CloudGuard Docs

Welcome

  • Welcome to CheckPoint CloudGuard Guides!

Overview

  • How to Get Started
  • Concepts
  • Platforms

Products

  • Secrets Scanning
  • Infrastructure as Code
  • CI/CD Hardening
  • Open Source

SpectralOps

  • Dashboard
  • Triage Issues
  • Sources
  • Reports
  • Integrations
  • Profile
  • Team & User Permissions (RBAC)
  • Teams and Asset Mapping
  • Custom Rules
  • SSO
    • Setup SSO (SAML 2.0)
    • Setup SSO with OKTA
    • Setup SSO with OneLogin
  • SCM

Usage

  • CLI
  • Configuration
  • Output
  • Detectors
    • Quick Start
    • Building Detectors
    • Logic Rules (OPA)
    • Codeprinting
    • The Detector Engine

Integrations

  • Productivity
    • Jira
    • Confluence
  • Cloud Automation
    • Terraform Cloud Run task
  • Git Provider Bot
    • Github Bot
    • Gitlab Bot
  • Pre receive Git hooks
    • Gitlab pre receive hook
    • Bitbucket pre receive hook
  • CI/CD
    • Gitlab Pipeline

config policies

  • Memcached
    • Memcache: default binding to world
    • Memcache: configured to run as root
    • Memcache: configured to use UDP
  • MySQL
    • MySQL allowing symbolic links invites various attacks
    • MySQL: usage of short password
    • MySQL: configured to run as root
    • MySQL: binding to world
  • Kafka
    • Kafka: using dated SSL/TLS protocols is insecure
    • Kafka: accepting unauthenticated connections is insecure
    • Kafka: hardcoded password in configuration is insecure
    • Kafka: usage of short password
  • PostgreSQL
    • Postgres: no password / trusted host configuration
    • Postgres: SSL/TLS is off
    • Postgres: default binding to world
  • Airflow
    • Airflow: Use of REST API Token
    • Airflow: Visible Fernet Key
    • Airflow: default binding to world
  • Redis
    • Redis: usage of weak password (ACL)
    • Redis: protected-mode no and default binding to world
    • Redis: protected-mode and weak ACL configuration
    • Redis: Usage of Visible Host

secrets policies

  • Secrets
    • Data files / database files found
    • SaaS vendor credentials should not be visible
    • Cloud services keys should not be visible or hardcoded
    • Cloud services hosts should not be visible or hardcoded
    • Log shipping access/API detail visible
    • Build or artifact systems access details visible
    • Visible private key or sensitive file
    • SaaS services hosts should not be visible or hardcoded
    • Visible sensitive data (PII/other)
    • AWS S3 Buckets: Visible endpoint
    • Potential keys or passwords are visible/hardcoded
    • App/framework keys or passwords are visible/hardcoded
    • Cloud services keys should not be visible or hardcoded
    • Sensitive File Found

