Jump to Content
Guides
API Reference
Changelog
Log In
Guides
Log In
Moon (Dark Mode)
Sun (Light Mode)
Guides
API Reference
Changelog
Managed identity should be used in your Function App
Search
Welcome
Welcome to CheckPoint CloudGuard Guides!
Overview
How to Get Started
Concepts
Platforms
Products
Secrets Scanning
Infrastructure as Code
CI/CD Hardening
Open Source
SpectralOps
Dashboard
Triage Issues
Sources
Reports
Integrations
Profile
Team & User Permissions (RBAC)
Teams and Asset Mapping
Custom Rules
SSO
Setup SSO (SAML 2.0)
Setup SSO with OKTA
Setup SSO with OneLogin
SCM
Usage
CLI
Configuration
Output
Detectors
Quick Start
Building Detectors
Logic Rules (OPA)
Codeprinting
The Detector Engine
Integrations
Productivity
Jira
Confluence
Cloud Automation
Terraform Cloud Run task
Git Provider Bot
Github Bot
Gitlab Bot
Pre receive Git hooks
Gitlab pre receive hook
Bitbucket pre receive hook
CI/CD
Gitlab Pipeline
config policies
Memcached
Memcache: default binding to world
Memcache: configured to run as root
Memcache: configured to use UDP
MySQL
MySQL allowing symbolic links invites various attacks
MySQL: usage of short password
MySQL: configured to run as root
MySQL: binding to world
Kafka
Kafka: using dated SSL/TLS protocols is insecure
Kafka: accepting unauthenticated connections is insecure
Kafka: hardcoded password in configuration is insecure
Kafka: usage of short password
PostgreSQL
Postgres: no password / trusted host configuration
Postgres: no password / trusted host configuration
Postgres: SSL/TLS is off
Postgres: default binding to world
Airflow
Airflow: Use of REST API Token
Airflow: Visible Fernet Key
Airflow: default binding to world
Redis
Redis: usage of weak password (ACL)
Redis: protected-mode no and default binding to world
Redis: protected-mode and weak ACL configuration
secrets policies
Secrets
Data files / database files found
SaaS vendor credentials should not be visible
Cloud services keys should not be visible or hardcoded
Cloud services hosts should not be visible or hardcoded
Log shipping access/API detail visible
Build or artifact systems access details visible
Visible private key or sensitive file
SaaS services hosts should not be visible or hardcoded
Visible sensitive data (PII/other)
AWS S3 Buckets: Visible endpoint
Potential keys or passwords are visible/hardcoded
App/framework keys or passwords are visible/hardcoded
Cloud services keys should not be visible or hardcoded
Sensitive File Found
aws policies
Elastic Load Balancing (ELB)
Ensure that AWS Elastic Load Balancers (ELB) have outbound rules in their security groups
Ensure that AWS Elastic Load Balancers (ELB) have inbound rules in their security groups
ELB secured listener certificate expires in one month
ELB is setup with HTTPS for secure communication
Remove Weak Ciphers for ELB
ELB - Recommended SSL/TLS protocol version
ELB secured listener certificate expires in one week
ELB is created with Access logs enabled
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known TCP port
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known UDP port
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known TCP DB port
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known UDP DB port
ELB with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
ELB with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
ELB with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
ELB with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
ELB with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
ELB with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
ELB with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
ELB with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
ELB with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
ELB with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
ELB with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
ELB with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
ELB with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
ELB with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
ELB with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
ELB with service 'POP3' (TCP:110) is exposed to a small network scope
ELB with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
ELB with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
ELB with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
ELB with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
ELB with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
ELB with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
ELB with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
ELB with service 'SNMP' (UDP:161) is exposed to a small network scope
ELB with service 'Telnet' (TCP:23) is exposed to a small network scope
ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
ELB with service 'SMTP' (TCP:25) is exposed to a small network scope
ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
ELB with service 'MySQL' (TCP:3306) is exposed to a small network scope
ELB with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
ELB with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
ELB with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
ELB with service 'DNS' (UDP:53) is exposed to a small network scope
ELB with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
ELB with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
ELB with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
ELB with service 'VNC Server' (TCP:5900) is exposed to a small network scope
ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
ELB with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
ELB with service 'Cassandra' (TCP:7001) is exposed to a small network scope
ELB with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
ELB with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
ELB with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
ELB with administrative service: SSH (TCP:22) is potentially exposed to the public internet
ELB with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
ELB with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
Public ELB with service POP3 (TCP:110) is potentially exposed to the public internet
Public ELB with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
Public ELB with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
Public ELB with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
Public ELB with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
Public ELB with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
Public ELB with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
Public ELB with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
Public ELB with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public ELB with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
Public ELB with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
Public ELB with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
Public ELB with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
Public ELB with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
Public ELB with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
Public ELB with service SNMP (UDP:161) is potentially exposed to the public internet
Public ELB with service Telnet (TCP:23) is potentially exposed to the public internet
Public ELB with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public ELB with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
Public ELB with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
Public ELB with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
Public ELB with service SMTP (TCP:25) is potentially exposed to the public internet
Public ELB with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
Public ELB with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
Public ELB with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
Public ELB with service MySQL (TCP:3306) is potentially exposed to the public internet
Public ELB with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
Public ELB with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
Public ELB with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
Public ELB with service DNS (UDP:53) is potentially exposed to the public internet
Public ELB with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
Public ELB with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
Public ELB with service VNC Listener (TCP:5500) is potentially exposed to the public internet
Public ELB with service VNC Server (TCP:5900) is potentially exposed to the public internet
Public ELB with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
Public ELB with service LDAP SSL (TCP:636) is potentially exposed to the public internet
Public ELB with service Cassandra (TCP:7001) is potentially exposed to the public internet
Public ELB with service Known internal web port (TCP:8000) is potentially exposed to the public internet
Public ELB with service Known internal web port (TCP:8080) is potentially exposed to the public internet
Public ELB with service Puppet Master (TCP:8140) is potentially exposed to the public internet
Public ELB with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
ELB with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
ELB with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
ELB with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
ELB with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
ELB with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
ELB with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
ELB with unencrypted LDAP (TCP:389) is exposed to a wide network scope
ELB with unencrypted LDAP (UDP:389) is exposed to a wide network scope
ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
ELB with unencrypted Redis (TCP:6379) is exposed to a wide network scope
ELB with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
ELB with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
ELB with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
ELB with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
ELB with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
ELB with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
ELB with administrative service: SSH (TCP:22) is exposed to a wide network scope
ELB with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
ELB with service 'POP3' (TCP:110) is exposed to a wide network scope
ELB with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
ELB with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
ELB with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
ELB with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
ELB with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
ELB with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
ELB with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
ELB with service 'SNMP' (UDP:161) is exposed to a wide network scope
ELB with service 'Telnet' (TCP:23) is exposed to a wide network scope
ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
ELB with service 'SMTP' (TCP:25) is exposed to a wide network scope
ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
ELB with service 'MySQL' (TCP:3306) is exposed to a wide network scope
ELB with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
ELB with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
ELB with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
ELB with service 'DNS' (UDP:53) is exposed to a wide network scope
ELB with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
ELB with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
ELB with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
ELB with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
ELB with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
ELB with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
ELB with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
ELB with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
ELB with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
Public ELB with service 'POP3' (TCP:110) is exposed to a small public network
Public ELB with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
Public ELB with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
Public ELB with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
Public ELB with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
Public ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
Public ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
Public ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
Public ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
Public ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
Public ELB with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
Public ELB with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
Public ELB with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
Public ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
Public ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
Public ELB with service 'SNMP' (UDP:161) is exposed to a small public network
Public ELB with service 'Telnet' (TCP:23) is exposed to a small public network
Public ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
Public ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
Public ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
Public ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
Public ELB with service 'SMTP' (TCP:25) is exposed to a small public network
Public ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
Public ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
Public ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
Public ELB with service 'MySQL' (TCP:3306) is exposed to a small public network
Public ELB with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
Public ELB with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
Public ELB with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
Public ELB with service 'DNS' (UDP:53) is exposed to a small public network
Public ELB with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
Public ELB with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
Public ELB with service 'VNC Listener' (TCP:5500) is exposed to a small public network
Public ELB with service 'VNC Server' (TCP:5900) is exposed to a small public network
Public ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
Public ELB with service 'LDAP SSL' (TCP:636) is exposed to a small public network
Public ELB with service 'Cassandra' (TCP:7001) is exposed to a small public network
Public ELB with service 'Known internal web port' (TCP:8000) is exposed to a small public network
Public ELB with service 'Known internal web port' (TCP:8080) is exposed to a small public network
Public ELB with service 'Puppet Master' (TCP:8140) is exposed to a small public network
Public ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
Public ELB with service 'POP3' (TCP:110) is exposed to the entire internet
Public ELB with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
Public ELB with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
Public ELB with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
Public ELB with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
Public ELB with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
Public ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
Public ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
Public ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
Public ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
Public ELB with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
Public ELB with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
Public ELB with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
Public ELB with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
Public ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
Public ELB with service 'SNMP' (UDP:161) is exposed to the entire internet
Public ELB with service 'Telnet' (TCP:23) is exposed to the entire internet
Public ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
Public ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
Public ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
Public ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
Public ELB with service 'SMTP' (TCP:25) is exposed to the entire internet
Public ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
Public ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
Public ELB with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
Public ELB with service 'MySQL' (TCP:3306) is exposed to the entire internet
Public ELB with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
Public ELB with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
Public ELB with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
Public ELB with service 'DNS' (UDP:53) is exposed to the entire internet
Public ELB with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
Public ELB with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
Public ELB with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
Public ELB with service 'VNC Server' (TCP:5900) is exposed to the entire internet
Public ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
Public ELB with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
Public ELB with service 'Cassandra' (TCP:7001) is exposed to the entire internet
Public ELB with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
Public ELB with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
Public ELB with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
Public ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
ELB with unencrypted Memcached (TCP:11211) is exposed to a small network scope
ELB with unencrypted Memcached (UDP:11211) is exposed to a small network scope
ELB with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
ELB with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
ELB with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
ELB with unencrypted Mongo (TCP:27017) is exposed to a small network scope
ELB with unencrypted LDAP (TCP:389) is exposed to a small network scope
ELB with unencrypted LDAP (UDP:389) is exposed to a small network scope
ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
ELB with unencrypted Redis (TCP:6379) is exposed to a small network scope
ELB with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
ELB with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
ELB with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
ELB with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
ELB with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
ELB with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
Region
Ensure AWS Config is enabled in all regions
Ensure that IAM Access analyzer is enabled for all regions
Process for Security Group Management - Detection of new Security Groups
Ensure CloudTrail is enabled in all regions
Ensure VPC Flow Logging is Enabled in all Applicable Regions
Amazon GuardDuty service is enabled
Application Load Balancer
ALB secured listener certificate expires in one week
ALB secured listener certificate about to expire in one month
Ensure AWS Application Load Balancer (ALB) listeners block connection requests over HTTP
Make sure that ALB is protected by a WAF
Enable ALB Elastic Load Balancer v2 (ELBv2) access log
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known TCP port
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known UDP port
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known TCP DB port
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known UDP DB port
Ensure Invalid Headers Are Dropped In ALB
ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope
ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small network scope
ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small network scope
ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope
ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small network scope
ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a small network scope
ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small network scope
ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small network scope
ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
ApplicationLoadBalancer with administrative service: SSH (TCP:22) is potentially exposed to the public internet
ApplicationLoadBalancer with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service POP3 (TCP:110) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service SNMP (UDP:161) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Telnet (TCP:23) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service SMTP (TCP:25) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service MySQL (TCP:3306) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service DNS (UDP:53) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service VNC Listener (TCP:5500) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service VNC Server (TCP:5900) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service LDAP SSL (TCP:636) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Cassandra (TCP:7001) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Known internal web port (TCP:8000) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Known internal web port (TCP:8080) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Puppet Master (TCP:8140) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
ApplicationLoadBalancer with administrative service: SSH (TCP:22) is exposed to a wide network scope
ApplicationLoadBalancer with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide network scope
ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
Public ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
Public ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
Public ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
Public ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
Public ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
Public ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
Public ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small public network
Public ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
Public ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
Public ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
Public ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
Public ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
Public ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small public network
Public ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
Public ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
Amazon EC2 Instance
Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
Ensure IAM instance roles are used for AWS resource access from instances
Instances are Configured under Virtual Private Cloud
Instances outside of Europe region
Instances with Direct Connect virtual interface should not have public interfaces
Use encrypted storage for instances that might host a database.
