CloudGuard Docs
Guides

Welcome

  • Welcome to CheckPoint CloudGuard Guides!

Overview

  • How to Get Started
  • Concepts
  • Platforms

Products

  • Secrets Scanning
  • Infrastructure as Code
  • CI/CD Hardening
  • Open Source

SpectralOps

  • Dashboard
  • Triage Issues
  • Sources
  • Reports
  • Integrations
  • Profile
  • Team & User Permissions (RBAC)
  • Teams and Asset Mapping
  • Custom Rules
  • SSO
    • Setup SSO (SAML 2.0)
    • Setup SSO with OKTA
    • Setup SSO with OneLogin
  • SCM

Usage

  • CLI
  • Configuration
  • Output
  • Detectors
    • Quick Start
    • Building Detectors
    • Logic Rules (OPA)
    • Codeprinting
    • The Detector Engine

Integrations

  • Productivity
    • Jira
    • Confluence
  • Cloud Automation
    • Terraform Cloud Run task
  • Git Provider Bot
    • Github Bot
    • Gitlab Bot
  • Pre receive Git hooks
    • Gitlab pre receive hook
    • Bitbucket pre receive hook
  • CI/CD
    • Gitlab Pipeline

config policies

  • Memcached
    • Memcache: default binding to world
    • Memcache: configured to run as root
    • Memcache: configured to use UDP
  • MySQL
    • MySQL allowing symbolic links invites various attacks
    • MySQL: usage of short password
    • MySQL: configured to run as root
    • MySQL: binding to world
  • Kafka
    • Kafka: using dated SSL/TLS protocols is insecure
    • Kafka: accepting unauthenticated connections is insecure
    • Kafka: hardcoded password in configuration is insecure
    • Kafka: usage of short password
  • PostgreSQL
    • Postgres: no password / trusted host configuration
    • Postgres: no password / trusted host configuration
    • Postgres: SSL/TLS is off
    • Postgres: default binding to world
  • Airflow
    • Airflow: Use of REST API Token
    • Airflow: Visible Fernet Key
    • Airflow: default binding to world
  • Redis
    • Redis: usage of weak password (ACL)
    • Redis: protected-mode no and default binding to world
    • Redis: protected-mode and weak ACL configuration
    • Redis: Usage of Visible Host

secrets policies

  • Secrets
    • Data files / database files found
    • SaaS vendor credentials should not be visible
    • Cloud services keys should not be visible or hardcoded
    • Cloud services hosts should not be visible or hardcoded
    • Log shipping access/API detail visible
    • Build or artifact systems access details visible
    • Visible private key or sensitive file
    • SaaS services hosts should not be visible or hardcoded
    • Visible sensitive data (PII/other)
    • AWS S3 Buckets: Visible endpoint
    • Potential keys or passwords are visible/hardcoded
    • App/framework keys or passwords are visible/hardcoded
    • Cloud services keys should not be visible or hardcoded
    • Sensitive File Found

aws policies

  • Elastic Load Balancing (ELB)
    • Ensure that AWS Elastic Load Balancers (ELB) have outbound rules in their security groups
    • Ensure that AWS Elastic Load Balancers (ELB) have inbound rules in their security groups
    • ELB secured listener certificate expires in one month
    • ELB is setup with HTTPS for secure communication
    • Remove Weak Ciphers for ELB
    • ELB - Recommended SSL/TLS protocol version
    • ELB secured listener certificate expires in one week
    • ELB is created with Access logs enabled
    • Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known TCP port
    • Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known UDP port
    • Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known TCP DB port
    • Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known UDP DB port
    • ELB with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
    • ELB with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
    • ELB with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
    • ELB with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
    • ELB with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
    • ELB with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
    • ELB with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
    • ELB with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
    • ELB with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
    • ELB with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
    • ELB with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
    • ELB with service 'POP3' (TCP:110) is exposed to a small network scope
    • ELB with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
    • ELB with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
    • ELB with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
    • ELB with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
    • ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
    • ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
    • ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
    • ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
    • ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
    • ELB with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
    • ELB with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
    • ELB with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
    • ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
    • ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
    • ELB with service 'SNMP' (UDP:161) is exposed to a small network scope
    • ELB with service 'Telnet' (TCP:23) is exposed to a small network scope
    • ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
    • ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
    • ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
    • ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
    • ELB with service 'SMTP' (TCP:25) is exposed to a small network scope
    • ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
    • ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
    • ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
    • ELB with service 'MySQL' (TCP:3306) is exposed to a small network scope
    • ELB with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
    • ELB with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
    • ELB with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
    • ELB with service 'DNS' (UDP:53) is exposed to a small network scope
    • ELB with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
    • ELB with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
    • ELB with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
    • ELB with service 'VNC Server' (TCP:5900) is exposed to a small network scope
    • ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
    • ELB with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
    • ELB with service 'Cassandra' (TCP:7001) is exposed to a small network scope
    • ELB with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
    • ELB with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
    • ELB with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
    • ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
    • ELB with administrative service: SSH (TCP:22) is potentially exposed to the public internet
    • ELB with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
    • ELB with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
    • Public ELB with service POP3 (TCP:110) is potentially exposed to the public internet
    • Public ELB with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
    • Public ELB with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
    • Public ELB with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
    • Public ELB with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
    • Public ELB with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
    • Public ELB with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
    • Public ELB with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
    • Public ELB with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
    • Public ELB with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
    • Public ELB with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
    • Public ELB with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
    • Public ELB with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
    • Public ELB with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
    • Public ELB with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
    • Public ELB with service SNMP (UDP:161) is potentially exposed to the public internet
    • Public ELB with service Telnet (TCP:23) is potentially exposed to the public internet
    • Public ELB with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
    • Public ELB with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
    • Public ELB with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
    • Public ELB with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
    • Public ELB with service SMTP (TCP:25) is potentially exposed to the public internet
    • Public ELB with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
    • Public ELB with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
    • Public ELB with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
    • Public ELB with service MySQL (TCP:3306) is potentially exposed to the public internet
    • Public ELB with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
    • Public ELB with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
    • Public ELB with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
    • Public ELB with service DNS (UDP:53) is potentially exposed to the public internet
    • Public ELB with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
    • Public ELB with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
    • Public ELB with service VNC Listener (TCP:5500) is potentially exposed to the public internet
    • Public ELB with service VNC Server (TCP:5900) is potentially exposed to the public internet
    • Public ELB with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
    • Public ELB with service LDAP SSL (TCP:636) is potentially exposed to the public internet
    • Public ELB with service Cassandra (TCP:7001) is potentially exposed to the public internet
    • Public ELB with service Known internal web port (TCP:8000) is potentially exposed to the public internet
    • Public ELB with service Known internal web port (TCP:8080) is potentially exposed to the public internet
    • Public ELB with service Puppet Master (TCP:8140) is potentially exposed to the public internet
    • Public ELB with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
    • ELB with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
    • ELB with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
    • ELB with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
    • ELB with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
    • ELB with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
    • ELB with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
    • ELB with unencrypted LDAP (TCP:389) is exposed to a wide network scope
    • ELB with unencrypted LDAP (UDP:389) is exposed to a wide network scope
    • ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
    • ELB with unencrypted Redis (TCP:6379) is exposed to a wide network scope
    • ELB with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
    • ELB with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
    • ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
    • ELB with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
    • ELB with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
    • ELB with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
    • ELB with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
    • ELB with administrative service: SSH (TCP:22) is exposed to a wide network scope
    • ELB with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
    • ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • ELB with service 'POP3' (TCP:110) is exposed to a wide network scope
    • ELB with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
    • ELB with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
    • ELB with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
    • ELB with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
    • ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
    • ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
    • ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
    • ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
    • ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
    • ELB with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
    • ELB with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
    • ELB with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
    • ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
    • ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
    • ELB with service 'SNMP' (UDP:161) is exposed to a wide network scope
    • ELB with service 'Telnet' (TCP:23) is exposed to a wide network scope
    • ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
    • ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
    • ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
    • ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
    • ELB with service 'SMTP' (TCP:25) is exposed to a wide network scope
    • ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
    • ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
    • ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
    • ELB with service 'MySQL' (TCP:3306) is exposed to a wide network scope
    • ELB with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
    • ELB with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
    • ELB with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
    • ELB with service 'DNS' (UDP:53) is exposed to a wide network scope
    • ELB with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
    • ELB with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
    • ELB with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
    • ELB with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
    • ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
    • ELB with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
    • ELB with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
    • ELB with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
    • ELB with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
    • ELB with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
    • ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
    • Public ELB with service 'POP3' (TCP:110) is exposed to a small public network
    • Public ELB with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
    • Public ELB with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
    • Public ELB with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
    • Public ELB with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
    • Public ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
    • Public ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
    • Public ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
    • Public ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
    • Public ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
    • Public ELB with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
    • Public ELB with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
    • Public ELB with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
    • Public ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
    • Public ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
    • Public ELB with service 'SNMP' (UDP:161) is exposed to a small public network
    • Public ELB with service 'Telnet' (TCP:23) is exposed to a small public network
    • Public ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
    • Public ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
    • Public ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
    • Public ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
    • Public ELB with service 'SMTP' (TCP:25) is exposed to a small public network
    • Public ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
    • Public ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
    • Public ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
    • Public ELB with service 'MySQL' (TCP:3306) is exposed to a small public network
    • Public ELB with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
    • Public ELB with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
    • Public ELB with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
    • Public ELB with service 'DNS' (UDP:53) is exposed to a small public network
    • Public ELB with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
    • Public ELB with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
    • Public ELB with service 'VNC Listener' (TCP:5500) is exposed to a small public network
    • Public ELB with service 'VNC Server' (TCP:5900) is exposed to a small public network
    • Public ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
    • Public ELB with service 'LDAP SSL' (TCP:636) is exposed to a small public network
    • Public ELB with service 'Cassandra' (TCP:7001) is exposed to a small public network
    • Public ELB with service 'Known internal web port' (TCP:8000) is exposed to a small public network
    • Public ELB with service 'Known internal web port' (TCP:8080) is exposed to a small public network
    • Public ELB with service 'Puppet Master' (TCP:8140) is exposed to a small public network
    • Public ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
    • Public ELB with service 'POP3' (TCP:110) is exposed to the entire internet
    • Public ELB with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
    • Public ELB with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
    • Public ELB with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
    • Public ELB with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
    • Public ELB with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
    • Public ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
    • Public ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
    • Public ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
    • Public ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
    • Public ELB with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
    • Public ELB with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
    • Public ELB with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
    • Public ELB with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
    • Public ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
    • Public ELB with service 'SNMP' (UDP:161) is exposed to the entire internet
    • Public ELB with service 'Telnet' (TCP:23) is exposed to the entire internet
    • Public ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
    • Public ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
    • Public ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
    • Public ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
    • Public ELB with service 'SMTP' (TCP:25) is exposed to the entire internet
    • Public ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
    • Public ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
    • Public ELB with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
    • Public ELB with service 'MySQL' (TCP:3306) is exposed to the entire internet
    • Public ELB with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
    • Public ELB with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
    • Public ELB with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
    • Public ELB with service 'DNS' (UDP:53) is exposed to the entire internet
    • Public ELB with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
    • Public ELB with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
    • Public ELB with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
    • Public ELB with service 'VNC Server' (TCP:5900) is exposed to the entire internet
    • Public ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
    • Public ELB with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
    • Public ELB with service 'Cassandra' (TCP:7001) is exposed to the entire internet
    • Public ELB with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
    • Public ELB with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
    • Public ELB with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
    • Public ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
    • ELB with unencrypted Memcached (TCP:11211) is exposed to a small network scope
    • ELB with unencrypted Memcached (UDP:11211) is exposed to a small network scope
    • ELB with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
    • ELB with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
    • ELB with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
    • ELB with unencrypted Mongo (TCP:27017) is exposed to a small network scope
    • ELB with unencrypted LDAP (TCP:389) is exposed to a small network scope
    • ELB with unencrypted LDAP (UDP:389) is exposed to a small network scope
    • ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
    • ELB with unencrypted Redis (TCP:6379) is exposed to a small network scope
    • ELB with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
    • ELB with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
    • ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
    • ELB with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
    • ELB with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
    • ELB with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
    • ELB with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
  • Region
    • Ensure AWS Config is enabled in all regions
    • Ensure that IAM Access analyzer is enabled for all regions
    • Process for Security Group Management - Detection of new Security Groups
    • Ensure CloudTrail is enabled in all regions
    • Ensure VPC Flow Logging is Enabled in all Applicable Regions
    • Amazon GuardDuty service is enabled
  • Application Load Balancer
    • ALB secured listener certificate expires in one week
    • ALB secured listener certificate about to expire in one month
    • Ensure AWS Application Load Balancer (ALB) listeners block connection requests over HTTP
    • Make sure that ALB is protected by a WAF
    • Enable ALB Elastic Load Balancer v2 (ELBv2) access log
    • Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known TCP port
    • Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known UDP port
    • Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known TCP DB port
    • Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known UDP DB port
    • Ensure Invalid Headers Are Dropped In ALB
    • ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
    • ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
    • ApplicationLoadBalancer with administrative service: SSH (TCP:22) is potentially exposed to the public internet
    • ApplicationLoadBalancer with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
    • ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service POP3 (TCP:110) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SNMP (UDP:161) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Telnet (TCP:23) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SMTP (TCP:25) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service MySQL (TCP:3306) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service DNS (UDP:53) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service VNC Listener (TCP:5500) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service VNC Server (TCP:5900) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service LDAP SSL (TCP:636) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Cassandra (TCP:7001) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Known internal web port (TCP:8000) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Known internal web port (TCP:8080) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Puppet Master (TCP:8140) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
    • ApplicationLoadBalancer with administrative service: SSH (TCP:22) is exposed to a wide network scope
    • ApplicationLoadBalancer with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
    • ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
    • Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
    • ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
  • Amazon EC2 Instance
    • Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
    • Ensure IAM instance roles are used for AWS resource access from instances
    • Instances are Configured under Virtual Private Cloud
    • Instances outside of Europe region
    • Instances with Direct Connect virtual interface should not have public interfaces
    • Use encrypted storage for instances that might host a database
    • Instances outside of Brazilian region
    • Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP port
    • Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP port
    • Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP DB port
    • Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP DB port
    • Ensure that EC2 instance's volumes are encrypted
    • Ensure that EC2 instance's custom AMI is encrypted at rest
    • Ensure that EC2 instance's custom AMI is not publicly shared
    • Ensure that EC2 Metadata Service only allows IMDSv2
    • Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
    • Instance with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
    • Instance with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
    • Instance with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
    • Instance with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
    • Instance with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
    • Instance with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
    • Instance with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
    • Instance with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
    • Instance with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
    • Instance with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
    • Instance with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
    • Instance with service 'POP3' (TCP:110) is exposed to a small network scope
    • Instance with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
    • Instance with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
    • Instance with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
    • Instance with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
    • Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
    • Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
    • Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
    • Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
    • Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
    • Instance with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
    • Instance with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
    • Instance with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
    • Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
    • Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
    • Instance with service 'SNMP' (UDP:161) is exposed to a small network scope
    • Instance with service 'Telnet' (TCP:23) is exposed to a small network scope
    • Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
    • Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
    • Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
    • Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
    • Instance with service 'SMTP' (TCP:25) is exposed to a small network scope
    • Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
    • Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
    • Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
    • Instance with service 'MySQL' (TCP:3306) is exposed to a small network scope
    • Instance with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
    • Instance with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
    • Instance with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
    • Instance with service 'DNS' (UDP:53) is exposed to a small network scope
    • Instance with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
    • Instance with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
    • Instance with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
    • Instance with service 'VNC Server' (TCP:5900) is exposed to a small network scope
    • Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
    • Instance with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
    • Instance with service 'Cassandra' (TCP:7001) is exposed to a small network scope
    • Instance with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
    • Instance with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
    • Instance with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
    • Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
    • Instance with administrative service: SSH (TCP:22) is potentially exposed to the public internet
    • Instance with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
    • Instance with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
    • Public Instance with service POP3 (TCP:110) is potentially exposed to the public internet
    • Public Instance with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
    • Public Instance with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
    • Public Instance with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
    • Public Instance with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
    • Public Instance with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
    • Public Instance with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
    • Public Instance with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
    • Public Instance with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
    • Public Instance with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
    • Public Instance with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
    • Public Instance with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
    • Public Instance with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
    • Public Instance with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
    • Public Instance with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
    • Public Instance with service SNMP (UDP:161) is potentially exposed to the public internet
    • Public Instance with service Telnet (TCP:23) is potentially exposed to the public internet
    • Public Instance with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
    • Public Instance with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
    • Public Instance with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
    • Public Instance with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
    • Public Instance with service SMTP (TCP:25) is potentially exposed to the public internet
    • Public Instance with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
    • Public Instance with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
    • Public Instance with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
    • Public Instance with service MySQL (TCP:3306) is potentially exposed to the public internet
    • Public Instance with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
    • Public Instance with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
    • Public Instance with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
    • Public Instance with service DNS (UDP:53) is potentially exposed to the public internet
    • Public Instance with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
    • Public Instance with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
    • Public Instance with service VNC Listener (TCP:5500) is potentially exposed to the public internet
    • Public Instance with service VNC Server (TCP:5900) is potentially exposed to the public internet
    • Public Instance with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
    • Public Instance with service LDAP SSL (TCP:636) is potentially exposed to the public internet
    • Public Instance with service Cassandra (TCP:7001) is potentially exposed to the public internet
    • Public Instance with service Known internal web port (TCP:8000) is potentially exposed to the public internet
    • Public Instance with service Known internal web port (TCP:8080) is potentially exposed to the public internet
    • Public Instance with service Puppet Master (TCP:8140) is potentially exposed to the public internet
    • Public Instance with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
    • Instance with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
    • Instance with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
    • Instance with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
    • Instance with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
    • Instance with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
    • Instance with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
    • Instance with unencrypted LDAP (TCP:389) is exposed to a wide network scope
    • Instance with unencrypted LDAP (UDP:389) is exposed to a wide network scope
    • Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
    • Instance with unencrypted Redis (TCP:6379) is exposed to a wide network scope
    • Instance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
    • Instance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
    • Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
    • Instance with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
    • Instance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
    • Instance with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
    • Instance with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
    • Instance with administrative service: SSH (TCP:22) is exposed to a wide network scope
    • Instance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
    • Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • Instance with service 'POP3' (TCP:110) is exposed to a wide network scope
    • Instance with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
    • Instance with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
    • Instance with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
    • Instance with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
    • Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
    • Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
    • Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
    • Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
    • Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
    • Instance with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
    • Instance with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
    • Instance with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
    • Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
    • Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
    • Instance with service 'SNMP' (UDP:161) is exposed to a wide network scope
    • Instance with service 'Telnet' (TCP:23) is exposed to a wide network scope
    • Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
    • Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
    • Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
    • Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
    • Instance with service 'SMTP' (TCP:25) is exposed to a wide network scope
    • Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
    • Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
    • Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
    • Instance with service 'MySQL' (TCP:3306) is exposed to a wide network scope
    • Instance with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
    • Instance with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
    • Instance with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
    • Instance with service 'DNS' (UDP:53) is exposed to a wide network scope
    • Instance with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
    • Instance with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
    • Instance with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
    • Instance with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
    • Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
    • Instance with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
    • Instance with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
    • Instance with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
    • Instance with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
    • Instance with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
    • Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
    • Public Instance with service 'POP3' (TCP:110) is exposed to a small public network
    • Public Instance with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
    • Public Instance with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
    • Public Instance with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
    • Public Instance with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
    • Public Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
    • Public Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
    • Public Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
    • Public Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
    • Public Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
    • Public Instance with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
    • Public Instance with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
    • Public Instance with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
    • Public Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
    • Public Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
    • Public Instance with service 'SNMP' (UDP:161) is exposed to a small public network
    • Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
    • Public Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
    • Public Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
    • Public Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
    • Public Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
    • Public Instance with service 'SMTP' (TCP:25) is exposed to a small public network
    • Public Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
    • Public Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
    • Public Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
    • Public Instance with service 'MySQL' (TCP:3306) is exposed to a small public network
    • Public Instance with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
    • Public Instance with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
    • Public Instance with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
    • Public Instance with service 'DNS' (UDP:53) is exposed to a small public network
    • Public Instance with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
    • Public Instance with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
    • Public Instance with service 'VNC Listener' (TCP:5500) is exposed to a small public network
    • Public Instance with service 'VNC Server' (TCP:5900) is exposed to a small public network
    • Public Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
    • Public Instance with service 'LDAP SSL' (TCP:636) is exposed to a small public network
    • Public Instance with service 'Cassandra' (TCP:7001) is exposed to a small public network
    • Public Instance with service 'Known internal web port' (TCP:8000) is exposed to a small public network
    • Public Instance with service 'Known internal web port' (TCP:8080) is exposed to a small public network
    • Public Instance with service 'Puppet Master' (TCP:8140) is exposed to a small public network
    • Public Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
    • Public Instance with service 'POP3' (TCP:110) is exposed to the entire internet
    • Public Instance with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
    • Public Instance with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
    • Public Instance with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
    • Public Instance with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
    • Public Instance with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
    • Public Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
    • Public Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
    • Public Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
    • Public Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
    • Public Instance with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
    • Public Instance with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
    • Public Instance with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
    • Public Instance with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
    • Public Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
    • Public Instance with service 'SNMP' (UDP:161) is exposed to the entire internet
    • Public Instance with service 'Telnet' (TCP:23) is exposed to the entire internet
    • Public Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
    • Public Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
    • Public Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
    • Public Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
    • Public Instance with service 'SMTP' (TCP:25) is exposed to the entire internet
    • Public Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
    • Public Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
    • Public Instance with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
    • Public Instance with service 'MySQL' (TCP:3306) is exposed to the entire internet
    • Public Instance with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
    • Public Instance with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
    • Public Instance with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
    • Public Instance with service 'DNS' (UDP:53) is exposed to the entire internet
    • Public Instance with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
    • Public Instance with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
    • Public Instance with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
    • Public Instance with service 'VNC Server' (TCP:5900) is exposed to the entire internet
    • Public Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
    • Public Instance with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
    • Public Instance with service 'Cassandra' (TCP:7001) is exposed to the entire internet
    • Public Instance with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
    • Public Instance with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
    • Public Instance with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
    • Public Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
    • Instance with unencrypted Memcached (TCP:11211) is exposed to a small network scope
    • Instance with unencrypted Memcached (UDP:11211) is exposed to a small network scope
    • Instance with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
    • Instance with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
    • Instance with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
    • Instance with unencrypted Mongo (TCP:27017) is exposed to a small network scope
    • Instance with unencrypted LDAP (TCP:389) is exposed to a small network scope
    • Instance with unencrypted LDAP (UDP:389) is exposed to a small network scope
    • Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
    • Instance with unencrypted Redis (TCP:6379) is exposed to a small network scope
    • Instance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
    • Instance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
    • Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
    • Instance with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
    • Instance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
    • Instance with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
    • Instance with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
    • EC2 Instance - there shouldn't be any High level findings in Inspector Scans
    • Instances without Inspector runs in the last 30 days
    • Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs
    • Ensure IMDS Response Hop Limit is Set to One
  • Simple Storage Service (S3)
    • Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
    • Ensure that Static website hosting is disabled on your S3 bucket
    • Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible without a condition
    • Ensure that S3 bucket ACLs don't allow 'READ' access for anonymous / AWS authenticated users
    • S3 bucket CloudTrail logs ACL should not allow public access
    • Ensure that your AWS CloudTrail logging bucket has MFA delete enabled
    • S3 bucket should have server access logging enabled
    • Ensure that S3 Buckets are encrypted with CMK
    • Ensure S3 Bucket Policy is set to deny HTTP requests
    • Ensure that S3 Bucket policy doesn't allow actions from all principals without a condition
    • Ensure MFA Delete is enabled on S3 buckets
    • Ensure that S3 bucket ACLs don't allow 'WRITE' access for anonymous / AWS authenticated users
    • S3 bucket should have versioning enabled
    • Ensure that Object-level logging for write events is enabled for S3 bucket
    • Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
    • Ensure that S3 bucket ACLs don't allow 'READ_ACP' access for anonymous / AWS authenticated users
    • Ensure that S3 Bucket policy doesn't allow actions from all principals (Condition exists)
    • S3 Buckets outside of Europe
    • Ensure all data in Amazon S3 has been discovered, classified and secured when required
    • Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
    • Ensure that S3 bucket ACLs don't allow 'WRITE_ACP' access for anonymous / AWS authenticated users
    • S3 Buckets outside of Brazil
    • Ensure that S3 Bucket is encrypted at rest
    • Ensure that S3 bucket ACLs don't allow 'FULL_CONTROL' access for anonymous / AWS authenticated users
    • Ensure that S3 Bucket policy doesn't have excessive permissions (Allowing all actions)
    • Ensure Enabling Versioning For S3 Bucket
    • Ensure that S3 buckets are not publicly accessible
    • Ensure that S3 buckets are not publicly accessible without a condition
    • S3 bucket should not be world-listable from anonymous users
    • S3 bucket should not be world-writable from anonymous users
    • S3 bucket should not have writable permissions from anonymous users
    • S3 bucket should not have world-readable permissions from anonymous users
    • S3 bucket should not allow delete actions from all principals without a condition
    • S3 bucket should not allow get actions from all principals without a condition
    • S3 bucket should not allow list actions from all principals without a condition
    • S3 bucket should not allow put or restore actions from all principals without a condition
    • S3 buckets should not grant any external privileges via ACL
    • S3 bucket should not allow delete actions from all principals
    • S3 bucket should not allow get actions from all principals with a condition
    • S3 bucket should not allow list actions from all principals
    • S3 bucket should not allow put or restore actions from all principals
    • Ensure S3 buckets are not publicly accessible without a condition
    • Ensure that AWS S3 Bucket block public ACLs is enabled at the account level or at the Bucket level
    • Ensure S3 buckets are not publicly accessible
  • Network Load Balancer
    • Ensure to update the Security Policy of the Network Load Balancer
    • NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
    • NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
    • NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
    • NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
    • NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
    • NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
    • NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
    • NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
    • NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
    • NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
    • NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
    • NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
    • NetworkLoadBalancer with administrative service: SSH (TCP:22) is potentially exposed to the public internet
    • NetworkLoadBalancer with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
    • NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service POP3 (TCP:110) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SNMP (UDP:161) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Telnet (TCP:23) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SMTP (TCP:25) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service MySQL (TCP:3306) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service DNS (UDP:53) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service VNC Listener (TCP:5500) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service VNC Server (TCP:5900) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service LDAP SSL (TCP:636) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Cassandra (TCP:7001) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Known internal web port (TCP:8000) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Known internal web port (TCP:8080) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Puppet Master (TCP:8140) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
    • NetworkLoadBalancer with administrative service: SSH (TCP:22) is exposed to a wide network scope
    • NetworkLoadBalancer with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
    • NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
    • Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
    • NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
  • IAM User
    • Ensure IAM users have either access key or console password enabled
    • Ensure users inactive for 30 days or greater are disabled
    • Ensure users inactive for 90 days or greater are disabled
    • Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account
    • Ensure IAM Users Receive Permissions Only Through Groups
    • IamUser with Admin or wide permissions without MFA enabled
    • Do not set up access keys during initial user setup for all IAM users that have a console password
    • Ensure 'root' account does not have an active X.509 signing certificate
    • Ensure IAM users are members of at least one IAM group
    • Ensure there is only one active access key available for any single IAM user
    • Ensure credentials unused for 45 days or greater are disabled (Second access key)
    • Use managed policies instead of inline IAM Policies
    • Ensure credentials unused for 45 days or greater are disabled (Console password)
    • Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
    • Ensure second access key is rotated every 30 days or less
    • Ensure credentials unused for 45 days or greater are disabled (First access key)
    • Ensure first access key is rotated every 30 days or less
    • Ensure second access key is rotated every 45 days or less
    • Ensure no 'root' user account access key exists
    • Ensure inactive IAM access keys are deleted
    • Ensure IAM users do not have administrator privileges
    • Ensure access keys are rotated every 90 days or less (Second access key)
    • Ensure first access key is rotated every 45 days or less
    • Ensure access keys are rotated every 90 days or less (First access key)
    • Eliminate use of the 'root' user for administrative and daily tasks
    • Ensure IAM user password is rotated every 90 days or less
    • Ensure hardware MFA is enabled for the 'root' user account
    • Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days)
    • Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days)
  • IAM Role
    • Ensure that role names are not enumerable
    • Ensure that IAM Role doesn't have excessive permissions (Allowing all actions)
    • Ensure EKS Node Group IAM roles do not have administrator privileges
    • IAM role unused for more than 90 days
    • Ensure cross-account IAM Role uses MFA or external ID as a condition
    • Ensure that custom IAM Role doesn't have an overly permissive scope (Contains a wildcard)
    • Ensure that Trusted Policy Roles which can be assumed by external entities include a Condition String
  • Amazon Elastic File System (EFS)
    • Amazon EFS must have an associated tag
    • Ensure that encryption is enabled for EFS file systems
    • Ensure that your Amazon EFS file systems are encrypted using KMS customer-managed keys (CMKs)
  • AWS Security Group
    • Restrict outbound traffic to that which is necessary, and specifically deny all other traffic
    • Ensure that Security Groups are not open to all
    • Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
    • Ensure the default security group of every VPC restricts all traffic
    • Remove Unused Security Groups
    • Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
    • Remove Unused Security Groups that are open to all
    • Security Groups must be defined under a Virtual Private Cloud
    • Process for Security Group Management - Managing security groups
    • Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols
    • Default Security Groups - with network policies
    • Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
    • Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS Identity and Access Management (IAM)
    • Password Policy must require at least one number
    • Ensure IAM password policy requires minimum length of 14 or greater
    • Ensure IAM password policy requires at least one lowercase letter
    • Ensure IAM password policy expires passwords within 90 days or less
    • Ensure security contact information is registered
    • Ensure IAM password policy requires at least one uppercase letter
    • Ensure IAM password policy prevents password reuse
    • Ensure IAM password policy requires at least one symbol
    • Credentials report was generated in the last 24 hours
    • Enforce Password Policy
    • Ensure IAM Users Receive Permissions Only Through Groups
    • Ensure IAM policies are attached only to groups or roles
    • Ensure IAM policies that allow full *:* administrative privileges are not attached
    • Ensure AWS Config is enabled in all regions
  • Amazon RDS
    • RDS should not have Public Interface
    • Ensure that AWS RDS databases are encrypted using Customer Managed Keys
    • Ensure that public access is not given to RDS Instance
    • Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
    • Ensure that encryption-at-rest is enabled for RDS Instances
    • Ensure AWS RDS instances have Multi-Availability Zone enabled
    • Ensure AWS RDS retention policy is at least 7 days
    • RDS Databases with Direct Connect virtual interface should not have public interfaces
    • Ensure AWS RDS instances have Automatic Backup set up
    • RDS should not be open to a large network scope
    • Ensure that RDS database instance enforces SSL/TLS for all connections
    • Ensure that RDS database instance doesn't use its default endpoint port
    • Ensure that encryption is enabled for AWS RDSDBCluster Storage
    • Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled
    • Ensure that Deletion Protection feature is enabled for your Aurora database clusters (provisioned and serverless)
    • Ensure no Amazon RDS database instances are running in public subnets of the AWS Virtual Private Cloud (VPC)
    • Ensure Aurora PostgreSQL is not exposed to the local file read vulnerability
  • CloudTrail
    • Ensure CloudTrail configuration changes are monitored
    • Ensure a log metric filter and alarm exist for SSM actions
    • Ensure a log metric filter and alarm exists for AWS MFA Deletion for IAM users
    • Ensure AWS Config configuration changes are monitored
    • Ensure security group changes are monitored
    • Ensure a log metric filter and alarm exist for usage of 'root' account
    • Ensure appropriate subscribers to each SNS topic
    • Ensure VPC changes are monitored
    • Ensure changes to network gateways are monitored
    • Ensure disabling or scheduled deletion of customer created CMKs is monitored
    • Ensure Network Access Control Lists (NACL) changes are monitored
    • Ensure a log metric filter and alarm exist for IAM login profile changes
    • Ensure AWS Organizations changes are monitored
    • Ensure CloudTrail log file validation is enabled
    • Ensure AWS Management Console authentication failures are monitored
    • Ensure CloudTrail logs are encrypted at rest using KMS CMKs
    • Ensure S3 bucket policy changes are monitored
    • Ensure unauthorized API calls are monitored
    • Ensure a multi-region trail exists for each AWS CloudTrail
    • Ensure CloudTrail trails are integrated with CloudWatch Logs
    • Ensure management console sign-in without MFA is monitored
    • Ensure IAM policy changes are monitored
    • Ensure route table changes are monitored
    • Ensure a log metric filter and alarm exist for STS 'AssumeRole' action
    • Ensure that Object-level logging for read events is enabled for S3 bucket
    • Ensure a log metric filter and alarm exist for EC2 instance changes
    • Ensure a log metric filter and alarm exist for EC2 Large instance changes
    • Ensure CloudTrail logs have KmsKeyId defined
    • Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
    • Ensure CloudTrail Logging is Enabled
  • AWS Nat Gateway
    • Ensure that NAT gateway is not associated with a private subnet
    • Ensure NAT gateway state is available
    • Ensure NAT gateway has a name tag
  • Amazon ElastiCache
    • Ensure that ElastiCache for Redis version is compliant with AWS PCI DSS requirements
    • Ensure ElastiCache for Memcached is not used in AWS PCI DSS environments
    • Ensure AWS ElastiCache Redis clusters have in-transit encryption enabled
    • Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled
    • Ensure Amazon ElastiCache Redis clusters have the Multi-AZ feature enabled
    • Ensure that the latest version of Redis is used for your AWS ElastiCache clusters
    • Ensure that the latest version of Memcached is used for your AWS ElastiCache clusters
  • AWS Network-Firewall
    • Ensure Network firewall alerts logging is enabled
    • Ensure Network firewall resides in a dedicated subnet
    • Ensure Network firewall has subnet change protection enabled
    • Ensure Network firewall status is not FAILED
    • Ensure Network firewall flow logging is enabled
    • Ensure Network firewall has policy change protection enabled
    • Ensure Network firewall delete protection enabled
  • IAM Policy
    • Ensure AWS IAM policies do not grant 'assume role' permission across all services
    • Ensure IAM user, group, or role has IAM access key permissions restricted
    • Ensure AWS IAM policies allow only the required privileges for each role
    • Ensure IAM user, group, or role does not have access to create or update login profiles (passwords) for IAM users
    • Ensure AWS IAM managed policies do not have 'getObject' or full S3 action permissions
    • Ensure IAM Policy does not have Effect: 'Allow' with 'NotAction' Element
    • Ensure IAM policies that allow full '*:*' administrative privileges are not attached
    • Ensure policy attached to IAM identities requires SSL/TLS to manage IAM access keys
    • Ensure a support role has been created to manage incidents with AWS Support
    • Ensure undedicated AWS IAM managed policies do not have full action permissions
    • Ensure all IAM policies are in use
    • Ensure IAM user, group, or role has MFA permissions restricted
    • Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version
  • Amazon Elastic Container Service
    • Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols
    • ECS Service with Admin Roles
    • Ensure there are no inline policies attached to the ECS service
    • Ensure that at least one Load Balancer is attached to the service
    • Ensure that ECS Service role doesn't have excessive permissions (Contains a wildcard)
    • Ensure that ECS Service managed role doesn't have an overly permissive scope (Contains a wildcard)
  • IAM Server Certificate
    • Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
    • SSL/TLS certificates expire in 45 days
    • SSL/TLS certificates expire in one week
    • SSL/TLS certificates expire in one month
    • Ensure IAM server certificate was not uploaded before the Heartbleed security bug fix
  • AWS Lambda
    • Ensure AWS Lambda function is configured inside a VPC
    • Ensure that Lambda Function execution role policy doesn't have excessive permissions (Contains a wildcard)
    • Ensure no Lambda allows ingress from 0.0.0.0/0 to remote server administration ports
    • Ensure AWS Lambda functions have tracing enabled
    • Lambda Functions must have an associated tag
    • Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role
    • Ensure that Lambda Function execution role policy doesn't have an overly permissive scope (Contains a wildcard)
    • Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses Customer Master Keys (CMK)
    • Ensure that Lambda Function resource-based policy doesn't have excessive permissions (Contains a wildcard)
    • Ensure that Lambda Function is not publicly exposed via resource policy without a condition
    • Ensure that Lambda Function URL is secured with IAM authentication
    • Ensure Lambda functions are not using deprecated runtimes
    • Ensure that Amazon Lambda functions are referencing active execution roles
    • Ensure that your Amazon Lambda functions have access to VPC-only resources
  • Amazon API Gateway
    • Ensure that the API Endpoint type in API Gateway is set to Private and is not exposed to the public internet
    • Ensure that all requestValidatorId in API Gateway are not null
    • Ensure that all authorization Type in API Gateway are not set to None
    • Ensure that an API Key is required on a Method Request
    • Ensure API gateway policy limits public access
    • Ensure API gateway has WAF
    • Ensure API Gateway endpoints have client certificate authentication
  • AWS Certificate Manager
    • Ensure invalid or failed certificates are removed from ACM
    • Ensure that all the expired SSL/TLS certificates are removed from ACM
    • Ensure ACM certificate was not issued before the Heartbleed security bug fix
    • ACM has a PENDING_VALIDATION Certificate
    • Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate
    • Ensure ACM only has certificates with single domain names, and none with wildcard domain names
    • ACM has soon to be expired certificates
    • Ensure the AWS Certificate Manager (ACM) has no unused certificates
  • Amazon VPC Endpoints
    • Ensure VPC Endpoint has a name tag
    • Ensure that VPC Endpoint policy does not provide excessive permissions
    • Ensure that the VPC Endpoint status is in the Available state
    • Ensure that VPC Endpoint policy won't allow all actions
  • EKS Cluster
    • EksCluster should not have more than one security group
    • EksCluster should not be publicly accessed
    • Ensure that AWS EKS Cluster control plane logging is enabled
    • Ensure security groups associated with EKS cluster do not have inbound rules with a scope of 0.0.0.0/0
    • Ensure EKS cluster version is up-to-date
  • Amazon Secrets Manager
    • Ensure that AWS Secret Manager Secret rotation is enabled
    • Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days
    • Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs
  • Amazon Kinesis
    • AWS Kinesis streams are encrypted with customer managed CMK
    • AWS Kinesis data streams have server side encryption (SSE) enabled
    • Ensure AWS Kinesis Streams Keys are rotated
  • Amazon ElasticSearch service
    • Ensure OpenSearch has IAM permissions restricted
    • Enforce creation of ElasticSearch domains within your VPCs
    • Ensure that encryption of data at rest is enabled on Elasticsearch domains
    • Ensure that node-to-node encryption is enabled for Elasticsearch service
  • Amazon SageMaker
    • Ensure that SageMaker is placed in VPC
    • Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled
    • Ensure SageMaker Notebook Instance Data Encryption is enabled
    • Ensure that SageMaker Notebook does not have direct internet access
  • Amazon DynamoDB
    • Ensure that AWS DynamoDB is encrypted using customer-managed CMK
    • Ensure Amazon DynamoDB tables have continuous backups enabled
    • DynamoDB Accelerator (DAX) clusters should be encrypted at rest
    • Identify and remove any unused AWS DynamoDB tables to optimize AWS costs
  • AWS Transit Gateway
    • Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway
    • Ensure you define VPC associations and propagations yourself to keep track of all routes and connections to and from your Transit gateway
    • Ensure Transit gateway has a name tag
  • Subnet
    • Ensure AWS VPC subnets have automatic public IP assignment disabled
  • Amazon Elastic Block Storage (EBS)
    • Ensure EBS Volume Encryption is Enabled in all Regions
    • Ensure AWS EBS Volumes are attached to instances
    • Attached EBS volumes should be encrypted at-rest
  • IAM Group
    • Ensure IAM groups have at least one IAM User attached
    • Ensure that IamGroup does not have Inline policies
    • Ensure IAM groups do not have administrator privileges
  • Amazon CloudFront
    • Ensure AWS CloudFront web distributions use custom (and not default) SSL certificates
    • Use encrypted connection between CloudFront and origin server
    • Ensure that the Viewer Protocol policy is compliant to only use the HTTPS protocol
    • Ensure AWS CloudFront web distribution with geo restriction is enabled
    • Determine if CloudFront CDN is in use
    • Ensure AWS CloudFront distribution with access logging is enabled
    • AWS CloudFront - WAF Integration
    • Use secure ciphers in CloudFront distribution
    • CloudFront distributions should require encryption in transit
    • CloudFront distributions should encrypt traffic to custom origins
    • Ensure CloudFront origins don't use insecure SSL protocols
  • Simple Queue Service (SQS)
    • Ensure there is a Dead Letter Queue configured for each Amazon SQS queue
    • Ensure that SQS policy won't allow all actions from all principals
    • Ensure that AWS SQS is encrypted using Customer Managed keys instead of AWS-owned CMKs
    • Ensure that SQS policy won't allow all actions from all principals without a condition
    • Ensure SQS Dead-letter queue is not configured to send messages to the source queue
    • Ensure Amazon SQS queues enforce Server-Side Encryption (SSE)
    • Ensure that AWS SQS is encrypted using AWS managed CMKs (Customer Master Keys) instead of AWS-owned CMKs
  • EC2 Auto Scaling Group
    • Ensure Auto Scaling group has scaling cooldown configured
    • Ensure Auto Scaling group is used with multiple Availability Zones
    • Ensure Auto Scaling group does not have suspended processes
  • Amazon Systems Manager document
    • Amazon System Manager Document should not be publicly available
    • Ensure that public System Manager Documents include parameters
  • SNS Topic
    • Ensure SNS Topics aren't publicly accessible
    • Ensure SNS topics have active subscriptions
    • Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE)
    • Ensure SNS Topics administrative actions aren't publicly executable without a condition
    • Ensure that AWS SNS topic is encrypted using Customer Managed Keys instead of AWS-owned CMKs
    • Ensure that AWS SNS topic is encrypted using AWS managed CMKs (Customer Master Keys) instead of AWS-owned CMKs
    • Ensure SNS Topics administrative actions aren't publicly executable
  • AWS Config
    • Ensure that the configuration recorder is set to 'on' and set S3 Bucket and SNS topic as your delivery channel
  • Amazon ECS Task Definitions
    • Enable container health checks
    • Container metadata
  • IAM SAML Identity Provider
    • Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • Route53RecordSetGroup
    • Ensure S3 Bucket exists for A records routing traffic to an S3 Bucket website endpoint
    • Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint
  • Amazon Route 53
    • Expired Route 53 Domain Names
    • AWS Route 53 Domain Name Renewal (30 days before expiration)
    • AWS Route 53 Domain Name Renewal (7 days before expiration)
    • Enable AWS Route 53 Domain Transfer Lock
    • Enable AWS Route 53 Domain Auto Renew
  • Amazon VPC
    • Ensure VPC flow logging is enabled in all VPCs
    • Ensure the number of private gateways is within the AWS limit for each region
    • Identify unused AWS VPCs
    • Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
    • Ensure the default security group of every VPC restricts all traffic
    • Ensure routing tables for security groups peering are "least access"
  • Amazon Elastic Container Service - Cluster
    • Prefer using IAM roles for tasks rather than using IAM roles for an instance
    • Ensure that at least one instance is registered with an ECS Cluster
    • ECS Cluster At-Rest Encryption
    • ECS Cluster should not have running container instances with unconnected agents
  • Route53 Hosted Zone
    • Use Route53 for scalable, secure DNS service in AWS
  • AWS Key Management Service (KMS)
    • Ensure only usable Customer Managed Keys are in the AWS KMS
    • Ensure rotation for customer created symmetric CMKs is enabled
    • Ensure rotation for customer created CMKs is enabled
    • Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion
  • Amazon Redshift
    • Ensure AWS Redshift clusters are not publicly accessible
    • Use KMS CMK customer-managed keys for Redshift clusters
    • Ensure AWS Redshift instances are encrypted
    • Connections to Amazon Redshift clusters should be encrypted in transit
  • Amazon Systems Manager Parameter
    • Ensure that sensitive parameters are encrypted
  • Amazon Machine Image (AMI)
    • Ensure that EC2 AMIs are not publicly accessible
  • EMR Cluster
    • Ensure in-transit and at-rest encryption is enabled for Amazon EMR clusters
    • Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3
    • Ensure EMR cluster nodes do not have public IPs
  • Amazon NACL
    • Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • Route Table
    • Ensure AWS NAT Gateways are being utilized instead of the default route
  • AWS EcrRepository
    • Ensure that ECR image tags are immutable
    • Ensure that ECR image scan on push is enabled
    • Ensure that ECR repositories are encrypted
    • Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone
    • Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone, even with a condition
    • Ensure that the Cross-Region Replication feature is enabled for your Amazon ECR container images
    • Ensure that Amazon ECR image repositories are using lifecycle policies

kubernetes policies

  • Pods
    • Apply Security Context to Your Pods and Containers
    • Ensure that the seccomp profile is set to docker/default in your pod definitions
    • Ensure that applications use secrets as files rather than as environment variables
    • Ensure that the default namespace is not used
    • Ensure SecurityContext Field Is Set
    • CPU & Memory Limits Should be Set
    • CPU & Memory Requests Should be Set
    • Image Tag should not be 'latest'
    • Image Tag should not be blank
    • Use Read-Only Filesystem
    • Do not admit containers with docker socket bind mount
    • Do not admit root containers
    • Do not admit containers with SYS_ADMIN capability
    • Do not generally permit containers with allowPrivilegeEscalation
    • Run as a high-UID user
    • Do not generally permit privileged containers
    • Pod containers should not share the host process ID namespace
    • Pod should not use the node network namespace
    • Host device path mounts should not be used
    • Pod containers should not share the host IPC namespace
    • Do not override DNS settings in Pod
    • SELinux options should not be configured on containers
    • CVE-2022-0811: Prevent pods from having a securityContext with sysctls that contain + or =
    • Ensure that the --token-auth-file parameter is not set (API Server)
    • Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server)
    • Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server)
    • Ensure that the --client-ca-file argument is set as appropriate (API Server)
    • Ensure that the --etcd-cafile argument is set as appropriate (API Server)
    • Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager)
    • Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager)
    • Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd)
    • Ensure that the --client-cert-auth argument is set to true (etcd)
    • Ensure that the --auto-tls argument is not set to true (etcd)
    • Ensure that the --experimental-encryption-provider-config argument is set as appropriate (API Server)
    • Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) (Openshift)
    • Ensure that the --client-cert-auth argument is set to true (etcd) (Openshift)
    • Ensure that the --auto-tls argument is not set to true (etcd) (Openshift)
    • Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) (Openshift)
    • Ensure that the --peer-client-cert-auth argument is set to true (etcd) (Openshift)
    • Ensure that the --peer-auto-tls argument is not set to true (etcd) (Openshift)
    • Ensure that a unique Certificate Authority is used for etcd (etcd) (Openshift)
    • Ensure that the admission control plugin AlwaysAdmit is not set (API Server)
    • Ensure that the --basic-auth-file argument is not set (API Server)
    • Ensure that the --profiling argument is set to false (API Server)
    • Ensure that the --kubelet-certificate-authority argument is set as appropriate (API Server)
    • Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (API Server)
    • Ensure that the admission control plugin PodSecurityPolicy is set (API Server)
    • Ensure that the --authorization-mode argument includes RBAC (API Server)
    • Ensure that the --profiling argument is set to false (Scheduler)
    • Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Controller Manager)
    • Ensure that the --profiling argument is set to false (Controller Manager)
    • Ensure that the --use-service-account-credentials argument is set to true (Controller Manager)
    • Ensure that the --root-ca-file argument is set as appropriate (Controller Manager)
    • Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd)
    • Ensure that the --peer-client-cert-auth argument is set to true (etcd)
    • Ensure that the --peer-auto-tls argument is not set to true (etcd)
    • Ensure that Containers are not running in privileged mode
    • Ensure containers are secured with AppArmor profile
    • Ensure that the --anonymous-auth argument is set to false (API Server)
    • Ensure that Containers are not running with dangerous capabilities
    • Ensure that Containers are not running with insecure capabilities
    • Ensure that the --authorization-mode argument includes Node (API Server)
    • Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (API Server)
    • Ensure that the --DenyServiceExternalIPs is not set
    • Ensure that the --kubelet-https argument is set to true
    • Minimize the admission of HostPath volumes
    • Minimize the admission of containers which use HostPorts
    • Ensure that the --request-timeout argument is set as appropriate (API Server)
    • Ensure that the --encryption-provider-config argument is set as appropriate (API Server)
    • Ensure that a minimal audit policy is created (API Server)
    • Ensure that encryption providers are appropriately configured (API Server)
    • Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server)
    • Ensure that a unique Certificate Authority is used for etcd
    • Ensure that the --audit-log-path argument is set as appropriate (API Server)
    • Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (API Server)
    • Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (API Server)
    • Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (API Server)
    • Ensure that the AdvancedAuditing argument is not set to false (API Server)
    • Ensure that the --service-account-lookup argument is set to true (API Server)
    • Ensure that the admission control plugin ServiceAccount is set (API Server)
    • Ensure that the --insecure-allow-any-token argument is not set (API Server)
    • Ensure that the --insecure-bind-address argument is not set (API Server)
    • Ensure that the --insecure-port argument is set to 0 (API Server)
    • Ensure that the --secure-port argument is not set to 0 (API Server)
    • Ensure that the --repair-malformed-updates argument is set to false (API Server)
    • Ensure that the admission control plugin AlwaysPullImages is set (API Server)
    • Ensure that the admission control plugin NamespaceLifecycle is set (API Server)
    • Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server)
    • Ensure that the --authorization-mode argument is set to Node (API Server)
    • Ensure that the admission control plugin NodeRestriction is set (API Server)
    • Ensure that the admission control plugin EventRateLimit is set (API Server)
    • Ensure that the --address argument is set to 127.0.0.1 (Scheduler)
    • Ensure that the --address argument is set to 127.0.0.1 (Controller Manager)
    • Ensure that the admission control plugin DenyEscalatingExec is set (API Server)
    • Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager)
    • Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler)
    • Ensure pods outside of kube-system do not have access to node volume
    • Ensure that the --service-account-key-file argument is set as appropriate (API Server)
  • Kubernetes Role
    • Minimize access to secrets (RBAC)
    • Minimize wildcard use in Roles and ClusterRoles (RBAC)
    • Profiling (metric) is protected by RBAC (RBAC) (Openshift)
    • Profiling (pprof) is protected by RBAC (RBAC) (Openshift)
    • Ensure that the healthz endpoints for the scheduler are protected by RBAC (RBAC) (Openshift)
  • Node
    • Ensure that the --anonymous-auth argument is set to false (Kubelet)
    • Ensure that the --make-iptables-util-chains argument is set to true (Kubelet)
    • Ensure that the --authorization-mode argument is not set to AlwaysAllow (Kubelet)
    • Ensure that the --hostname-override argument is not set (Kubelet) (Openshift)
    • Ensure that the --protect-kernel-defaults argument is set to true (Kubelet)
    • Ensure that the --client-ca-file argument is set as appropriate (Kubelet)
    • Ensure that the --event-qps argument is set to 0 (Kubelet)
    • Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)
    • Ensure that the --read-only-port argument is set to 0 (Kubelet)
    • Ensure that the --rotate-certificates argument is not set to false (Kubelet)
    • Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Kubelet)
    • Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet)
    • Ensure that the --rotate-certificates argument is not set to false (Kubelet) (Openshift)
    • Verify that the RotateKubeletServerCertificate argument is set to true (Kubelet) (Openshift)
    • Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Kubelet) (Openshift)
    • Ensure that the --rotate-certificates argument is not present or is set to true (Kubelet)
    • Ensure that the --hostname-override argument is not set (Kubelet)
    • Ensure that the --cadvisor-port argument is set to 0 (Kubelet)
    • Ensure that garbage collection is configured as appropriate (Kubelet) (Openshift)
  • Kubernetes Role Binding
    • Ensure that the cluster-admin role is only used where required (RBAC)
    • Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (RBAC)
    • Ensure that default service accounts are not actively used (RBAC)
    • Minimize access to create pods (RBAC)
    • Ensure that the cluster-admin role is not being used
    • Ensure that anonymous requests are authorized (RBAC) (Openshift)
    • Ensure that the cluster-admin role is only used where required (RBAC - ClusterRoleBinding)
    • Ensure that default service accounts are not actively used (RBAC - ClusterRoleBinding)
    • Limit binding of Anonymous User
  • Network Policies
    • Ensure that the CNI in use supports Network Policies
    • Ensure Traffic Between Client and Load Balancer Uses HTTPS Protocol Only
    • Restrict Traffic Among Pods with a Network Policy
  • Kubernetes Service Account
    • Ensure that Service Account Tokens are only mounted where necessary (RBAC)
    • Ensure that default service accounts are not actively used (RBAC - ServiceAccount)
  • Pod Security Policies
    • Minimize the admission of containers wishing to share the host IPC namespace (PSP)
    • Minimize the admission of privileged containers (PSP)
    • Minimize the admission of containers wishing to share the host network namespace (PSP)
    • Minimize the admission of containers with allowPrivilegeEscalation (PSP)
    • Minimize the admission of containers with added capabilities (PSP)
    • Minimize the admission of containers wishing to share the host process ID namespace (PSP)
    • Minimize the admission of root containers (PSP)
    • Ensure Objects Have A Valid Email Address Annotation
    • Ensure Objects Have An Owner Label
    • Ensure Sysctls Do Not Use Kernel Subsystems In A Kubernetes Cluster
    • Minimize the admission of containers with the NET_RAW capability (PSP)
    • Minimize the admission of containers to RootFilesystem (PSP)
    • Minimize the admission of FSGroup applied to some volumes (PSP)
    • Minimize the admission of primary group ID the containers are run with (PSP)
    • Minimize the admission of SupplementalGroups in containers (PSP)
  • Service
    • CVE-2020-8554: Services should not use 'externalIPs'
    • Services should not expose SSH port

google policies

  • Virtual Machine Instances
    • Ensure GCP VM Instances have Labels
    • Public VMInstance with service VNC Server(TCP:5900) is exposed to a wide public network
    • VMInstance with service MSSQL Debugger(TCP:135) is exposed to a wide network scope
    • Ensure oslogin is enabled for a Virtual Machine
    • Public VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a wide public network
    • Public VMInstance with service Postgres SQL(TCP:5432) is exposed to a small public network
    • Ensure VM Instance does not have a public IP
    • VMInstance with service CIFS / SMB(TCP:3020) is exposed to a wide network scope
    • VMInstance with service VNC Listener(TCP:5500) is exposed to a small network scope
    • VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to a large network
    • VMInstance with unencrypted LDAP (TCP:389) is exposed to the public internet
    • VMInstance with service DNS(UDP:53) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a large network
    • VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a large network
    • VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to a small network
    • Public VMInstance with service MSSQL Server(TCP:1433) is exposed to a wide public network
    • VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
    • Ensure That Compute Instances Have Confidential Computing Enabled
    • VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to a small network
    • VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a small network scope
    • VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network
    • VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a large network
    • VMInstance with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet
    • VMInstance with unencrypted Memcached (UDP:11211) is exposed to a large network
    • Public VMInstance with service VNC Server(TCP:5900) is exposed to a small public network
    • Public VMInstance with service POP3(TCP:110) is exposed to a wide public network
    • VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a wide network scope
    • VMInstance with unencrypted Memcached (TCP:11211) is exposed to a large network
    • Public VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a wide public network
    • Public VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a small public network
    • VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a small network scope
    • VMInstance with service POP3(TCP:110) is exposed to a small network scope
    • Ensure That IP Forwarding Is Not Enabled on Instances
    • VMInstance with administrative service: SSH (TCP:22) is exposed to a wide network scope
    • VMInstance with unencrypted Mongo (TCP:27017) is exposed to a small network
    • VMInstance with unencrypted Elastic search (TCP:9200) is exposed to a large network
    • VMInstance with unencrypted Mongo (TCP:27017) is exposed to the public internet
    • VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to the public internet
    • Public VMInstance with service Microsoft-DS(TCP:445) is exposed to a small public network
    • VMInstance with service Memcached SSL(TCP:11214) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to the public internet
    • Public VMInstance with service Puppet Master(TCP:8140) is exposed to a wide public network
    • VMInstance with service Known internal web port(TCP:8080) is exposed to a wide network scope
    • VMInstance with unencrypted LDAP (UDP:389) is exposed to a small network
    • Ensure Compute Instances Are Launched With Shielded VM Enabled
    • VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to a small network
    • VMInstance with service CIFS / SMB(TCP:3020) is exposed to a small network scope
    • Public VMInstance with service MSSQL Debugger(TCP:135) is exposed to a wide public network
    • Public VMInstance with service VNC Listener(TCP:5500) is exposed to a wide public network
    • VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a small network scope
    • VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to the public internet
    • Public VMInstance with service NetBios Session Service(UDP:139) is exposed to a small public network
    • VMInstance with service SMTP(TCP:25) is exposed to a wide network scope
    • VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a wide network scope
    • VMInstance with unencrypted LDAP (UDP:389) is exposed to a large network
    • VMInstance with service Known internal web port(TCP:8000) is exposed to a small network scope
    • VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a small network scope
    • Public VMInstance with service SMTP(TCP:25) is exposed to a wide public network
    • Public VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a wide public network
    • Public VMInstance with service SaltStack Master(TCP:4506) is exposed to a wide public network
    • VMInstance with service Postgres SQL(UDP:5432) is exposed to a wide network scope
    • Public VMInstance with service LDAP SSL(TCP:636) is exposed to a wide public network
    • Public VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a wide public network
    • Public VMInstance with service Known internal web port(TCP:8000) is exposed to a wide public network
    • VMInstance with service VNC Listener(TCP:5500) is exposed to a wide network scope
    • VMInstance with service DNS(UDP:53) is exposed to a small network scope
    • VMInstance with service Postgres SQL(TCP:5432) is exposed to a wide network scope
    • VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a small network scope
    • Public VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a small public network
    • Public VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a wide public network
    • VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a small network scope
    • Public VMInstance with service Cassandra(TCP:7001) is exposed to a wide public network
    • Public VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a small public network
    • VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a wide network scope
    • Public VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a small public network
    • VMInstance with unencrypted Redis (TCP:6379) is exposed to a large network
    • Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances
    • Public VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a wide public network
    • VMInstance with service Known internal web port(TCP:8080) is exposed to a small network scope
    • VMInstance with service Telnet(TCP:23) is exposed to a wide network scope
    • VMInstance with service MySQL(TCP:3306) is exposed to a wide network scope
    • VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a small network scope
    • VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a wide network scope
    • VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to the public internet
    • VMInstance with service MySQL(TCP:3306) is exposed to a small network scope
    • VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a wide network scope
    • VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a small network scope
    • VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network
    • Public VMInstance with service Memcached SSL(TCP:11214) is exposed to a small public network
    • Public VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a wide public network
    • Public VMInstance with service SaltStack Master(TCP:4506) is exposed to a small public network
    • VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a large network
    • Public VMInstance with service VNC Listener(TCP:5500) is exposed to a small public network
    • Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
    • VMInstance with service POP3(TCP:110) is exposed to a wide network scope
    • Public VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a wide public network
    • VMInstance with service NetBios Session Service(UDP:139) is exposed to a wide network scope
    • VMInstance with unencrypted Elastic search (TCP:9300) is exposed to a large network
    • Public VMInstance with service MSSQL Debugger(TCP:135) is exposed to a small public network
    • Public VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a wide public network
    • VMInstance with service Memcached SSL(UDP:11215) is exposed to a small network scope
    • VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to a large network
    • Public VMInstance with service MySQL(TCP:3306) is exposed to a small public network
    • Public VMInstance with service NetBios Session Service(UDP:139) is exposed to a wide public network
    • VMInstance with service Known internal web port(TCP:8000) is exposed to a wide network scope
    • Asset does not contain a network tag
    • VMInstance with service Memcached SSL(UDP:11215) is exposed to a wide network scope
    • Public VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a small public network
    • VMInstance with service SaltStack Master(TCP:4505) is exposed to a wide network scope
    • VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to a large network
    • VMInstance with unencrypted Mongo (TCP:27017) is exposed to a large network
    • VMInstance with service Memcached SSL(TCP:11214) is exposed to a small network scope
    • VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a wide network scope
    • VMInstance with service SMTP(TCP:25) is exposed to a small network scope
    • VMInstance with service MSSQL Admin(TCP:1434) is exposed to a small network scope
    • Public VMInstance with service Memcached SSL(TCP:11215) is exposed to a small public network
    • Public VMInstance with service NetBios Session Service(TCP:139) is exposed to a small public network
    • VMInstance with service LDAP SSL(TCP:636) is exposed to a wide network scope
    • Public VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a small public network
    • VMInstance with service SNMP(UDP:161) is exposed to a wide network scope
    • VMInstance with service Memcached SSL(UDP:11214) is exposed to a wide network scope
    • VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to the public internet
    • VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a wide network scope
    • Public VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a small public network
    • VMInstance with service VNC Server(TCP:5900) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network
    • VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to a small network
    • VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a small network scope
    • VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a small network scope
    • Public VMInstance with service MSSQL Admin(TCP:1434) is exposed to a small public network
    • VMInstance with unencrypted Memcached (UDP:11211) is exposed to a small network
    • Public VMInstance with service NetBios Session Service(TCP:139) is exposed to a wide public network
    • Public VMInstance with service SMTP(TCP:25) is exposed to a small public network
    • Public VMInstance with service MySQL(TCP:3306) is exposed to a wide public network
    • VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to a large network
    • Public VMInstance with service Memcached SSL(UDP:11215) is exposed to a small public network
    • VMInstance with service Memcached SSL(TCP:11215) is exposed to a small network scope
    • VMInstance with unencrypted Memcached (UDP:11211) is exposed to the public internet
    • Ensure That Compute Instances Do Not Have Public IP Addresses
    • VMInstance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
    • Public VMInstance with service DNS(UDP:53) is exposed to a wide public network
    • Public VMInstance with service Memcached SSL(TCP:11214) is exposed to a wide public network
    • Public VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a small public network
    • VMInstance with service Microsoft-DS(TCP:445) is exposed to a small network scope
    • Public VMInstance with service POP3(TCP:110) is exposed to a small public network
    • VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to the public internet
    • Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
    • Public VMInstance with service Cassandra(TCP:7001) is exposed to a small public network
    • Public VMInstance with service Known internal web port(TCP:8080) is exposed to a small public network
    • Public VMInstance with service SNMP(UDP:161) is exposed to a small public network
    • Public VMInstance with service CIFS / SMB(TCP:3020) is exposed to a wide public network
    • Public VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a wide public network
    • Public VMInstance with service Memcached SSL(UDP:11214) is exposed to a wide public network
    • Public VMInstance with service SNMP(UDP:161) is exposed to a wide public network
    • Public VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a wide public network
    • Public VMInstance with service Postgres SQL(TCP:5432) is exposed to a wide public network
    • VMInstance with unencrypted LDAP (UDP:389) is exposed to the public internet
    • Public VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a small public network
    • Public VMInstance with service Puppet Master(TCP:8140) is exposed to a small public network
    • Public VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a wide public network
    • VMInstance with unencrypted Elastic search (TCP:9200) is exposed to a small network
    • Public VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a small public network
    • VMInstance with service MSSQL Debugger(TCP:135) is exposed to a small network scope
    • VMInstance with service Puppet Master(TCP:8140) is exposed to a wide network scope
    • Public VMInstance with service Postgres SQL(UDP:5432) is exposed to a small public network
    • VMInstance with service VNC Server(TCP:5900) is exposed to a small network scope
    • VMInstance with service NetBios Session Service(UDP:139) is exposed to a small network scope
    • Public VMInstance with service Memcached SSL(UDP:11215) is exposed to a wide public network
    • Public VMInstance with service Telnet(TCP:23) is exposed to a small public network
    • VMInstance with service SaltStack Master(TCP:4505) is exposed to a small network scope
    • Public VMInstance with service Microsoft-DS(TCP:445) is exposed to a wide public network
    • VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a small network scope
    • VMInstance with service Memcached SSL(TCP:11215) is exposed to a wide network scope
    • VMInstance with service Cassandra(TCP:7001) is exposed to a small network scope
    • VMInstance with service Telnet(TCP:23) is exposed to a small network scope
    • VMInstance with service SaltStack Master(TCP:4506) is exposed to a small network scope
    • VMInstance with service Microsoft-DS(TCP:445) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network
    • VMInstance with service Puppet Master(TCP:8140) is exposed to a small network scope
    • Public VMInstance with service DNS(UDP:53) is exposed to a small public network
    • VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • VMInstance with service SNMP(UDP:161) is exposed to a small network scope
    • Public VMInstance with service Known internal web port(TCP:8080) is exposed to a wide public network
    • VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network
    • Public VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a wide public network
    • VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to the public internet
    • VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a small network scope
    • Public VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a small public network
    • VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to the public internet
    • VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a wide network scope
    • VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a wide network scope
    • VMInstance with service MSSQL Server(TCP:1433) is exposed to a wide network scope
    • VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a wide network scope
    • Public VMInstance with service Postgres SQL(UDP:5432) is exposed to a wide public network
    • Public VMInstance with service Telnet(TCP:23) is exposed to a wide public network
    • VMInstance with service Cassandra(TCP:7001) is exposed to a wide network scope
    • VMInstance with unencrypted LDAP (TCP:389) is exposed to a small network
    • VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a small network scope
    • Public VMInstance with service MSSQL Admin(TCP:1434) is exposed to a wide public network
    • Public VMInstance with service Memcached SSL(TCP:11215) is exposed to a wide public network
    • VMInstance with unencrypted Memcached (TCP:11211) is exposed to a small network
    • VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a large network
    • VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to the public internet
    • VMInstance with service Memcached SSL(UDP:11214) is exposed to a small network scope
    • Ensure That Instances Are Not Configured To Use the Default Service Account
    • Public VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a small public network
    • Public VMInstance with service SaltStack Master(TCP:4505) is exposed to a small public network
    • VMInstance with service LDAP SSL(TCP:636) is exposed to a small network scope
    • VMInstance with unencrypted LDAP (TCP:389) is exposed to a large network
    • Public VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a small public network
    • VMInstance with service SaltStack Master(TCP:4506) is exposed to a wide network scope
    • Public VMInstance with service Memcached SSL(UDP:11214) is exposed to a small public network
    • VMInstance with service Postgres SQL(UDP:5432) is exposed to a small network scope
    • VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a wide network scope
    • VMInstance with service Postgres SQL(TCP:5432) is exposed to a small network scope
    • Public VMInstance with service CIFS / SMB(TCP:3020) is exposed to a small public network
    • Public VMInstance with service Known internal web port(TCP:8000) is exposed to a small public network
    • Public VMInstance with service LDAP SSL(TCP:636) is exposed to a small public network
    • Public VMInstance with service SaltStack Master(TCP:4505) is exposed to a wide public network
    • VMInstance with service MSSQL Admin(TCP:1434) is exposed to a wide network scope
    • VMInstance with unencrypted Elastic search (TCP:9200) is exposed to the public internet
    • VMInstance with service MSSQL Server(TCP:1433) is exposed to a small network scope
    • VMInstance with service NetBios Session Service(TCP:139) is exposed to a small network scope
    • VMInstance with service NetBios Session Service(TCP:139) is exposed to a wide network scope
    • VMInstance with unencrypted Elastic search (TCP:9300) is exposed to the public internet
    • VMInstance with unencrypted Memcached (TCP:11211) is exposed to the public internet
    • VMInstance with unencrypted Elastic search (TCP:9300) is exposed to a small network
    • VMInstance with unencrypted Redis (TCP:6379) is exposed to a small network
    • Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
    • VMInstance with administrative service: SSH (TCP:22) is too exposed to the public internet
    • Public VMInstance with service MSSQL Server(TCP:1433) is exposed to a small public network
    • VMInstance with unencrypted Redis (TCP:6379) is exposed to the public internet
    • Ensure that no VMInstance allows incoming traffic from '0.0.0.0/0' to all protocols and ports.
    • Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to the ICMP port.
    • Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to a known TCP port.
    • Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to a known UDP port.
    • Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to a known TCP DB port.
    • Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to a known UDP DB port.
    • Enable 2FA for VM Instances using OS Login
    • Ensure that instances are not configured to use the default service account
  • Kubernetes Cluster
    • Ensure Network policy is enabled on Kubernetes Engine Clusters
    • Ensure Kubernetes Clusters are configured with Labels
    • Ensure Kubernetes Engine Clusters legacy compute engine metadata endpoints are disabled
    • Ensure GKE Clusters use specific purpose-designed networks instead of the default network
    • Ensure `Automatic node repair` is enabled for Kubernetes Clusters
    • Ensure Kubernetes Cluster is created with Alias IP ranges enabled
    • Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
    • Ensure Automatic node upgrades are enabled on Kubernetes Engine Clusters nodes
    • Ensure Kubernetes Cluster is created with Client Certificate enabled
    • Ensure default Service account is not used for Project access in Kubernetes Clusters
    • Ensure Master authorized networks are set to Enabled on Kubernetes Engine Clusters
    • Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
    • Ensure Kubernetes web UI / Dashboard is disabled
    • Ensure Kubernetes Cluster is created with Private cluster enabled
    • Ensure the GKE Cluster alpha cluster feature is disabled
    • Ensure GKE Cluster HTTP load balancing is enabled
    • Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
    • Ensure PodSecurityPolicy Configuration Enabled For Google Kubernetes Engine (GKE) Cluster
    • Ensure 'master_auth' Block Exists For Google Kubernetes Engine (GKE) Cluster
  • GCP AlertPolicy
    • Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
    • Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
    • Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
    • Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
    • Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
    • Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
    • Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
    • Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
  • GCP IAM Policy
    • Ensure permissions to impersonate a service account are not granted at project level
    • Avoid using pre-IAM basic (primitive) roles
    • Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
    • Ensure that Corporate Login Credentials are Used
    • Ensure That Cloud Audit Logging Is Configured Properly
  • GCP CloudSql
    • Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
    • Ensure that Cloud SQL - MYSQL instances have Point-in-time recovery enabled
    • Ensure Cloud SQL instances have labels
    • Ensure 'user connections' Database Flag for Cloud SQL SQL Server Instance Is Set to a Non-limiting Value
    • Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    • Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
    • Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
    • Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
    • Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled)
    • Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
    • Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
    • Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
    • Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
    • Ensure That Cloud SQL Database Instances Do Not Have Public IPs
    • Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
    • Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    • Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
    • Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
    • Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
    • Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on)
    • Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
    • Ensure 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on'
    • Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
    • Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
    • Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    • Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
    • Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
    • Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
    • Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
    • Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
    • Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
    • Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud SQL PostgreSQL Instance Is Set to 'on' For Centralized Logging
    • Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances
    • Ensure that SQL Server database instances have the appropriate configuration set for the 'user connections' flag
  • GCP Security Group
    • Ensure Global Firewall rule does not allow all traffic
    • Ensure That SSH Access Is Restricted From the Internet
    • Ensure That RDP Access Is Restricted From the Internet
    • Ensure Excluding RDP Port For Google Compute Firewall
  • Storage Bucket
    • Ensure that Cloud Storage bucket has usage logs enabled
    • Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
    • Storage Bucket outside of Europe
    • Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
    • Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
    • Ensure Versioning Enabled For a new bucket in Google cloud storage service (GCS)
  • GCP IAM User
    • Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
    • User did not log in the past 90 days
    • Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
    • Ensure that multi-factor authentication is enabled for admin users
    • Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
    • Suspended user account unused for more than 6 months
    • Ensure GCP IAM user does not have permissions to deploy all resources
  • GCP API Key
    • Ensure API Keys Are Rotated Every 90 Days
    • Ensure API Keys Only Exist for Active Services
    • Ensure API Keys Are Restricted to Only APIs That Application Needs Access
    • Ensure unrestricted API keys are not available within your GCP projects
  • Google Cloud Function
    • Ensure that all the deployed cloud functions are in 'active' mode
    • Ensure that at least one event trigger was configured in your function
    • Ensure Google Cloud Function is configured with a VPC connector
  • GCP VPC Network
    • Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
    • Ensure Legacy Networks Do Not Exist for Older Projects
    • Ensure That the Default Network Does Not Exist in a Project
    • Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
  • Subnet
    • Ensure Private Google Access is enabled for all subnetworks in VPC Network
    • Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
    • Ensure Logging Configuration for Google Compute Subnetwork
  • GCP Project
    • Ensure Oslogin Is Enabled for a Project
    • Ensure Cloud Asset Inventory Is Enabled
    • Ensure 'Access Approval' is 'Enabled'
  • BigQuery
    • Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
    • Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
    • Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
  • Service Account
    • Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
    • Ensure That Service Account Has No Admin Privileges
    • Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
    • Ensure that service accounts are not granted with permissions to use other service accounts or set iam policies
  • Cloud Key Management Service
    • Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
    • Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
  • Google Pub/Sub
    • Ensure PubSub service is encrypted, with customer managed encryption keys.
  • GCP DNS Managed Zone
    • Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
    • Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
    • Ensure That DNSSEC Is Enabled for Cloud DNS
  • Https Load Balancer Proxy
    • Ensure No HTTPS Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
    • Ensure no SSL proxy load balancers permit SSL policies with weak cipher suites
  • Log Sink
    • Ensure That Sinks Are Configured for All Log Entries
  • GCP Dataproc Cluster
    • Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
  • GCP EssentialContact
    • Ensure Essential Contacts is Configured for Organization
    • Ensure Essential Contacts are defined for your Google Cloud organization

azure policies

  • SQL Server on Virtual Machines
    • Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
    • Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
    • Ensure that Azure Active Directory Admin is configured
    • Ensure Azure SQL Server data replication with Fail Over groups
    • Ensure the entire Azure infrastructure doesn't have access to Azure SQL Server
    • Ensure that ADS - 'Advanced Threat Protection types' (ATP) is set to 'All'
    • Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account
    • Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly
    • Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
    • Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
    • Ensure that SQL Server Auditing Retention is greater than 90 days
    • Ensure that 'Auditing' is set to 'On'
    • Restrict Azure SQL Server accessibility to a minimal address range
    • Ensure SQL Server Threat Detection is Enabled and Retention Logs are greater than 90 days
    • Ensure that 'Auditing' Retention is 'greater than 90 days'
    • Ensure that Azure Active Directory Admin is Configured for SQL Servers
    • Ensure that ADS - ATP 'Send alerts to' is set
    • Avoid using names like 'Admin' for an Azure SQL Server admin account login
    • Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
    • Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
    • Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
  • Virtual Machine
    • Ensure that Azure Virtual Machine is assigned to an availability set
    • Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
    • Virtual machine administrative OMI/OMS service port (5986) is publicly accessible
    • Ensure that at least one Network Security Group is attached to all VMs and subnets that are public
    • Virtual machine administrative OMI/OMS service port (5985) is publicly accessible
    • Virtual machine administrative OMI/OMS service port (1270) is publicly accessible
    • Ensure no Virtual Machine allows incoming traffic from 0.0.0.0/0 to Known DB-UDP ports
    • Ensure no Virtual Machine allows incoming traffic from 0.0.0.0/0 to Known TCP ports
    • Ensure no Virtual Machine allows incoming traffic from 0.0.0.0/0 to Known DB-TCP ports
    • Ensure no Virtual Machine allows incoming traffic from 0.0.0.0/0 to Known UDP ports
    • Ensure Virtual Machines are utilizing Managed Disks
    • Ensure that Endpoint Protection for all Virtual Machines is installed
  • Azure Key Vault
    • Key vault should have purge protection enabled
    • Ensure that the Expiration Date is set for all Keys in Key Vaults
    • Ensure Azure Key Vaults are Used to Store Secrets
    • Ensure that the Expiration Date is set for all Secrets in Key Vaults
    • Ensure that logging for Azure Key Vault is 'Enabled'
    • Ensure the Key Vault is Recoverable
    • Ensure that Private Endpoints are Used for Azure Key Vault
    • Enable Role Based Access Control for Azure Key Vault
  • Network security group
    • Ensure Flow-Logs are Enabled on NSG
    • Ensure that MSQL (TCP:4333) is restricted from the Internet
    • Ensure FTP deployments are disabled
    • Ensure that CIFS (UDP:445) is restricted from the Internet
    • Ensure that Windows RPC (TCP:135) is restricted from the Internet
    • Overly permissive NSG Inbound rule to all traffic on TCP protocol
    • Ensure that outbound traffic is restricted to only that which is necessary, and all other traffic denied
    • Ensure that PostgreSQL (TCP:5432) is restricted from the Internet
    • Ensure that VNC Server (TCP:5900) is restricted from the Internet
    • Overly permissive NSG Inbound rule to all traffic on UDP protocol
    • Ensure that SQL Server (TCP:1433) is restricted from the Internet
    • Ensure that FTP-Data (TCP:20) is restricted from the Internet
    • Ensure that NetBIOS (UDP:138) is restricted from the Internet
    • Ensure no security groups allow ingress from 0.0.0.0/0 to ICMP (Ping)
    • Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
    • Remove unused Network Security Groups
    • Ensure that Windows SMB (TCP:445) is restricted from the Internet
    • Ensure that DNS (TCP:53) is restricted from the Internet
    • Overly permissive NSG Inbound rule to all traffic on ANY protocol
    • Ensure that NetBIOS (UDP:137) is restricted from the Internet
    • Ensure that MySQL (TCP:3306) is restricted from the Internet
    • Ensure that SMTP (TCP:25) is restricted from the Internet
    • Ensure that DNS (UDP:53) is restricted from the Internet
    • Ensure that SSH access from the Internet is evaluated and restricted
    • Ensure that SQL Server (UDP:1434) is restricted from the Internet
    • Ensure that RDP access from the Internet is evaluated and restricted
    • Ensure that VNC Listener (TCP:5500) is restricted from the Internet
    • Ensure that Telnet (TCP:23) is restricted from the Internet
    • Ensure that Oracle Database (TCP:1521) is restricted from the Internet
    • Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019
    • Ensure that HTTP protocol (TCP:80) is restricted from the Internet
    • Ensure that HTTPS protocol (TCP:443) is restricted from the Internet
  • Azure SQL Database
    • Ensure that SQL Database Auditing Retention is greater than 90 days
    • Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled
    • Ensure that SQL Database Auditing is Enabled
    • Ensure that 'Data encryption' is set to 'On' on a SQL Database
  • Security Center - Policy
    • Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
  • Azure Alert Rule
    • Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
    • Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
    • Ensure that Activity Log Alert exists for Delete Network Security Group
    • Ensure that activity log alert exists for the Delete Network Security Group Rule
    • Ensure that Activity Log Alert exists for Delete Policy Assignment
    • Ensure that Activity Log Alert exists for Create or Update Security Solution
    • Ensure that Activity Log Alert exists for Delete Security Solution
    • Ensure that Activity Log Alert exists for Create or Update Network Security Group
    • Ensure that Activity Log Alert exists for Create Policy Assignment
    • Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
    • Ensure that Activity Log Alert exists for Delete Public IP Address rule
    • Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
    • Ensure that an activity log alert is created for Delete PostgreSQL Database events
  • Spring Cloud
    • Ensure that Spring Cloud App has end-to-end TLS enabled
    • Ensure that Spring Cloud App enforces HTTPS connections
    • Ensure that Spring Cloud App has system-assigned managed identity enabled
  • Azure Network Watcher
    • Ensure that Network Watcher is 'Enabled'
  • Network Security Group flow logs
    • Ensure Flow-Logs Retention Policy is greater than 90 days
    • Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
  • Azure Redis Cache
    • Redis cache should have a backup
    • Ensure that Redis is updated regularly with security and operational updates.
    • Ensure there are no firewall rules allowing unrestricted access to Redis from other Azure sources
    • Redis attached subnet Network Security Group should allow ingress traffic only to ports 6379 or 6380
    • Ensure that the Redis Cache accepts only SSL connections
    • Ensure there are no firewall rules allowing unrestricted access to Redis from the Internet
    • Redis attached subnet Network Security Group should allow egress traffic only to ports 6379 or 6380
    • Ensure there are no firewall rules allowing Redis Cache access for a large number of source IPs
    • Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol
  • Container Registry
    • Ensure that admin user is disabled for Container Registry
    • Ensure Container Registry has locks
    • Ensure to not use the deprecated Classic registry
  • Azure functions
    • Ensure that Health Check is enabled for your Function App
    • Ensure remote debugging has been disabled for your production Azure Functions
    • Ensure Function App is using the latest version of TLS encryption
    • Managed identity should be used in your Function App
    • Function App should only be accessible over HTTPS
    • Ensure the Function app has 'Client Certificates (Incoming client certificates)' set to 'On'
    • Ensure that Application Service Logs are Enabled for Containerized Function Apps
    • Ensure App Service Authentication is set up for apps in Azure App Service - FunctionApp
    • Ensure FTP deployments are Disabled for FunctionApp
  • Azure Database for PostgreSQL
    • Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
    • Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
    • Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
    • Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
    • Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server
    • Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
    • Ensure that Geo Redundant Backups is enabled on PostgreSQL
    • Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
    • Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
    • Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
    • Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database
  • Azure Storage Account
    • Storage Accounts outside Europe
    • Ensure that 'Secure transfer required' is set to 'Enabled'
    • Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
    • Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
    • Ensure Default Network Access Rule for Storage Accounts is Set to Deny
    • Storage Accounts outside Brazil
    • Ensure that 'Secure transfer required' is set to 'Enabled' for Storage Accounts
    • Ensure the blob is recoverable - enable 'Soft Delete' setting for blobs
    • Ensure Storage logging is enabled for Queue service for read, write, and delete requests
    • Ensure default network access rule for Storage Accounts is set to deny
    • Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
    • Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
    • Ensure that 'Public access level' is disabled for storage accounts with blob containers
    • Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
    • Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
    • Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
    • Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
    • Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
    • Ensure Minimum TLS Encryption Version For Storage Account
    • Ensure that Containers and its blobs are not exposed publicly
    • Ensure that Storage Account has Microsoft Defender for Cloud enabled
    • Ensure Private Endpoints are used to access Storage Accounts
    • Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
    • Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
  • Azure Application Gateway
    • Ensure Application Gateway is using the latest version of TLS encryption
    • Ensure Azure Application Gateway Web application firewall (WAF) is enabled
    • Ensure Application Gateway is using Https protocol
  • Virtual Network
    • Ensure that Virtual Networks Subnets have Security Groups
    • Ensure that Azure Virtual Network subnet is configured with a Network Security Group
    • Ensure that Azure Virtual network peering is connected
  • Log Profile
    • Ensure that a Log Profile exists
    • Ensure that Activity Log Retention is set 365 days or greater
    • Ensure the log profile captures activity logs for all regions including global
    • Ensure audit profile captures all the activities
    • Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
  • Azure AKS
    • Ensure that you are using authorized IP address ranges to secure access to the API server
    • Ensure that your Cluster Pool contains at least 3 Nodes
    • Ensure that a network policy is in place to secure traffic between pods
    • Ensure that Azure CNI Networking is enabled
    • Ensure that the pod security policy is enabled in your AKS cluster
    • Enable role-based access control (RBAC) within Azure Kubernetes Services
    • Ensure Azure Kubernetes Service (AKS) Cluster Dashboard Is Disabled
    • Ensure Azure Monitoring Enabled For Azure Kubernetes Service (AKS) Cluster
  • Web Apps service
    • Ensure remote debugging has been disabled for your production Web App
    • Ensure that Register with Azure Active Directory is enabled on App Service
    • Ensure Web App is using the latest version of TLS encryption
    • Ensure App Service Authentication is set up for apps in Azure App Service - Webapp
    • Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
    • Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
    • Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
    • Ensure That 'PHP version' is the Latest, If Used to Run the Web App
    • Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
    • Ensure that 'Java version' is the latest, if used to run the Web App
    • Ensure that 'Java version' is the latest, if used to run the Linux Web App
    • Ensure That 'PHP version' is the Latest, If Used to Run the Linux Web App
    • Ensure FTP deployments are Disabled
  • Azure Cosmos DB
    • Ensure That Private Endpoints Are Used Where Possible
    • Ensure Cosmos DB account access is not allowed from all networks
    • Ensure Cosmos DB account is encrypted with customer-managed keys
    • Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
    • Ensure to filter source Ips for Cosmos DB Account
  • Azure Monitor Logs
    • Ensure that a 'Diagnostic Setting' exists
    • Ensure Diagnostic Setting captures appropriate categories
  • Azure Resource Group
    • Ensure that Resource Locks are set for Mission-Critical Azure Resources
  • Azure Disk Storage
    • Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
  • Azure Virtual Network Gateway
    • Ensure Virtual Network Gateway is configured with Cryptographic Algorithm
  • Azure Analysis Services
    • Ensure that firewall rules are enabled and configured for Analysis services server
  • Azure role-based access control
    • Ensure to audit role assignments that have implicit managed identity permissions
    • Ensure to audit role assignments that have implicit 'Owner' permissions
    • Ensure to audit role assignments that have implicit role management permissions
    • Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
    • Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • Azure Role Definition
    • Ensure custom role definition doesn't have excessive permissions (Wildcard)
  • Azure Active Directory
    • Ensure that Azure Active Directory Admin is configured for SQL Server
    • Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account
    • Ensure That 'Number of methods required to reset' is set to '2'
    • Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
    • Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • My SQL DB Flexible Server
    • Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Flexible Server
    • Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
  • My SQL DB Single Server
    • Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Single Server
  • Auto Provisioning Settings
    • Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
  • Security Contact
    • Ensure 'Additional email addresses' is Configured with a Security Contact Email
    • Ensure That 'Notify about alerts with the following severity' is Set to 'High'
    • Ensure That 'All users with the following roles' is set to 'Owner'
    • Ensure the 'ServiceAdmin' role is listed as an email recipient for Defender alerts
  • Defender Plans
    • Ensure That Microsoft Defender for Servers Is Set to 'On'
    • Ensure That Microsoft Defender for App Services Is Set To 'On'
    • Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
    • Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
    • Ensure That Microsoft Defender for Storage Is Set To 'On'
    • Ensure that Microsoft Defender for Container Registries is set to 'On'
    • Ensure That Microsoft Defender for Key Vault Is Set To 'On'
    • Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
    • Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
    • Ensure That Microsoft Defender for Containers Is Set To 'On'
    • Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
    • Ensure That Microsoft Defender for DNS Is Set To 'On'
    • Ensure That Microsoft Defender for Databases Is Set To 'On'
  • PostgreSQL Flexible Server
    • Ensure 'Allow access to Azure services' for PostgreSQL Flexible Server is disabled
  • Defender Integrations
    • Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
    • Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
  • AD Security Defaults
    • Ensure Security Defaults is enabled on Azure Active Directory
  • AD Authorization Policy
    • Ensure That 'Users Can Register Applications' Is Set to 'No'
    • Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
    • Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
    • Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • AD Access Reviews Schedule Definition
    • Ensure Guest Users Are Reviewed on a Regular Basis

cft policies

  • AWS Key Management Service (KMS)
    • Ensure that KMS key has key rotation enabled
    • Ensure that the KMS key has key rotation enabled
    • Ensure that KMS key policy does not allow access to everyone
    • Ensure that there is no wildcard action in an inline KMS key policy
    • Ensure that there is no wildcard principal in an inline KMS key policy
    • Ensure that an inline KMS key policy does not allow full administrative rights
  • Amazon RDS
    • Ensure enhanced monitoring for Amazon RDS instances is enabled
    • Ensure that RDS IAM authentication is enabled
    • Ensure RDS instances have backup policy
    • Ensure RDS instances have Multi-AZ enabled
    • Ensure AWS RDS database instance is not publicly accessible
    • Ensure that encryption is enabled for RDS Instances
  • Elastic Load Balancing (ELB)
    • Ensure that ELB V2 Listener protocol is not HTTP or TCP
    • Ensure ELB enforces recommended SSL/TLS protocol version
  • AWS Key Management Service (KMS)
    • Ensure that there is no wildcard action in an inline KMS replica key policy
    • Ensure that there is no wildcard principal in an inline KMS replica key policy
    • Ensure that an inline KMS replica key policy does not allow full administrative rights
    • Ensure A Pod Runs Without Privileged Containers
  • Amazon ElasticSearch service
    • Ensure that encryption of data at rest is enabled on Elasticsearch domains
    • Ensure that there is no Wildcard principal in ElasticSearch access policy
    • Ensure Elasticsearch Domain enforces HTTPS
    • Ensure that there is no wildcard action in ElasticSearch access policy
    • Ensure Elasticsearch Domain Logging is enabled
    • Ensure that node-to-node encryption is enabled for Elasticsearch service
  • Amazon RDS DBCluster
    • Ensure RDS cluster has IAM authentication enabled
    • Ensure that RDS DB cluster has encryption enabled
  • Amazon API Gateway
    • Ensure that all authorization Type in API Gateway is not set to None
    • Ensure that an API Key is required on a Method Request
    • Ensure API gateway methods are not publicly accessible
  • AWS ElasticLoadBalancingV2 LoadBalancer
    • Ensure that access logging is enabled for the ELB v2
    • Ensure that a Load balancer is not internet facing
    • Ensure that ELB v2 drops invalid headers
  • Amazon RDS GlobalCluster
    • Ensure that RDS global cluster has encryption enabled
  • AWS CloudFront Distribution
    • CloudFront Distribution should have WAF enabled
    • Ensure Cloudfront distribution has Access Logging enabled
    • Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS
  • AWS Lambda
    • Ensure AWS Lambda functions have tracing enabled
    • Ensure that AWS Lambda function is configured for function-level concurrent execution limit
    • Ensure that AWS Lambda function is configured for a Dead Letter Queue
    • Lambda Functions must have an associated tag
  • AWS Lambda
    • Ensure that there is no wildcard action in Lambda permission
    • Ensure that there is no wildcard principal in Lambda permission
  • Amazon Elastic File System (EFS)
    • Ensure that your Amazon EFS file systems are encrypted
  • AWS Lambda
    • Ensure that AWS lambda layer version permissions does not have a wildcard principal
  • AWS DocDB DBClusterParameterGroup
    • Ensure DocDB TLS is not disabled
  • Amazon DynamoDB
    • Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's
  • AWS EC2 SecurityGroupEgress
    • Ensure that every security group egress object has a description
  • VPC Subnet
    • Ensure AWS VPC subnets have automatic public IP assignment disabled
  • AWS ElasticLoadBalancingV2 TargetGroup
    • Ensure that ELB target group has a health check enabled
  • DB Security Group
    • Ensure that AWS DB Security Group does not allow public access
  • Amazon Kinesis
    • Ensure AWS Kinesis streams are encrypted with KMS customer master keys
  • AWS Backup BackupVault
    • Ensure Backup Vault is encrypted at rest using KMS CMK
  • AWS Identity and Access Management (IAM)
    • Ensure That Access Key Rotation Is Less Than 90 Days
  • Simple Storage Service (S3)
    • Ensure all S3 buckets employ encryption-at-rest
    • Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
    • S3 bucket should not allow all actions from all principals
    • S3 bucket should not allow delete actions from all principals
    • S3 bucket should not allow 'get' actions from all principals
    • S3 bucket should not allow list actions from all principals
    • S3 bucket should not allow put actions from all principals
    • S3 bucket should not allow restoring object actions from all principals
    • Ensure that the S3 bucket is not publicly readable
    • Ensure that the S3 bucket is not publicly writable
    • Ensure that S3 server access logging is enabled
    • Ensure that S3 bucket has versioning enabled
    • Ensure that the S3 bucket has lifecycle configuration enabled
    • Ensure that the S3 bucket has object lock enabled
  • Amazon EC2 Instance
    • Ensure that the root block device has encryption enabled
    • Ensure AWS EC2 Instances use IAM Roles to control access
    • Ensure that address source/destination check is enabled on the instance
    • Amazon EC2 instance must have an associated tag
    • Ensure that EC2 API termination protection is enabled
    • Ensure that EC2 instance does not have public IP enabled
    • Ensure that EC2 is EBS optimized
    • Ensure that detailed monitoring for EC2 instances is enabled
  • Amazon Elastic Block Storage (EBS)
    • Ensure that EBS volume has encryption enabled
  • AWS DocDB DBCluster
    • Ensure DocDB is encrypted at rest
    • Ensure DocDB has audit logs enabled
    • Ensure DocDB Logging is enabled
  • AWS AutoScaling LaunchConfiguration
    • Ensure all data stored in the Launch configuration EBS is securely encrypted
  • AWS DAX Cluster
    • Ensure DAX is encrypted at rest (default is unencrypted)
  • AWS IAM Policy
    • Ensure that there is no wildcard action in an IAM policy
    • Ensure that the IAM Policy does not grant full administrative rights
    • Ensure that IAM policy is not directly attached to a user
  • AWS Managed Policy
    • Ensure that there is no wildcard action in a customer managed IAM policy
    • Ensure that customer managed IAM policy does not grant full administrative rights
    • Ensure that a customer managed IAM policy is not directly attached to a user
  • IAM User
    • Ensure that IAM user does not have directly embedded policy
    • Ensure that password reset is required in IAM login profile
    • Ensure that there is no wildcard action in an inline IAM user policy
    • Ensure that there is no wildcard resource in an inline IAM user policy
    • Ensure that an inline IAM user policy does not allow full administrative rights
  • IAM Role
    • Ensure that IAM Role cannot be assumed by anyone
    • Ensure that there is no wildcard action in an inline IAM role policy
    • Ensure that there is no wildcard resource in an inline IAM role policy
    • Ensure that an inline IAM role policy does not allow full administrative rights
  • IAM Group
    • Ensure that there is no wildcard action in an inline IAM group policy
    • Ensure that there is no wildcard resources in an inline IAM group policy
    • Ensure that an inline IAM group policy does not allow full administrative rights
  • CloudTrail
    • Ensure CloudTrail logs are encrypted at rest using KMS CMKs
    • Ensure CloudTrail is enabled in all regions
    • Ensure CloudTrail logging is enabled
    • Ensure CloudTrail log file validation is enabled
    • Ensure that CloudTrail is integrated with CloudWatch
  • AWS ElasticLoadBalancing LoadBalancer
    • Ensure that access logging is enabled for the classic ELB
    • Ensure that a classic Load balancer is not internet facing
    • Ensure that ELB has a health check setup
    • Ensure that ELB Listener protocol is HTTPS or SSL
  • AWS ApiGateway Stage
    • Ensure API Gateway has Access Logging enabled
    • Ensure API Gateway caching is enabled
    • Ensure API Gateway has X-Ray Tracing enabled
  • AWS ApiGatewayV2 Stage
    • Ensure API Gateway V2 has Access Logging enabled
  • Amazon NACL
    • Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS Security Group
    • Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to ElasticSearch (TCP:9300)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to Kibana (TCP:5601)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to Redis (TCP:6379)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to etcd (TCP:2379)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to MongoDB (TCP:27017)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to MongoDB (TCP:27018)
    • Ensure that every security group ingress object has a description
  • AWS EC2 SecurityGroup
    • Ensure no security groups allow ingress from 0.0.0.0/0 to ElasticSearch (TCP:9300)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to Kibana (TCP:5601)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP:6379)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to etcd (TCP:2379)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27017)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27018)
    • Ensure that every security group ingress rule has a description
    • Ensure that every security group egress rule has a description
    • Ensure every security groups rule has a description
  • Amazon EC2 Instance
    • Ensure that EC2Fleet of type maintain has ReplaceUnhealthyInstances set to true

Docker policies

  • Docker
    • Ensure Using 'ADD' instead of 'COPY' for copying files from filesystem
    • Ensure Local cache path not used in apk add
    • Ensure delete installations lists after installation by 'apt'
    • Ensure Pin version in 'apt-get' install
    • Ensure no manual input in 'apt install'
    • Ensure disabling recommended package in apt-get (--no-install-recommends)
    • Ensure minimal execution of 'chown'
    • Ensure no manual input in 'yum install'
    • Ensure 'yum install' has pinned version
    • Ensure zypper install has pinned version
    • Ensure not to use in RUN both 'curl' and 'wget'
    • Ensure not to use the same alias in multiple 'FROM'
    • Ensure 'RUN' shell command has pipefail flag
    • Ensure not to expose UNIX ports out of range
    • Ensure 'apk' add has pinned version for package
    • Ensure pip install has pinned version for package
    • Ensure no specific platform in FROM command
    • Ensure no relative workdir path
    • Ensure to run yum clean command
    • Ensure not using the current FROM alias as COPY '--from' value
    • Ensure remove any unused 'FROM' aliases (not used by 'COPY --from')
    • Ensure in COPY of multiple source the destination always end with '/'
    • Ensure not expose SSH Port 22
    • Ensure hardcoded version in gem install
    • Ensure to hardcoded image version in dockerfile
    • Ensure not use 'root' in the last 'USER' call in dockerfile
    • Ensure 'dnf clean' after 'dnf install' for image storage space saving
    • Ensure no manual input in 'dnf' install
    • Ensure use 'USER' before 'CMD' or 'ENTRYPOINT' your application
    • Ensure 'HEALTHCHECK' is set
    • Ensure to pin version specification in 'dnf install'
    • Ensure use 'Zypper clean' after 'Zypper install'
    • Ensure no manual input in 'Zypper install'
    • Ensure 'ENTRYPOINT' and 'CMD' arguments using a valid JSON values
    • Ensure Pin version in 'npm' install
    • Ensure use '--no-cache-dir' in pip install
    • Ensure Using 'WORKDIR' rather than 'RUN cd' command
    • Ensure not use sudo by 'RUN'
    • Ensure not more than one 'ENTRYPOINT' in dockerfile

alicloud policies

  • Alicloud
    • Ensure Alibaba Cloud Action Trail logging across all regions
    • Ensure Alibaba Cloud OSS Bucket is Not Accessible To Public
    • Ensure Application Load Balancer (ALB) Listener Should Listen On HTTPS
    • Ensure Alibaba Cloud API Gateway API Protocol Set To 'HTTPS'
    • Ensure Alicloud KMS Possess Usable Customer Master Keys (CMK)
    • Ensure CS Kubernetes Node Pool Management Auto Repair is enabled
    • Ensure Database Instance is Not Publicly Accessible
    • Ensure Disk Encryption is Encrypted
    • Ensure ECS Data Disk KMD Key Id is Defined. The ID of the Key Management Service (KMS) key used by the disk.
    • Ensure KMS Key Has Low Rotation Period
    • Ensure Kubernetes Cluster is with Terway as CNI Network Plugin
    • Ensure Launch Template is Encrypted
    • Ensure Log Retention is Higher Than 90 Days
    • Ensure NAS File System is Encrypted
    • Ensure NAS File System is with KMS
    • Ensure ROS Stack Policy
    • Ensure OSS Bucket Encryption Using CMK is enabled
    • Ensure OSS Bucket Does Not Have Static Website
    • Ensure OSS Bucket Lifecycle Rule is enabled
    • Ensure OSS Bucket Logging is enabled
    • Ensure OSS Bucket Public Access is Disabled
    • Ensure OSS Bucket Transfer Acceleration is enabled
    • Ensure OSS Bucket Versioning is enabled
    • Ensure Public Security Group Rule is Not Set To All Ports or Protocols
    • Ensure Public Security Group Rule is Not Use Sensitive Port
    • Ensure Ram Account Password Policy Max Login Attempts is Low
    • Ensure Ram Account Password Policy Max Password Age is Recommended
    • Ensure Ram Account Password Policy is Required Minimum Length
    • Ensure Ram Account Password Policy is Required Numbers
    • Ensure RAM Account Password Policy is Required Symbols
    • Ensure RAM Account Password Policy is with Reuse Prevention
    • Ensure Ram Account Password Policy is Require At Least one Lowercase Character
    • Ensure RAM Account Password Policy is Require at Least one Uppercase Character
    • Ensure Ram Policy is Not Attached to a User
    • Ensure ROS Stack Notifications is enabled
    • Ensure ROS Stack Retention is Enabled
    • Ensure ROS Stack is with Template
    • Ensure SLB Policy with Secure TLS Version In Use
    • Ensure Public Security Group Rule is Known Port
    • Ensure VPC Flow Logs Enabled
    • Ensure RDS Instance Log Connections is enabled
    • Ensure RDS Instance Log Disconnections is enabled
    • Ensure RDS Instance Log Duration is enabled
    • Ensure RDS Instance Publicly is Not Accessible
    • Ensure RDS Instance Retention Period is Recommended
    • Ensure RDS Instance SSL Action is enabled
    • Ensure RDS Instance TDE Status is enabled
    • Ensure RDS Instance Events is Logged
    • Ensure OSS Bucket is Not Allow All Actions From All Principals
    • Ensure OSS Bucket is Not Allow Delete Action From All Principal
    • Ensure OSS Bucket is Not Allow Delete Action From All Principals
    • Ensure OSS Bucket is Not Allow Put Action From All Principals
    • Ensure OSS Bucket Ip Restriction Enabled
    • Ensure OSS Buckets Secure Transport Enabled
    • Ensure RAM Security Preference is Enforce MFA Login

SCM Policies

  • Gitlab Settings API
    • Ensure to reset approvals on push
    • Ensure disabling self approving merge requests by the author
    • Ensure to prevent approvals by users who add commits
    • Ensure requiring user password to approve
    • Ensure use 'HTTPS' in all hooks
    • Ensure Enable SSL verification is enabled
    • Ensure require of minimum approvals before merge
    • Ensure require all discussions will be resolved before merge
    • Ensure the 'allow force push' setting is disabled.
  • Gitlab Pipelines
    • Ensure not to use the 'latest' tag for any GitLab pipelines images
    • Ensure to review suspicious use of 'curl' / 'wget' with CI environment CI_JOB_TOKEN or CI_REGISTRY_PASSWORD variable
    • Ensure to review suspicious use of 'netcat' in GitLab pipeline script
    • Ensure not directly use 'kubectl apply' in scripts
  • GitHub Settings API
    • Ensure no branch has 'force push' enabled
    • Ensure Vulnerability alerts are enabled
    • Ensure open Git branches are up to date before you can merge them into the code base
    • Ensure branch deletions are disabled
    • Ensure two administrators are set for each repository
    • Ensure inactive repositories are reviewed and archived periodically
    • Ensure webhooks of the package registry are secured
    • Verify that the organization has an SSH Certificate Authority server
    • Ensure an organization's identity is confirmed with a "Verified" badge
    • Ensure repository creation is limited to specific members
    • Ensure the organization requires members to use Multi-Factor Authentication (MFA)
    • Ensure inactive branches are periodically reviewed and removed
    • Ensure strict base permissions are set for repositories
    • Ensure inactive users are reviewed and removed periodically
    • Ensure the branch has Branch Protection
    • Ensure the maximum number of admins per repo is not exceeded
    • Ensure the maximum number of deploy keys per repo is not exceeded
    • Ensure the maximum number of webhooks per repo is not exceeded
    • Ensure branch has branch protection
    • Ensure the branch require code owner reviews
    • Ensure the branch require minimum code owner reviews
    • Ensure verification of signed commits for new changes before merging
    • Ensure the maximum number of users allowed to dismiss review is not exceeded
    • Ensure the GitHub action is restricted
    • Ensure the GitHub action created by Github has restrictions
    • Ensure only verified GitHub actions in-use
    • Ensure repo is private
    • Ensure branch requires linear history
    • Ensure the branch requires status checks to pass before merging
    • Ensure all open comments are resolved before allowing code change merging
    • Ensure branch protection rules are enforced for administrators
    • Ensure previous approvals are dismissed when updates are introduced to a code
    • Ensure disabling anonymous Git read access for a repository
    • Ensure organization's webhooks are secured
    • Ensure packages' organization has no public visibility
    • Ensure no branch has force push enabled
    • Ensure the branch has Branch Protection
    • Ensure Vulnerability alerts are enabled
    • Ensure the maximum number of admins per repo is not exceeded
    • Ensure branch require code owner reviews
    • Ensure branch require minimum code owner reviews
    • Ensure the maximum number of users allowed dismissing review is not exceeded
  • GitHub Actions
    • Ensure not to use the 'latest' tag for any GitHub actions image
    • Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS not set to true on environment variables
    • Ensure using safe curl command without secrets
    • Ensure the Netcat command not used
    • Ensure workflow_dispatch must be empty
    • Ensure not using pull_request_target event
    • Ensure using an intermediate environment variable
    • Ensure using HTTPS protocol
    • Ensure not using permissions to write all
    • Ensure not use docker --privileged
    • Ensure not directly use kubectl in script
    • Ensure not use sudo command
    • Ensure run commands are not vulnerable to shell injection
    • Ensure not use npm insall in the run command
    • Ensure not use uncontrolled values
  • Azure Pipelines
    • Ensure Containers Jobs Use a Non-Latest Version Tag
    • Ensure Container Job Uses a Version Digest
    • Ensure Set Variable Is Not Marked As a Secret
    • Ensure Azure Pipelines Workflows Are Without Usage of Image

serverless-framework

  • AWS Serverless Framework
    • Ensure Serverless Framework API should have HTTP Access Logging is enabled
    • Ensure Serverless Function Uses Encrypt Environment Variables
    • Ensure that roles defined in Serverless Framework files should not have policies granting full administrative privileges
    • Ensure that roles defined in Serverless Framework files should not have policies granting full administrative privileges
    • Ensure that Serverless API With Content-Encoding
    • Ensure Serverless Framework Function should have associated tags
    • Ensure Serverless Framework Function Should Not Share IAM Roles
    • Ensure Serverless Framework API Endpoint Config Is Private
    • Ensure Serverless Framework API X-Ray Tracing Is Enabled
    • Ensure Serverless Framework Function Has Dead Letter Queue
    • Serverless Framework Function Has X-Ray Tracing
    • Ensure that roles defined in Serverless Framework files should not have policies granting full administrative privileges
    • Ensure that roles defined in Serverless Framework files should not have policies granting full administrative privileges

openapi

  • OpenAPI
    • Ensure SecurityDefinitions Is Defined And Not Empty
    • Ensure Schema Array Items Type Should Be Defined
    • Ensure array schema should have the field `maxItems` set
    • Ensure API Keys are not sent as clear-text over an unencrypted channel
    • Ensure Global Security Field Is defined
    • Ensure that the format keyword is valid for the type defined in the schema
    • Ensure JSON object schema have 'properties' defined and 'additionalProperties' set to false
    • Ensure Maximum String Length Defined
    • Ensure All Paths Have Security Scheme
    • Ensure Numeric Schema Maximum Defined
    • Ensure Common Responses Defined
    • Ensure schema defined for each response that is not head or its code is not 204 or 304
    • Ensure The Schema Object defined and not empty to avoid accepting any JSON values
    • Ensure security object has defined rules in its array and rules are defined on securityScheme
    • Ensure security object for operations is not empty object or has any empty object definition
    • Ensure string schema with broad pattern
    • Ensure each operation define at least one success response

Malicious open source packages

  • Malicious code execution
  • Malicious import
  • Malicious harvester
  • Troll package
  • Malicious code demonstration
  • Malicious code download & execution
  • Malicious domain
  • Remote shell enabler
  • Malicious author
  • Stealing PII
Powered by 

Ensure using HTTPS protocol

HTTPS ensures server/service authentication and protects data in transit from network-layer eavesdropping attacks.


Risk Level: medium
Platform: Github
Spectral Rule ID: GHAC008

REMEDIATION

Remove the plain HTTP link from the workflow, or switch it to the HTTPS protocol.
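As an added illustration of what this rule looks for (example code written for this page, not Spectral's own GHAC008 detector): a small Python checker that walks a constructed workflow file, reports each plain-http URL together with the step it appears in, and, as an assumption of this example, skips loopback hosts because that traffic never leaves the runner.

```python
import re

# Added example, not Spectral's GHAC008 detector. Loopback hosts are skipped on
# the assumption that such traffic never leaves the runner (assumption of this
# example, not something the page states).
URL_RE = re.compile(r"\bhttp://([^\s'\"<>]+)")  # host and path up to whitespace
STEP_RE = re.compile(r"-\s*name:\s*(.+)")
LOOPBACK_RE = re.compile(r"^(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$")


def find_plain_http(workflow_text):
    """Return (line_number, step_name, url) for each http:// URL; YAML comment
    lines are skipped and step_name is the most recent '- name:' seen."""
    findings, step = [], None
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        m = STEP_RE.match(stripped)
        if m:
            step = m.group(1).strip().strip("'\"")
        for match in URL_RE.finditer(line):
            host = match.group(1).split("/", 1)[0]
            if LOOPBACK_RE.match(host):
                continue
            findings.append((lineno, step, "http://" + match.group(1)))
    return findings


# Constructed sample: two steps fetch over plain HTTP, one only talks to localhost.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch installer
        # http://example.invalid/ inside a comment is not a finding
        run: curl -sSLO http://example.invalid/install.sh
      - name: Smoke test against service container
        run: curl http://localhost:8080/health
      - name: Upload report
        run: curl -X POST http://collector.example.invalid/report -d @report.json
"""

if __name__ == "__main__":
    for lineno, step, url in find_plain_http(SAMPLE_WORKFLOW):
        print(f"line {lineno} (step {step!r}): {url} -> switch to https://")
```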

Read more:

  • https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#exfiltrating-data-from-a-runner