aws policies

  • Elastic Load Balancing (ELB)
    • Ensure that AWS Elastic Load Balancers (ELB) have outbound rules in their security groups
    • Ensure that AWS Elastic Load Balancers (ELB) have inbound rules in their security groups
    • ELB secured listener certificate expires in one month
    • ELB is setup with HTTPS for secure communication
    • Remove Weak Ciphers for ELB
    • ELB - Recommended SSL/TLS protocol version
    • ELB secured listener certificate expires in one week
    • ELB is created with Access logs enabled
    • Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known TCP port
    • Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known UDP port
    • Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known TCP DB port
    • Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known UDP DB port
    • ELB with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
    • ELB with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
    • ELB with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
    • ELB with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
    • ELB with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
    • ELB with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
    • ELB with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
    • ELB with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
    • ELB with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
    • ELB with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
    • ELB with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
    • ELB with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
    • ELB with service 'POP3' (TCP:110) is exposed to a small network scope
    • ELB with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
    • ELB with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
    • ELB with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
    • ELB with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
    • ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
    • ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
    • ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
    • ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
    • ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
    • ELB with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
    • ELB with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
    • ELB with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
    • ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
    • ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
    • ELB with service 'SNMP' (UDP:161) is exposed to a small network scope
    • ELB with service 'Telnet' (TCP:23) is exposed to a small network scope
    • ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
    • ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
    • ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
    • ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
    • ELB with service 'SMTP' (TCP:25) is exposed to a small network scope
    • ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
    • ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
    • ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
    • ELB with service 'MySQL' (TCP:3306) is exposed to a small network scope
    • ELB with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
    • ELB with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
    • ELB with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
    • ELB with service 'DNS' (UDP:53) is exposed to a small network scope
    • ELB with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
    • ELB with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
    • ELB with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
    • ELB with service 'VNC Server' (TCP:5900) is exposed to a small network scope
    • ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
    • ELB with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
    • ELB with service 'Cassandra' (TCP:7001) is exposed to a small network scope
    • ELB with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
    • ELB with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
    • ELB with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
    • ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
    • ELB with administrative service: SSH (TCP:22) is potentially exposed to the public internet
    • ELB with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
    • ELB with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
    • Public ELB with service POP3 (TCP:110) is potentially exposed to the public internet
    • Public ELB with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
    • Public ELB with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
    • Public ELB with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
    • Public ELB with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
    • Public ELB with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
    • Public ELB with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
    • Public ELB with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
    • Public ELB with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
    • Public ELB with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
    • Public ELB with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
    • Public ELB with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
    • Public ELB with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
    • Public ELB with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
    • Public ELB with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
    • Public ELB with service SNMP (UDP:161) is potentially exposed to the public internet
    • Public ELB with service Telnet (TCP:23) is potentially exposed to the public internet
    • Public ELB with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
    • Public ELB with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
    • Public ELB with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
    • Public ELB with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
    • Public ELB with service SMTP (TCP:25) is potentially exposed to the public internet
    • Public ELB with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
    • Public ELB with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
    • Public ELB with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
    • Public ELB with service MySQL (TCP:3306) is potentially exposed to the public internet
    • Public ELB with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
    • Public ELB with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
    • Public ELB with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
    • Public ELB with service DNS (UDP:53) is potentially exposed to the public internet
    • Public ELB with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
    • Public ELB with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
    • Public ELB with service VNC Listener (TCP:5500) is potentially exposed to the public internet
    • Public ELB with service VNC Server (TCP:5900) is potentially exposed to the public internet
    • Public ELB with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
    • Public ELB with service LDAP SSL (TCP:636) is potentially exposed to the public internet
    • Public ELB with service Cassandra (TCP:7001) is potentially exposed to the public internet
    • Public ELB with service Known internal web port (TCP:8000) is potentially exposed to the public internet
    • Public ELB with service Known internal web port (TCP:8080) is potentially exposed to the public internet
    • Public ELB with service Puppet Master (TCP:8140) is potentially exposed to the public internet
    • Public ELB with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
    • ELB with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
    • ELB with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
    • ELB with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
    • ELB with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
    • ELB with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
    • ELB with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
    • ELB with unencrypted LDAP (TCP:389) is exposed to a wide network scope