Instances outside of Brazilian region
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP port
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP port
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP DB port
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP DB port
Ensure that EC2 instance's volumes are encrypted
Ensure that EC2 instance's custom AMI is encrypted at rest
Ensure that EC2 instance's custom AMI is not publicly shared
Ensure that EC2 Metadata Service only allows IMDSv2
Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
Instance with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
Instance with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
Instance with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
Instance with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
Instance with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
Instance with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
Instance with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
Instance with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
Instance with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
Instance with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
Instance with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
Instance with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
Instance with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
Instance with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
Instance with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
Instance with service 'POP3' (TCP:110) is exposed to a small network scope
Instance with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
Instance with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
Instance with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
Instance with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
Instance with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
Instance with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
Instance with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
Instance with service 'SNMP' (UDP:161) is exposed to a small network scope
Instance with service 'Telnet' (TCP:23) is exposed to a small network scope
Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
Instance with service 'SMTP' (TCP:25) is exposed to a small network scope
Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
Instance with service 'MySQL' (TCP:3306) is exposed to a small network scope
Instance with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
Instance with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
Instance with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
Instance with service 'DNS' (UDP:53) is exposed to a small network scope
Instance with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
Instance with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
Instance with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
Instance with service 'VNC Server' (TCP:5900) is exposed to a small network scope
Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
Instance with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
Instance with service 'Cassandra' (TCP:7001) is exposed to a small network scope
Instance with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
Instance with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
Instance with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
Instance with administrative service: SSH (TCP:22) is potentially exposed to the public internet
Instance with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
Instance with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
Public Instance with service POP3 (TCP:110) is potentially exposed to the public internet
Public Instance with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
Public Instance with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
Public Instance with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
Public Instance with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
Public Instance with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
Public Instance with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
Public Instance with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
Public Instance with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public Instance with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
Public Instance with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
Public Instance with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
Public Instance with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
Public Instance with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
Public Instance with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
Public Instance with service SNMP (UDP:161) is potentially exposed to the public internet
Public Instance with service Telnet (TCP:23) is potentially exposed to the public internet
Public Instance with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public Instance with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
Public Instance with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
Public Instance with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
Public Instance with service SMTP (TCP:25) is potentially exposed to the public internet
Public Instance with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
Public Instance with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
Public Instance with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
Public Instance with service MySQL (TCP:3306) is potentially exposed to the public internet
Public Instance with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
Public Instance with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
Public Instance with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
Public Instance with service DNS (UDP:53) is potentially exposed to the public internet
Public Instance with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
Public Instance with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
Public Instance with service VNC Listener (TCP:5500) is potentially exposed to the public internet
Public Instance with service VNC Server (TCP:5900) is potentially exposed to the public internet
Public Instance with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
Public Instance with service LDAP SSL (TCP:636) is potentially exposed to the public internet
Public Instance with service Cassandra (TCP:7001) is potentially exposed to the public internet
Public Instance with service Known internal web port (TCP:8000) is potentially exposed to the public internet
Public Instance with service Known internal web port (TCP:8080) is potentially exposed to the public internet
Public Instance with service Puppet Master (TCP:8140) is potentially exposed to the public internet
Public Instance with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
Instance with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
Instance with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
Instance with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
Instance with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
Instance with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
Instance with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
Instance with unencrypted LDAP (TCP:389) is exposed to a wide network scope
Instance with unencrypted LDAP (UDP:389) is exposed to a wide network scope
Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
Instance with unencrypted Redis (TCP:6379) is exposed to a wide network scope
Instance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
Instance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
Instance with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
Instance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
Instance with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
Instance with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
Instance with administrative service: SSH (TCP:22) is exposed to a wide network scope
Instance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
Instance with service 'POP3' (TCP:110) is exposed to a wide network scope
Instance with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
Instance with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
Instance with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
Instance with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
Instance with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
Instance with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
Instance with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
Instance with service 'SNMP' (UDP:161) is exposed to a wide network scope
Instance with service 'Telnet' (TCP:23) is exposed to a wide network scope
Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
Instance with service 'SMTP' (TCP:25) is exposed to a wide network scope
Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
Instance with service 'MySQL' (TCP:3306) is exposed to a wide network scope
Instance with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
Instance with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
Instance with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
Instance with service 'DNS' (UDP:53) is exposed to a wide network scope
Instance with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
Instance with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
Instance with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
Instance with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
Instance with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
Instance with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
Instance with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
Instance with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
Instance with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
Public Instance with service 'POP3' (TCP:110) is exposed to a small public network
Public Instance with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
Public Instance with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
Public Instance with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
Public Instance with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
Public Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
Public Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
Public Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
Public Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
Public Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
Public Instance with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
Public Instance with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
Public Instance with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
Public Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
Public Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
Public Instance with service 'SNMP' (UDP:161) is exposed to a small public network
Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
Public Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
Public Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
Public Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
Public Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
Public Instance with service 'SMTP' (TCP:25) is exposed to a small public network
Public Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
Public Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
Public Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
Public Instance with service 'MySQL' (TCP:3306) is exposed to a small public network
Public Instance with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
Public Instance with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
Public Instance with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
Public Instance with service 'DNS' (UDP:53) is exposed to a small public network
Public Instance with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
Public Instance with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
Public Instance with service 'VNC Listener' (TCP:5500) is exposed to a small public network
Public Instance with service 'VNC Server' (TCP:5900) is exposed to a small public network
Public Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
Public Instance with service 'LDAP SSL' (TCP:636) is exposed to a small public network
Public Instance with service 'Cassandra' (TCP:7001) is exposed to a small public network
Public Instance with service 'Known internal web port' (TCP:8000) is exposed to a small public network
Public Instance with service 'Known internal web port' (TCP:8080) is exposed to a small public network
Public Instance with service 'Puppet Master' (TCP:8140) is exposed to a small public network
Public Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
Public Instance with service 'POP3' (TCP:110) is exposed to the entire internet
Public Instance with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
Public Instance with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
Public Instance with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
Public Instance with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
Public Instance with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
Public Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
Public Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
Public Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
Public Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
Public Instance with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
Public Instance with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
Public Instance with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
Public Instance with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
Public Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
Public Instance with service 'SNMP' (UDP:161) is exposed to the entire internet
Public Instance with service 'Telnet' (TCP:23) is exposed to the entire internet
Public Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
Public Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
Public Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
Public Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
Public Instance with service 'SMTP' (TCP:25) is exposed to the entire internet
Public Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
Public Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
Public Instance with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
Public Instance with service 'MySQL' (TCP:3306) is exposed to the entire internet
Public Instance with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
Public Instance with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
Public Instance with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
Public Instance with service 'DNS' (UDP:53) is exposed to the entire internet
Public Instance with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
Public Instance with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
Public Instance with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
Public Instance with service 'VNC Server' (TCP:5900) is exposed to the entire internet
Public Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
Public Instance with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
Public Instance with service 'Cassandra' (TCP:7001) is exposed to the entire internet
Public Instance with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
Public Instance with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
Public Instance with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
Public Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
Instance with unencrypted Memcached (TCP:11211) is exposed to a small network scope
Instance with unencrypted Memcached (UDP:11211) is exposed to a small network scope
Instance with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
Instance with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
Instance with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
Instance with unencrypted Mongo (TCP:27017) is exposed to a small network scope
Instance with unencrypted LDAP (TCP:389) is exposed to a small network scope
Instance with unencrypted LDAP (UDP:389) is exposed to a small network scope
Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
Instance with unencrypted Redis (TCP:6379) is exposed to a small network scope
Instance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
Instance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
Instance with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
Instance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
Instance with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
Instance with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
EC2 Instance - there shouldn't be any High level findings in Inspector Scans
Instances without Inspector runs in the last 30 days
Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs
Ensure IMDS Response Hop Limit is Set to One
Simple Storage Service (S3)
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure that Static website hosting is disabled on your S3 bucket
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible without a condition
Ensure that S3 bucket ACLs don't allow 'READ' access for anonymous / AWS authenticated users
S3 bucket CloudTrail logs ACL should not allow public access
Ensure that your AWS CloudTrail logging bucket has MFA delete enabled
S3 bucket should have server access logging enabled
Ensure that S3 Buckets are encrypted with CMK
Ensure S3 Bucket Policy is set to deny HTTP requests
Ensure that S3 Bucket policy doesn't allow actions from all principals without a condition
Ensure MFA Delete is enabled on S3 buckets
Ensure that S3 bucket ACLs don't allow 'WRITE' access for anonymous / AWS authenticated users
S3 bucket should have versioning enabled
Ensure that Object-level logging for write events is enabled for S3 bucket
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure that S3 bucket ACLs don't allow 'READ_ACP' access for anonymous / AWS authenticated users
Ensure that S3 Bucket policy doesn't allow actions from all principals (Condition exists)
S3 Buckets outside of Europe
Ensure all data in Amazon S3 has been discovered, classified and secured when required.
