEC Is Enabled for Cloud DNS

High

Modification

  • Name

  • Ensure that DNSSEC is enabled for Cloud DNS

  • Ensure That DNSSEC Is Enabled for Cloud DNS

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.27

Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC

High

Modification

  • Name

  • Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC

  • Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.28

Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC

High

Modification

  • Name

  • Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC

  • Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.29

Ensure No HTTPS Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites

High

Modification

  • Name

  • Ensure no HTTPS proxy load balancers permit SSL policies with weak cipher suites

  • Ensure No HTTPS Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.31

Ensure Legacy Networks Do Not Exist for Older Projects

High

Modification

  • Name

  • Ensure legacy networks do not exist for a project

  • Ensure Legacy Networks Do Not Exist for Older Projects

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.0.0

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.VLN.02

Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'

Medium

Modification

  • Name

  • Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'

  • Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.VLN.05

Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'

Medium

Modification

  • Name

  • Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'

  • Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • CloudGuard GCP All Rules Ruleset

  • GCP CIS Controls V 8

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.ALI.CRY.04

Ensure that 'Virtual Machine's disk' are encrypted

High

Modification

  • Name

  • Ensure that Virtual Machine's Disks are encrypted

  • Ensure that 'Virtual Machine's disk' are encrypted

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.CRY.05

Ensure server-side encryption is set to 'Encrypt with BYOK'

High

Modification

  • Name

  • Ensure server-side encryption is set to 'Encrypt with BYOK'.

  • Ensure server-side encryption is set to 'Encrypt with BYOK'

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.CRY.06

Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key)

High

Modification

  • Name

  • Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key).

  • Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key)

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.CRY.07

Ensure that 'TDE' is set to 'Enabled' on for applicable database instance

High

Modification

  • Name

  • Ensure that 'TDE' is set to 'Enabled' on for applicable database instance.

  • Ensure that 'TDE' is set to 'Enabled' on for applicable database instance

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.IAM.01

Ensure no root account access key exists

High

Modification

  • Name

  • Ensure no root account access key exists.

  • Ensure no root account access key exists

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.IAM.04

Ensure users not logged on for 90 days or longer are disabled for console logon

High

Modification

  • Name

  • Ensure users not logged on for 90 days or longer are disabled for console logon.

  • Ensure users not logged on for 90 days or longer are disabled for console logon

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.IAM.08

Ensure RAM policies that allow full '*:*' administrative privileges are not created

High

Modification

  • Name

  • Ensure RAM policies that allow full "*:*" administrative privileges are not created

  • Ensure RAM policies that allow full '*:*' administrative privileges are not created

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.IAM.09

Ensure RAM password policy prevents password reuse

High

Modification

  • Name

  • Ensure RAM password policy prevents password reuse.

  • Ensure RAM password policy prevents password reuse

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.IAM.10

Ensure RAM password policy requires at least one uppercase letter

Low

Modification

  • Name

  • Ensure RAM password policy requires at least one uppercase letter.

  • Ensure RAM password policy requires at least one uppercase letter

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.IAM.11

Ensure RAM password policy requires at least one lowercase letter

Low

Modification

  • Name

  • Ensure RAM password policy requires at least one lowercase letter.

  • Ensure RAM password policy requires at least one lowercase letter

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.IAM.12

Ensure RAM password policy require at least one symbol

Low

Modification

  • Name

  • Ensure RAM password policy require at least one symbol.

  • Ensure RAM password policy require at least one symbol

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.IAM.13

Ensure RAM password policy require at least one number

Low

Modification

  • Name

  • Ensure RAM password policy require at least one number.

  • Ensure RAM password policy require at least one number

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.IAM.14

Ensure RAM password policy expires passwords within 90 days or less

Low

Modification

  • Name

  • Ensure RAM password policy expires passwords within 90 days or less.

  • Ensure RAM password policy expires passwords within 90 days or less

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.IAM.15

Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour

High

Modification

  • Name

  • Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour.

  • Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.LOG.10

Ensure Security Center Network, Host and Security log analysis is enabled

High

Modification

  • Name

  • Ensure Security Center Network, Host and Security log analysis is enabled.

  • Ensure Security Center Network, Host and Security log analysis is enabled

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.MON.02

Ensure that 'Auditing' Retention is 'greater than 6 months'

Low

Modification

  • Name

  • Ensure that 'Auditing' Retention is 'greater than 6 months'.

  • Ensure that 'Auditing' Retention is 'greater than 6 months'

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.NET.02

Ensure legacy networks does not exist

High

Modification

  • Name

  • Ensure legacy networks does not exist.

  • Ensure legacy networks does not exist

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

  • Alibaba cloud ruleset

D9.ALI.NET.16

Ensure VPC flow logging is enabled in all VPCs

High

Modification

  • Name

  • Ensure VPC flow logging is enabled in all VPCs.

  • Ensure VPC flow logging is enabled in all VPCs

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.VLN.01

Ensure that Security Center is Advanced or Enterprise Edition

High

Modification

  • Name

  • Ensure that Security Center is Advanced or Enterprise Edition.

  • Ensure that Security Center is Advanced or Enterprise Edition

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.VLN.02

Ensure that all assets are installed with security agent

High

Modification

  • Name

  • Ensure that all assets are installed with security agent.

  • Ensure that all assets are installed with security agent

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.VLN.03

Ensure that Automatic Quarantine is enabled

High

Modification

  • Name

  • Ensure that Automatic Quarantine is enabled.

  • Ensure that Automatic Quarantine is enabled

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.VLN.04

Ensure that Webshell detection is enabled on all web servers

High

Modification

  • Name

  • Ensure that Webshell detection is enabled on all web servers.

  • Ensure that Webshell detection is enabled on all web servers

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.VLN.05

Ensure that notification is enabled on all high risk items

Low

Modification

  • Name

  • Ensure that notification is enabled on all high risk items.

  • Ensure that notification is enabled on all high risk items

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.VLN.06

Ensure that Config Assessment is granted with privilege

Low

Modification

  • Name

  • Ensure that Config Assessment is granted with privilege.

  • Ensure that Config Assessment is granted with privilege

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.VLN.07

Ensure that scheduled vulnerability scan is enabled on all servers

High

Modification

  • Name

  • Ensure that scheduled vulnerability scan is enabled on all servers.

  • Ensure that scheduled vulnerability scan is enabled on all servers

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.ALI.VLN.09

Ensure that the latest OS Patches for all Virtual Machines are applied

High

Modification

  • Name

  • Ensure that the latest OS Patches for all Virtual Machines are applied.

  • Ensure that the latest OS Patches for all Virtual Machines are applied

  • Alibaba CIS Foundations v. 1.0

  • CloudGuard Alibaba All Rules Ruleset

D9.OCI.AS.01

Create at least one compartment in your tenancy to store cloud resources

Low

Modification

  • Name

  • Create at least one compartment in your tenancy to store cloud resources.

  • Create at least one compartment in your tenancy to store cloud resources

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.AS.02

Ensure no VCNs are created in the root compartment

Low

Modification

  • Name

  • Ensure no VCNs are created in the root compartment.

  • Ensure no VCNs are created in the root compartment

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.AS.03

Ensure no instances created in the root compartment

Low

Modification

  • Name

  • Ensure no instances created in the root compartment.

  • Ensure no instances created in the root compartment

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.AS.04

Ensure no volumes are created in the root compartment

Low

Modification

  • Name

  • Ensure no volumes are created in the root compartment.

  • Ensure no volumes are created in the root compartment

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.AS.05

Ensure no filesystems are created in the root compartment

Low

Modification

  • Name

  • Ensure no filesystems are created in the root compartment.

  • Ensure no filesystems are created in the root compartment

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.AS.06

Ensure no buckets are created in the root compartment

Low

Modification

  • Name

  • Ensure no buckets are created in the root compartment.

  • Ensure no buckets are created in the root compartment

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.AS.07

Ensure no autonomousdatabases are created in the root compartment

Low

Modification

  • Name

  • Ensure no autonomousdatabases are created in the root compartment.

  • Ensure no autonomousdatabases are created in the root compartment

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.CRY.04

Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK)

High

Modification

  • Name

  • Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK).

  • Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK)

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.IAM.02

Ensure IAM password policy requires minimum length of 14 or greater

High

Modification

  • Name

  • Ensure IAM password policy requires minimum length of 14 or greater.

  • Ensure IAM password policy requires minimum length of 14 or greater

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.IAM.03

Ensure MFA is enabled for all users with a console password

Low

Modification

  • Name

  • Ensure MFA is enabled for all users with a console password.

  • Ensure MFA is enabled for all users with a console password

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.IAM.04

Ensure all OCI IAM user accounts have a valid and current email address

Low

Modification

  • Name

  • Ensure all OCI IAM user accounts have a valid and current email address.

  • Ensure all OCI IAM user accounts have a valid and current email address

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.IAM.05

Ensure user API keys rotate within 90 days or less

High

Modification

  • Name

  • Ensure user API keys rotate within 90 days or less.

  • Ensure user API keys rotate within 90 days or less

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.IAM.06

Ensure user customer secret keys rotate within 90 days or less

Low

Modification

  • Name

  • Ensure user customer secret keys rotate within 90 days or less.

  • Ensure user customer secret keys rotate within 90 days or less

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.IAM.07

Ensure user auth tokens rotate within 90 days or less

Low

Modification

  • Name

  • Ensure user auth tokens rotate within 90 days or less.

  • Ensure user auth tokens rotate within 90 days or less

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.IAM.08

Ensure permissions on all resources are given only to the tenancy administrator group

High

Modification

  • Name

  • Ensure permissions on all resources are given only to the tenancy administrator group.

  • Ensure permissions on all resources are given only to the tenancy administrator group

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.IAM.09

Ensure IAM administrators cannot update tenancy Administrators group

High

Modification

  • Name

  • Ensure IAM administrators cannot update tenancy Administrators group.

  • Ensure IAM administrators cannot update tenancy Administrators group

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.IAM.10

Ensure API keys are not created for tenancy administrator users

High

Modification

  • Name

  • Ensure API keys are not created for tenancy administrator users.

  • Ensure API keys are not created for tenancy administrator users

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.01

Ensure default tags are used on resources

Low

Modification

  • Name

  • Ensure default tags are used on resources.

  • Ensure default tags are used on resources

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.02

Ensure VCN flow logging is enabled for all subnets

Low

Modification

  • Name

  • Ensure VCN flow logging is enabled for all subnets.

  • Ensure VCN flow logging is enabled for all subnets

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.03

Ensure write level Object Storage logging is enabled for all buckets

Low

Modification

  • Name

  • Ensure write level Object Storage logging is enabled for all buckets.

  • Ensure write level Object Storage logging is enabled for all buckets

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.04

Create at least one notification topic and subscription to receive monitoring alerts

Low

Modification

  • Name

  • Create at least one notification topic and subscription to receive monitoring alerts.

  • Create at least one notification topic and subscription to receive monitoring alerts

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.05

Ensure a notification is configured for Identity Provider changes

Low

Modification

  • Name

  • Ensure a notification is configured for Identity Provider changes.

  • Ensure a notification is configured for Identity Provider changes

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.06

Ensure a notification is configured for IdP group mapping changes

Low

Modification

  • Name

  • Ensure a notification is configured for IdP group mapping changes.

  • Ensure a notification is configured for IdP group mapping changes

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.07

Ensure a notification is configured for IAM group changes

Low

Modification

  • Name

  • Ensure a notification is configured for IAM group changes.

  • Ensure a notification is configured for IAM group changes

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.09

Ensure a notification is configured for user changes

Low

Modification

  • Name

  • Ensure a notification is configured for user changes.

  • Ensure a notification is configured for user changes

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.10

Ensure a notification is configured for VCN changes

Low

Modification

  • Name

  • Ensure a notification is configured for VCN changes.

  • Ensure a notification is configured for VCN changes

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.11

Ensure a notification is configured for changes to route tables

Low

Modification

  • Name

  • Ensure a notification is configured for changes to route tables.

  • Ensure a notification is configured for changes to route tables

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.12

Ensure a notification is configured for security list changes

Low

Modification

  • Name

  • Ensure a notification is configured for security list changes.

  • Ensure a notification is configured for security list changes

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.13

Ensure a notification is configured for network security group changes

Low

Modification

  • Name

  • Ensure a notification is configured for network security group changes.

  • Ensure a notification is configured for network security group changes

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.LOG.14

Ensure a notification is configured for changes to network gateways

Low

Modification

  • Name

  • Ensure a notification is configured for changes to network gateways.

  • Ensure a notification is configured for changes to network gateways

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.01

Ensure no security lists allow ingress from 0.0.0.0/0 to port 22

Critical

Modification

  • Name

  • Ensure no security lists allow ingress from 0.0.0.0/0 to port 22.

  • Ensure no security lists allow ingress from 0.0.0.0/0 to port 22

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.02

Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389

Critical

Modification

  • Name

  • Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389.

  • Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.03

Ensure the default security list of every VCN restricts all traffic except ICMP

High

Modification

  • Name

  • Ensure the default security list of every VCN restricts all traffic except ICMP.

  • Ensure the default security list of every VCN restricts all traffic except ICMP

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.04

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22

Critical

Modification

  • Name

  • Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22.

  • Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.05

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389

Critical

Modification

  • Name

  • Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389.

  • Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.07

Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network

High

Modification

  • Name

  • Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud.

  • Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.OPE.01

Ensure Versioning is Enabled for Object Storage Buckets

Low

Modification

  • Name

  • Ensure Versioning is Enabled for Object Storage Buckets.

  • Ensure Versioning is Enabled for Object Storage Buckets

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.OPE.02

Ensure Cloud Guard is enabled in the root compartment of the tenancy

Low

Modification

  • Name

  • Ensure Cloud Guard is enabled in the root compartment of the tenancy.

  • Ensure Cloud Guard is enabled in the root compartment of the tenancy

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

July 26 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.CRY.35

Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'

High

Modification

  • Name

  • Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"

  • Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.CRY.45

Ensure FTP deployments are Disabled

Low

Modification

  • Name

  • Ensure FTP deployments are Disabled for webapp

  • Ensure FTP deployments are Disabled

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure CIS Foundations v. 1.3.1

D9.AZU.IAM.50

Ensure that an exclusionary Geographic Access Policy is considered

Low

Modification

  • Name

  • Ensure that an exclusionary Geographic Access Policy is considered.

  • Ensure that an exclusionary Geographic Access Policy is considered

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AWS.VLN.07

Ensure AWS Security Hub is enabled

Low

Modification

  • Name

  • Ensure AWS Security Hub is enabled.

  • Ensure AWS Security Hub is enabled

  • AWS CIS Foundations v. 1.5.0

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS CloudGuard Best Practices

D9.OCI.NET.04

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22.

Critical

Modification

  • Logic

  • NetworkSecurityGroup should have securityRules contain-none [ protocol='any' ] and securityRules contain-none [ tcpOptions isEmpty() and udpOptions isEmpty() ] and securityRules contain-none [ direction='INGRESS' and source='0.0.0.0/0' and protocol!='1' ] and securityRules contain-none [ tcpOptions.destinationPortRange.min<=22 and tcpOptions.destinationPortRange.max>=22 ]

  • NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=22 and tcpOptions.destinationPortRange.max>=22]

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.OCI.NET.05

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389.

Critical

Modification

  • Logic

  • NetworkSecurityGroup should have securityRules contain-none [ protocol='any' ] and securityRules contain-none [ tcpOptions isEmpty() and udpOptions isEmpty() ] and securityRules contain-none [ direction='INGRESS' and source='0.0.0.0/0' and protocol!='1' ] and securityRules contain-none [ tcpOptions.destinationPortRange.min<=3389 and tcpOptions.destinationPortRange.max>=3389 ]

  • NetworkSecurityGroup should not have securityRules contain [ direction='INGRESS' and source='0.0.0.0/0' and tcpOptions.destinationPortRange.min<=3389 and tcpOptions.destinationPortRange.max>=3389 ]

  • OCI Foundations Benchmark v1.2.0

  • CloudGuard OCI All Rules Ruleset

D9.AZU.NET.38

Ensure FTP deployments are disabled

High

Removal

  • Azure CIS Foundations v. 1.4.0

  • Azure NIST 800-53 Rev 5

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.3.1

July 19 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.CRY.08

SSL/TLS certificates expire in one week

High

Modification

  • Severity

  • Low

  • High

  • AWS HIPAA

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.10

ELB secured listener certificate expires in one week

High

Modification

  • Severity

  • Low

  • High

  • AWS HIPAA

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

Rule ID: D9.AWS.CRY.12
Rule Name: ALB secured listener certificate expires in one week
Severity: High
Change Type: Modification
Updated Content: Severity
Before: Low
After: High
Affected Rulesets: AWS HIPAA; AWS NIST 800-53 Rev 5; AWS MITRE ATT&CK Framework v11.3; AWS PCI-DSS 4.0; AWS HITRUST v11.0.0; AWS NIST 800-53 Rev 4; AWS CSA CCM v.4.0.1; CloudGuard AWS All Rules Ruleset; AWS PCI-DSS 3.2; AWS CSA CCM v.3.0.1; AWS ISO 27001:2013; AWS NIST CSF v1.1; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CloudGuard Well Architected Framework; AWS CloudGuard Best Practices; AWS MAS TRM Framework; AWS NIST 800-171; AWS HITRUST; AWS ITSG-33; AWS MITRE ATT&CK Framework v10

Rule ID: D9.AWS.IAM.18
Rule Name: Ensure MFA is enabled for the 'root' user account
Severity: Critical
Change Type: Modification
Updated Content: Name; Logic
Before (Name): Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account
Before (Logic): IamUser where name like '%root_account%' should have mfaType in('Virtual','Hardware')
After (Name): Ensure MFA is enabled for the 'root' user account
After (Logic): IamUser where name like '%root_account%' should have mfaType in('Virtual')
Affected Rulesets: AWS HIPAA; AWS LGPD regulation; AWS Security Risk Management; AWS NIST 800-53 Rev 5; AWS CIS Foundations v. 1.5.0; AWS MITRE ATT&CK Framework v11.3; AWS CIS Foundations v. 1.1.0; AWS PCI-DSS 4.0; AWS HITRUST v11.0.0; CloudGuard AWS Default Ruleset; AWS NIST 800-53 Rev 4; AWS CIS Controls V 8; AWS CSA CCM v.4.0.1; AWS CIS Foundations v. 2.0.0; CloudGuard AWS All Rules Ruleset; AWS GDPR Readiness; AWS PCI-DSS 3.2; AWS CSA CCM v.3.0.1; AWS CIS Foundations v. 1.0.0; AWS ISO 27001:2013; AWS NIST CSF v1.1; AWS CloudGuard SOC2 based on AICPA TSC 2017; AWS CIS Foundations v. 1.2.0; AWS CloudGuard Well Architected Framework; AWS CloudGuard Best Practices; AWS MAS TRM Framework; AWS NIST 800-171; AWS CIS Foundations v. 1.3.0; AWS HITRUST; AWS ITSG-33; AWS CIS Foundations v. 1.4.0; AWS MITRE ATT&CK Framework v10
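The two GSL conditions for D9.AWS.IAM.18 differ only in the set of accepted mfaType values. Read literally, the After condition is met only when the root user's MFA device is virtual; a root user protected by a hardware token (mfaType 'Hardware' in the Before condition) does not match it, so accounts following the CIS hardware-MFA recommendation for root should expect a finding from this rule. The following is an added example, not CloudGuard's code, showing how the value the rule abstracts as mfaType can be derived from two IAM API responses and how each version of the condition then evaluates. The API field names (SummaryMap.AccountMFAEnabled, VirtualMFADevices[].SerialNumber and .User.Arn, the fixed root serial ending in mfa/root-account-mfa-device) are AWS's own; the sample responses are constructed, and the function names are assumptions made for the example.

```python
"""Derive the AWS root user's MFA type from IAM API responses and evaluate it
against both versions of the D9.AWS.IAM.18 condition. Added example, not
CloudGuard code.

Two IAM calls suffice (the same pair the CIS 'hardware MFA for root' check uses):
  * iam:GetAccountSummary      -> SummaryMap["AccountMFAEnabled"]: 1 if the root
                                  user has any MFA device, else 0
  * iam:ListVirtualMFADevices  -> VirtualMFADevices[]; the root user's virtual
    (AssignmentStatus=Assigned)  device, if one exists, has the fixed serial
                                  arn:aws:iam::<account-id>:mfa/root-account-mfa-device
Root MFA enabled with no virtual device assigned to root means a hardware token.
The responses below are constructed, not captured from a real account.
"""
from __future__ import annotations

from typing import Any, Dict, Mapping, Optional, Sequence, Tuple

ROOT_VMFA_SUFFIX = ":mfa/root-account-mfa-device"


def root_mfa_type(summary_map: Mapping[str, int],
                  virtual_devices: Sequence[Mapping[str, Any]]) -> Optional[str]:
    """Return 'Virtual', 'Hardware' or None (no MFA at all) for the root user."""
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        return None
    for dev in virtual_devices:
        serial = dev.get("SerialNumber", "")
        user_arn = (dev.get("User") or {}).get("Arn", "")
        # Either indicator identifies the root user's own virtual device;
        # devices assigned to IAM users (...:mfa/alice) must not count.
        if serial.endswith(ROOT_VMFA_SUFFIX) or user_arn.endswith(":root"):
            return "Virtual"
    return "Hardware"


# Accepted mfaType sets, transcribed from the Before and After logic above.
ACCEPTED_BEFORE = frozenset({"Virtual", "Hardware"})
ACCEPTED_AFTER = frozenset({"Virtual"})


def rule_passes(mfa_type: Optional[str], accepted: frozenset) -> bool:
    """`should have mfaType in(...)` evaluated for one account."""
    return mfa_type in accepted


ACCOUNT = "111122223333"
ROOT_SERIAL = f"arn:aws:iam::{ACCOUNT}:mfa/root-account-mfa-device"

# Constructed (SummaryMap, VirtualMFADevices) pairs for three account states.
SAMPLE_ACCOUNTS: Dict[str, Tuple[Mapping[str, int], Sequence[Mapping[str, Any]]]] = {
    "root-no-mfa": ({"AccountMFAEnabled": 0, "MFADevices": 0}, []),
    "root-virtual": ({"AccountMFAEnabled": 1, "MFADevices": 1},
                     [{"SerialNumber": ROOT_SERIAL,
                       "User": {"Arn": f"arn:aws:iam::{ACCOUNT}:root", "UserId": ACCOUNT}}]),
    # Root uses a hardware token; only an IAM user owns a virtual device.
    "root-hardware": ({"AccountMFAEnabled": 1, "MFADevices": 2},
                      [{"SerialNumber": f"arn:aws:iam::{ACCOUNT}:mfa/alice",
                        "User": {"Arn": f"arn:aws:iam::{ACCOUNT}:user/alice",
                                 "UserId": "AIDAEXAMPLE"}}]),
}


def audit() -> Dict[str, Tuple[Optional[str], bool, bool]]:
    """Map account label -> (mfa type, passes Before logic, passes After logic)."""
    out: Dict[str, Tuple[Optional[str], bool, bool]] = {}
    for label, (summary, devices) in SAMPLE_ACCOUNTS.items():
        t = root_mfa_type(summary, devices)
        out[label] = (t, rule_passes(t, ACCEPTED_BEFORE), rule_passes(t, ACCEPTED_AFTER))
    return out


if __name__ == "__main__":
    for label, (t, before, after) in audit().items():
        print(f"{label:14s} mfaType={t!s:9s} before={before!s:5s} after={after}")
```

Against a live account the two inputs come from `iam.get_account_summary()["SummaryMap"]` and `iam.list_virtual_mfa_devices(AssignmentStatus="Assigned")["VirtualMFADevices"]` (boto3); everything else is unchanged. The root-hardware case is the one where the two conditions disagree.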

Rule ID: D9.AZU.CRY.18
Rule Name: Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that 'OS and Data' disks are encrypted with CMK
After: Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
Affected Rulesets: Azure CloudGuard CheckUp; Azure CIS Foundations v. 1.4.0; Azure Security Risk Management; Azure CIS Foundations v. 1.5.0; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Microsoft Cloud Security Benchmark; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.LOG.12
Rule Name: Ensure that logging for Azure Key Vault is 'Enabled'
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that logging for Azure KeyVault is 'Enabled'
After: Ensure that logging for Azure Key Vault is 'Enabled'
Affected Rulesets: Azure CloudGuard CheckUp; Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.0.0; Azure PCI-DSS 3.2; Azure NIST 800-53 Rev 4; Azure CSA CCM v.3.0.1; Azure ISO 27001:2013; Azure NIST CSF v1.1; Azure CloudGuard SOC2 based on AICPA TSC 2017; Azure HIPAA; Azure CIS Foundations v. 1.1.0; Azure NIST 800-171; Azure CloudGuard Best Practices; Microsoft Cloud Security Benchmark; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure New Zealand Information Security Manual (NZISM) v.3.4; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.NET.01
Rule Name: Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
After: Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Affected Rulesets: Azure CloudGuard CheckUp; Azure CIS Foundations v. 1.4.0; Azure LGPD regulation; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.0.0; Azure PCI-DSS 3.2; Azure NIST 800-53 Rev 4; Azure CSA CCM v.3.0.1; Azure ISO 27001:2013; Azure NIST CSF v1.1; Azure CloudGuard SOC2 based on AICPA TSC 2017; Azure HIPAA; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Network Security Alerts; Azure NIST 800-171; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure New Zealand Information Security Manual (NZISM) v.3.4; Azure HITRUST v9.5.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.NET.18
Rule Name: Ensure Azure Application Gateway Web application firewall (WAF) is enabled
Severity: High
Change Type: Modification
Updated Content: Logic
Before: ApplicationGateway should have firewall.enabled=true
After: ApplicationGateway should have firewall.enabled or regionalWAFPolicy.policySettings.state='Enabled'
Affected Rulesets: Azure CloudGuard CheckUp; Azure NIST 800-53 Rev 5; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure HITRUST v9.5.0
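The Before condition for D9.AZU.NET.18 looks only at the gateway's own firewall.enabled flag; the After condition also accepts a gateway whose attached regional WAF policy is in state 'Enabled'. Application Gateways on the WAF_v2 SKU are normally protected through such a policy rather than the inline configuration, so under the older condition they would be reported as failing even though traffic is inspected. Below is an added example, not CloudGuard's code, that evaluates constructed ARM-style resources under both conditions, following the policy reference across resources the way the new logic requires. The property names (webApplicationFirewallConfiguration.enabled, firewallPolicy.id, policySettings.state) are those of the Azure resource schema; the sample resources, resource IDs and function names are assumptions made for the example.

```python
"""Evaluate Azure Application Gateways for WAF coverage under the old and new
D9.AZU.NET.18 conditions. Added example, not CloudGuard code.

Two ARM properties carry the WAF state:
  * properties.webApplicationFirewallConfiguration.enabled  (inline WAF config)
  * properties.firewallPolicy.id -> a
    Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource
    whose properties.policySettings.state is "Enabled" or "Disabled"
The resources below are constructed for the example, not exported from Azure.
"""
from typing import Any, Dict, Mapping, Tuple

Resource = Mapping[str, Any]


def _props(res: Resource) -> Mapping[str, Any]:
    return res.get("properties") or {}


def inline_waf_enabled(gw: Resource) -> bool:
    """The pre-change check: firewall.enabled=true on the gateway itself."""
    cfg = _props(gw).get("webApplicationFirewallConfiguration") or {}
    return cfg.get("enabled") is True


def policy_waf_enabled(gw: Resource, policies: Mapping[str, Resource]) -> bool:
    """Follow firewallPolicy.id to the WAF policy and read policySettings.state.

    ARM resource IDs compare case-insensitively, so the lookup is lower-cased.
    A dangling reference (policy deleted or out of scope) counts as unprotected
    rather than being assumed enabled.
    """
    pid = (_props(gw).get("firewallPolicy") or {}).get("id")
    if not pid:
        return False
    policy = policies.get(pid.lower())
    if policy is None:
        return False
    settings = _props(policy).get("policySettings") or {}
    return settings.get("state") == "Enabled"


def compliant_before(gw: Resource) -> bool:
    return inline_waf_enabled(gw)


def compliant_after(gw: Resource, policies: Mapping[str, Resource]) -> bool:
    return inline_waf_enabled(gw) or policy_waf_enabled(gw, policies)


# Constructed resource IDs (subscription and resource group are placeholders).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
POLICY_TYPE = "providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
POLICY_ON = f"{RG}/{POLICY_TYPE}/waf-on"
POLICY_OFF = f"{RG}/{POLICY_TYPE}/waf-off"

# Constructed WAF policies, keyed by lower-cased resource ID.
WAF_POLICIES: Dict[str, Resource] = {
    POLICY_ON.lower(): {"id": POLICY_ON, "properties": {
        "policySettings": {"state": "Enabled", "mode": "Prevention"}}},
    POLICY_OFF.lower(): {"id": POLICY_OFF, "properties": {
        "policySettings": {"state": "Disabled", "mode": "Detection"}}},
}

# Constructed gateways covering the cases that separate the two conditions.
GATEWAYS: Dict[str, Resource] = {
    "gw-inline": {"sku": {"tier": "WAF"}, "properties": {
        "webApplicationFirewallConfiguration": {"enabled": True, "firewallMode": "Prevention"}}},
    # Reference written in a different case on purpose: must still resolve.
    "gw-policy": {"sku": {"tier": "WAF_v2"}, "properties": {
        "firewallPolicy": {"id": POLICY_ON.upper()}}},
    "gw-policy-disabled": {"sku": {"tier": "WAF_v2"}, "properties": {
        "firewallPolicy": {"id": POLICY_OFF}}},
    "gw-dangling": {"sku": {"tier": "WAF_v2"}, "properties": {
        "firewallPolicy": {"id": f"{RG}/{POLICY_TYPE}/deleted"}}},
    "gw-standard": {"sku": {"tier": "Standard_v2"}, "properties": {}},
}


def evaluate_all() -> Dict[str, Tuple[bool, bool]]:
    """Map gateway name -> (passes old condition, passes new condition)."""
    return {name: (compliant_before(gw), compliant_after(gw, WAF_POLICIES))
            for name, gw in GATEWAYS.items()}


if __name__ == "__main__":
    for name, (old, new) in evaluate_all().items():
        print(f"{name:20s} before={old!s:5s} after={new}")
```

Only gw-policy changes verdict between the two conditions; a disabled policy, a dangling policy reference and a Standard_v2 gateway fail under both, which is the behaviour a reviewer should confirm before trusting the rule to suppress false positives without introducing false negatives.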

Rule ID: D9.AZU.NET.20
Rule Name: Ensure that Resource Locks are set for Mission-Critical Azure Resources
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that Azure Resource Group has resource lock enabled
After: Ensure that Resource Locks are set for Mission-Critical Azure Resources
Affected Rulesets: Azure CloudGuard CheckUp; Azure CIS Foundations v. 1.5.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices

Rule ID: D9.AZU.NET.26
Rule Name: Ensure that RDP access from the Internet is evaluated and restricted
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that RDP access is restricted from the internet
After: Ensure that RDP access from the Internet is evaluated and restricted
Affected Rulesets: Azure CloudGuard CheckUp; Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Microsoft Cloud Security Benchmark; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure HITRUST v9.5.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.NET.27
Rule Name: Ensure that SSH access from the Internet is evaluated and restricted
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that SSH access is restricted from the internet
After: Ensure that SSH access from the Internet is evaluated and restricted
Affected Rulesets: Azure CloudGuard CheckUp; Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Microsoft Cloud Security Benchmark; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure HITRUST v9.5.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.01
Rule Name: Ensure Azure Key Vaults are Used to Store Secrets
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure Azure Keyvaults are used to store secrets
After: Ensure Azure Key Vaults are Used to Store Secrets
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure NIST 800-53 Rev 4; Azure CSA CCM v.3.0.1; Azure NIST CSF v1.1; Azure HIPAA; Azure NIST 800-171; Azure CloudGuard Best Practices; Azure New Zealand Information Security Manual (NZISM) v.3.4; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.12
Rule Name: Ensure that the Expiration Date is set for all Keys in Key Vaults
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that the expiration date is set on all keys
After: Ensure that the Expiration Date is set for all Keys in Key Vaults
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure LGPD regulation; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.0.0; Azure PCI-DSS 3.2; Azure NIST 800-53 Rev 4; Azure GDPR Readiness; Azure CSA CCM v.3.0.1; Azure ISO 27001:2013; Azure NIST CSF v1.1; Azure CloudGuard SOC2 based on AICPA TSC 2017; Azure HIPAA; Azure CIS Foundations v. 1.1.0; Azure NIST 800-171; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.13
Rule Name: Ensure that the Expiration Date is set for all Secrets in Key Vaults
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that the expiration date is set on all Secrets
After: Ensure that the Expiration Date is set for all Secrets in Key Vaults
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure LGPD regulation; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.0.0; Azure PCI-DSS 3.2; Azure NIST 800-53 Rev 4; Azure GDPR Readiness; Azure CSA CCM v.3.0.1; Azure ISO 27001:2013; Azure NIST CSF v1.1; Azure CloudGuard SOC2 based on AICPA TSC 2017; Azure HIPAA; Azure CIS Foundations v. 1.1.0; Azure NIST 800-171; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure New Zealand Information Security Manual (NZISM) v.3.4; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.14
Rule Name: Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure SQL server's TDE protector is encrypted with Customer-managed key
After: Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.16
Rule Name: Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
After: Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.21
Rule Name: Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that 'HTTP Version' is the latest, if used to run the web app
After: Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure Security Risk Management; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Microsoft Cloud Security Benchmark; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.24
Rule Name: Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
After: Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure Security Risk Management; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Microsoft Cloud Security Benchmark; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.26
Rule Name: Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that 'Unattached disks' are encrypted with CMK
After: Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure Security Risk Management; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Microsoft Cloud Security Benchmark; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.27
Rule Name: Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure storage for critical data is encrypted with Customer Managed Key
After: Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure LGPD regulation; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.0.0; Azure PCI-DSS 3.2; Azure NIST 800-53 Rev 4; Azure GDPR Readiness; Azure CSA CCM v.3.0.1; Azure ISO 27001:2013; Azure CloudGuard SOC2 based on AICPA TSC 2017; Azure HIPAA; Azure Dashboard System Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure New Zealand Information Security Manual (NZISM) v.3.4; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.35
Rule Name: Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure the 'Minimum TLS version' is set to 'Version 1.2'
After: Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices

Rule ID: D9.AZU.CRY.37
Rule Name: Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure Soft Delete is Enabled for Azure Storage
After: Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices

Rule ID: D9.AZU.CRY.39
Rule Name: Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure That Storage Account Access Keys are Periodically Regenerated
After: Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.40
Rule Name: Ensure That 'PHP version' is the Latest, If Used to Run the Web App
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure That 'PHP version' is the Latest, If Used to Run the Windows Web App
After: Ensure That 'PHP version' is the Latest, If Used to Run the Web App
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.41
Rule Name: Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Linux Web App
After: Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.CRY.42
Rule Name: Ensure that 'Java version' is the latest, if used to run the Web App
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that 'Java version' is the latest, if used to run the Windows Web App
After: Ensure that 'Java version' is the latest, if used to run the Web App
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.IAM.08
Rule Name: Ensure App Service Authentication is set up for apps in Azure App Service - Webapp
Severity: High
Change Type: Modification
Updated Content: Name
Before: Enable App Service Authentication on Azure App Service
After: Ensure App Service Authentication is set up for apps in Azure App Service - Webapp
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure Security Risk Management; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.IAM.14
Rule Name: Ensure App Service Authentication is set up for apps in Azure App Service - FunctionApp
Severity: High
Change Type: Modification
Updated Content: Name
Before: Enable Function App Service Authentication
After: Ensure App Service Authentication is set up for apps in Azure App Service - FunctionApp
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure Security Risk Management; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.IAM.41
Rule Name: Ensure Guest Users Are Reviewed on a Regular Basis
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure guest users are reviewed on a monthly basis
After: Ensure Guest Users Are Reviewed on a Regular Basis
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.IAM.45
Rule Name: Ensure That 'Number of methods required to reset' is set to '2'
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that 'Number of methods required to reset' is set to '2'
After: Ensure That 'Number of methods required to reset' is set to '2'
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.LOG.06
Rule Name: Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
After: Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.LOG.10
Rule Name: Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
After: Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.LOG.13
Rule Name: Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure the storage container storing the activity logs is not publicly accessible
After: Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.LOG.16
Rule Name: Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure Storage logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' requests
After: Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.LOG.17
Rule Name: Ensure that Endpoint Protection for all Virtual Machines is installed
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that the endpoint protection for all Virtual Machines is installed
After: Ensure that Endpoint Protection for all Virtual Machines is installed
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.21
Rule Name: Ensure that 'Auditing' is set to 'On'
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that SQL server 'Auditing' is set to 'On'
After: Ensure that 'Auditing' is set to 'On'
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure ISO 27001:2013; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Microsoft Cloud Security Benchmark; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.22
Rule Name: Ensure that 'Auditing' Retention is 'greater than 90 days'
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that SQL Server 'Auditing' Retention is 'greater than 90 days'
After: Ensure that 'Auditing' Retention is 'greater than 90 days'
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure ISO 27001:2013; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Microsoft Cloud Security Benchmark; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.25
Rule Name: Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server
After: Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure ISO 27001:2013; Azure CIS Foundations v. 1.1.0; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure New Zealand Information Security Manual (NZISM) v.3.4; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.47
Rule Name: Ensure that a 'Diagnostic Setting' exists
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that Azure Monitor Logs is configured to export Activity Logs
After: Ensure that a 'Diagnostic Setting' exists
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure HITRUST v9.5.0; Azure ITSG-33; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.58
Rule Name: Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
After: Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices

Rule ID: D9.AZU.MON.63
Rule Name: Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that VA setting 'Periodic recurring scans' to 'on' for each SQL server
After: Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.64
Rule Name: Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
Severity: Low
Change Type: Modification
Updated Content: Name
Before: Ensure that VA setting 'Send scan reports to' is configured for a SQL server
After: Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.65
Rule Name: Ensure That Microsoft Defender for Servers Is Set to 'On'
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that Microsoft Defender for Servers is set to 'On'
After: Ensure That Microsoft Defender for Servers Is Set to 'On'
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.66
Rule Name: Ensure That Microsoft Defender for App Services Is Set To 'On'
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that Microsoft Defender for App Service is set to 'On'
After: Ensure That Microsoft Defender for App Services Is Set To 'On'
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; AZU PCI-DSS 4.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.67
Rule Name: Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that Microsoft Defender for Azure SQL Databases is set to 'On'
After: Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.68
Rule Name: Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that Microsoft Defender for SQL servers on machines is set to 'On'
After: Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.69
Rule Name: Ensure That Microsoft Defender for Storage Is Set To 'On'
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that Microsoft Defender for Storage is set to 'On'
After: Ensure That Microsoft Defender for Storage Is Set To 'On'
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.71
Rule Name: Ensure That Microsoft Defender for Key Vault Is Set To 'On'
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that Microsoft Defender for Key Vault is set to 'On'
After: Ensure That Microsoft Defender for Key Vault Is Set To 'On'
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure NIST 800-53 Rev 5; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.72
Rule Name: Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
Severity: High
Change Type: Modification
Updated Content: Name
Before: Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected
After: Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

Rule ID: D9.AZU.MON.73
Rule Name: Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
Severity: High
Change Type: Modification
Updated Content: Name
Before: Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is selected
After: Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
Affected Rulesets: Azure CIS Foundations v. 1.4.0; Azure CIS Foundations v. 1.5.0; Azure CIS Foundations v.2.0; CloudGuard Azure All Rules Ruleset; Azure CloudGuard Best Practices; Azure CIS Foundations v. 1.2.0; Azure CIS Foundations v. 1.3.0; Azure CIS Foundations v. 1.3.1

D9.AZU.MON.74

Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'

High

Modification

  • Name

  • Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled'

  • Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure CIS Foundations v. 1.3.1

D9.AZU.VLN.01

Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers

Low

Modification

  • Name

  • Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'

  • Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CIS Foundations v. 1.1.0

  • Azure CloudGuard Best Practices

  • Microsoft Cloud Security Benchmark

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure HITRUST v9.5.0

  • Azure ITSG-33

  • Azure CIS Foundations v. 1.3.1

D9.AZU.NET.24

Ensure Default Network Access Rule for Storage Accounts is Set to Deny

High

Modification

  • Name

  • Ensure default network access rule for Storage Accounts is set to deny

  • Ensure Default Network Access Rule for Storage Accounts is Set to Deny

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CIS Foundations v. 1.1.0

  • Azure CloudGuard Best Practices

  • Microsoft Cloud Security Benchmark

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure HITRUST v9.5.0

  • Azure CIS Foundations v. 1.3.1

D9.AZU.NET.25

Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access

Low

Modification

  • Name

  • Ensure 'Trusted Microsoft Services' is enabled for Storage Account access

  • Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CIS Foundations v. 1.1.0

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure CIS Foundations v. 1.3.1

D9.AZU.NET.66

Ensure that 'Public access level' is disabled for storage accounts with blob containers

Critical

Modification

  • Name

  • Ensure that 'Public access level' is set to Private for blob containers

  • Ensure that 'Public access level' is disabled for storage accounts with blob containers

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AWS.LOG.19

Ensure that Object-level logging for write events is enabled for S3 bucket

Low

Modification

  • Name

  • Ensure that object-level logging is enabled for S3 buckets

  • Ensure that Object-level logging for write events is enabled for S3 bucket

  • AWS LGPD regulation

  • AWS CloudGuard S3 Bucket Security

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • CloudGuard AWS All Rules Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AZU.IAM.03

Ensure that Azure Active Directory Admin is Configured for SQL Servers

Low

Modification

  • Name

  • Ensure that Azure SQL Server Admin is configured with AD Authentication

  • Ensure that Azure Active Directory Admin is Configured for SQL Servers

  • Azure LGPD regulation

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CIS Foundations v. 1.0.0

  • Azure PCI-DSS 3.2

  • Azure NIST 800-53 Rev 4

  • Azure GDPR Readiness

  • Azure CSA CCM v.3.0.1

  • Azure ISO 27001:2013

  • Azure NIST CSF v1.1

  • Azure CloudGuard SOC2 based on AICPA TSC 2017

  • Azure HIPAA

  • Azure CIS Foundations v. 1.1.0

  • Azure NIST 800-171

  • Azure CloudGuard Best Practices

  • Azure New Zealand Information Security Manual (NZISM) v.3.4

  • Azure HITRUST v9.5.0

  • Azure ITSG-33

D9.AWS.IAM.53

Ensure AWS IAM policies do not grant 'assume role' permission across all services

High

Modification

  • Severity

  • Low

  • High

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AZU.IAM.46

Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users

High

Modification

  • Name

  • Ensure that multi-factor authentication is enabled for all privileged users

  • Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure Dashboard System Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.IAM.47

Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users

High

Modification

  • Name

  • Ensure that multi-factor authentication is enabled for all non-privileged users

  • Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure Dashboard System Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.IAM.51

Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups

Low

New


  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.IAM.52

Ensure that A Multi-factor Authentication Policy Exists for All Users

Low

New


  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.IAM.53

Ensure Multi-factor Authentication is Required for Risky Sign-ins

Low

New


  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.IAM.54

Ensure Multi-factor Authentication is Required for Azure Management

Low

New


  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AZU.NET.62

Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks

High

Modification

  • Name

  • Ensure Cosmos DB account public network access is disabled

  • Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

  • Azure HITRUST v9.5.0

D9.AZU.NET.64

Ensure That Private Endpoints Are Used Where Possible

Medium

Modification

  • Name

  • Ensure Cosmos DB account is using Private Endpoints

  • Ensure That Private Endpoints Are Used Where Possible

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

D9.AWS.IAM.19

Ensure hardware MFA is enabled for the 'root' user account

Critical

New


  • AWS CIS Foundations v. 1.5.0

  • CloudGuard AWS All Rules Ruleset

  • AWS CloudGuard Best Practices

  • AWS CIS Foundations v. 1.4.0

July 12 2023

Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets

D9.AZU.CRY.46

Ensure FTP deployments are Disabled for FunctionApp

Low

Modification

  • Logic

  • FunctionApp should not have ftpState='AllAllowed'

  • FunctionApp should have ftpState in('FtpsOnly', 'Disabled')

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v.2.0

  • CloudGuard Azure All Rules Ruleset

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure CIS Foundations v. 1.3.1

D9.AWS.IAM.102

Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone.

Critical

Modification

  • Logic

  • EcrRepository should not have policy.document.Statement contain [ Effect='Allow' and (Principal='*' or Principal.AWS='*')]

  • EcrRepository should not have policy.document.Statement contain [ Effect='Allow' and (Principal='*' or Principal.AWS='*') and not Condition]

  • AWS Security Risk Management

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CSA CCM v.4.0.1

  • CloudGuard AWS All Rules Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.AWS.CRY.84

CodeBuild S3 logs should be encrypted

High

Modification

  • Severity

  • Low

  • High

  • AWS NIST 800-53 Rev 5

  • CloudGuard AWS All Rules Ruleset

  • AWS CloudGuard Best Practices

D9.AZU.IAM.49

Ensure Trusted Locations Are Defined

Low

New


  • CloudGuard Azure All Rules Ruleset

D9.AZU.IAM.50

Ensure that an exclusionary Geographic Access Policy is considered.

Low

New


  • CloudGuard Azure All Rules Ruleset

D9.AZU.MON.81

Ensure that Storage Account has Microsoft Defender for Cloud enabled

Low

New


  • CloudGuard Azure All Rules Ruleset

July 05 2023

Rule ID | Rule Name | Severity | Change Type | Updated Content | Before | After | Affected Rulesets

D9.AWS.CRY.05

Ensure that encryption-at-rest is enabled for RDS Instances

High

Modification

  • Name

  • Ensure that encryption is enabled for RDS Instances

  • Ensure that encryption-at-rest is enabled for RDS Instances

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS Dashboard System Ruleset

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.22

Ensure that encryption is enabled for EFS file systems

High

Modification

  • Name

  • Ensure that your Amazon EFS file systems are encrypted

  • Ensure that encryption is enabled for EFS file systems

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.IAM.01

Eliminate use of the 'root' user for administrative and daily tasks

High

Modification

  • Name

  • Avoid the use of the 'root' account

  • Eliminate use of the 'root' user for administrative and daily tasks

  • AWS HIPAA

  • CloudGuard AWS Dashboards

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS Dashboard System Ruleset

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.IAM.16

Ensure no 'root' user account access key exists

High

Modification

  • Name

  • Ensure no root account access key exists

  • Ensure no 'root' user account access key exists

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.IAM.27

Ensure IAM policies that allow full '*:*' administrative privileges are not attached

High

Modification

  • Name

  • Ensure IAM policies that allow full '*:*' administrative privileges are not created

  • Ensure IAM policies that allow full '*:*' administrative privileges are not attached

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS Dashboard System Ruleset

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.IAM.43

Ensure MFA Delete is enabled on S3 buckets

Low

Modification

  • Name

  • Ensure MFA Delete is enable on S3 buckets

  • Ensure MFA Delete is enabled on S3 buckets

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS CloudGuard S3 Bucket Security

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS CCPA Framework

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.LOG.03

Ensure CloudTrail trails are integrated with CloudWatch Logs

Low

Modification

  • Name

  • Ensure that CloudTrail trails are integrated with CloudWatch Logs

  • Ensure CloudTrail trails are integrated with CloudWatch Logs

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS CCPA Framework

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.01

Ensure unauthorized API calls are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for unauthorized API calls

  • Ensure unauthorized API calls are monitored

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.02

Ensure management console sign-in without MFA is monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

  • Ensure management console sign-in without MFA is monitored

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.04

Ensure IAM policy changes are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for IAM policy changes

  • Ensure IAM policy changes are monitored

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.05

Ensure CloudTrail configuration changes are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for CloudTrail configuration changes

  • Ensure CloudTrail configuration changes are monitored

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.07

Ensure disabling or scheduled deletion of customer created CMKs is monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs

  • Ensure disabling or scheduled deletion of customer created CMKs is monitored

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.08

Ensure S3 bucket policy changes are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for S3 bucket policy changes

  • Ensure S3 bucket policy changes are monitored

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS CloudGuard S3 Bucket Security

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.09

Ensure AWS Config configuration changes are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for AWS Config configuration changes

  • Ensure AWS Config configuration changes are monitored

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.11

Ensure Network Access Control Lists (NACL) changes are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

  • Ensure Network Access Control Lists (NACL) changes are monitored

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.12

Ensure changes to network gateways are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for changes to network gateways

  • Ensure changes to network gateways are monitored

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.13

Ensure route table changes are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for route table changes

  • Ensure route table changes are monitored

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.14

Ensure VPC changes are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for VPC changes

  • Ensure VPC changes are monitored

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.17

Ensure that public access is not given to RDS Instance

Critical

Modification

  • Name

  • RDS should not have Public Interface open to a public scope

  • Ensure that public access is not given to RDS Instance

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS Dashboard System Ruleset

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.06

Ensure AWS Management Console authentication failures are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

  • Ensure AWS Management Console authentication failures are monitored

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.10

Ensure security group changes are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exist for security group changes

  • Ensure security group changes are monitored

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.LOG.19

Ensure that object-level logging is enabled for S3 buckets

Low

Modification

  • Name

  • Ensure that object-level logging is enabled for S3 buckets

  • Ensure that object-level logging is enabled for S3 buckets

  • AWS LGPD regulation

  • AWS CloudGuard S3 Bucket Security

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.IAM.51

Ensure there is only one active access key available for any single IAM user

High

Modification

  • Name

  • Ensure AWS IAM users have no more than one active Access Key

  • Ensure there is only one active access key available for any single IAM user

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.72

Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'

Critical

Modification

  • Name

  • Ensure that S3 Buckets are configured with Block public access (bucket/account settings)

  • Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.90

Ensure that EC2 Metadata Service only allows IMDSv2

Medium

Modification

  • Name

  • Ensure that EC2 instances requires the use of Instance Metadata Service Version 2 (IMDSv2)

  • Ensure that EC2 Metadata Service only allows IMDSv2

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS HITRUST v11.0.0

  • AWS CIS Foundations v. 2.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.AWS.CRY.53

Ensure that sensitive parameters are encrypted

High

Modification

  • Logic

  • SystemManagerParameter where name regexMatch /(pass)|(user)|(login)|(pwd)|(key)|(secret)/ should have parameterType='SecureString'

  • SystemManagerParameter where name regexMatch /(pass|user|login|pwd|key|secret)/ should have parameterType='SecureString'

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10
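
The two regexes above are equivalent: the alternation is only regrouped, so the rule flags the same parameters before and after. The Python below, an added example rather than CloudGuard's code or its GSL engine, applies both patterns to a constructed set of SSM parameters and shows two things a practitioner should know about this rule as written: it is a substring match, so a name such as monkey_count is reported because it contains "key", and it is case-sensitive in Python's `re` (whether CloudGuard's regexMatch is case-insensitive is not stated on the page, so the upper-case sample is a check to run against your own tenant, not a fact about the product). Parameter names are made up.

```python
import re
from typing import Dict, List

# The two regexes from the Before and After logic of D9.AWS.CRY.53, verbatim.
PATTERN_BEFORE = re.compile(r"(pass)|(user)|(login)|(pwd)|(key)|(secret)")
PATTERN_AFTER = re.compile(r"(pass|user|login|pwd|key|secret)")


def insecure_sensitive_parameters(params: List[Dict[str, str]],
                                  pattern: re.Pattern = PATTERN_AFTER) -> List[str]:
    """Names the rule would report: the name matches the pattern (a substring
    search, which is how regexMatch is used in the rule) but the parameter
    is not stored as a SecureString."""
    return [p["name"] for p in params
            if pattern.search(p["name"]) and p["parameterType"] != "SecureString"]


def patterns_agree(params: List[Dict[str, str]]) -> bool:
    """True when the Before and After regexes produce identical findings."""
    return (insecure_sensitive_parameters(params, PATTERN_BEFORE)
            == insecure_sensitive_parameters(params, PATTERN_AFTER))


# Constructed sample inventory; names and types are made up.
SAMPLE_PARAMS = [
    {"name": "/prod/db/password",        "parameterType": "SecureString"},  # compliant
    {"name": "/prod/db/user",            "parameterType": "String"},        # finding
    {"name": "/prod/api/apikey",         "parameterType": "String"},        # finding
    {"name": "/prod/cache/monkey_count", "parameterType": "String"},        # 'key' inside 'monkey'
    {"name": "/prod/DB_PASSWORD",        "parameterType": "String"},        # no match: upper case
    {"name": "/prod/feature/flag",       "parameterType": "String"},        # no match
]


if __name__ == "__main__":
    print("findings:", insecure_sensitive_parameters(SAMPLE_PARAMS))
    print("before == after:", patterns_agree(SAMPLE_PARAMS))
```

The upper-case miss is the one to act on: if your naming convention uses DB_PASSWORD-style names, confirm in your own tenant whether the rule catches them before relying on it as a secrets control.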

D9.AWS.CRY.61

Ensure EBS Volume Encryption is Enabled in all Regions

High

Modification

  • Name

  • Ensure EBS volume encryption is enabled

  • Ensure EBS Volume Encryption is Enabled in all Regions

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS CIS Foundations v. 1.3.0

  • AWS CIS Foundations v. 1.4.0

D9.AWS.CRY.83

Attached EBS volumes should be encrypted at-rest

Medium

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.AWS.CRY.84

CodeBuild S3 logs should be encrypted

Low

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.AWS.CRY.85

DynamoDB Accelerator (DAX) clusters should be encrypted at rest

Medium

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.AWS.CRY.86

Connections to Amazon Redshift clusters should be encrypted in transit

Medium

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.AWS.IAM.66

Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments

Low

Modification

  • Logic

  • List<IamSAMLProvider> should have items with [id] length() > 0]

  • List<IamSAMLProvider> should have items with [id] length() > 0

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • AWS CIS Controls V 8

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.3.0

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.24

Ensure AWS Organizations changes are monitored

Low

Modification

  • Name

  • Ensure a log metric filter and alarm exists for AWS Organizations changes

  • Ensure AWS Organizations changes are monitored

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • AWS CSA CCM v.4.0.1

  • AWS CIS Foundations v. 2.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.3.0

  • AWS CIS Foundations v. 1.4.0

D9.AWS.OPE.08

Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances

Low

Modification

  • Name

  • Ensure AWS RDS automatic minor upgrades are enabled

  • Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • AWS CIS Foundations v. 2.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AZU.IAM.48

Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'

Low

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AWS.CRY.77

Ensure rotation for customer created symmetric CMKs is enabled

High

Modification

  • Name

  • Ensure KMS CMK have key rotation enabled

  • Ensure rotation for customer created symmetric CMKs is enabled

  • AWS PCI-DSS 4.0

  • AWS CIS Foundations v. 2.0.0

  • AWS CloudGuard Best Practices

D9.AZU.MON.87

Ensure Application Insights are Configured

Low

New

 

 

 

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AWS.AS.01

Instances outside of Europe region

Low

Modification

  • Logic

  • Instance should have region like '%eu_%'

  • Instance should have region like 'eu_%'

  • AWS GDPR Readiness

D9.AWS.AS.02

S3 Buckets outside of Europe

Low

Modification

  • Logic

  • S3Bucket should have region regexMatch /eu_*/i

  • S3Bucket should have region like 'eu_%'

  • AWS GDPR Readiness

D9.GCP.CRY.16

Enable 2FA for VM Instances using OS Login

Medium

New

 

 

 

  • GCP CloudGuard Best Practices

D9.AWS.CRY.82

S3 buckets should have server-side encryption enabled

Medium

Removal

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.GCP.IAM.30

Ensure Essential Contacts are defined for your Google Cloud organization

High

Removal

 

 

 

  • GCP NIST 800-53 Rev 5

  • GCP CloudGuard Best Practices

D9.AWS.CRY.71

Ensure that encryption is enabled for AWS RDS DB Cluster Snapshot

High

Removal

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.CRY.72

Ensure that encryption is enabled for AWS RDS DB Snapshot

High

Removal

 

 

 

  • AWS CloudGuard Best Practices

June 28 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.CRY.04

Ensure S3 Bucket Policy is set to deny HTTP requests

High

Modification

  • Logic

  • S3Bucket where policy should have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false' and ((Action contain ['s3:GetObject'] and Action contain ['s3:PutObject']) or Action contain ['s3:*'] or Action contain ['*'] ) ]

  • S3Bucket should have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false' and ((Action contain ['s3:GetObject'] and Action contain ['s3:PutObject']) or Action contain ['s3:*'] or Action contain ['*'] ) ]

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS CloudGuard S3 Bucket Security

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS CCPA Framework

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10
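
The June 28 change to D9.AWS.CRY.04 is more than a wording tweak. The old logic, `S3Bucket where policy should have ...`, only assessed buckets that had a bucket policy, so a bucket with no policy at all was never evaluated and produced no finding even though it accepts plain HTTP. The new logic, `S3Bucket should have ...`, assesses every bucket, so a missing policy now fails. The Python below is an added example (not CloudGuard's code or its GSL engine) that mirrors the statement-matching condition from the After logic over constructed bucket policies and shows the outcome under both versions. The reading that resources filtered out by a GSL `where` clause are not assessed is mine, and the bucket names and policies are made up.

```python
import json
from typing import Any, Dict, List

# Action sets the After logic accepts: both object read and write,
# or the S3 wildcard, or the bare wildcard.
_OBJECT_RW = {"s3:GetObject", "s3:PutObject"}
_WILDCARDS = {"s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM policy JSON allows a scalar or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy: Dict[str, Any]) -> bool:
    """True if some statement matches the rule's pattern: Effect=Deny,
    Condition.Bool.aws:SecureTransport=false, and actions covering
    object reads and writes."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        # Real policies carry "false" as a string or as a JSON boolean.
        if str(secure).lower() != "false":
            continue
        actions = set(_as_list(stmt.get("Action")))
        if _OBJECT_RW <= actions or actions & _WILDCARDS:
            return True
    return False


def evaluate_bucket(bucket: Dict[str, Any], assess_unpolicied: bool) -> str:
    """PASS / FAIL / NOT_ASSESSED for one bucket.

    assess_unpolicied=False mirrors the Before logic ('S3Bucket where policy ...'):
    a bucket without a policy is filtered out and never assessed.
    assess_unpolicied=True mirrors the After logic ('S3Bucket should have ...'):
    every bucket is assessed, so a missing policy is a FAIL."""
    policy = bucket.get("policy")
    if not policy:
        return "FAIL" if assess_unpolicied else "NOT_ASSESSED"
    if isinstance(policy, str):          # policies are often stored as JSON text
        policy = json.loads(policy)
    return "PASS" if denies_insecure_transport(policy) else "FAIL"


def evaluate_all(buckets: Dict[str, Dict[str, Any]], assess_unpolicied: bool) -> Dict[str, str]:
    return {name: evaluate_bucket(b, assess_unpolicied) for name, b in buckets.items()}


# Constructed sample buckets; names, ARNs and policies are made up.
SAMPLE_BUCKETS = {
    "logs-with-deny": {
        "policy": {
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": ["arn:aws:s3:::logs-with-deny", "arn:aws:s3:::logs-with-deny/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }],
        }
    },
    "reads-only-deny": {
        "policy": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:GetObject"],       # PutObject over HTTP is still allowed
                "Resource": "arn:aws:s3:::reads-only-deny/*",
                "Condition": {"Bool": {"aws:SecureTransport": False}},
            }],
        }
    },
    "no-policy": {},
}


if __name__ == "__main__":
    print("Before:", evaluate_all(SAMPLE_BUCKETS, assess_unpolicied=False))
    print("After: ", evaluate_all(SAMPLE_BUCKETS, assess_unpolicied=True))
```

When this rule version lands, expect a jump in findings for buckets that never had a policy; those are not regressions, they are buckets that were silently out of scope before.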

D9.AWS.LOG.23

Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

High

Modification

  • Logic

  • AWS LGPD regulation

  • AWS CloudGuard S3 Bucket Security

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS CSA CCM v.4.0.1

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS CCPA Framework

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.K8S.IAM.38

Minimize the admission of containers with added capabilities (PSP)

High

Modification

  • Logic

  • List<KubernetesPodSecurityPolicy> should have items contain [(not spec.allowedCapabilities) or (spec.allowedCapabilities contain [isEmpty()])]

  • List<KubernetesPodSecurityPolicy> where items length() > 0 should have items contain [(not spec.allowedCapabilities) or (spec.allowedCapabilities contain [isEmpty()])]

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0

  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.AWS.CRY.82

S3 buckets should have server-side encryption enabled

Medium

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.AWS.NET.36

AWS Cloud Front - WAF Integration

Medium

Modification

  • Logic

  • CloudFront should have distributionConfig.webACLId

  • CloudFront where region unlike 'cn_%' should have distributionConfig.webACLId

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • AWS CIS Controls V 8

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AZU.CRY.49

Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'

Low

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.CRY.50

Ensure that 'Enable key rotation reminders' is enabled for each Storage Account

High

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.CRY.51

Enable Role Based Access Control for Azure Key Vault

High

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.LOG.18

Ensure that logging for Azure AppService 'HTTP logs' is enabled

Low

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.MON.85

Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'

Low

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.MON.86

Ensure the 'ServiceAdmin' role is listed as an email recipient for Defender alerts

Low

New

 

 

 

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v. 1.0.0

  • Azure CloudGuard Best Practices

  • Azure HITRUST v9.5.0

  • Azure ITSG-33

D9.ALI.CRY.05

Ensure server-side encryption is set to 'Encrypt with BYOK'.

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.CRY.06

Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key).

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.CRY.07

Ensure that 'TDE' is set to 'Enabled' on for applicable database instance.

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.IAM.18

Ensure that multi-factor authentication is enabled for all RAM users that have a console password

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.IAM.19

Ensure access keys are rotated every 90 days or less

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.LOG.02

Ensure that ActionTrail are configured to export copies of all Log entries

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.LOG.03

Ensure the OSS used to store ActionTrail logs is not publicly accessible

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.LOG.10

Ensure Security Center Network, Host and Security log analysis is enabled.

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.LOG.25

Ensure parameter 'log_connections' is set to 'ON' for PostgreSQL Database

Low

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.LOG.26

Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server

Low

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.LOG.27

Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server

Low

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.MON.01

Ensure that 'Auditing' is set to 'On' for applicable database instances

Low

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.MON.02

Ensure that 'Auditing' Retention is 'greater than 6 months'.

Low

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.NET.11

Ensure network access rule for storage bucket is not set to publicly accessible

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.NET.12

Ensure that RDS instance requires all incoming connections to use SSL

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.NET.13

Ensure that RDS Instances are not open to the world

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.NET.15

Ensure that SSH access is restricted from the internet

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.NET.16

Ensure VPC flow logging is enabled in all VPCs.

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.VLN.01

Ensure that Security Center is Advanced or Enterprise Edition.

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.VLN.02

Ensure that all assets are installed with security agent.

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.VLN.03

Ensure that Automatic Quarantine is enabled.

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.VLN.04

Ensure that Webshell detection is enabled on all web servers.

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.VLN.05

Ensure that notification is enabled on all high risk items.

Low

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.VLN.06

Ensure that Config Assessment is granted with privilege.

Low

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.VLN.07

Ensure that scheduled vulnerability scan is enabled on all servers.

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.ALI.VLN.09

Ensure that the latest OS Patches for all Virtual Machines are applied.

High

New

 

 

 

  • Alibaba CIS Foundations v. 1.0

D9.AZU.LOG.07

Ensure that a Log Profile exists

Low

Removal

 

 

 

  • Azure CloudGuard Best Practices

  • Azure ITSG-33

June 21 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.CRY.78

CloudFront distributions should require encryption in transit

Medium

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.AWS.CRY.79

CloudFront distributions should encrypt traffic to custom origins

Medium

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.AWS.CRY.80

RDS cluster snapshots should be encrypted at rest

Medium

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.AWS.CRY.81

RDS database snapshots should be encrypted at rest

Medium

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

June 14 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.IAM.46

Ensure that multi-factor authentication is enabled for all privileged users

High

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.IAM.47

Ensure that multi-factor authentication is enabled for all non-privileged users

High

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AWS.CRY.77

Ensure KMS CMK have key rotation enabled

High

Modification

  • Logic

  • KMS where origin != 'AWS_CLOUDHSM' and isCustomerManaged=true should not have rotationStatus isEmpty()

  • KMS where origin!='AWS_CLOUDHSM' and isCustomerManaged=true and deletionDate<=0 and isSymmetricKey=true should have rotationStatus=true

  • AWS PCI-DSS 4.0

  • AWS CloudGuard Best Practices

D9.AWS.LOG.09

Ensure rotation for customer created CMKs is enabled

Low

Removal

 

 

 

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AZU.MON.03

Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled

Low

Removal

 

 

 

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v. 1.0.0

  • Azure CloudGuard Best Practices

  • Azure HITRUST v9.5.0

  • Azure ITSG-33

June 07 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.K8S.IAM.02

Ensure that the --anonymous-auth argument is set to false (Kubelet)

High

Modification

  • Logic

  • KubernetesNode should have kubeletData.kubeletconfig.authentication.anonymous.enabled= 'false'

  • KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.authentication.anonymous.enabled = 'false'

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • OpenShift Container Platform v3

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Kubernetes Benchmark v1.24

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.K8S.MON.01

Ensure that the --event-qps argument is set to 0 (Kubelet)

Low

Modification

  • Logic

  • KubernetesNode should have kubeletData.kubeletconfig.eventRecordQPS= '0'

  • KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.eventRecordQPS = '0'

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • OpenShift Container Platform v3

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.K8S.NET.01

Ensure that the --client-ca-file argument is set as appropriate (Kubelet)

High

Modification

  • Logic

  • KubernetesNode should have kubeletData.kubeletconfig.authentication.x509.clientCAFile

  • KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.authentication.x509.clientCAFile

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • OpenShift Container Platform v3

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Kubernetes Benchmark v1.24

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.K8S.NET.03

Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Kubelet)

High

Modification

  • Logic

  • KubernetesNode should have kubeletData.kubeletconfig.streamingConnectionIdleTimeout!= '0'

  • KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.streamingConnectionIdleTimeout != '0'

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • OpenShift Container Platform v3

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Kubernetes Benchmark v1.24

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.K8S.NET.04

Ensure that the --make-iptables-util-chains argument is set to true (Kubelet)

Medium

Modification

  • Logic

  • KubernetesNode should have kubeletData.kubeletconfig.makeIPTablesUtilChains= 'true'

  • KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.makeIPTablesUtilChains= 'true'

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • OpenShift Container Platform v3

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Kubernetes Benchmark v1.24

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.K8S.OPE.01

Ensure that the --protect-kernel-defaults argument is set to true (Kubelet)

High

Modification

  • Logic

  • KubernetesNode should have kubeletData.kubeletconfig.protectKernelDefaults= 'true'

  • KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.protectKernelDefaults = 'true'

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • OpenShift Container Platform v3

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Kubernetes Benchmark v1.24

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.GCP.CRY.14

Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)

High

Modification

  • Logic

  • BigQueryTable should not have encryptionConfiguration.kmsKeyName isEmpty()

  • BigQueryTable where view.query isEmpty() should not have encryptionConfiguration.kmsKeyName isEmpty()

  • GCP CIS Foundations v. 1.3.0

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP MITRE ATT&CK Framework v12.1

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.K8S.CRY.01

Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)

High

Modification

  • Logic

  • KubernetesNode should have (kubeletData.kubeletconfig.tlsCertFile ) and (kubeletData.kubeletconfig.tlsPrivateKeyFile )

  • KubernetesNode where not kubeletData isEmpty() should have (kubeletData.kubeletconfig.tlsCertFile ) and (kubeletData.kubeletconfig.tlsPrivateKeyFile )

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • CIS Kubernetes Benchmark v1.24

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.K8S.CRY.02

Ensure that the --rotate-certificates argument is not set to false (Kubelet)

High

Modification

  • Logic

  • KubernetesNode should have kubeletData.kubeletconfig.rotateCertificates= 'true'

  • KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.rotateCertificates = 'true'

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0

  • CIS Kubernetes Benchmark v1.24

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.K8S.CRY.03

Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet)

High

Modification

  • Logic

  • KubernetesNode should have kubeletData.kubeletconfig.featureGates.RotateKubeletServerCertificate= 'true'

  • KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.featureGates.RotateKubeletServerCertificate = 'true'

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.AWS.CRY.77

Ensure KMS CMK have key rotation enabled

High

Modification

  • Logic

  • KMS where isCustomerManaged=true should not have rotationStatus isEmpty()

  • KMS where origin != 'AWS_CLOUDHSM' and isCustomerManaged=true should not have rotationStatus isEmpty()

  • AWS PCI-DSS 4.0

  • AWS CloudGuard Best Practices
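
D9.AWS.CRY.77 changed twice in a week, here (June 07) and in the June 14 entry above. The first two versions only checked that rotationStatus was not empty, so a customer managed key with rotation explicitly disabled (rotationStatus recorded as false) passed, while CloudHSM-backed and asymmetric keys, which AWS KMS cannot rotate automatically, failed. The June 14 version filters those out, skips keys scheduled for deletion, and requires rotationStatus=true. The Python below is an added example (not CloudGuard's code or its GSL engine) that evaluates a constructed key inventory under all three versions. The field names follow the GSL on the page; reading deletionDate<=0 as "no deletion scheduled" and treating keys filtered out by the where clause as not assessed are my assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class KmsKey:
    """Constructed key record using the field names from the rule's GSL."""
    key_id: str
    is_customer_managed: bool
    origin: str                       # 'AWS_KMS', 'EXTERNAL' or 'AWS_CLOUDHSM'
    is_symmetric_key: bool
    deletion_date: int                # assumed encoding: 0 when no deletion is scheduled
    rotation_status: Optional[bool]   # None models an empty rotationStatus field


# A rule version is (where-filter, condition). Keys rejected by the filter
# are not assessed at all, as with a GSL 'where' clause.
Rule = Tuple[Callable[[KmsKey], bool], Callable[[KmsKey], bool]]

RULE_VERSIONS: Dict[str, Rule] = {
    # KMS where isCustomerManaged=true should not have rotationStatus isEmpty()
    "june07-before": (
        lambda k: k.is_customer_managed,
        lambda k: k.rotation_status is not None,
    ),
    # KMS where origin != 'AWS_CLOUDHSM' and isCustomerManaged=true
    #     should not have rotationStatus isEmpty()
    "june07-after": (
        lambda k: k.is_customer_managed and k.origin != "AWS_CLOUDHSM",
        lambda k: k.rotation_status is not None,
    ),
    # KMS where origin!='AWS_CLOUDHSM' and isCustomerManaged=true
    #     and deletionDate<=0 and isSymmetricKey=true should have rotationStatus=true
    "june14-after": (
        lambda k: (k.is_customer_managed and k.origin != "AWS_CLOUDHSM"
                   and k.deletion_date <= 0 and k.is_symmetric_key),
        lambda k: k.rotation_status is True,
    ),
}


def evaluate(key: KmsKey, rule: Rule) -> str:
    """PASS / FAIL / NOT_ASSESSED for one key under one rule version."""
    where, condition = rule
    if not where(key):
        return "NOT_ASSESSED"
    return "PASS" if condition(key) else "FAIL"


def findings(keys: List[KmsKey], version: str) -> List[str]:
    """Key ids that FAIL under the given rule version."""
    return [k.key_id for k in keys if evaluate(k, RULE_VERSIONS[version]) == "FAIL"]


# Constructed sample inventory; key ids and values are made up.
SAMPLE_KEYS = [
    KmsKey("rotating",        True,  "AWS_KMS",      True,  0,          True),
    KmsKey("rotation-off",    True,  "AWS_KMS",      True,  0,          False),
    KmsKey("hsm-backed",      True,  "AWS_CLOUDHSM", True,  0,          None),
    KmsKey("asymmetric-sign", True,  "AWS_KMS",      False, 0,          None),
    KmsKey("pending-delete",  True,  "AWS_KMS",      True,  1700000000, None),
    KmsKey("aws-managed",     False, "AWS_KMS",      True,  0,          None),
]


if __name__ == "__main__":
    for version in RULE_VERSIONS:
        print(f"{version:14s} FAIL: {findings(SAMPLE_KEYS, version)}")
```

One caveat when triaging under the June 14 logic: the filter excludes CloudHSM-backed keys but not keys with imported key material (origin EXTERNAL), which AWS KMS also cannot rotate automatically, so expect those to surface as findings that need a manual rotation story rather than a setting change.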

D9.AWS.IAM.114

Ensure API gateway policy limits public access

High

New

 

 

 

  • CloudGuard AWS Default Ruleset

D9.AWS.NET.95

Ensure API gateway has WAF

Low

New

 

 

 

  • CloudGuard AWS Default Ruleset

May 31 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.IAM.59

Ensure that VPC Endpoint policy does not provide excessive permissions

High

Modification

  • Name

  • Ensure that VPC Endpoint policy won't allow all actions

  • Ensure that VPC Endpoint policy does not provide excessive permissions

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.GCP.IAM.29

Ensure unrestricted API keys are not available within your GCP projects

High

New

 

 

 

  • GCP NIST 800-53 Rev 5

  • GCP CloudGuard Best Practices

D9.GCP.IAM.30

Ensure Essential Contacts are defined for your Google Cloud organization

High

New

 

 

 

  • GCP NIST 800-53 Rev 5

  • GCP CloudGuard Best Practices

May 24 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.CRY.68

Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses Customer Master Keys (CMK)

Low

Modification

  • Logic

  • Lambda should have kmsKeyArn

  • Lambda where not environmentVariables isEmpty() should have kmsKeyArn

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.AWS.NET.94

Ensure security groups associated with EKS cluster do not have inbound rules with a scope of 0.0.0.0/0

Medium

New

 

 

 

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CloudGuard Best Practices

D9.AWS.OPE.25

Ensure EKS cluster version is up-to-date

Informational

New

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.IAM.70

Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version

Critical

Removal

 

 

 

  • AWS LGPD regulation

  • AWS CloudGuard S3 Bucket Security

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.AWS.IAM.42

S3 buckets should not grant any external privileges via ACL

High

Removal

 

 

 

  • AWS LGPD regulation

  • AWS CloudGuard S3 Bucket Security

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

May 17 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.CRY.03

Ensure that S3 Buckets are encrypted with CMK

High

Modification

  • Logic

  • S3Bucket should have encryption.serverSideEncryptionRules contain [ not serverSideEncryptionByDefault.serverSideEncryptionKeyManagementServiceKeyId isEmpty() ]

  • S3Bucket should have encryption.serverSideEncryptionRules contain [ getResource('KMS', serverSideEncryptionByDefault.serverSideEncryptionKeyManagementServiceKeyId) getValue('isCustomerManaged') and getResource('KMS', serverSideEncryptionByDefault.serverSideEncryptionKeyManagementServiceKeyId) getValue('enabled') ]

  • AWS HIPAA

  • None

  • AWS LGPD regulation

  • AWS CloudGuard S3 Bucket Security

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS Dashboard System Ruleset

  • AWS CCPA Framework

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AZU.NET.24

Ensure default network access rule for Storage Accounts is set to deny

High

Modification

  • Logic

  • StorageAccount should not have networkRuleSet.defaultAction='Allow'

  • StorageAccount should not have publicNetworkAccessAsDisplayedInPortal ='Enabled from all networks'

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v.2.0

  • Azure CIS Foundations v. 1.1.0

  • Azure CloudGuard Best Practices

  • Azure Security Benchmark

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure HITRUST v9.5.0

  • Azure CIS Foundations v. 1.3.1

D9.AWS.IAM.52

Ensure AWS IAM policies allow only the required privileges for each role

Low

Modification

  • Logic

  • IamPolicy where arn!='arn:aws:iam::aws:policy/AdministratorAccess' should not have document.Statement contain[ Effect='Allow' ] and document.Statement contain [ Action='*' ]

  • IamPolicy where arn!='arn:aws:iam::aws:policy/AdministratorAccess' should not have document.Statement contain-any [ $ with [ Effect='Allow' and Action='*' ] ]

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AZU.MON.82

Ensure that Activity Log Alert exists for Create or Update Public IP Address rule

Low

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.MON.83

Ensure that Activity Log Alert exists for Delete Public IP Address rule

Low

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.MON.84

Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule

Low

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.NET.68

Ensure Private Endpoints are used to access Storage Accounts

Medium

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.NET.69

Ensure that Private Endpoints are Used for Azure Key Vault

Medium

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.NET.70

Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

Low

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AWS.VLN.07

Ensure AWS Security Hub is enabled.

Low

New

 

 

 

  • AWS CIS Foundations v. 1.5.0

  • AWS CloudGuard Best Practices

D9.AZU.NET.71

Ensure an Azure Bastion Host Exists

Medium

New

 

 

 

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AWS.VLN.08

Ensure Lambda functions are not using deprecated runtimes

High

New

 

 

 

  • AWS CloudGuard Best Practices

D9.ALI.IAM.01

Ensure no root account access key exists.

High

Modification

  • Name

  • Ensure no root account access key exists

  • Ensure no root account access key exists.

  • Alibaba cloud ruleset

May 10 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.CRY.77

Ensure KMS CMK have key rotation enabled

High

New

 

 

 

  • AWS PCI-DSS 4.0

  • AWS CloudGuard Best Practices

D9.AWS.IAM.113

Amazon EBS snapshots should not be publicly accessible

High

New

 

 

 

  • AWS PCI-DSS 4.0

  • AWS CloudGuard Best Practices

D9.AWS.VLN.01

EC2 Instance - there shouldn't be any High level findings in Inspector Scans

High

Removal

 

 

 

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.VLN.07

Ensure that enhance scanning is enabled for all repositories

High

Removal

 

 

 

  • AWS CloudGuard Best Practices

May 03 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.IAM.45

Ensure that 'Number of methods required to reset' is set to '2'

Low

New

 

 

 

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • AZU PCI-DSS 4.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure CIS Foundations v. 1.3.1

D9.AZU.MON.75

Ensure That Microsoft Defender for Resource Manager Is Set To 'On'

High

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.MON.76

Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'

High

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.MON.78

Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'

High

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.MON.79

Ensure That Microsoft Defender for DNS Is Set To 'On'

High

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.MON.80

Ensure That Microsoft Defender for Databases Is Set To 'On'

High

New

 

 

 

  • Azure CIS Foundations v. 1.5.0

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AZU.MON.77

Ensure That Microsoft Defender for Containers Is Set To 'On'

High

New

 

 

 

  • Azure CIS Foundations v.2.0

  • Azure CloudGuard Best Practices

D9.AWS.CRY.71

Ensure that encryption is enabled for AWS RDS DB Cluster Snapshot

High

New

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.CRY.72

Ensure that encryption is enabled for AWS RDS DB Snapshot

High

New

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.CRY.70

Ensure that encryption is enabled for AWS RDSDBCluster Storage

High

New

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.CRY.73

Ensure that user Volume Encryption is enabled for AWS Workspace

High

New

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.CRY.74

Ensure that root Volume Encryption is enabled for AWS Workspace

High

New

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.CRY.76

Ensure that encryption is enabled for AWS EBS Snapshot

High

New

 

 

 

  • AWS CloudGuard Best Practices

D9.ALI.CRY.02

Ensure server-side encryption is set to 'Encrypt with Service Key'

High

Modification

  • Name

  • Ensure that OSS bucket server side encryption using KMS is enabled

  • Ensure server-side encryption is set to 'Encrypt with Service Key'

  • Alibaba cloud ruleset

D9.ALI.CRY.03

Ensure that 'Unattached disks' are encrypted

High

Modification

  • Name

  • Ensure that ECS Disks are encrypted

  • Ensure that 'Unattached disks' are encrypted

  • Alibaba cloud ruleset

D9.ALI.CRY.04

Ensure that Virtual Machine's Disks are encrypted

High

Modification

  • Name

  • Ensure that ECS Virtual Machine's Disks are encrypted

  • Ensure that Virtual Machine's Disks are encrypted

  • Alibaba cloud ruleset

D9.ALI.LOG.01

Ensure that logging is enabled for OSS buckets

Low

Modification

  • Logic

  • OssBucket should have logging.loggingEnabled=true and name != logging.targetBucket

  • OssBucket should have logging.loggingEnabled=true and name!=logging.targetBucket

  • Alibaba cloud ruleset

D9.ALI.NET.03

Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

High

Modification

  • Logic

  • SecurityGroup should not have inboundRules with [sourceCidrIp = '0.0.0.0/0' and port<=22 and portTo>=22]

  • SecurityGroup should not have inboundRules with [sourceCidrIp='0.0.0.0/0' and (port=22 and portTo=22)]

  • Alibaba cloud ruleset

D9.ALI.NET.04

Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

High

Modification

  • Logic

  • SecurityGroup should not have inboundRules with [sourceCidrIp = '0.0.0.0/0' and port<=3389 and portTo>=3389]

  • SecurityGroup should not have inboundRules with [sourceCidrIp = '0.0.0.0/0' and (port=3389 and portTo=3389)]

  • Alibaba cloud ruleset

April 24 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.OCI.LOG.06

Ensure a notification is configured for IdP group mapping changes.

Low

Modification

  • Logic

  • List<EventRule> should have items with [isEnabled=true and (actions.actions with [ actionType='ONS'] and actions.actions with [ isEnabled=true ]) and (condition.eventType contain ['com.oraclecloud.identitycontrolplane.createpolicy']) and (condition.eventType contain ['com.oraclecloud.identitycontrolplane.deletepolicy']) and (condition.eventType contain ['com.oraclecloud.identitycontrolplane.updatepolicy']) length() >0]

  • List<EventRule> should have items with [isEnabled=true and (actions.actions with [ actionType='ONS'] and actions.actions with [ isEnabled=true ]) and (condition.eventType contain ['com.oraclecloud.identitycontrolplane.createidpgroupmapping']) and (condition.eventType contain ['com.oraclecloud.identitycontrolplane.deleteidpgroupmapping']) and (condition.eventType contain ['com.oraclecloud.identitycontrolplane.updateidpgroupmapping']) length() >0]

  • OCI Foundations Benchmark v1.2.0

April 19 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.IAM.112

Enforce Password Policy

High

New

 

 

 

  • AWS HIPAA

  • None

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.MON.26

Ensure a log metric filter and alarm exist for EC2 instance changes

Medium

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.AWS.MON.27

Ensure a log metric filter and alarm exist for EC2 Large instance changes

Medium

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.AWS.NET.93

Ensure EMR clusters nodes should not have public IP

High

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS CloudGuard Best Practices

D9.AWS.IAM.111

Credentials report was generated in the last 24 hours

Low

New

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CIS Foundations v. 1.0.0

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.OCI.CRY.05

Ensure customer created Customer Managed Key (CMK) is rotated at least annually

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.AWS.OPE.23

Ensure that the Cross-Region Replication feature is enabled for your Amazon ECR container images.

Low

New

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.OPE.24

Ensure that Amazon ECR image repositories are using lifecycle policies.

Low

New

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.VLN.07

Ensure that enhance scanning is enabled for all repositories

High

New

 

 

 

  • AWS CloudGuard Best Practices

D9.ALI.CRY.01

Ensure that 'Secure transfer required' is set to 'Enabled'

High

Modification

  • Name

  • Ensure that 'Secure transfer required' is Enabled

  • Ensure that 'Secure transfer required' is set to 'Enabled'

  • Alibaba cloud ruleset

D9.ALI.IAM.04

Ensure users not logged on for 90 days or longer are disabled for console logon.

High

Modification

  • Name

  • Logic

  • Ensure users not logged on for 90 days or longer are disabled for console logon

  • RamUser should not have (lastLoginDate isEmpty() and lastLoginDate after(-90, 'days') )

  • Ensure users not logged on for 90 days or longer are disabled for console logon.

  • RamUser should not have lastLoginDate isEmpty() or lastLoginDate before(-90, 'days')

  • Alibaba cloud ruleset

D9.ALI.IAM.08

Ensure RAM policies that allow full "*:*" administrative privileges are not created

High

Modification

  • Name

  • Ensure RAM policies that allow full access administrative privileges are not created

  • Ensure RAM policies that allow full "*:*" administrative privileges are not created

  • Alibaba cloud ruleset

D9.ALI.IAM.09

Ensure RAM password policy prevents password reuse.

High

Modification

  • Name

  • Ensure RAM password policy prevents password reuse

  • Ensure RAM password policy prevents password reuse.

  • Alibaba cloud ruleset

D9.ALI.IAM.10

Ensure RAM password policy requires at least one uppercase letter.

Low

Modification

  • Name

  • Ensure RAM password policy requires at least one uppercase letter

  • Ensure RAM password policy requires at least one uppercase letter.

  • Alibaba cloud ruleset

D9.ALI.IAM.11

Ensure RAM password policy requires at least one lowercase letter.

Low

Modification

  • Name

  • Ensure RAM password policy requires at least one lowercase letter

  • Ensure RAM password policy requires at least one lowercase letter.

  • Alibaba cloud ruleset

D9.ALI.IAM.12

Ensure RAM password policy require at least one symbol.

Low

Modification

  • Name

  • Ensure RAM password policy require at least one symbol

  • Ensure RAM password policy require at least one symbol.

  • Alibaba cloud ruleset

D9.ALI.IAM.13

Ensure RAM password policy require at least one number.

Low

Modification

  • Name

  • Ensure RAM password policy require at least one number

  • Ensure RAM password policy require at least one number.

  • Alibaba cloud ruleset

D9.ALI.IAM.14

Ensure RAM password policy expires passwords within 90 days or less.

Low

Modification

  • Name

  • Logic

  • Ensure RAM password policy expires passwords within 90 days or less

  • RamPasswordPolicy should have maxPasswordAge<=90

  • Ensure RAM password policy expires passwords within 90 days or less.

  • RamPasswordPolicy should have maxPasswordAge>0 and maxPasswordAge<=90

  • Alibaba cloud ruleset

D9.ALI.IAM.15

Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour.

High

Modification

  • Name

  • Logic

  • Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour

  • RamPasswordPolicy should have maxLoginAttemps<=5

  • Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour.

  • RamPasswordPolicy should have maxLoginAttemps>0 and maxLoginAttemps<=5

  • Alibaba cloud ruleset

D9.ALI.IAM.16

Ensure RAM password policy requires minimum length of 14 or greater

Low

Modification

  • Name

  • Ensure RAM password policy requires minimum length of at least 14

  • Ensure RAM password policy requires minimum length of 14 or greater

  • Alibaba cloud ruleset

D9.ALI.NET.02

Ensure legacy networks does not exist.

High

Modification

  • Name

  • Ensure legacy networks does not exist

  • Ensure legacy networks does not exist.

  • Alibaba cloud ruleset

D9.AWS.PRE.02

Enforce Password Policy

High

Removal

 

 

 

  • AWS HIPAA

  • None

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.PRE.01

Credentials report was generated in the last 24 hours

Low

Removal

 

 

 

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS HITRUST v11.0.0

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CIS Foundations v. 1.0.0

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

March 29 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.CRY.59

Ensure ACM certificate was not issued before the Heartbleed security bug fix

Critical

Modification

  • Logic

  • AcmCertificate should have (notBefore > 1396915200 and issuedAt = -62135596800) or issuedAt > 1396915200

  • AcmCertificate where status='ISSUED' should have ( notBefore>1396915200 and issuedAt=-62135596800 ) or issuedAt>1396915200

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.OCI.AS.01

Create at least one compartment in your tenancy to store cloud resources.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.AS.02

Ensure no VCNs are created in the root compartment.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.AS.03

Ensure no instances created in the root compartment.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.AS.04

Ensure no volumes are created in the root compartment.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.AS.05

Ensure no filesystems are created in the root compartment.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.AS.06

Ensure no buckets are created in the root compartment.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.AS.07

Ensure no autonomousdatabases are created in the root compartment.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.CRY.01

Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK).

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.CRY.02

Ensure Block Volumes are encrypted with Customer Managed Keys (CMK).

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.CRY.03

Ensure boot volumes are encrypted with Customer Managed Key (CMK).

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.CRY.04

Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK).

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.IAM.01

Ensure no Object Storage buckets are publicly visible.

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.IAM.02

Ensure IAM password policy requires minimum length of 14 or greater.

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.IAM.03

Ensure MFA is enabled for all users with a console password.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.IAM.04

Ensure all OCI IAM user accounts have a valid and current email address.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.IAM.05

Ensure user API keys rotate within 90 days or less.

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.IAM.06

Ensure user customer secret keys rotate within 90 days or less.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.IAM.07

Ensure user auth tokens rotate within 90 days or less.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.IAM.08

Ensure permissions on all resources are given only to the tenancy administrator group.

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.IAM.09

Ensure IAM administrators cannot update tenancy Administrators group.

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.IAM.10

Ensure API keys are not created for tenancy administrator users.

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.01

Ensure default tags are used on resources.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.02

Ensure VCN flow logging is enabled for all subnets.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.03

Ensure write level Object Storage logging is enabled for all buckets.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.04

Create at least one notification topic and subscription to receive monitoring alerts.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.05

Ensure a notification is configured for Identity Provider changes.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.06

Ensure a notification is configured for IdP group mapping changes.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.07

Ensure a notification is configured for IAM group changes.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.08

Ensure a notification is configured for IAM policy changes

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.09

Ensure a notification is configured for user changes.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.10

Ensure a notification is configured for VCN changes.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.11

Ensure a notification is configured for changes to route tables.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.12

Ensure a notification is configured for security list changes.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.13

Ensure a notification is configured for network security group changes.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.LOG.14

Ensure a notification is configured for changes to network gateways.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.NET.01

Ensure no security lists allow ingress from 0.0.0.0/0 to port 22.

Critical

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.NET.02

Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389.

Critical

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.NET.03

Ensure the default security list of every VCN restricts all traffic except ICMP.

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.NET.04

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22.

Critical

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.NET.05

Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389.

Critical

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.NET.06

Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources.

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.NET.07

Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud.

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.NET.08

Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network.

High

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.OPE.01

Ensure Versioning is Enabled for Object Storage Buckets.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

D9.OCI.OPE.02

Ensure Cloud Guard is enabled in the root compartment of the tenancy.

Low

New

 

 

 

  • OCI Foundations Benchmark v1.2.0

March 15 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.IAM.18

Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.01

Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS HIPAA

  • None

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.02

Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.04

Ensure the default security group of every VPC restricts all traffic

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CIS Foundations v. 1.1.0

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS CIS Foundations v. 1.0.0

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CIS Foundations v. 1.2.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.16

RDS should not have Public Interface

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS Dashboard System Ruleset

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.17

RDS should not have Public Interface open to a public scope

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS Dashboard System Ruleset

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.08

Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.29

Ensure that EC2 AMIs are not publicly accessible

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS PCI-DSS 3.2

  • AWS ISO 27001:2013

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AZU.NET.16

Redis attached subnet Network Security Group should allow egress traffic only to ports 6379 or 6380

High

Modification

  • Logic

  • RedisCache should have subnet.securityGroup.outboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=6379 and destinationPortTo>=6379 ] ] and subnet.securityGroup.outboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=6380 and destinationPortTo>=6380 ] ]

  • RedisCache where sku.name='Premium' should have subnet.securityGroup.outboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=6379 and destinationPortTo>=6379 ] ] and subnet.securityGroup.outboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=6380 and destinationPortTo>=6380 ] ]

  • Azure LGPD regulation

  • Azure NIST 800-53 Rev 5

  • Azure PCI-DSS 3.2

  • Azure NIST 800-53 Rev 4

  • Azure CSA CCM v.3.0.1

  • Azure ISO 27001:2013

  • Azure NIST CSF v1.1

  • Azure CloudGuard SOC2 based on AICPA TSC 2017

  • Azure HIPAA

  • Azure CloudGuard Network Security Alerts

  • Azure NIST 800-171

  • Azure CloudGuard Best Practices

  • Azure New Zealand Information Security Manual (NZISM) v.3.4

D9.AWS.CRY.67

Ensure that EC2 instance's custom AMI is encrypted at rest

High

Modification

  • Logic

  • Instance where imageDetails.imageLocation regexMatch /^(?!amazon\/).+/ should not have imageDetails.blockDeviceMappings contain [ ebs.encrypted=false ]

  • Instance where imageDetails.imageLocation regexMatch /^(?!amazon|aws-marketplace\/).+/ should not have imageDetails.blockDeviceMappings contain [ ebs.encrypted=false ]

  • AWS Security Risk Management

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.AWS.IAM.1019

IamUser with Admin or wide permissions without MFA enabled

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS Dashboard System Ruleset

  • AWS HITRUST

  • AWS MITRE ATT&CK Framework v10

D9.AWS.IAM.106

Ensure that EC2 instance's custom AMI is not publicly shared

Critical

Modification

  • Logic

  • Severity

  • Instance where imageDetails.imageLocation regexMatch /^(?!amazon\/).+/ should not have imageDetails.isPublic

  • High

  • Instance where imageDetails.imageLocation regexMatch /^(?!amazon|aws-marketplace\/).+/ should not have imageDetails.isPublic

  • Critical

  • AWS Security Risk Management

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.AWS.NET.72

Ensure that S3 Buckets are configured with Block public access (bucket/account settings)

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.60

Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate

High

Modification

  • Severity

  • Critical

  • High

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.AWS.IAM.57

Ensure SNS Topics aren't publicly accessible

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.27

Instances with Direct Connect virtual interface should not have public interfaces

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.28

RDS Databases with Direct Connect virtual interface should not have public interfaces

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS ISO 27001:2013

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.47

Ensure AWS VPC subnets have automatic public IP assignment disabled

Critical

Modification

  • Severity

  • Medium

  • Critical

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.51

Ensure AWS Redshift clusters are not publicly accessible

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS CCPA Framework

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.52

Ensure that the API Endpoint type in API Gateway is set to Private and is not exposed to the public internet

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.56

Ensure that Security Groups are not open to all

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.71

EksCluster should not be publicly accessed

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.77

Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

  • AWS CIS Foundations v. 1.3.0

  • AWS CIS Foundations v. 1.4.0

D9.AWS.VLN.05

Ensure that public System Manager Documents include parameters

High

Modification

  • Severity

  • Critical

  • High

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard Best Practices

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.91

Ensure no security groups allow ingress from ::/0 to remote server administration ports

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS CIS Foundations v. 1.5.0

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.AWS.IAM.102

Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone.

Critical

Modification

  • Severity

  • High

  • Critical

  • AWS HITRUST v11.0.0

  • CloudGuard AWS Default Ruleset

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Best Practices

D9.AWS.CRY.69

Ensure that RDS database instance enforces SSL/TLS for all connections

High

New

  • AWS CloudGuard Best Practices

D9.AWS.NET.92

Ensure that RDS database instance doesn't use its default endpoint port

Low

New

  • AWS CloudGuard Best Practices

D9.AWS.VLN.06

Ensure Inspector Instances have continuous scanning active

Low

New

  • AWS CloudGuard Best Practices

March 01 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.NET.14

Ensure that Redis is updated regularly with security and operational updates.

Low

Modification

  • Name

  • Ensure that Redis is updated regularly with security and operational updates. Note this feature is only available to Premium tier Redis Caches.

  • Ensure that Redis is updated regularly with security and operational updates.

  • Azure LGPD regulation

  • Azure CloudGuard Network Security Alerts

  • Azure CloudGuard Best Practices

February 22 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.LOG.12

Ensure that logging for Azure KeyVault is 'Enabled'

Low

Modification

  • Logic

  • KeyVault should have diagnosticSettings contain [ logs contain [ category='AuditEvent' and enabled=true ] ]

  • KeyVault should have diagnosticSettings contain [ logs contain [ (category='AuditEvent' or categoryGroup='audit') and enabled=true ] ]

  • Azure CloudGuard CheckUp

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v. 1.0.0

  • Azure PCI-DSS 3.2

  • Azure NIST 800-53 Rev 4

  • Azure CSA CCM v.3.0.1

  • Azure ISO 27001:2013

  • Azure NIST CSF v1.1

  • Azure CloudGuard SOC2 based on AICPA TSC 2017

  • Azure HIPAA

  • Azure CIS Foundations v. 1.1.0

  • Azure NIST 800-171

  • Azure CloudGuard Best Practices

  • Azure Security Benchmark

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure New Zealand Information Security Manual (NZISM) v.3.4

  • Azure HITRUST v9.5.0

  • Azure ITSG-33

  • Azure CIS Foundations v. 1.3.1

February 15 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.VLN.02

Instances without Inspector runs in the last 30 days

Low

Removal

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS NIST 800-53 Rev 4

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

February 08 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.NET.18

RDS should not have been open to a large scope

High

Modification

  • Name

  • RDS should not have be open to a large scope

  • RDS should not have been open to a large scope

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Network Alerts for default VPC components

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.70

EksCluster should not have more than one security group

Medium

Modification

  • Name

  • EksCluster should not have more than one security groups

  • EksCluster should not have more than one security group

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CloudGuard Best Practices

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.NET.71

EksCluster should not be publicly accessed

High

Modification

  • Name

  • EksCluster should not be publicly access

  • EksCluster should not be publicly accessed

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CloudGuard Best Practices

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.K8S.IAM.86

Ensure that a unique Certificate Authority is used for etcd

High

New

  • CIS Kubernetes Benchmark v1.24

February 01 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.CRY.04

Ensure S3 Bucket Policy is set to deny HTTP requests

High

Modification

  • Logic

  • S3Bucket where policy should have policy.Statement contain-all [Effect='Deny' and Condition.Bool.aws:SecureTransport='false' and (Action contain ['s3:GetObject'] or Action contain ['s3:PutObject'] or Action contain ['s3:*'] or Action contain ['*'] ) ]

  • S3Bucket where policy should have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false' and ((Action contain ['s3:GetObject'] and Action contain ['s3:PutObject']) or Action contain ['s3:*'] or Action contain ['*'] ) ]

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS CloudGuard S3 Bucket Security

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS NIST 800-53 Rev 4

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS CCPA Framework

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AZU.CRY.27

Ensure storage for critical data is encrypted with Customer Managed Key

Low

Modification

  • Name

  • Ensure storage for critical data are encrypted with Customer Managed Key

  • Ensure storage for critical data is encrypted with Customer Managed Key

  • Azure CIS Foundations v. 1.4.0

  • Azure LGPD regulation

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v. 1.0.0

  • Azure PCI-DSS 3.2

  • Azure NIST 800-53 Rev 4

  • Azure GDPR Readiness

  • Azure CSA CCM v.3.0.1

  • Azure ISO 27001:2013

  • Azure CloudGuard SOC2 based on AICPA TSC 2017

  • Azure HIPAA

  • Azure Dashboard System Ruleset

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure New Zealand Information Security Manual (NZISM) v.3.4

  • Azure HITRUST v9.5.0

  • Azure ITSG-33

  • Azure CIS Foundations v. 1.3.1

D9.AZU.IAM.41

Ensure guest users are reviewed on a monthly basis

Low

New

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure CIS Foundations v. 1.3.1

D9.AZU.IAM.42

Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'

Low

New

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure CIS Foundations v. 1.3.1

D9.AZU.IAM.43

Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Low

New

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure CIS Foundations v. 1.3.1

D9.AZU.NET.02

Ensure the entire Azure infrastructure doesn't have access to Azure SQL Server

High

Modification

  • Name

  • Ensure entire Azure infrastructure doesn't have access to Azure SQL Server

  • Ensure the entire Azure infrastructure doesn't have access to Azure SQL Server

  • Azure LGPD regulation

  • Azure NIST 800-53 Rev 5

  • Azure NIST 800-53 Rev 4

  • Azure CSA CCM v.3.0.1

  • Azure ISO 27001:2013

  • Azure NIST CSF v1.1

  • Azure CloudGuard SOC2 based on AICPA TSC 2017

  • Azure HIPAA

  • Azure CloudGuard Network Security Alerts

  • Azure NIST 800-171

  • Azure CloudGuard Best Practices

  • Azure New Zealand Information Security Manual (NZISM) v.3.4

  • Azure HITRUST v9.5.0

D9.AZU.CRY.25

Ensure Function App is using the latest version of TLS encryption

High

Modification

  • Name

  • Ensure function app is using the latest version of TLS encryption

  • Ensure Function App is using the latest version of TLS encryption

  • Azure CIS Foundations v. 1.5.0

  • Azure CloudGuard Best Practices

  • Azure Security Benchmark

  • Azure HITRUST v9.5.0

  • Azure ITSG-33

  • Azure CIS Foundations v. 1.3.1

D9.AWS.NET.91

Ensure no security groups allow ingress from ::/0 to remote server administration ports

High

New

  • AWS CIS Foundations v. 1.5.0

  • AWS CloudGuard Best Practices

D9.K8S.IAM.83

Ensure that a minimal audit policy is created (API Server)

Low

New

  • CIS Kubernetes Benchmark v1.24

D9.K8S.IAM.84

Ensure that encryption providers are appropriately configured (API Server)

High

New

  • CIS Kubernetes Benchmark v1.24

D9.K8S.IAM.85

Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server)

High

New

  • CIS Kubernetes Benchmark v1.24

D9.AZU.NET.30

Ensure that you are using authorized IP address ranges to secure access to the API server

High

Modification

  • Name

  • Ensure that you are using authorized IP address ranges in order to secure access to the API server

  • Ensure that you are using authorized IP address ranges to secure access to the API server

  • Azure NIST 800-53 Rev 5

  • Azure CloudGuard Best Practices

D9.GCP.NET.04

Ensure VM Instance should not have public IP

High

Removal

  • GCP Security Risk Management

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP CloudGuard Network Security

  • GCP HIPAA

  • GCP GDPR Readiness

  • GCP CloudGuard Best Practices

January 25 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.CRY.20

Ensure AWS Kinesis Streams Keys are rotated

Low

Modification

  • Logic

  • Kinesis should have getResource('KMS', kmsKeyId) contain [ rotationStatus = true ]

  • Kinesis where encrypted should have encryptionKey.rotationStatus=true

  • AWS HIPAA

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.21

AWS Kinesis streams are encrypted with customer managed CMK

Low

Modification

  • Logic

  • Kinesis should have getResource('KMS', kmsKeyId) contain [ isCustomerManaged = true ]

  • Kinesis should have encryptionKey.isCustomerManaged=true

  • AWS HIPAA

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.23

Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys

Low

Modification

  • Logic

  • EFS should have getResource('KMS', encryptionKeyArn) contain [ isCustomerManaged = true ]

  • EFS should have encryptionKey.isCustomerManaged=true

  • AWS HIPAA

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.GCP.NET.10

Ensure Master authorized networks are set to Enabled on Kubernetes Engine Clusters

Medium

Modification

  • Name

  • Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters

  • Ensure Master authorized networks are set to Enabled on Kubernetes Engine Clusters

  • GCP CloudGuard CheckUp

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 1.0.0

  • GCP CloudGuard Best Practices

D9.GCP.NET.11

Ensure 'Enable connecting to serial ports' is not enabled for VM Instance

High

Modification

  • Name

  • Ensure 'Ensure 'Enable connecting to serial ports' is not enabled for VM Instance

  • Ensure 'Enable connecting to serial ports' is not enabled for VM Instance

  • GCP CloudGuard CheckUp

  • GCP CIS Foundations v. 1.3.0

  • GCP Security Risk Management

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP CIS Foundations v. 2.0

  • GCP CIS Foundations v. 1.0.0

  • GCP PCI-DSS 3.2

  • GCP NIST 800-53 Rev 4

  • GCP ISO 27001:2013

  • GCP NIST CSF v1.1

  • GCP CloudGuard Network Security

  • GCP CIS Foundations v. 1.1.0

  • GCP CIS Foundations v. 1.2.0

  • GCP CloudGuard Best Practices

D9.GCP.IAM.20

Suspended user account unused for more than 6 months

High

Modification

  • Name

  • Suspended user account unused more then 6 months

  • Suspended user account unused for more than 6 months

  • GCP LGPD regulation

  • GCP NIST 800-53 Rev 5

  • GCP PCI-DSS 4.0

  • GCP GDPR Readiness

  • GCP CloudGuard Best Practices

D9.AWS.CRY.33

Ensures that AWS RDS databases are encrypted using Customer Managed Keys

Low

Modification

  • Logic

  • RDS where isStorageEncrypted=true should have getResource('KMS', kmsKeyId) contain [ isCustomerManaged = true ]

  • RDS where isStorageEncrypted=true should have encryptionKey.isCustomerManaged=true

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.35

Ensure SageMaker Notebook Instance Data Encryption is enabled

High

Modification

  • Logic

  • SageMakerNotebook should have kmsKeyId

  • SageMakerNotebook should have kmsKey

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS CloudGuard CheckUp

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.36

Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled

Low

Modification

  • Logic

  • SageMakerNotebook should have getResource('KMS', kmsKeyId) contain [ isCustomerManaged = true ]

  • SageMakerNotebook where kmsKey should have kmsKey.isCustomerManaged=true

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS PCI-DSS 4.0

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.GCP.AS.04

Ensure Automatic node upgrades are enabled on Kubernetes Engine Clusters nodes

High

Modification

  • Name

  • Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes

  • Ensure Automatic node upgrades are enabled on Kubernetes Engine Clusters nodes

  • GCP NIST 800-53 Rev 5

  • GCP CIS Foundations v. 1.0.0

  • GCP CloudGuard Best Practices

D9.GCP.DR.02

Ensure that Cloud SQL - MYSQL instances have Point-in-time recovery enabled

Low

Modification

  • Name

  • Ensure that Cloud SQL - MYSQL instance have Point-in-time recovery enabled

  • Ensure that Cloud SQL - MYSQL instances have Point-in-time recovery enabled

  • GCP NIST 800-53 Rev 5

  • GCP CloudGuard Best Practices

D9.AZU.NET.VirtualMachine.1270

Virtual machine administrative OMI/OMS service port (1270) is publicly accessible

High

Removal

  • Azure LGPD regulation

  • Azure Security Risk Management

  • Azure CloudGuard Network Security Alerts

  • Azure CloudGuard Best Practices

D9.AZU.NET.VirtualMachine.5985

Virtual machine administrative OMI/OMS service port (5985) is publicly accessible

High

Removal

  • Azure LGPD regulation

  • Azure Security Risk Management

  • Azure CloudGuard Network Security Alerts

  • Azure CloudGuard Best Practices

D9.AZU.NET.VirtualMachine.5986

Virtual machine administrative OMI/OMS service port (5986) is publicly accessible

High

Removal

  • Azure LGPD regulation

  • Azure Security Risk Management

  • Azure CloudGuard Network Security Alerts

  • Azure CloudGuard Best Practices

January 18 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.IAM.38

Ensure Security Defaults is enabled on Azure Active Directory

High

New

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure CIS Foundations v. 1.3.1

D9.AZU.IAM.39

Ensure That 'Users Can Register Applications' Is Set to 'No'

High

New

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure CIS Foundations v. 1.3.1

D9.AZU.IAM.40

Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'

High

New

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure CloudGuard Best Practices

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure CIS Foundations v. 1.3.1

D9.AWS.NET.37

Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols

High

Modification

  • Name

  • Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols

  • Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols

  • AWS Security Risk Management

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.K8S.IAM.30

Minimize the admission of containers with the NET_RAW capability (PSP)

High

Modification

  • Logic

  • List<KubernetesPodSecurityPolicy> where items length() > 0 should have items contain [not spec.requiredDropCapabilities]

  • List<KubernetesPodSecurityPolicy> where items length() > 0 should have items contain [spec.requiredDropCapabilities contain ['NET_RAW' or 'ALL']]

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0

  • CIS Kubernetes Benchmark v1.24

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.AWS.NET.44

Ensure that AWS Elastic Load Balancers (ELB) have outbound rules in their security groups

Low

Modification

  • Name

  • Ensure that AWS Elastic Load Balancers (ELB) have no outbound rules in their security groups

  • Ensure that AWS Elastic Load Balancers (ELB) have outbound rules in their security groups

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.AS.05

Ensure that S3 buckets are not publicly accessible

High

Removal

  • None

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK Framework v10

D9.AWS.AS.1001

Ensure that S3 buckets are not publicly accessible without a condition

High

Removal

  • None

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK Framework v10

January 11 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.CRY.04

Ensure S3 Bucket Policy is set to deny HTTP requests

High

Modification

  • Logic

  • S3Bucket where policy should have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false' and (Action contain ['s3:GetObject'] or Action contain ['s3:PutObject'] or Action contain ['s3:*'] or Action contain ['*'] ) ]

  • S3Bucket where policy should have policy.Statement contain-all [Effect='Deny' and Condition.Bool.aws:SecureTransport='false' and (Action contain ['s3:GetObject'] or Action contain ['s3:PutObject'] or Action contain ['s3:*'] or Action contain ['*'] ) ]

  • AWS HIPAA

  • AWS LGPD regulation

  • AWS Security Risk Management

  • AWS CloudGuard S3 Bucket Security

  • AWS NIST 800-53 Rev 5

  • AWS CIS Foundations v. 1.5.0

  • AWS MITRE ATT&CK Framework v11.3

  • AWS NIST 800-53 Rev 4

  • AWS GDPR Readiness

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS CCPA Framework

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS CIS Foundations v. 1.3.0

  • AWS HITRUST

  • AWS ITSG-33

  • AWS CIS Foundations v. 1.4.0

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.20

Ensure AWS Kinesis Streams Keys are rotated

Low

Modification

  • Logic

  • Kinesis where encrypted should have getResources('KMS') contain [ rotationStatus=true and region = ~getValue('region') and ( arn=~getValue('kmsKeyId') or aliases contain [ name = ~getValue('kmsKeyId') or arn = ~getValue('kmsKeyId') ] or ~getValue('kmsKeyId') in (arn split('/')) )]

  • Kinesis should have getResource('KMS', kmsKeyId) contain [ rotationStatus = true ]

  • AWS HIPAA

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.21

AWS Kinesis streams are encrypted with customer managed CMK

Low

Modification

  • Logic

  • Kinesis should have getResources('KMS') contain [ isCustomerManaged=true and region = ~getValue('region') and ( arn=~getValue('kmsKeyId') or aliases contain [ name = ~getValue('kmsKeyId') or arn = ~getValue('kmsKeyId') ] or ~getValue('kmsKeyId') in (arn split('/')) )]

  • Kinesis should have getResource('KMS', kmsKeyId) contain [ isCustomerManaged = true ]

  • AWS HIPAA

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard CheckUp

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.23

Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys

Low

Modification

  • Logic

  • EFS should have getResources('KMS') contain [ isCustomerManaged=true and region = ~getValue('region') and ( arn=~getValue('encryptionKeyArn') or aliases contain [ name = ~getValue('encryptionKeyArn') or arn = ~getValue('encryptionKeyArn') ] or ~getValue('encryptionKeyArn') in (arn split('/')) )]

  • EFS should have getResource('KMS', encryptionKeyArn) contain [ isCustomerManaged = true ]

  • AWS HIPAA

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS NIST 800-53 Rev 4

  • AWS PCI-DSS 3.2

  • AWS CSA CCM v.3.0.1

  • AWS ISO 27001:2013

  • AWS NIST CSF v1.1

  • AWS CloudGuard SOC2 based on AICPA TSC 2017

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS NIST 800-171

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.K8S.IAM.21

Ensure that the seccomp profile is set to docker/default in your pod definitions

High

Modification

  • Logic

  • KubernetesPod should have (annotations contain [ key='seccomp.security.alpha.kubernetes.io/pod' ]) or (spec.containers contain [ securityContext.seccompProfile.type='RuntimeDefault' ] and spec.initContainers isEmpty() or spec.initContainers contain [ securityContext.seccompProfile.type='RuntimeDefault' ])

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • OpenShift Container Platform v3

  • CIS Kubernetes Benchmark v1.24

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

D9.K8S.NET.04

Ensure that the --make-iptables-util-chains argument is set to true (Kubelet)

Medium

Modification

  • Logic

  • KubernetesNode should have (kubeletData.kubeletconfig.makeIPTablesUtilChains= 'true') or (kubeletData.kubeletconfig.makeIPTablesUtilChains isEmpty())

  • KubernetesNode should have kubeletData.kubeletconfig.makeIPTablesUtilChains= 'true'

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • OpenShift Container Platform v3

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Kubernetes Benchmark v1.24

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.K8S.IAM.30

Minimize the admission of containers with the NET_RAW capability (PSP)

High

Modification

  • Logic

  • List<KubernetesPodSecurityPolicy> should have items contain [not spec.requiredDropCapabilities]

  • List<KubernetesPodSecurityPolicy> where items length() > 0 should have items contain [not spec.requiredDropCapabilities]

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0

  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0

  • CIS Kubernetes Benchmark v1.24

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.AWS.CRY.33

Ensures that AWS RDS databases are encrypted using Customer Managed Keys

Low

Modification

  • Logic

  • RDS where isStorageEncrypted=true should have getResources('KMS') contain [ isCustomerManaged=true and region = ~getValue('region') and ( arn=~getValue('kmsKeyId') or aliases contain [ name = ~getValue('kmsKeyId') or arn = ~getValue('kmsKeyId') ] or ~getValue('kmsKeyId') in (arn split('/')) )]

  • RDS where isStorageEncrypted=true should have getResource('KMS', kmsKeyId) contain [ isCustomerManaged = true ]

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.AWS.CRY.36

Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled

Low

Modification

  • Logic

  • SageMakerNotebook should have getResources('KMS') contain [ isCustomerManaged=true and region = ~getValue('region') and ( arn=~getValue('kmsKeyId') or aliases contain [ name = ~getValue('kmsKeyId') or arn = ~getValue('kmsKeyId') ] or ~getValue('kmsKeyId') in (arn split('/')) )]

  • SageMakerNotebook should have getResource('KMS', kmsKeyId) contain [ isCustomerManaged = true ]

  • AWS NIST 800-53 Rev 5

  • AWS MITRE ATT&CK Framework v11.3

  • AWS CloudGuard Well Architected Framework

  • AWS CloudGuard Best Practices

  • AWS MAS TRM Framework

  • AWS HITRUST

  • AWS ITSG-33

  • AWS MITRE ATT&CK Framework v10

D9.K8S.IAM.81

Ensure that the --request-timeout argument is set as appropriate (API Server)

Low

New

  • CIS Kubernetes Benchmark v1.24

D9.K8S.IAM.82

Ensure that the --encryption-provider-config argument is set as appropriate (API Server)

High

New

  • CIS Kubernetes Benchmark v1.24

D9.K8S.MON.02

Ensure that the --service-account-lookup argument is set to true (API Server)

High

Modification

  • Logic

  • KubernetesPod where labels contain [value='kube-apiserver'] and namespace = 'kube-system' should have spec.containers with [(parsedArgs contain-none [key like 'service-account-lookup']) or (parsedArgs contain [key like 'service-account-lookup' and value = 'true'])]

  • KubernetesPod where labels contain [value='kube-apiserver'] and namespace = 'kube-system' should not have spec.containers with [parsedArgs contain [key like 'service-account-lookup' and value = 'true']]

  • CIS Kubernetes Benchmark v1.24

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.K8S.CRY.14

Ensure that the --auto-tls argument is not set to true (etcd)

Low

Modification

  • Logic

  • KubernetesPod where labels contain [value='etcd'] and namespace = 'kube-system' should have spec.containers with [(parsedArgs contain-none [key like 'auto-tls']) or (parsedArgs contain [key like 'auto-tls' and value = 'false'])]

  • KubernetesPod where labels contain [value='etcd'] and namespace = 'kube-system' should have spec.containers with [parsedArgs contain [key like 'auto-tls' and value = 'false']]

  • CIS Kubernetes Benchmark v1.4.0

  • Kubernetes v.1.13 CloudGuard Best Practices

  • Kubernetes NIST.SP.800-190

  • CIS Kubernetes Benchmark v1.5.1

  • CIS Kubernetes Benchmark v1.6.1

  • Kubernetes v.1.14 CloudGuard Best Practices

  • CIS Kubernetes Benchmark v1.20

  • CIS Kubernetes Benchmark v1.23

D9.AZU.AKS.03

Ensure that the pod security policy is enabled in your AKS cluster

Low

Removal

  • Azure CloudGuard Best Practices

January 04 2023

Rule ID

Rule Name

Severity

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.LOG.12

Ensure that logging for Azure KeyVault is 'Enabled'

Low

Modification

  • Logic

  • KeyVault should have diagnosticSettings contain [ logs contain [ categoryGroup='audit' and enabled=true ] ]

  • KeyVault should have diagnosticSettings contain [ logs contain [ category='AuditEvent' and enabled=true ] ]

  • Azure CloudGuard CheckUp

  • Azure CIS Foundations v. 1.4.0

  • Azure CIS Foundations v. 1.5.0

  • Azure NIST 800-53 Rev 5

  • Azure CIS Foundations v. 1.0.0

  • Azure PCI-DSS 3.2

  • Azure NIST 800-53 Rev 4

  • Azure CSA CCM v.3.0.1

  • Azure ISO 27001:2013

  • Azure NIST CSF v1.1

  • Azure CloudGuard SOC2 based on AICPA TSC 2017

  • Azure HIPAA

  • Azure CIS Foundations v. 1.1.0

  • Azure NIST 800-171

  • Azure CloudGuard Best Practices

  • Azure Security Benchmark

  • Azure CIS Foundations v. 1.2.0

  • Azure CIS Foundations v. 1.3.0

  • Azure New Zealand Information Security Manual (NZISM) v.3.4

  • Azure HITRUST v9.5.0

  • Azure ITSG-33

  • Azure CIS Foundations v. 1.3.1

D9.AZU.LOG.08

Ensure audit profile captures all the activities

Low

Modification

  • Logic

  • List<LogProfile> should have items with [ properties.categories contain [$='Write'] and properties.categories contain[$='Delete'] and properties.categories contain[$='Action'] and properties.categories length() = 3] length() > 0

  • LogProfile should have properties.categories contain [$='Write'] and properties.categories contain[$='Delete'] and properties.categories contain[$='Action'] and properties.categories length() = 3

  • Azure CloudGuard Best Practices

  • Azure HITRUST v9.5.0

  • Azure ITSG-33