    • ELB with unencrypted LDAP (UDP:389) is exposed to a wide network scope
    • ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
    • ELB with unencrypted Redis (TCP:6379) is exposed to a wide network scope
    • ELB with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
    • ELB with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
    • ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
    • ELB with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
    • ELB with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
    • ELB with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
    • ELB with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
    • ELB with administrative service: SSH (TCP:22) is exposed to a wide network scope
    • ELB with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
    • ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • ELB with service 'POP3' (TCP:110) is exposed to a wide network scope
    • ELB with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
    • ELB with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
    • ELB with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
    • ELB with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
    • ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
    • ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
    • ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
    • ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
    • ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
    • ELB with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
    • ELB with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
    • ELB with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
    • ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
    • ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
    • ELB with service 'SNMP' (UDP:161) is exposed to a wide network scope
    • ELB with service 'Telnet' (TCP:23) is exposed to a wide network scope
    • ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
    • ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
    • ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
    • ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
    • ELB with service 'SMTP' (TCP:25) is exposed to a wide network scope
    • ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
    • ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
    • ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
    • ELB with service 'MySQL' (TCP:3306) is exposed to a wide network scope
    • ELB with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
    • ELB with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
    • ELB with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
    • ELB with service 'DNS' (UDP:53) is exposed to a wide network scope
    • ELB with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
    • ELB with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
    • ELB with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
    • ELB with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
    • ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
    • ELB with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
    • ELB with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
    • ELB with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
    • ELB with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
    • ELB with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
    • ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
    • Public ELB with service 'POP3' (TCP:110) is exposed to a small public network
    • Public ELB with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
    • Public ELB with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
    • Public ELB with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
    • Public ELB with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
    • Public ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
    • Public ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
    • Public ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
    • Public ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
    • Public ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
    • Public ELB with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
    • Public ELB with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
    • Public ELB with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
    • Public ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
    • Public ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
    • Public ELB with service 'SNMP' (UDP:161) is exposed to a small public network
    • Public ELB with service 'Telnet' (TCP:23) is exposed to a small public network
    • Public ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
    • Public ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
    • Public ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
    • Public ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
    • Public ELB with service 'SMTP' (TCP:25) is exposed to a small public network
    • Public ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
    • Public ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
    • Public ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
    • Public ELB with service 'MySQL' (TCP:3306) is exposed to a small public network
    • Public ELB with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
    • Public ELB with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
    • Public ELB with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
    • Public ELB with service 'DNS' (UDP:53) is exposed to a small public network
    • Public ELB with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
    • Public ELB with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
    • Public ELB with service 'VNC Listener' (TCP:5500) is exposed to a small public network
    • Public ELB with service 'VNC Server' (TCP:5900) is exposed to a small public network
    • Public ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
    • Public ELB with service 'LDAP SSL' (TCP:636) is exposed to a small public network
    • Public ELB with service 'Cassandra' (TCP:7001) is exposed to a small public network
    • Public ELB with service 'Known internal web port' (TCP:8000) is exposed to a small public network
    • Public ELB with service 'Known internal web port' (TCP:8080) is exposed to a small public network
    • Public ELB with service 'Puppet Master' (TCP:8140) is exposed to a small public network
    • Public ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
    • Public ELB with service 'POP3' (TCP:110) is exposed to the entire internet
    • Public ELB with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
    • Public ELB with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
    • Public ELB with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
    • Public ELB with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
    • Public ELB with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
    • Public ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
    • Public ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
    • Public ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
    • Public ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
    • Public ELB with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
    • Public ELB with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
    • Public ELB with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
    • Public ELB with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
    • Public ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
    • Public ELB with service 'SNMP' (UDP:161) is exposed to the entire internet
    • Public ELB with service 'Telnet' (TCP:23) is exposed to the entire internet
    • Public ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
    • Public ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
    • Public ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
    • Public ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
    • Public ELB with service 'SMTP' (TCP:25) is exposed to the entire internet
    • Public ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