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure that S3 bucket ACLs don't allow 'WRITE_ACP' access for anonymous / AWS authenticated users
S3 Buckets outside of Brazil
Ensure that S3 Bucket is encrypted at rest
Ensure that S3 bucket ACLs don't allow 'FULL_CONTROL' access for anonymous / AWS authenticated users
Ensure that S3 Bucket policy doesn't have excessive permissions (Allowing all actions)
Ensure Enabling Versioning For S3 Bucket
Ensure that S3 buckets are not publicly accessible
Ensure that S3 buckets are not publicly accessible without a condition
S3 bucket should not be world-listable from anonymous users
S3 bucket should not be world-writable from anonymous users
S3 bucket should not have writable permissions from anonymous users
S3 bucket should not have world-readable permissions from anonymous users
S3 bucket should not allow delete actions from all principals without a condition
S3 bucket should not allow get actions from all principals without a condition
S3 bucket should not allow list actions from all principals without a condition
S3 bucket should not allow put or restore actions from all principals without a condition
S3 buckets should not grant any external privileges via ACL
S3 bucket should not allow delete actions from all principals
S3 bucket should not allow get actions from all principals with a condition
S3 bucket should not allow list actions from all principals
S3 bucket should not allow put or restore actions from all principals
Ensure S3 buckets are not publicly accessible without a condition
Ensure that AWS S3 Bucket block public ACLs is enabled at the account level or at the Bucket level
Ensure S3 buckets are not publicly accessible
Network Load Balancer
Ensure to update the Security Policy of the Network Load Balancer
NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope
NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small network scope
NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small network scope
NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope
NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small network scope
NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a small network scope
NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small network scope
NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small network scope
NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
NetworkLoadBalancer with administrative service: SSH (TCP:22) is potentially exposed to the public internet
NetworkLoadBalancer with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
Public NetworkLoadBalancer with service POP3 (TCP:110) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
Public NetworkLoadBalancer with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
Public NetworkLoadBalancer with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
Public NetworkLoadBalancer with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
Public NetworkLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public NetworkLoadBalancer with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
Public NetworkLoadBalancer with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
Public NetworkLoadBalancer with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
Public NetworkLoadBalancer with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
Public NetworkLoadBalancer with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
Public NetworkLoadBalancer with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
Public NetworkLoadBalancer with service SNMP (UDP:161) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Telnet (TCP:23) is potentially exposed to the public internet
Public NetworkLoadBalancer with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public NetworkLoadBalancer with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
Public NetworkLoadBalancer with service SMTP (TCP:25) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
Public NetworkLoadBalancer with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
Public NetworkLoadBalancer with service MySQL (TCP:3306) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
Public NetworkLoadBalancer with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
Public NetworkLoadBalancer with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
Public NetworkLoadBalancer with service DNS (UDP:53) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
Public NetworkLoadBalancer with service VNC Listener (TCP:5500) is potentially exposed to the public internet
Public NetworkLoadBalancer with service VNC Server (TCP:5900) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
Public NetworkLoadBalancer with service LDAP SSL (TCP:636) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Cassandra (TCP:7001) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Known internal web port (TCP:8000) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Known internal web port (TCP:8080) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Puppet Master (TCP:8140) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
NetworkLoadBalancer with administrative service: SSH (TCP:22) is exposed to a wide network scope
NetworkLoadBalancer with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope
NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a wide network scope
NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide network scope
NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope
NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a wide network scope
NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide network scope
NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network
Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
Public NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
Public NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
Public NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
Public NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
Public NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
Public NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
Public NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
Public NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
Public NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
Public NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
Public NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small public network
Public NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small public network
Public NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
Public NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
Public NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
Public NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network
Public NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
Public NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
Public NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
Public NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small public network
Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
Public NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a small public network
Public NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
Public NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
Public NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small public network
Public NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small public network
Public NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
Public NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small public network
Public NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small public network
Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small public network
Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small public network
Public NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small public network
Public NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
Public NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
Public NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
Public NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
Public NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
Public NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
Public NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
Public NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
Public NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
Public NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
Public NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
Public NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to the entire internet
Public NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
Public NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
Public NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
Public NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
Public NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
Public NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
Public NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
Public NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a small network scope
NetworkLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a small network scope
NetworkLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
IAM User
Ensure IAM users have either access key or console password enabled
Ensure inactive user for 30 days or greater are disabled
Ensure inactive user for 90 days or greater are disabled
Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account
Ensure IAM Users Receive Permissions Only Through Groups
IamUser with Admin or wide permissions without MFA enabled
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure 'root' account does not have an active X.509 signing certificate
Ensure whether IAM users are members of at least one IAM group
Ensure there is only one active access key available for any single IAM user
Ensure credentials unused for 45 days or greater are disabled (Second access key)
Use managed policies instead of inline IAM Policies
Ensure credentials unused for 45 days or greater are disabled (Console password)
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Ensure second access key is rotated every 30 days or less
Ensure credentials unused for 45 days or greater are disabled (First access key)
Ensure first access key is rotated every 30 days or less
Ensure second access key is rotated every 45 days or less
Ensure no 'root' user account access key exists
Ensure inactive IAM access keys are deleted
Ensure IAM User do not have administrator privileges
Ensure access keys are rotated every 90 days or less (Second access key)
Ensure first access key is rotated every 45 days or less
Ensure access keys are rotated every 90 days or less (First access key)
Eliminate use of the 'root' user for administrative and daily tasks
Ensure IAM user password is rotated every 90 days or less
Ensure hardware MFA is enabled for the 'root' user account
Ensure IAM users have either access key or console password enabled
Ensure IAM users have either access key or console password enabled
Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days)
Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days)
IAM Role
Ensure that Role names cannot be enumerable
Ensure that IAM Role doesn't have excessive permissions (Allowing all actions)
Ensure EKS Node Group IAM role do not have administrator privileges
Unused IAM role more than 90 days
Ensure cross-account IAM Role uses MFA or external ID as a condition
Ensure that custom IAM Role doesn't have an overly permissive scope (Contains a wildcard)
Ensure that Trusted Policy Roles which can be assumed by external entities include a Condition String
Amazon Elastic File System (EFS)
Amazon EFS must have an associated tag
Ensure that encryption is enabled for EFS file systems
Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys
AWS Security Group
Restrict outbound traffic to that which is necessary, and specifically deny all other traffic
Ensure that Security Groups are not open to all
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
Ensure the default security group of every VPC restricts all traffic
Remove Unused Security Groups
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
Remove Unused Security Groups that are open to all
Security Groups must be defined under a Virtual Private Cloud
Process for Security Group Management - Managing security groups
Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols
Default Security Groups - with network policies
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure no security groups allow ingress from ::/0 to remote server administration ports
AWS Identity and Access Management (IAM)
Password Policy must require at least one number
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM password policy require at least one lowercase letter
Ensure IAM password policy expires passwords within 90 days or less
Ensure security contact information is registered
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy prevents password reuse
Ensure IAM password policy require at least one symbol
Credentials report was generated in the last 24 hours
Enforce Password Policy
Credentials report was generated in the last 24 hours
Enforce Password Policy
Ensure IAM password policy prevents password reuse
Ensure IAM password policy require at least one lowercase letter
Ensure IAM password policy require at least one symbol
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM Users Receive Permissions Only Through Groups
Ensure IAM policies are attached only to groups or roles
Password Policy must require at least one number
Ensure IAM password policy expires passwords within 90 days or less
Ensure IAM policies that allow full *:* administrative privileges are not attached
Ensure AWS Config is enabled in all regions
Amazon RDS
RDS should not have Public Interface
Ensures that AWS RDS databases are encrypted using Customer Managed Keys
Ensure that public access is not given to RDS Instance
Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
Ensure that encryption-at-rest is enabled for RDS Instances
Ensure AWS RDS instances have Multi-Availability Zone enabled
Ensure AWS RDS retention policy is at least 7 days
RDS Databases with Direct Connect virtual interface should not have public interfaces
Ensure AWS RDS instances have Automatic Backup set up
RDS should not have been open to a large scope
Ensure that RDS database instance enforces SSL/TLS for all connections
Ensure that RDS database instance doesn't use its default endpoint port
Ensure that encryption is enabled for AWS RDSDBCluster Storage
Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled
Ensure that Deletion Protection feature is enabled for your Aurora database clusters (provisioned and serverless)
Verify that there are no Amazon RDS database instances currently operational within the public subnets of our AWS Virtual Private Cloud (VPC).
Ensure Aurora PostgreSQL is not exposed to local file read vulnerability
CloudTrail
Ensure CloudTrail configuration changes are monitored
Ensure a log metric filter and alarm exist for SSM actions
Ensure a log metric filter and alarm exists for AWS MFA Deletion for IAM users
Ensure AWS Config configuration changes are monitored
Ensure security group changes are monitored
Ensure a log metric filter and alarm exist for usage of 'root' account
Ensure appropriate subscribers to each SNS topic
Ensure VPC changes are monitored
Ensure changes to network gateways are monitored
Ensure disabling or scheduled deletion of customer created CMKs is monitored
Ensure Network Access Control Lists (NACL) changes are monitored
Ensure a log metric filter and alarm exist for IAM login profile changes
Ensure AWS Organizations changes are monitored
Ensure CloudTrail log file validation is enabled
Ensure AWS Management Console authentication failures are monitored
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure S3 bucket policy changes are monitored
Ensure unauthorized API calls are monitored
Ensure multi-regions trail exists for each AWS CloudTrail
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure management console sign-in without MFA is monitored
Ensure IAM policy changes are monitored
Ensure route table changes are monitored
Ensure a log metric filter and alarm exist for STS 'AssumeRole' action
Ensure that Object-level logging for read events is enabled for S3 bucket
Ensure a log metric filter and alarm exist for EC2 instance changes
Ensure a log metric filter and alarm exist for EC2 Large instance changes
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure multi-regions trail exists for each AWS CloudTrail
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure CloudTrail logs have KmsKeyId defined
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure CloudTrail Logging is Enabled
AWS Nat Gateway
Ensure that NAT gateway is not associated in a private subnet
Ensure NAT gateway state is available
Ensure NAT gateway has a name tag
Ensure NAT gateway has a name tag
Amazon ElastiCache
Ensure that ElastiCache for Redis version is compliant with AWS PCI DSS requirements
Ensure ElastiCache for Memcached is not used in AWS PCI DSS environments
Ensure AWS ElastiCache Redis clusters have in-transit encryption enabled
Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled
Ensure Amazon ElastiCache Redis clusters have the Multi-AZ feature enabled
Ensure that the latest version of Redis is used for your AWS ElastiCache clusters
Ensure that the latest version of Memcached is used for your AWS ElastiCache clusters
AWS Network-Firewall
Ensure Network firewall alerts logging is enabled
Ensure Network firewall resides in a dedicated subnet
Ensure Network firewall have subnet change protection enabled
Ensure Network firewall status is not FAILED
Ensure Network firewall flow logging is enabled
Ensure Network firewall have policy change protection enabled
Ensure Network firewall delete protection enabled
Ensure Network firewall delete protection enabled
Ensure Network firewall have subnet change protection enabled
Ensure Network firewall have policy change protection enabled
Ensure Network firewall resides in a dedicated subnet
IAM Policy
Ensure AWS IAM policies do not grant 'assume role' permission across all services
Ensure IAM user, group, or role should have IAM access key permissions restricted
Ensure AWS IAM policies allow only the required privileges for each role
Ensure IAM user, group, or role do not have access to create or update login profiles (passwords) for IAM users
Ensure AWS IAM managed policies do not have 'getObject' or full S3 action permissions
Ensure IAM Policy do not have Effect: 'Allow' with 'NotAction' Element
Ensure IAM policies that allow full '*:*' administrative privileges are not attached
Ensure policy attached to IAM identities requires SSL/TLS to manage IAM access keys
Ensure a support role has been created to manage incidents with AWS Support
Ensure undedicated AWS IAM managed policies do not have full action permissions
Ensure all IAM policies are in use
Ensure IAM user, group, or role should have MFA permissions restricted
Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version
Amazon Elastic Container Service
Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols
ECS Service with Admin Roles
Ensure there are no inline policies attached to the ECS service
Ensure that at least one Load Balancer is attached to the service
Ensure that ECS Service role doesn't have excessive permissions (Contains a wildcard)
Ensure that ECS Service managed role doesn't have an overly permissive scope (Contains a wildcard)
IAM Server Certificate
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
SSL/TLS certificates expire in 45 days
SSL/TLS certificates expire in one week
SSL/TLS certificates expire in one month
Ensure IAM server certificate was not uploaded before the Heartbleed security bug fix
AWS Lambda
Ensure AWS Lambda function is configured inside a VPC
Ensure that Lambda Function execution role policy doesn't have excessive permissions (Contains a wildcard)
Ensure no Lambda allows ingress from 0.0.0.0/0 to remote server administration ports
Ensure AWS Lambda functions have tracing enabled
Lambda Functions must have an associated tag
Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role
Ensure that Lambda Function execution role policy doesn't have an overly permissive scope (Contains a wildcard)
Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses Customer Master Keys (CMK)
Ensure that Lambda Function resource-based policy doesn't have excessive permissions (Contains a wildcard)
Ensure that Lambda Function is not publicly exposed via resource policy without a condition
Ensure that Lambda Function URL is secured with IAM authentication
Ensure Lambda functions are not using deprecated runtimes
Ensure that Amazon Lambda functions are referencing active execution roles
Ensure that your Amazon Lambda functions have access to VPC-only resources.