    • Public ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
    • Public ELB with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
    • Public ELB with service 'MySQL' (TCP:3306) is exposed to the entire internet
    • Public ELB with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
    • Public ELB with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
    • Public ELB with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
    • Public ELB with service 'DNS' (UDP:53) is exposed to the entire internet
    • Public ELB with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
    • Public ELB with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
    • Public ELB with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
    • Public ELB with service 'VNC Server' (TCP:5900) is exposed to the entire internet
    • Public ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
    • Public ELB with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
    • Public ELB with service 'Cassandra' (TCP:7001) is exposed to the entire internet
    • Public ELB with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
    • Public ELB with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
    • Public ELB with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
    • Public ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
    • ELB with unencrypted Memcached (TCP:11211) is exposed to a small network scope
    • ELB with unencrypted Memcached (UDP:11211) is exposed to a small network scope
    • ELB with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
    • ELB with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
    • ELB with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
    • ELB with unencrypted Mongo (TCP:27017) is exposed to a small network scope
    • ELB with unencrypted LDAP (TCP:389) is exposed to a small network scope
    • ELB with unencrypted LDAP (UDP:389) is exposed to a small network scope
    • ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
    • ELB with unencrypted Redis (TCP:6379) is exposed to a small network scope
    • ELB with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
    • ELB with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
    • ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
    • ELB with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
    • ELB with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
    • ELB with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
    • ELB with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
  • Region
    • Ensure AWS Config is enabled in all regions
    • Ensure that IAM Access analyzer is enabled for all regions
    • Process for Security Group Management - Detection of new Security Groups
    • Ensure CloudTrail is enabled in all regions
    • Ensure VPC Flow Logging is Enabled in all Applicable Regions
    • Amazon GuardDuty service is enabled
  • Application Load Balancer
    • ALB secured listener certificate expires in one week
    • ALB secured listener certificate about to expire in one month
    • Ensure AWS Application Load Balancer (ALB) listeners block connection requests over HTTP
    • Make sure that ALB is protected by a WAF
    • Enable ALB Elastic Load Balancer v2 (ELBv2) access log
    • Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known TCP port
    • Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known UDP port
    • Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known TCP DB port
    • Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known UDP DB port
    • Ensure Invalid Headers Are Dropped In ALB
    • ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
    • ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
    • ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
    • ApplicationLoadBalancer with administrative service: SSH (TCP:22) is potentially exposed to the public internet
    • ApplicationLoadBalancer with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
    • ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service POP3 (TCP:110) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SNMP (UDP:161) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Telnet (TCP:23) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SMTP (TCP:25) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service MySQL (TCP:3306) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service DNS (UDP:53) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service VNC Listener (TCP:5500) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service VNC Server (TCP:5900) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service LDAP SSL (TCP:636) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Cassandra (TCP:7001) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Known internal web port (TCP:8000) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Known internal web port (TCP:8080) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Puppet Master (TCP:8140) is potentially exposed to the public internet
    • Public ApplicationLoadBalancer with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
    • ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
    • ApplicationLoadBalancer with administrative service: SSH (TCP:22) is exposed to a wide network scope
    • ApplicationLoadBalancer with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
    • ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
    • ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
    • Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
    • Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
    • Public ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
    • ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
    • ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
  • Amazon EC2 Instance
    • Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
    • Ensure IAM instance roles are used for AWS resource access from instances
    • Instances are Configured under Virtual Private Cloud
    • Instances outside of Europe region
    • Instances with Direct Connect virtual interface should not have public interfaces
    • Use encrypted storage for instances that might host a database.
    • Instances outside of Brazilian region
    • Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP port
    • Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP port
    • Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP DB port
    • Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP DB port
    • Ensure that EC2 instance's volumes are encrypted
    • Ensure that EC2 instance's custom AMI is encrypted at rest
    • Ensure that EC2 instance's custom AMI is not publicly shared
    • Ensure that EC2 Metadata Service only allows IMDSv2
    • Instance with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
    • Instance with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
    • Instance with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
    • Instance with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
    • Instance with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
    • Instance with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
    • Instance with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
    • Instance with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
    • Instance with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
    • Instance with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
    • Instance with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
    • Instance with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
    • Instance with service 'POP3' (TCP:110) is exposed to a small network scope
    • Instance with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
    • Instance with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
    • Instance with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
    • Instance with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
    • Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
    • Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
    • Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
    • Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
    • Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
    • Instance with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
    • Instance with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
    • Instance with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
    • Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
    • Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
    • Instance with service 'SNMP' (UDP:161) is exposed to a small network scope
    • Instance with service 'Telnet' (TCP:23) is exposed to a small network scope
    • Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
    • Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
    • Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
    • Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
    • Instance with service 'SMTP' (TCP:25) is exposed to a small network scope
    • Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
    • Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
    • Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
    • Instance with service 'MySQL' (TCP:3306) is exposed to a small network scope
    • Instance with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
    • Instance with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
    • Instance with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
    • Instance with service 'DNS' (UDP:53) is exposed to a small network scope
    • Instance with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
    • Instance with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
    • Instance with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
    • Instance with service 'VNC Server' (TCP:5900) is exposed to a small network scope
    • Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
    • Instance with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
    • Instance with service 'Cassandra' (TCP:7001) is exposed to a small network scope
    • Instance with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
    • Instance with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
    • Instance with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
    • Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
    • Instance with administrative service: SSH (TCP:22) is potentially exposed to the public internet
    • Instance with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
    • Instance with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
    • Public Instance with service POP3 (TCP:110) is potentially exposed to the public internet
    • Public Instance with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
    • Public Instance with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
    • Public Instance with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
    • Public Instance with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
    • Public Instance with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
    • Public Instance with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
    • Public Instance with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
    • Public Instance with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
    • Public Instance with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
    • Public Instance with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
    • Public Instance with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
    • Public Instance with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
    • Public Instance with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
    • Public Instance with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
    • Public Instance with service SNMP (UDP:161) is potentially exposed to the public internet
    • Public Instance with service Telnet (TCP:23) is potentially exposed to the public internet
    • Public Instance with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
    • Public Instance with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
    • Public Instance with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
    • Public Instance with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
    • Public Instance with service SMTP (TCP:25) is potentially exposed to the public internet
    • Public Instance with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
    • Public Instance with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
    • Public Instance with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
    • Public Instance with service MySQL (TCP:3306) is potentially exposed to the public internet
    • Public Instance with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
    • Public Instance with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
    • Public Instance with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
    • Public Instance with service DNS (UDP:53) is potentially exposed to the public internet
    • Public Instance with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
    • Public Instance with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
    • Public Instance with service VNC Listener (TCP:5500) is potentially exposed to the public internet
    • Public Instance with service VNC Server (TCP:5900) is potentially exposed to the public internet
    • Public Instance with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
    • Public Instance with service LDAP SSL (TCP:636) is potentially exposed to the public internet
    • Public Instance with service Cassandra (TCP:7001) is potentially exposed to the public internet
    • Public Instance with service Known internal web port (TCP:8000) is potentially exposed to the public internet
    • Public Instance with service Known internal web port (TCP:8080) is potentially exposed to the public internet
    • Public Instance with service Puppet Master (TCP:8140) is potentially exposed to the public internet
    • Public Instance with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
    • Instance with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
    • Instance with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
    • Instance with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
    • Instance with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
    • Instance with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
    • Instance with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
    • Instance with unencrypted LDAP (TCP:389) is exposed to a wide network scope
    • Instance with unencrypted LDAP (UDP:389) is exposed to a wide network scope
    • Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
    • Instance with unencrypted Redis (TCP:6379) is exposed to a wide network scope
    • Instance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
    • Instance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
    • Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
    • Instance with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
    • Instance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
    • Instance with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
    • Instance with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
    • Instance with administrative service: SSH (TCP:22) is exposed to a wide network scope
    • Instance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
    • Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • Instance with service 'POP3' (TCP:110) is exposed to a wide network scope
    • Instance with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
    • Instance with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
    • Instance with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
    • Instance with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
    • Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
    • Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
    • Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
    • Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
    • Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
    • Instance with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
    • Instance with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
    • Instance with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
    • Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
    • Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
    • Instance with service 'SNMP' (UDP:161) is exposed to a wide network scope