Amazon API Gateway
Ensure that the API Endpoint type in API Gateway is set to Private and is not exposed to the public internet
Ensure that all requestValidatorId in API Gateway are not null
Ensure that all authorization Type in API Gateway are not set to None
Ensure that an API Key is required on a Method Request
Ensure API gateway policy limits public access
Ensure API gateway has WAF
Ensure API Gateway endpoints has client certificate authentication
AWS Certificate Manager
Ensure invalid or failed certificates are removed from ACM
Ensure that all the expired SSL/TLS certificates are removed from ACM
Ensure ACM certificate was not issued before the Heartbleed security bug fix
ACM has a PENDING_VALIDATION Certificate
Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate
Ensure ACM only has certificates with single domain names, and none with wildcard domain names
ACM has soon to be expired certificates
Ensure the AWS Certificate Manager (ACM) has no unused certificates
Amazon VPC Endpoints
Ensure VPC Endpoint has a name tag
Ensure that VPC Endpoint policy does not provide excessive permissions
Ensure that the VPC Endpoint status is Available state
Ensure that VPC Endpoint policy won't allow all actions
Ensure VPC Endpoint has a name tag
EKS Cluster
EksCluster should not have more than one security group
EksCluster should not be publicly accessed
Ensure that AWS EKS Cluster control plane logging is enabled
Ensure security groups associated with EKS cluster do not have inbound rules with a scope of 0.0.0.0/0
Ensure EKS cluster version is up-to-date
Amazon Secrets Manager
Ensure that AWS Secret Manager Secret rotation is enabled
Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days
Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs
Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days
Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs
Amazon Kinesis
AWS Kinesis streams are encrypted with customer managed CMK
AWS Kinesis data streams have server side encryption (SSE) enabled
Ensure AWS Kinesis Streams Keys are rotated
Amazon ElasticSearch service
Ensure OpenSearch should have IAM permissions restricted
Enforce creation of ElasticSearch domains within your VPCs
Ensure that encryption of data at rest is enabled on Elasticsearch domains
Ensure that node-to-node encryption is enabled for Elasticsearch service
Amazon SageMaker
Ensure that SageMaker is placed in VPC
Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled
Ensure SageMaker Notebook Instance Data Encryption is enabled
Ensure that SageMaker Notebook does not have direct internet access
Amazon DynamoDB
Ensure that AWS DynamoDB is encrypted using customer-managed CMK
Ensure Amazon DynamoDB tables have continuous backups enabled
DynamoDB Accelerator (DAX) clusters should be encrypted at rest
Identify and remove any unused AWS DynamoDB tables to optimize AWS costs
AWS Transit Gateway
Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway
Ensure to define VPC associations and propagations yourself to keep track of all routes and connections to and from your Transit gateway
Ensure Transit gateway have a name tag
Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway
Ensure to define VPC associations and propagations yourself to keep track of all routes and connections to and from your Transit gateway
Ensure Transit gateway have a name tag
Subnet
Ensure AWS VPC subnets have automatic public IP assignment disabled
Amazon Elastic Block Storage (EBS)
Ensure EBS Volume Encryption is Enabled in all Regions
Ensure AWS EBS Volumes are attached to instances
Attached EBS volumes should be encrypted at-rest
IAM Group
Ensure IAM groups have at least one IAM User attached
Ensure that IamGroup does not have Inline policies
Ensure IAM group do not have administrator privileges
Amazon CloudFront
Ensure AWS CloudFront web distributions use custom (and not default) SSL certificates
Use encrypted connection between CloudFront and origin server
Ensure that the Viewer Protocol policy is compliant to only use the HTTPS protocol
Ensure AWS CloudFront web distribution with geo restriction is enabled
Determine if CloudFront CDN is in use
Ensure AWS CloudFront distribution with access logging is enabled
AWS Cloud Front - WAF Integration
Use secure ciphers in CloudFront distribution
CloudFront distributions should require encryption in transit
CloudFront distributions should encrypt traffic to custom origins
Ensure CloudFront origins don't use insecure SSL protocols
Simple Queue Service (SQS)
Ensure there is a Dead Letter Queue configured for each Amazon SQS queue
Ensure that SQS policy won't allow all actions from all principals
Ensure that AWS SQS is encrypted using Customer Managed keys instead of AWS-owned CMKs
Ensure that SQS policy won't allow all actions from all principals without a condition
Ensure SQS Dead-letter queue is not configured to send messages to the source queue
Ensure Amazon SQS queues enforce Server-Side Encryption (SSE)
Ensure Amazon SQS queues enforce Server-Side Encryption (SSE)
Ensure that AWS SQS is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's
Ensure that SQS policy won't allow all actions from all principals
Ensure there is a Dead Letter Queue configured for each Amazon SQS queue
EC2 Auto Scaling Group
Ensure Auto Scaling group have scaling cooldown configured
Ensure Auto Scaling group being used with multiple Availability zones
Ensure Auto Scaling group does not have suspended processes
Ensure Auto Scaling group being used with multiple Availability zones
Ensure Auto Scaling group does not have suspended processes
Ensure Auto Scaling group have scaling cooldown configured
Amazon Systems Manager document
Amazon System Manager Document should not be publicly available
Ensure that public System Manager Documents include parameters
SNS Topic
Ensure SNS Topics aren't publicly accessible
Ensure SNS topic have active subscriptions
Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE)
Ensure SNS Topics administrative actions aren't publicly executable without a condition
Ensure that AWS SNS topic is encrypted using Customer Managed Keys instead of AWS-owned CMKs
Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE)
Ensure that AWS SNS topic is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's
Ensure SNS Topics aren't publicly accessible
Ensure SNS Topics administrative actions aren’t publicly executable
AWS Config
Ensure that the configuration recorder is set to 'on' and set S3 Bucket and SNS topic as your delivery channel
Amazon ECS Task Definitions
Enable container's health checks
Container metadata
IAM SAML Identity Provider
Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
Route53RecordSetGroup
Ensure S3 Bucket exists for A records routing traffic to an S3 Bucket website endpoint
Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint
Amazon Route 53
Expired Route 53 Domain Names
AWS Route 53 Domain Name Renewal (30 days before expiration)
AWS Route 53 Domain Name Renewal (7 days before expiration)
Enable AWS Route 53 Domain Transfer Lock
Enable AWS Route 53 Domain Auto Renew
Amazon VPC
Ensure VPC flow logging is enabled in all VPCs
Ensure the number of private gateways is within the AWS limit for each region
Identify unused AWS VPCs
Ensure VPC flow logging is enabled in all VPCs
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
Ensure the default security group of every VPC restricts all traffic
Ensure routing tables for security groups peering are \"least access\"
Amazon Elastic Container Service - Cluster
Prefer using IAM roles for tasks rather than using IAM roles for an instance
Ensure that at least one instance is registered with an ECS Cluster
ECS Cluster At-Rest Encryption
ECS Cluster should not have running container instances with unconnected agents
Route53 Hosted Zone
Use Route53 for scalable, secure DNS service in AWS.
AWS Key Management Service (KMS)
Ensure only usable Customer Managed Keys are in the AWS KMS
Ensure rotation for customer created symmetric CMKs is enabled
Ensure rotation for customer created CMKs is enabled
Ensure rotation for customer created CMKs is enabled
Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion
Amazon Redshift
Ensure AWS Redshift clusters are not publicly accessible
Use KMS CMK customer-managed keys for Redshift clusters
Ensure AWS Redshift instances are encrypted
Connections to Amazon Redshift clusters should be encrypted in transit
Amazon Systems Manager Parameter
Ensure that sensitive parameters are encrypted
Amazon Machine Image (AMI)
Ensure that EC2 AMIs are not publicly accessible
EMR Cluster
Ensure in-transit and at-rest encryption is enabled for Amazon EMR clusters
Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3
Ensure EMR clusters nodes should not have public IP
Amazon NACL
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Route Table
Ensure AWS NAT Gateways are being utilized instead of the default route
AWS EcrRepository
Ensure that ECR image tags are immutable.
Ensure that ECR image scan on push is enabled.
Ensure that ECR repositories are encrypted.
Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone.
Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone, even with a condition.
Ensure that the Cross-Region Replication feature is enabled for your Amazon ECR container images.