    • Instance with service 'Telnet' (TCP:23) is exposed to a wide network scope
    • Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
    • Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
    • Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
    • Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
    • Instance with service 'SMTP' (TCP:25) is exposed to a wide network scope
    • Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
    • Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
    • Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
    • Instance with service 'MySQL' (TCP:3306) is exposed to a wide network scope
    • Instance with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
    • Instance with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
    • Instance with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
    • Instance with service 'DNS' (UDP:53) is exposed to a wide network scope
    • Instance with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
    • Instance with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
    • Instance with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
    • Instance with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
    • Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
    • Instance with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
    • Instance with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
    • Instance with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
    • Instance with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
    • Instance with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
    • Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
    • Public Instance with service 'POP3' (TCP:110) is exposed to a small public network
    • Public Instance with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
    • Public Instance with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
    • Public Instance with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
    • Public Instance with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
    • Public Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
    • Public Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
    • Public Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
    • Public Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
    • Public Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
    • Public Instance with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
    • Public Instance with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
    • Public Instance with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
    • Public Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
    • Public Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
    • Public Instance with service 'SNMP' (UDP:161) is exposed to a small public network
    • Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
    • Public Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
    • Public Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
    • Public Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
    • Public Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
    • Public Instance with service 'SMTP' (TCP:25) is exposed to a small public network
    • Public Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
    • Public Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
    • Public Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
    • Public Instance with service 'MySQL' (TCP:3306) is exposed to a small public network
    • Public Instance with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
    • Public Instance with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
    • Public Instance with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
    • Public Instance with service 'DNS' (UDP:53) is exposed to a small public network
    • Public Instance with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
    • Public Instance with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
    • Public Instance with service 'VNC Listener' (TCP:5500) is exposed to a small public network
    • Public Instance with service 'VNC Server' (TCP:5900) is exposed to a small public network
    • Public Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
    • Public Instance with service 'LDAP SSL' (TCP:636) is exposed to a small public network
    • Public Instance with service 'Cassandra' (TCP:7001) is exposed to a small public network
    • Public Instance with service 'Known internal web port' (TCP:8000) is exposed to a small public network
    • Public Instance with service 'Known internal web port' (TCP:8080) is exposed to a small public network
    • Public Instance with service 'Puppet Master' (TCP:8140) is exposed to a small public network
    • Public Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
    • Public Instance with service 'POP3' (TCP:110) is exposed to the entire internet
    • Public Instance with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
    • Public Instance with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
    • Public Instance with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
    • Public Instance with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
    • Public Instance with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
    • Public Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
    • Public Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
    • Public Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
    • Public Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
    • Public Instance with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
    • Public Instance with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
    • Public Instance with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
    • Public Instance with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
    • Public Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
    • Public Instance with service 'SNMP' (UDP:161) is exposed to the entire internet
    • Public Instance with service 'Telnet' (TCP:23) is exposed to the entire internet
    • Public Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
    • Public Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
    • Public Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
    • Public Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
    • Public Instance with service 'SMTP' (TCP:25) is exposed to the entire internet
    • Public Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
    • Public Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
    • Public Instance with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
    • Public Instance with service 'MySQL' (TCP:3306) is exposed to the entire internet
    • Public Instance with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
    • Public Instance with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
    • Public Instance with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
    • Public Instance with service 'DNS' (UDP:53) is exposed to the entire internet
    • Public Instance with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
    • Public Instance with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
    • Public Instance with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
    • Public Instance with service 'VNC Server' (TCP:5900) is exposed to the entire internet
    • Public Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
    • Public Instance with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
    • Public Instance with service 'Cassandra' (TCP:7001) is exposed to the entire internet
    • Public Instance with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
    • Public Instance with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
    • Public Instance with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
    • Public Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
    • Instance with unencrypted Memcached (TCP:11211) is exposed to a small network scope
    • Instance with unencrypted Memcached (UDP:11211) is exposed to a small network scope
    • Instance with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
    • Instance with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