Ensure that Amazon ECR image repositories are using lifecycle policies.
kubernetes policies
Pods
Apply Security Context to Your Pods and Containers
Ensure that the seccomp profile is set to docker/default in your pod definitions
Ensure that an application uses secrets are as files over secrets as environment variables
Ensure that the default namespace is not used
Ensure SecurityContext Field Is Set
CPU & Memory Limits Should be Set
CPU & Memory Requests Should be Set
Image Tag should not be 'latest'
Image Tag should not be blank
Use Read-Only Filesystem
Do not admit containers with docker socket bind mount
Do not admit root containers
Do not admit containers with SYS_ADMIN capability
Do not generally permit containers with allowPrivilegeEscalation
Run as a high-UID user
Do not generally permit privileged containers
Pod containers should not share the host process ID namespace
Pod should not use the node network namespace
Host device path mounts should not be used
Pod containers should not share the host IPC namespace
Do not override DNS settings in Pod
SELinux options should not be configured on containers
CVE-2022-0811: Prevent pods from having securityContext with sysctls that contains + or =
Ensure that the --token-auth-file parameter is not set (API Server)
Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server)
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server)
Ensure that the --client-ca-file argument is set as appropriate (API Server)
Ensure that the --etcd-cafile argument is set as appropriate (API Server)
Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager)
Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager)
Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd)
Ensure that the --client-cert-auth argument is set to true (etcd)
Ensure that the --auto-tls argument is not set to true (etcd)
Ensure that the --experimental-encryption-provider-config argument is set as appropriate (API Server)
Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) (Openshift)
Ensure that the --client-cert-auth argument is set to true (etcd) (Openshift)
Ensure that the --auto-tls argument is not set to true (etcd) (Openshift)
Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) (Openshift)
Ensure that the --peer-client-cert-auth argument is set to true (etcd) (Openshift)
Ensure that the --peer-auto-tls argument is not set to true (etcd) (Openshift)
Ensure that a unique Certificate Authority is used for etcd (etcd) (Openshift)
Ensure that the admission control plugin AlwaysAdmit is not set (API Server)
Ensure that the --basic-auth-file argument is not set (API Server)
Ensure that the --profiling argument is set to false (API Server)
Ensure that the --kubelet-certificate-authority argument is set as appropriate (API Server)
Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (API Server)
Ensure that the admission control plugin PodSecurityPolicy is set (API Server)
Ensure that the --authorization-mode argument includes RBAC (API Server)
Ensure that the --profiling argument is set to false (Scheduler)
Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Controller Manager)
Ensure that the --profiling argument is set to false (Controller Manager)
Ensure that the --use-service-account-credentials argument is set to true (Controller Manager)
Ensure that the --root-ca-file argument is set as appropriate (Controller Manager)
Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd)
Ensure that the --peer-client-cert-auth argument is set to true (etcd)
Ensure that the --peer-auto-tls argument is not set to true (etcd)
Ensure that Containers are not running in privileged mode
Do not admit root containers
Ensure containers are secured with AppArmor profile
Ensure that the --anonymous-auth argument is set to false (API Server)
Ensure that Containers are not running with dangerous capabilities
Ensure that Containers are not running with insecure capabilities
Ensure that the --authorization-mode argument includes Node (API Server)
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (API Server)
Ensure that the --DenyServiceExternalIPs is not set
Ensure that the --kubelet-https argument is set to true
Minimize the admission of HostPath volumes
Minimize the admission of containers which use HostPorts
Ensure that the --request-timeout argument is set as appropriate (API Server)
Ensure that the --encryption-provider-config argument is set as appropriate (API Server)
Ensure that a minimal audit policy is created (API Server)
Ensure that encryption providers are appropriately configured (API Server)
Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server)
Ensure that a unique Certificate Authority is used for etcd
Ensure that the --audit-log-path argument is set as appropriate (API Server)
Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (API Server)
Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (API Server)
Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (API Server)
Ensure that the AdvancedAuditing argument is not set to false (API Server)
Ensure that the --service-account-lookup argument is set to true (API Server)
Ensure that the admission control plugin ServiceAccount is set (API Server)
Ensure that the --insecure-allow-any-token argument is not set (API Server)
Ensure that the --insecure-bind-address argument is not set (API Server)
Ensure that the --insecure-port argument is set to 0 (API Server)
Ensure that the --secure-port argument is not set to 0 (API Server)
Ensure that the --repair-malformed-updates argument is set to false (API Server)
Ensure that the admission control plugin AlwaysPullImages is set (API Server)
Ensure that the admission control plugin NamespaceLifecycle is set (API Server)
Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server)
Ensure that the --authorization-mode argument is set to Node (API Server)
Ensure that the admission control plugin NodeRestriction is set (API Server)
Ensure that the admission control plugin EventRateLimit is set (API Server)
Ensure that the --address argument is set to 127.0.0.1 (Scheduler)
Ensure that the --address argument is set to 127.0.0.1 (Controller Manager)
Ensure that the admission control plugin DenyEscalatingExec is set (API Server)
Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager)
Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler)
Ensure pods outside of kube-system do not have access to node volume
Ensure that the --service-account-key-file argument is set as appropriate (API Server)
Kubernetes Role
Minimize access to secrets (RBAC)
Minimize wildcard use in Roles and ClusterRoles (RBAC)
Profiling (metric) is protected by RBAC (RBAC) (Openshift)
Profiling (pprof) is protected by RBAC (RBAC) (Openshift)
Ensure that the healthz endpoints for the scheduler are protected by RBAC (RBAC) (Openshift)
Node
Ensure that the --anonymous-auth argument is set to false (Kubelet)
Ensure that the --make-iptables-util-chains argument is set to true (Kubelet)
Ensure that the --authorization-mode argument is not set to AlwaysAllow (Kubelet)
Ensure that the --hostname-override argument is not set (Kubelet) (Openshift)
Ensure that the --protect-kernel-defaults argument is set to true (Kubelet)
Ensure that the --client-ca-file argument is set as appropriate (Kubelet)
Ensure that the --event-qps argument is set to 0 (Kubelet)
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)
Ensure that the --read-only-port argument is set to 0 (Kubelet)
Ensure that the --rotate-certificates argument is not set to false (Kubelet)
Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Kubelet)
Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet)
Ensure that the --rotate-certificates argument is not set to false (Kubelet) (Openshift)
Verify that the RotateKubeletServerCertificate argument is set to true (Kubelet) (Openshift)
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Kubelet) (Openshift)
Ensure that the --rotate-certificates argument is not present or is set to true (Kubelet)
Ensure that the --hostname-override argument is not set (Kubelet)
Ensure that the --cadvisor-port argument is set to 0 (Kubelet)
Ensure that garbage collection is configured as appropriate (Kubelet) (Openshift)
Kubernetes Role Binding
Ensure that the cluster-admin role is only used where required (RBAC)
Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (RBAC)
Ensure that default service accounts are not actively used. (RBAC)
Minimize access to create pods (RBAC)
Ensure that the cluster-admin role is not being used
Ensure that anonymous requests are authorized (RBAC)(Openshift)
Ensure that the cluster-admin role is only used where required (RBAC - ClusterRoleBinding)
Ensure that default service accounts are not actively used (RBAC - ClusterRoleBinding)
Limit binding of Anonymous User
Network Policies
Ensure that the CNI in use supports Network Policies
Ensure Traffic Between Client and Load Balancer Use HTTPS Protocol Only
Restrict Traffic Among Pods with a Network Policy
Kubernetes Service Account
Ensure that Service Account Tokens are only mounted where necessary (RBAC)
Ensure that default service accounts are not actively used (RBAC - ServiceAccount)
Pod Security Policies
Minimize the admission of containers wishing to share the host IPC namespace (PSP)
Minimize the admission of privileged containers (PSP)
Minimize the admission of containers wishing to share the host network namespace (PSP)
Minimize the admission of containers with allowPrivilegeEscalation (PSP)
Minimize the admission of containers with added capabilities (PSP)
Minimize the admission of containers wishing to share the host process ID namespace (PSP)
Minimize the admission of root containers (PSP)
Ensure Object Have An Valid Email Address Annotation
Ensure Object Have An Owner Label
Ensure Sysctls Not Use Kernel Subsystems In A Kubernetes Cluster
Minimize the admission of containers with the NET_RAW capability (PSP)
Minimize the admission of containers to RootFilesystem (PSP)
Minimize the admission of FSGroup applied to some volumes (PSP)
Minimize the admission of primary group ID the containers are run with (PSP)
Minimize the admission of SupplementalGroups in containers (PSP)
Service
CVE-2020-8554: Services should not use 'externalIPs'
Services should not expose SSH port
google policies
Virtual Machine Instances
Ensure GCP VM Instances have Labels
Public VMInstance with service VNC Server(TCP:5900) is exposed to a wide public network
VMInstance with service MSSQL Debugger(TCP:135) is exposed to a wide network scope
Ensure oslogin is enabled for a Virtual Machine
Public VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a wide public network
Public VMInstance with service Postgres SQL(TCP:5432) is exposed to a small public network
Ensure VM Instance should not have public IP
VMInstance with service CIFS / SMB(TCP:3020) is exposed to a wide network scope
VMInstance with service VNC Listener(TCP:5500) is exposed to a small network scope
VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to a large network
VMInstance with unencrypted LDAP (TCP:389) is exposed to the public internet
VMInstance with service DNS(UDP:53) is exposed to a wide network scope
VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a large network
VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a large network
VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to a small network
Public VMInstance with service MSSQL Server(TCP:1433) is exposed to a wide public network
VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
Ensure That Compute Instances Have Confidential Computing Enabled
VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to a small network
VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a small network scope
VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a wide network scope
VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network
VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a large network
VMInstance with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet
VMInstance with unencrypted Memcached (UDP:11211) is exposed to a large network
Public VMInstance with service VNC Server(TCP:5900) is exposed to a small public network
Public VMInstance with service POP3(TCP:110) is exposed to a wide public network
VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a wide network scope
VMInstance with unencrypted Memcached (TCP:11211) is exposed to a large network
Public VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a wide public network
Public VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a small public network
VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a small network scope
VMInstance with service POP3(TCP:110) is exposed to a small network scope
Ensure That IP Forwarding Is Not Enabled on Instances
VMInstance with administrative service: SSH (TCP:22) is exposed to a wide network scope
VMInstance with unencrypted Mongo (TCP:27017) is exposed to a small network
VMInstance with unencrypted Elastic search (TCP:9200) is exposed to a large network
VMInstance with unencrypted Mongo (TCP:27017) is exposed to the public internet
VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to the public internet
Public VMInstance with service Microsoft-DS(TCP:445) is exposed to a small public network
VMInstance with service Memcached SSL(TCP:11214) is exposed to a wide network scope
VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to the public internet
Public VMInstance with service Puppet Master(TCP:8140) is exposed to a wide public network
VMInstance with service Known internal web port(TCP:8080) is exposed to a wide network scope
VMInstance with unencrypted LDAP (UDP:389) is exposed to a small network
Ensure Compute Instances Are Launched With Shielded VM Enabled
VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to a small network
VMInstance with service CIFS / SMB(TCP:3020) is exposed to a small network scope
Public VMInstance with service MSSQL Debugger(TCP:135) is exposed to a wide public network
Public VMInstance with service VNC Listener(TCP:5500) is exposed to a wide public network
VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a small network scope
VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to the public internet
Public VMInstance with service NetBios Session Service(UDP:139) is exposed to a small public network
VMInstance with service SMTP(TCP:25) is exposed to a wide network scope
VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a wide network scope
VMInstance with unencrypted LDAP (UDP:389) is exposed to a large network
VMInstance with service Known internal web port(TCP:8000) is exposed to a small network scope
VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a small network scope