    • Instance with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
    • Instance with unencrypted Mongo (TCP:27017) is exposed to a small network scope
    • Instance with unencrypted LDAP (TCP:389) is exposed to a small network scope
    • Instance with unencrypted LDAP (UDP:389) is exposed to a small network scope
    • Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
    • Instance with unencrypted Redis (TCP:6379) is exposed to a small network scope
    • Instance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
    • Instance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
    • Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
    • Instance with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
    • Instance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
    • Instance with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
    • Instance with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
    • EC2 Instance - there shouldn't be any High level findings in Inspector Scans
    • Instances without Inspector runs in the last 30 days
    • Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs
    • Ensure IMDS Response Hop Limit is Set to One
  • Simple Storage Service (S3)
    • Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
    • Ensure that Static website hosting is disabled on your S3 bucket
    • Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible without a condition
    • Ensure that S3 bucket ACLs don't allow 'READ' access for anonymous / AWS authenticated users
    • S3 bucket CloudTrail logs ACL should not allow public access
    • Ensure that your AWS CloudTrail logging bucket has MFA delete enabled
    • S3 bucket should have server access logging enabled
    • Ensure that S3 Buckets are encrypted with CMK
    • Ensure S3 Bucket Policy is set to deny HTTP requests
    • Ensure that S3 Bucket policy doesn't allow actions from all principals without a condition
    • Ensure MFA Delete is enabled on S3 buckets
    • Ensure that S3 bucket ACLs don't allow 'WRITE' access for anonymous / AWS authenticated users
    • S3 bucket should have versioning enabled
    • Ensure that Object-level logging for write events is enabled for S3 bucket
    • Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
    • Ensure that S3 bucket ACLs don't allow 'READ_ACP' access for anonymous / AWS authenticated users
    • Ensure that S3 Bucket policy doesn't allow actions from all principals (Condition exists)
    • S3 Buckets outside of Europe
    • Ensure all data in Amazon S3 has been discovered, classified and secured when required.
    • Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
    • Ensure that S3 bucket ACLs don't allow 'WRITE_ACP' access for anonymous / AWS authenticated users
    • S3 Buckets outside of Brazil
    • Ensure that S3 Bucket is encrypted at rest
    • Ensure that S3 bucket ACLs don't allow 'FULL_CONTROL' access for anonymous / AWS authenticated users
    • Ensure that S3 Bucket policy doesn't have excessive permissions (Allowing all actions)
    • Ensure Enabling Versioning For S3 Bucket
    • Ensure that S3 buckets are not publicly accessible
    • Ensure that S3 buckets are not publicly accessible without a condition
    • S3 bucket should not be world-listable from anonymous users
    • S3 bucket should not be world-writable from anonymous users
    • S3 bucket should not have writable permissions from anonymous users
    • S3 bucket should not have world-readable permissions from anonymous users
    • S3 bucket should not allow delete actions from all principals without a condition
    • S3 bucket should not allow get actions from all principals without a condition
    • S3 bucket should not allow list actions from all principals without a condition
    • S3 bucket should not allow put or restore actions from all principals without a condition
    • S3 buckets should not grant any external privileges via ACL
    • S3 bucket should not allow delete actions from all principals
    • S3 bucket should not allow get actions from all principals with a condition
    • S3 bucket should not allow list actions from all principals
    • S3 bucket should not allow put or restore actions from all principals
    • Ensure S3 buckets are not publicly accessible without a condition
    • Ensure that AWS S3 Bucket block public ACLs is enabled at the account level or at the Bucket level
    • Ensure S3 buckets are not publicly accessible
  • Network Load Balancer
    • Ensure to update the Security Policy of the Network Load Balancer
    • NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
    • NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
    • NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
    • NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
    • NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
    • NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
    • NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
    • NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
    • NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
    • NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
    • NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
    • NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
    • NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
    • NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
    • NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
    • NetworkLoadBalancer with administrative service: SSH (TCP:22) is potentially exposed to the public internet
    • NetworkLoadBalancer with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
    • NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service POP3 (TCP:110) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SNMP (UDP:161) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Telnet (TCP:23) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SMTP (TCP:25) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service MySQL (TCP:3306) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service DNS (UDP:53) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service VNC Listener (TCP:5500) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service VNC Server (TCP:5900) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service LDAP SSL (TCP:636) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Cassandra (TCP:7001) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Known internal web port (TCP:8000) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Known internal web port (TCP:8080) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Puppet Master (TCP:8140) is potentially exposed to the public internet
    • Public NetworkLoadBalancer with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
    • NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
    • NetworkLoadBalancer with administrative service: SSH (TCP:22) is exposed to a wide network scope
    • NetworkLoadBalancer with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
    • NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
    • NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
    • Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
    • Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
    • Public NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
    • NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
    • NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
  • IAM User
    • Ensure IAM users have either access key or console password enabled
    • Ensure inactive user for 30 days or greater are disabled
    • Ensure inactive user for 90 days or greater are disabled
    • Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account
    • Ensure IAM Users Receive Permissions Only Through Groups
    • IamUser with Admin or wide permissions without MFA enabled
    • Do not setup access keys during initial user setup for all IAM users that have a console password
    • Ensure 'root' account does not have an active X.509 signing certificate
    • Ensure whether IAM users are members of at least one IAM group
    • Ensure there is only one active access key available for any single IAM user
    • Ensure credentials unused for 45 days or greater are disabled (Second access key)
    • Use managed policies instead of inline IAM Policies