Public VMInstance with service SMTP(TCP:25) is exposed to a wide public network
Public VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a wide public network
Public VMInstance with service SaltStack Master(TCP:4506) is exposed to a wide public network
VMInstance with service Postgres SQL(UDP:5432) is exposed to a wide network scope
Public VMInstance with service LDAP SSL(TCP:636) is exposed to a wide public network
Public VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a wide public network
Public VMInstance with service Known internal web port(TCP:8000) is exposed to a wide public network
VMInstance with service VNC Listener(TCP:5500) is exposed to a wide network scope
VMInstance with service DNS(UDP:53) is exposed to a small network scope
VMInstance with service Postgres SQL(TCP:5432) is exposed to a wide network scope
VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a small network scope
Public VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a small public network
Public VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a wide public network
VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a small network scope
Public VMInstance with service Cassandra(TCP:7001) is exposed to a wide public network
Public VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a small public network
VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a wide network scope
Public VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a small public network
VMInstance with unencrypted Redis (TCP:6379) is exposed to a large network
Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances
Public VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a wide public network
VMInstance with service Known internal web port(TCP:8080) is exposed to a small network scope
VMInstance with service Telnet(TCP:23) is exposed to a wide network scope
VMInstance with service MySQL(TCP:3306) is exposed to a wide network scope
VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a small network scope
VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a wide network scope
VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to the public internet
VMInstance with service MySQL(TCP:3306) is exposed to a small network scope
VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a wide network scope
VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a small network scope
VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network
Public VMInstance with service Memcached SSL(TCP:11214) is exposed to a small public network
Public VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a wide public network
Public VMInstance with service SaltStack Master(TCP:4506) is exposed to a small public network
VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a large network
Public VMInstance with service VNC Listener(TCP:5500) is exposed to a small public network
Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
VMInstance with service POP3(TCP:110) is exposed to a wide network scope
Public VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a wide public network
VMInstance with service NetBios Session Service(UDP:139) is exposed to a wide network scope
VMInstance with unencrypted Elastic search (TCP:9300) is exposed to a large network
Public VMInstance with service MSSQL Debugger(TCP:135) is exposed to a small public network
Public VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a wide public network
VMInstance with service Memcached SSL(UDP:11215) is exposed to a small network scope
VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to a large network
Public VMInstance with service MySQL(TCP:3306) is exposed to a small public network
Public VMInstance with service NetBios Session Service(UDP:139) is exposed to a wide public network
VMInstance with service Known internal web port(TCP:8000) is exposed to a wide network scope
Asset does not contain a network tag
VMInstance with service Memcached SSL(UDP:11215) is exposed to a wide network scope
Public VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a small public network
VMInstance with service SaltStack Master(TCP:4505) is exposed to a wide network scope
VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to a large network
VMInstance with unencrypted Mongo (TCP:27017) is exposed to a large network
VMInstance with service Memcached SSL(TCP:11214) is exposed to a small network scope
VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a wide network scope
VMInstance with service SMTP(TCP:25) is exposed to a small network scope
VMInstance with service MSSQL Admin(TCP:1434) is exposed to a small network scope
Public VMInstance with service Memcached SSL(TCP:11215) is exposed to a small public network
Public VMInstance with service NetBios Session Service(TCP:139) is exposed to a small public network
VMInstance with service LDAP SSL(TCP:636) is exposed to a wide network scope
Public VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a small public network
VMInstance with service SNMP(UDP:161) is exposed to a wide network scope
VMInstance with service Memcached SSL(UDP:11214) is exposed to a wide network scope
VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to the public internet
VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a wide network scope
Public VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a small public network
VMInstance with service VNC Server(TCP:5900) is exposed to a wide network scope
VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network
VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to a small network
VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a small network scope
VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a small network scope
Public VMInstance with service MSSQL Admin(TCP:1434) is exposed to a small public network
VMInstance with unencrypted Memcached (UDP:11211) is exposed to a small network
Public VMInstance with service NetBios Session Service(TCP:139) is exposed to a wide public network
Public VMInstance with service SMTP(TCP:25) is exposed to a small public network
Public VMInstance with service MySQL(TCP:3306) is exposed to a wide public network
VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to a large network
Public VMInstance with service Memcached SSL(UDP:11215) is exposed to a small public network
VMInstance with service Memcached SSL(TCP:11215) is exposed to a small network scope
VMInstance with unencrypted Memcached (UDP:11211) is exposed to the public internet
Ensure That Compute Instances Do Not Have Public IP Addresses
VMInstance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
Public VMInstance with service DNS(UDP:53) is exposed to a wide public network
Public VMInstance with service Memcached SSL(TCP:11214) is exposed to a wide public network
Public VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a small public network
VMInstance with service Microsoft-DS(TCP:445) is exposed to a small network scope
Public VMInstance with service POP3(TCP:110) is exposed to a small public network
VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to the public internet
Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
Public VMInstance with service Cassandra(TCP:7001) is exposed to a small public network
Public VMInstance with service Known internal web port(TCP:8080) is exposed to a small public network
Public VMInstance with service SNMP(UDP:161) is exposed to a small public network
Public VMInstance with service CIFS / SMB(TCP:3020) is exposed to a wide public network
Public VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a wide public network
Public VMInstance with service Memcached SSL(UDP:11214) is exposed to a wide public network
Public VMInstance with service SNMP(UDP:161) is exposed to a wide public network
Public VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a wide public network
Public VMInstance with service Postgres SQL(TCP:5432) is exposed to a wide public network
VMInstance with unencrypted LDAP (UDP:389) is exposed to the public internet
Public VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a small public network
Public VMInstance with service Puppet Master(TCP:8140) is exposed to a small public network
Public VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a wide public network
VMInstance with unencrypted Elastic search (TCP:9200) is exposed to a small network
Public VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a small public network
VMInstance with service MSSQL Debugger(TCP:135) is exposed to a small network scope
VMInstance with service Puppet Master(TCP:8140) is exposed to a wide network scope
Public VMInstance with service Postgres SQL(UDP:5432) is exposed to a small public network
VMInstance with service VNC Server(TCP:5900) is exposed to a small network scope
VMInstance with service NetBios Session Service(UDP:139) is exposed to a small network scope
Public VMInstance with service Memcached SSL(UDP:11215) is exposed to a wide public network
Public VMInstance with service Telnet(TCP:23) is exposed to a small public network
VMInstance with service SaltStack Master(TCP:4505) is exposed to a small network scope
Public VMInstance with service Microsoft-DS(TCP:445) is exposed to a wide public network
VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a small network scope
VMInstance with service Memcached SSL(TCP:11215) is exposed to a wide network scope
VMInstance with service Cassandra(TCP:7001) is exposed to a small network scope
VMInstance with service Telnet(TCP:23) is exposed to a small network scope
VMInstance with service SaltStack Master(TCP:4506) is exposed to a small network scope
VMInstance with service Microsoft-DS(TCP:445) is exposed to a wide network scope
VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network
VMInstance with service Puppet Master(TCP:8140) is exposed to a small network scope
Public VMInstance with service DNS(UDP:53) is exposed to a small public network
VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
VMInstance with service SNMP(UDP:161) is exposed to a small network scope
Public VMInstance with service Known internal web port(TCP:8080) is exposed to a wide public network
VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a wide network scope
VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network
Public VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a wide public network
VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to the public internet
VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a small network scope
Public VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a small public network
VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to the public internet
VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a wide network scope
VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a wide network scope
VMInstance with service MSSQL Server(TCP:1433) is exposed to a wide network scope
VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a wide network scope
Public VMInstance with service Postgres SQL(UDP:5432) is exposed to a wide public network
Public VMInstance with service Telnet(TCP:23) is exposed to a wide public network
VMInstance with service Cassandra(TCP:7001) is exposed to a wide network scope
VMInstance with unencrypted LDAP (TCP:389) is exposed to a small network
VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a small network scope
Public VMInstance with service MSSQL Admin(TCP:1434) is exposed to a wide public network
Public VMInstance with service Memcached SSL(TCP:11215) is exposed to a wide public network
VMInstance with unencrypted Memcached (TCP:11211) is exposed to a small network
VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a large network
VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to the public internet
VMInstance with service Memcached SSL(UDP:11214) is exposed to a small network scope
Ensure That Instances Are Not Configured To Use the Default Service Account
Public VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a small public network
Public VMInstance with service SaltStack Master(TCP:4505) is exposed to a small public network
VMInstance with service LDAP SSL(TCP:636) is exposed to a small network scope
VMInstance with unencrypted LDAP (TCP:389) is exposed to a large network
Public VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a small public network
VMInstance with service SaltStack Master(TCP:4506) is exposed to a wide network scope
Public VMInstance with service Memcached SSL(UDP:11214) is exposed to a small public network
VMInstance with service Postgres SQL(UDP:5432) is exposed to a small network scope
VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a wide network scope
VMInstance with service Postgres SQL(TCP:5432) is exposed to a small network scope
Public VMInstance with service CIFS / SMB(TCP:3020) is exposed to a small public network
Public VMInstance with service Known internal web port(TCP:8000) is exposed to a small public network
Public VMInstance with service LDAP SSL(TCP:636) is exposed to a small public network
Public VMInstance with service SaltStack Master(TCP:4505) is exposed to a wide public network
VMInstance with service MSSQL Admin(TCP:1434) is exposed to a wide network scope
VMInstance with unencrypted Elastic search (TCP:9200) is exposed to the public internet
VMInstance with service MSSQL Server(TCP:1433) is exposed to a small network scope
VMInstance with service NetBios Session Service(TCP:139) is exposed to a small network scope
VMInstance with service NetBios Session Service(TCP:139) is exposed to a wide network scope
VMInstance with unencrypted Elastic search (TCP:9300) is exposed to the public internet
VMInstance with unencrypted Memcached (TCP:11211) is exposed to the public internet
VMInstance with unencrypted Elastic search (TCP:9300) is exposed to a small network
VMInstance with unencrypted Redis (TCP:6379) is exposed to a small network
Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
VMInstance with administrative service: SSH (TCP:22) is too exposed to the public internet
Public VMInstance with service MSSQL Server(TCP:1433) is exposed to a small public network
VMInstance with unencrypted Redis (TCP:6379) is exposed to the public internet
Ensure that no VMInstance allows incoming traffic from '0.0.0.0/0' to all protocols and ports.
Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to the ICMP port.
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known TCP port.
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known UDP port.
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known TCP DB port.
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known UDP DB port.
Enable 2FA for VM Instances using OS Login
Kubernetes Cluster
Ensure Network policy is enabled on Kubernetes Engine Clusters
Ensure Kubernetes Clusters are configured with Labels
Ensure Kubernetes Engine Clusters legacy compute engine metadata endpoints are disabled
Ensure GKE Clusters use specific purpose-designed networks instead of the default network
Ensure `Automatic node repair` is enabled for Kubernetes Clusters
Ensure Kubernetes Cluster is created with Alias IP ranges enabled
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Ensure Automatic node upgrades are enabled on Kubernetes Engine Clusters nodes
Ensure Kubernetes Cluster is created with Client Certificate enabled
Ensure default Service account is not used for Project access in Kubernetes Clusters
Ensure Master authorized networks are set to Enabled on Kubernetes Engine Clusters
Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
Ensure Kubernetes web UI / Dashboard is disabled
Ensure Kubernetes Cluster is created with Private cluster enabled
Ensure the GKE Cluster alpha cluster feature is disabled
Ensure GKE Cluster HTTP load balancing is enabled
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
GCP AlertPolicy
Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
GCP IAM Policy
Ensure permissions to impersonate a service account are not granted at project level
Avoid using pre-IAM basic (primitive) roles
Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
Ensure that Corporate Login Credentials are Used
Ensure That Cloud Audit Logging Is Configured Properly
GCP CloudSql
Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
Ensure that Cloud SQL - MYSQL instances have Point-in-time recovery enabled
Ensure Cloud SQL instances have labels
Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled)
Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
Ensure That Cloud SQL Database Instances Do Not Have Public IPs
Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on)
Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Ensure 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on'
Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances
Ensure that SQL Server database instances have the appropriate configuration set for the 'user connections' flag
GCP Security Group
Ensure Global Firewall rule should not allows all traffic
Ensure That SSH Access Is Restricted From the Internet
Ensure That RDP Access Is Restricted From the Internet
Storage Bucket
Ensure that Cloud Storage bucket has usage logs enabled
Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
Storage Bucket outside of Europe
Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
GCP IAM User
Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
User did not log in the past 90 days
Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
Ensure that multi-factor authentication is enabled for admin users
Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
Suspended user account unused for more than 6 months
Ensure GCP IAM user does not have permissions to deploy all resources
Ensure GCP IAM user does not have permissions to deploy all resources
GCP API Key
Ensure API Keys Are Rotated Every 90 Days
Ensure API Keys Only Exist for Active Services
Ensure API Keys Are Restricted to Only APIs That Application Needs Access
Ensure unrestricted API keys are not available within your GCP projects
Google Cloud Function
Ensure that all the deployed cloud functions are in 'active' mode
Ensure that at least one event trigger was configured in your function
Ensure Google Cloud Function is configured with a VPC connector
GCP VPC Network
Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
Ensure Legacy Networks Do Not Exist for Older Projects
Ensure That the Default Network Does Not Exist in a Project
Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
Subnet
Ensure Private Google Access is enabled for all subnetworks in VPC Network
Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
GCP Project
Ensure Oslogin Is Enabled for a Project
Ensure Cloud Asset Inventory Is Enabled
Ensure 'Access Approval' is 'Enabled'
BigQuery
Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
Service Account
Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
Ensure That Service Account Has No Admin Privileges
Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
Ensure that service accounts are not granted with permissions to use other service accounts or set iam policies
Cloud Key Management Service
Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
Google Pub/Sub
Ensure PubSub service is encrypted, with customer managed encryption keys.
GCP DNS Managed Zone
Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
Ensure That DNSSEC Is Enabled for Cloud DNS
Https Load Balancer Proxy
Ensure No HTTPS Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
Ensure no SSL proxy load balancers permit SSL policies with weak cipher suites
Log Sink
Ensure That Sinks Are Configured for All Log Entries
GCP Dataproc Cluster
Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
GCP EssentialContact
Ensure Essential Contacts is Configured for Organization
Ensure Essential Contacts are defined for your Google Cloud organization
azure policies
SQL Server on Virtual Machines
Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
Ensure that Azure Active Directory Admin is configured
Ensure Azure SQL Server data replication with Fail Over groups
Ensure the entire Azure infrastructure doesn't have access to Azure SQL Server
Ensure that ADS - 'Advanced Threat Protection types' (ATP) is set to 'All'
Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account
Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
Ensure that SQL Server Auditing Retention is greater than 90 days
Ensure that 'Auditing' is set to 'On'
Restrict Azure SQL Server accessibility to a minimal address range
Ensure SQL Server Threat Detection is Enabled and Retention Logs are greater than 90 days
Ensure that 'Auditing' Retention is 'greater than 90 days'
Ensure that Azure Active Directory Admin is Configured for SQL Servers
Ensure that ADS - ATP 'Send alerts to' is set
Avoid using names like 'Admin' for an Azure SQL Server admin account login
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
Virtual Machine
Ensure that Azure Virtual Machine is assigned to an availability set
Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
Virtual machine administrative OMI/OMS service port (5986) is publicly accessible
Ensure that at least one Network Security Group is attached to all VMs and subnets that are public
Virtual machine administrative OMI/OMS service port (5985) is publicly accessible
Virtual machine administrative OMI/OMS service port (1270) is publicly accessible
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-UDP ports
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known TCP ports
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-TCP ports
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known UDP ports
Ensure Virtual Machines are utilizing Managed Disks
Ensure that Endpoint Protection for all Virtual Machines is installed
Azure Key Vault
Key vault should have purge protection enabled
Ensure that the Expiration Date is set for all Keys in Key Vaults
Ensure Azure Key Vaults are Used to Store Secrets
Ensure that the Expiration Date is set for all Secrets in Key Vaults
Ensure that logging for Azure Key Vault is 'Enabled'
Ensure the Key Vault is Recoverable
Ensure that Private Endpoints are Used for Azure Key Vault
Enable Role Based Access Control for Azure Key Vault
Network security group
Ensure Flow-Logs are Enabled on NSG
Ensure that MSQL (TCP:4333) is restricted from the Internet
Ensure FTP deployments are disabled
Ensure that CIFS (UDP:445) is restricted from the Internet
Ensure that Windows RPC (TCP:135) is restricted from the Internet
Overly permissive NSG Inbound rule to all traffic on TCP protocol
Ensure that outbound traffic is restricted to only that which is necessary, and all other traffic denied
Ensure that PostgreSQL (TCP:5432) is restricted from the Internet
Ensure that VNC Server (TCP:5900) is restricted from the Internet
Overly permissive NSG Inbound rule to all traffic on UDP protocol
Ensure that SQL Server (TCP:1433) is restricted from the Internet
Ensure that FTP-Data (TCP:20) is restricted from the Internet
Ensure that NetBIOS (UDP:138) is restricted from the Internet
Ensure no security groups allow ingress from 0.0.0.0/0 to ICMP (Ping)
Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
Remove unused Network Security Groups
Ensure that Windows SMB (TCP:445) is restricted from the Internet
Ensure that DNS (TCP:53) is restricted from the Internet
Overly permissive NSG Inbound rule to all traffic on ANY protocol
Ensure that NetBIOS (UDP:137) is restricted from the Internet
Ensure that MySQL (TCP:3306) is restricted from the Internet
Ensure that SMTP (TCP:25) is restricted from the Internet
Ensure that DNS (UDP:53) is restricted from the Internet
Ensure that SSH access from the Internet is evaluated and restricted
Ensure that SQL Server (UDP:1434) is restricted from the Internet
Ensure that RDP access from the Internet is evaluated and restricted
Ensure that VNC Listener (TCP:5500) is restricted from the Internet
Ensure that Telnet (TCP:23) is restricted from the Internet
Ensure Flow-Logs are Enabled on NSG
Ensure Flow-Logs are Enabled on NSG
Ensure Flow-Logs are Enabled on NSG
Ensure that Oracle Database (TCP:1521) is restricted from the Internet
Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019
Ensure that HTTP protocol (TCP:80) is restricted from the Internet
Ensure that HTTPS protocol (TCP:443) is restricted from the Internet
Azure SQL Database
Ensure that SQL Database Auditing Retention is greater than 90 days
Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled
Ensure that SQL Database Auditing is Enabled
Ensure that 'Data encryption' is set to 'On' on a SQL Database
Security Center - Policy
Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
Azure Alert Rule
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Delete Network Security Group
Ensure that activity log alert exists for the Delete Network Security Group Rule
Ensure that Activity Log Alert exists for Delete Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Security Solution
Ensure that Activity Log Alert exists for Delete Security Solution
Ensure that Activity Log Alert exists for Create or Update Network Security Group
Ensure that Activity Log Alert exists for Create Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
Ensure that Activity Log Alert exists for Delete Public IP Address rule
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Ensure that an activity log alert is created for Delete PostgreSQL Database events
Spring Cloud
Ensure that Spring Cloud App has end-to-end TLS enabled
Ensure that Spring Cloud App enforces HTTPS connections
Ensure that Spring Cloud App has system-assigned managed identity enabled
Azure Network Watcher
Ensure that Network Watcher is 'Enabled'
Network Security Group flow logs
Ensure Flow-Logs Retention Policy is greater than 90 days
Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
Azure Redis Cache
Redis cache should have a backup
Ensure that Redis is updated regularly with security and operational updates.
Ensure there are no firewall rules allowing unrestricted access to Redis from other Azure sources
Redis attached subnet Network Security Group should allow ingress traffic only to ports 6379 or 6380
Ensure that the Redis Cache accepts only SSL connections
Ensure there are no firewall rules allowing unrestricted access to Redis from the Internet
Redis attached subnet Network Security Group should allow egress traffic only to ports 6379 or 6380
Ensure there are no firewall rules allowing Redis Cache access for a large number of source IPs
Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol
Container Registry
Ensure that admin user is disabled for Container Registry
Ensure Container Registry has locks
Ensure to not use the deprecated Classic registry
Azure functions
Ensure that Health Check is enabled for your Function App
Ensure remote debugging has been disabled for your production Azure Functions
Ensure Function App is using the latest version of TLS encryption
Managed identity should be used in your Function App
Function App should only be accessible over HTTPS
Ensure the Function app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure that Application Service Logs are Enabled for Containerized Function Apps
Ensure App Service Authentication is set up for apps in Azure App Service - FunctionApp
Ensure FTP deployments are Disabled for FunctionApp
Azure Database for PostgreSQL
Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server
Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Ensure that Geo Redundant Backups is enabled on PostgreSQL
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database
Azure Storage Account
Storage Accounts outside Europe
Ensure that 'Secure transfer required' is set to 'Enabled'
Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Storage Accounts outside Brazil
Ensure that 'Secure transfer required' is set to 'Enabled' for Storage Accounts
Ensure the blob is recoverable - enable 'Soft Delete' setting for blobs
Ensure Storage logging is enabled for Queue service for read, write, and delete requests
Ensure default network access rule for Storage Accounts is set to deny
Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
Ensure that 'Public access level' is disabled for storage accounts with blob containers
Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
Ensure Minimum TLS Encryption Version For Storage Account
Ensure that Containers and its blobs are not exposed publicly
Ensure that Storage Account has Microsoft Defender for Cloud enabled
Ensure Private Endpoints are used to access Storage Accounts
Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
Azure Application Gateway
Ensure Application Gateway is using the latest version of TLS encryption
Ensure Azure Application Gateway Web application firewall (WAF) is enabled
Ensure Application Gateway is using Https protocol
Virtual Network
Ensure that Virtual Networks Subnets have Security Groups
Ensure that Azure Virtual Network subnet is configured with a Network Security Group
Ensure that Azure Virtual network peering is connected
Log Profile
Ensure that a Log Profile exists
Ensure that Activity Log Retention is set 365 days or greater
Ensure the log profile captures activity logs for all regions including global
Ensure audit profile captures all the activities
Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
Azure AKS
Ensure that you are using authorized IP address ranges to secure access to the API server
Ensure that your Cluster Pool contains at least 3 Nodes
Ensure that a network policy is in place to secure traffic between pods
Ensure that Azure CNI Networking is enabled
Ensure that the pod security policy is enabled in your AKS cluster
Enable role-based access control (RBAC) within Azure Kubernetes Services
Ensure Azure Kubernetes Service (AKS) Cluster Dashboard Is Disabled
Ensure Azure Monitoring Enabled For Azure Kubernetes Service (AKS) Cluster
Web Apps service
Ensure remote debugging has been disabled for your production Web App
Ensure that Register with Azure Active Directory is enabled on App Service
Ensure Web App is using the latest version of TLS encryption
Ensure App Service Authentication is set up for apps in Azure App Service - Webapp
Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure That 'PHP version' is the Latest, If Used to Run the Web App
Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
Ensure that 'Java version' is the latest, if used to run the Web App
Ensure that 'Java version' is the latest, if used to run the Linux Web App
Ensure That 'PHP version' is the Latest, If Used to Run the Linux Web App
Ensure FTP deployments are Disabled
Azure Cosmos DB
Ensure That Private Endpoints Are Used Where Possible
Ensure Cosmos DB account access is not allowed from all networks
Ensure Cosmos DB account is encrypted with customer-managed keys
Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
Ensure to filter source Ips for Cosmos DB Account
Azure Monitor Logs
Ensure that a 'Diagnostic Setting' exists
Ensure Diagnostic Setting captures appropriate categories
Azure Resource Group
Ensure that Resource Locks are set for Mission-Critical Azure Resources
Azure Disk Storage
Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
Azure Virtual Network Gateway
Ensure Virtual Network Gateway is configured with Cryptographic Algorithm
Azure Analysis Services
Ensure that firewall rules are enabled and configured for Analysis services server
Azure role-based access control
Ensure to audit role assignments that have implicit managed identity permissions
Ensure to audit role assignments that have implicit 'Owner' permissions
Ensure to audit role assignments that have implicit role management permissions
Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
Azure Role Definition
Ensure custom role definition doesn't have excessive permissions (Wildcard)
Azure Active Directory
Ensure that Azure Active Directory Admin is configured for SQL Server
Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account
Ensure That 'Number of methods required to reset' is set to '2'
Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
My SQL DB Flexible Server
Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Flexible Server
Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
My SQL DB Single Server
Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Single Server
Auto Provisioning Settings
Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
Security Contact
Ensure 'Additional email addresses' is Configured with a Security Contact Email
Ensure That 'Notify about alerts with the following severity' is Set to 'High'
Ensure That 'All users with the following roles' is set to 'Owner'
Ensure the 'ServiceAdmin' role is listed as an email recipient for Defender alerts
Defender Plans
Ensure That Microsoft Defender for Servers Is Set to 'On'
Ensure That Microsoft Defender for App Services Is Set To 'On'
Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
Ensure That Microsoft Defender for Storage Is Set To 'On'
Ensure that Microsoft Defender for Container Registries is set to 'On'
Ensure That Microsoft Defender for Key Vault Is Set To 'On'
Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
Ensure That Microsoft Defender for Containers Is Set To 'On'
Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
Ensure That Microsoft Defender for DNS Is Set To 'On'
Ensure That Microsoft Defender for Databases Is Set To 'On'
PostgreSQL Flexible Server
Ensure 'Allow access to Azure services' for PostgreSQL Flexible Server is disabled
Defender Integrations
Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
AD Security Defaults
Ensure Security Defaults is enabled on Azure Active Directory
AD Authorization Policy
Ensure That 'Users Can Register Applications' Is Set to 'No'
Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
AD Access Reviews Schedule Definition
Ensure Guest Users Are Reviewed on a Regular Basis
cft policies
AWS Key Management Service (KMS)
Ensure that KMS key has key rotation enabled
Ensure that the KMS key have key rotation enabled
Ensure that KMS key policy does not allow access to everyone
Ensure that there is no wildcard action in an inline KMS key policy
Ensure that there is no wildcard principal in an inline KMS key policy
Ensure that an inline KMS key policy does not allow full administrative rights
Amazon RDS
Ensure enhanced monitoring for Amazon RDS instances is enabled
Ensure that RDS IAM authentication is enabled
Ensure RDS instances have backup policy
Ensure RDS instances have Multi-AZ enabled
Ensure AWS RDS database instance is not publicly accessible
Ensure that encryption is enabled for RDS Instances
Elastic Load Balancing (ELB)
Ensure that ELB V2 Listener protocol is not HTTP or TCP
Ensure ELB enforces recommended SSL/TLS protocol version
AWS Key Management Service (KMS)
Ensure that there is no wildcard action in an inline KMS replica key policy
Ensure that there is no wildcard principal in an inline KMS replica key policy
Ensure that an inline KMS replica key policy does not allow full administrative rights
Ensure A Pod Runs Without Privileged Containers
Amazon ElasticSearch service
Ensure that encryption of data at rest is enabled on Elasticsearch domains
Ensure that there is no Wildcard principal in ElasticSearch access policy
Ensure Elasticsearch Domain enforces HTTPS
Ensure that there is no wildcard action in ElasticSearch access policy
Ensure Elasticsearch Domain Logging is enabled
Ensure that node-to-node encryption is enabled for Elasticsearch service
Amazon RDS DBCluster
Ensure RDS cluster has IAM authentication enabled
Ensure that RDS DB cluster has encryption enabled
Amazon API Gateway
Ensure that all authorization Type in API Gateway is not set to None
Ensure that an API Key is required on a Method Request
Ensure API gateway methods are not publicly accessible
AWS ElasticLoadBalancingV2 LoadBalancer
Ensure that access logging is enabled for the ELB v2
Ensure that a Load balancer is not internet facing
Ensure that ELB v2 drops invalid headers
Amazon RDS GlobalCluster
Ensure that RDS global cluster has encryption enabled
AWS CloudFront Distribution
CloudFront Distribution should have WAF enabled
Ensure Cloudfront distribution has Access Logging enabled
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS
AWS Lambda
Ensure AWS Lambda functions have tracing enabled
Ensure that AWS Lambda function is configured for function-level concurrent execution limit
Ensure that AWS Lambda function is configured for a Dead Letter Queue
Lambda Functions must have an associated tag
AWS Lambda
Ensure that there is no wildcard action in Lambda permission
Ensure that there is no wildcard principal in Lambda permission
Amazon Elastic File System (EFS)
Ensure that your Amazon EFS file systems are encrypted
AWS Lambda
Ensure that AWS lambda layer version permissions does not have a wildcard principal
AWS DocDB DBClusterParameterGroup
Ensure DocDB TLS is not disabled
Amazon DynamoDB
Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's
AWS EC2 SecurityGroupEgress
Ensure that every security group egress object has a description
VPC Subnet
Ensure AWS VPC subnets have automatic public IP assignment disabled
AWS ElasticLoadBalancingV2 TargetGroup
Ensure that ELB target group has a health check enabled
DB Security Group
Ensure that AWS DB Security Group does not allow public access
Amazon Kinesis
Ensure AWS Kinesis streams are encrypted with KMS customer master keys
AWS Backup BackupVault
Ensure Backup Vault is encrypted at rest using KMS CMK
AWS Identity and Access Management (IAM)
Ensure That Access Key Rotation Is Less Than 90 Days
Simple Storage Service (S3)
Ensure all S3 buckets employ encryption-at-rest
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
S3 bucket should not allow all actions from all principals
S3 bucket should not allow delete actions from all principals
S3 bucket should not allow 'get' actions from all principals
S3 bucket should not allow list actions from all principals
S3 bucket should not allow put actions from all principals
S3 bucket should not allow restoring object actions from all principals
Ensure that the S3 bucket is not publicly readable
Ensure that the S3 bucket is not publicly writable
Ensure that S3 server access logging is enabled
Ensure that S3 bucket has versioning enabled
Ensure that the S3 bucket has lifecycle configuration enabled
Ensure that the S3 bucket has object lock enabled
Amazon EC2 Instance
Ensure that the root block device has encryption enabled
Ensure AWS EC2 Instances use IAM Roles to control access
Ensure that address source/destination check is enabled on the instance
Amazon EC2 instance must have an associated tag
Ensure that EC2 API termination protection is enabled
Ensure that EC2 instance does not have public IP enabled
Ensure that EC2 is EBS optimized
Ensure that detailed monitoring for EC2 instances is enabled
Amazon Elastic Block Storage (EBS)
Ensure that EBS volume has encryption enabled
AWS DocDB DBCluster
Ensure DocDB is encrypted at rest
Ensure DocDB has audit logs enabled
Ensure DocDB Logging is enabled
AWS AutoScaling LaunchConfiguration
Ensure all data stored in the Launch configuration EBS is securely encrypted
AWS DAX Cluster
Ensure DAX is encrypted at rest (default is unencrypted)
AWS IAM Policy
Ensure that there is no wildcard action in an IAM policy
Ensure that the IAM Policy does not grant full administrative rights
Ensure that IAM policy is not directly attached to a user
AWS Managed Policy
Ensure that there is no wildcard action in a customer managed IAM policy
Ensure that customer managed IAM policy does not grant full administrative rights
Ensure that a customer managed IAM policy is not directly attached to a user
IAM User
Ensure that IAM user does not have directly embedded policy
Ensure that password reset is required in IAM login profile
Ensure that there is no wildcard action in an inline IAM user policy
Ensure that there is no wildcard resource in an inline IAM user policy
Ensure that an inline IAM user policy does not allow full administrative rights
IAM Role
Ensure that IAM Role cannot be assumed by anyone
Ensure that there is no wildcard action in an inline IAM role policy
Ensure that there is no wildcard resource in an inline IAM role policy
Ensure that an inline IAM role policy does not allow full administrative rights
IAM Group
Ensure that there is no wildcard action in an inline IAM group policy
Ensure that there is no wildcard resources in an inline IAM group policy
Ensure that an inline IAM group policy does not allow full administrative rights
CloudTrail
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail logging is enabled
Ensure CloudTrail log file validation is enabled
Ensure that CloudTrail is integrated with CloudWatch
AWS ElasticLoadBalancing LoadBalancer
Ensure that access logging is enabled for the classic ELB
Ensure that a classic Load balancer is not internet facing
Ensure that ELB has a health check setup
Ensure that ELB Listener protocol is HTTPS or SSL
AWS ApiGateway Stage
Ensure API Gateway has Access Logging enabled
Ensure API Gateway caching is enabled
Ensure API Gateway has X-Ray Tracing enabled
AWS ApiGatewayV2 Stage
Ensure API Gateway V2 has Access Logging enabled
Amazon NACL
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
AWS Security Group
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
Ensure no security group ingress allows traffic from 0.0.0.0/0 to ElasticSearch (TCP:9300)
Ensure no security group ingress allows traffic from 0.0.0.0/0 to Kibana (TCP:5601)
Ensure no security group ingress allows traffic from 0.0.0.0/0 to Redis (TCP:6379)
Ensure no security group ingress allows traffic from 0.0.0.0/0 to etcd (TCP:2379)
Ensure no security group ingress allows traffic from 0.0.0.0/0 to MongoDB (TCP:27017)
Ensure no security group ingress allows traffic from 0.0.0.0/0 to MongoDB (TCP:27018)
Ensure that every security group ingress object has a description
AWS EC2 SecurityGroup
Ensure no security groups allow ingress from 0.0.0.0/0 to ElasticSearch (TCP:9300)
Ensure no security groups allow ingress from 0.0.0.0/0 to Kibana (TCP:5601)
Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP:6379)
Ensure no security groups allow ingress from 0.0.0.0/0 to etcd (TCP:2379)
Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27017)
Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27018)
Ensure that every security group ingress rule has a description
Ensure that every security group egress rule has a description
Ensure every security groups rule has a description
Amazon EC2 Instance
Ensure that EC2Fleet of type maintain has ReplaceUnhealthyInstances set to true