    • Ensure credentials unused for 45 days or greater are disabled (Console password)
    • Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
    • Ensure second access key is rotated every 30 days or less
    • Ensure credentials unused for 45 days or greater are disabled (First access key)
    • Ensure first access key is rotated every 30 days or less
    • Ensure second access key is rotated every 45 days or less
    • Ensure no 'root' user account access key exists
    • Ensure inactive IAM access keys are deleted
    • Ensure IAM User do not have administrator privileges
    • Ensure access keys are rotated every 90 days or less (Second access key)
    • Ensure first access key is rotated every 45 days or less
    • Ensure access keys are rotated every 90 days or less (First access key)
    • Eliminate use of the 'root' user for administrative and daily tasks
    • Ensure IAM user password is rotated every 90 days or less
    • Ensure hardware MFA is enabled for the 'root' user account
    • Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days)
    • Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days)
  • IAM Role
    • Ensure that Role names cannot be enumerable
    • Ensure that IAM Role doesn't have excessive permissions (Allowing all actions)
    • Ensure EKS Node Group IAM role do not have administrator privileges
    • Unused IAM role more than 90 days
    • Ensure cross-account IAM Role uses MFA or external ID as a condition
    • Ensure that custom IAM Role doesn't have an overly permissive scope (Contains a wildcard)
    • Ensure that Trusted Policy Roles which can be assumed by external entities include a Condition String
  • Amazon Elastic File System (EFS)
    • Amazon EFS must have an associated tag
    • Ensure that encryption is enabled for EFS file systems
    • Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys
  • AWS Security Group
    • Restrict outbound traffic to that which is necessary, and specifically deny all other traffic
    • Ensure that Security Groups are not open to all
    • Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
    • Ensure the default security group of every VPC restricts all traffic
    • Remove Unused Security Groups
    • Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
    • Remove Unused Security Groups that are open to all
    • Security Groups must be defined under a Virtual Private Cloud
    • Process for Security Group Management - Managing security groups
    • Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols
    • Default Security Groups - with network policies
    • Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
    • Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS Identity and Access Management (IAM)
    • Password Policy must require at least one number
    • Ensure IAM password policy requires minimum length of 14 or greater
    • Ensure IAM password policy require at least one lowercase letter
    • Ensure IAM password policy expires passwords within 90 days or less
    • Ensure security contact information is registered
    • Ensure IAM password policy requires at least one uppercase letter
    • Ensure IAM password policy prevents password reuse
    • Ensure IAM password policy require at least one symbol
    • Credentials report was generated in the last 24 hours
    • Enforce Password Policy
    • Ensure IAM Users Receive Permissions Only Through Groups
    • Ensure IAM policies are attached only to groups or roles
    • Ensure IAM policies that allow full *:* administrative privileges are not attached
    • Ensure AWS Config is enabled in all regions
  • Amazon RDS
    • RDS should not have Public Interface
    • Ensures that AWS RDS databases are encrypted using Customer Managed Keys
    • Ensure that public access is not given to RDS Instance
    • Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
    • Ensure that encryption-at-rest is enabled for RDS Instances
    • Ensure AWS RDS instances have Multi-Availability Zone enabled
    • Ensure AWS RDS retention policy is at least 7 days
    • RDS Databases with Direct Connect virtual interface should not have public interfaces
    • Ensure AWS RDS instances have Automatic Backup set up
    • RDS should not have been open to a large scope
    • Ensure that RDS database instance enforces SSL/TLS for all connections
    • Ensure that RDS database instance doesn't use its default endpoint port
    • Ensure that encryption is enabled for AWS RDSDBCluster Storage
    • Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled
    • Ensure that Deletion Protection feature is enabled for your Aurora database clusters (provisioned and serverless)
    • Verify that there are no Amazon RDS database instances currently operational within the public subnets of our AWS Virtual Private Cloud (VPC).
    • Ensure Aurora PostgreSQL is not exposed to local file read vulnerability
  • CloudTrail
    • Ensure CloudTrail configuration changes are monitored
    • Ensure a log metric filter and alarm exist for SSM actions
    • Ensure a log metric filter and alarm exists for AWS MFA Deletion for IAM users
    • Ensure AWS Config configuration changes are monitored
    • Ensure security group changes are monitored
    • Ensure a log metric filter and alarm exist for usage of 'root' account
    • Ensure appropriate subscribers to each SNS topic
    • Ensure VPC changes are monitored
    • Ensure changes to network gateways are monitored
    • Ensure disabling or scheduled deletion of customer created CMKs is monitored
    • Ensure Network Access Control Lists (NACL) changes are monitored
    • Ensure a log metric filter and alarm exist for IAM login profile changes
    • Ensure AWS Organizations changes are monitored
    • Ensure CloudTrail log file validation is enabled
    • Ensure AWS Management Console authentication failures are monitored
    • Ensure CloudTrail logs are encrypted at rest using KMS CMKs
    • Ensure S3 bucket policy changes are monitored
    • Ensure unauthorized API calls are monitored
    • Ensure multi-regions trail exists for each AWS CloudTrail
    • Ensure CloudTrail trails are integrated with CloudWatch Logs
    • Ensure management console sign-in without MFA is monitored
    • Ensure IAM policy changes are monitored
    • Ensure route table changes are monitored
    • Ensure a log metric filter and alarm exist for STS 'AssumeRole' action
    • Ensure that Object-level logging for read events is enabled for S3 bucket
    • Ensure a log metric filter and alarm exist for EC2 instance changes
    • Ensure a log metric filter and alarm exist for EC2 Large instance changes
    • Ensure CloudTrail logs have KmsKeyId defined
    • Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
    • Ensure CloudTrail Logging is Enabled
  • AWS Nat Gateway
    • Ensure that NAT gateway is not associated in a private subnet
    • Ensure NAT gateway state is available
    • Ensure NAT gateway has a name tag
  • Amazon ElastiCache
    • Ensure that ElastiCache for Redis version is compliant with AWS PCI DSS requirements
    • Ensure ElastiCache for Memcached is not used in AWS PCI DSS environments
    • Ensure AWS ElastiCache Redis clusters have in-transit encryption enabled
    • Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled
    • Ensure Amazon ElastiCache Redis clusters have the Multi-AZ feature enabled
    • Ensure that the latest version of Redis is used for your AWS ElastiCache clusters
    • Ensure that the latest version of Memcached is used for your AWS ElastiCache clusters
  • AWS Network-Firewall
    • Ensure Network firewall alerts logging is enabled
    • Ensure Network firewall resides in a dedicated subnet
    • Ensure Network firewall has subnet change protection enabled
    • Ensure Network firewall status is not FAILED
    • Ensure Network firewall flow logging is enabled
    • Ensure Network firewall has policy change protection enabled
    • Ensure Network firewall has delete protection enabled
  • IAM Policy
    • Ensure AWS IAM policies do not grant 'assume role' permission across all services
    • Ensure IAM users, groups, and roles have IAM access key permissions restricted
    • Ensure AWS IAM policies allow only the required privileges for each role
    • Ensure IAM users, groups, and roles do not have access to create or update login profiles (passwords) for IAM users
    • Ensure AWS IAM managed policies do not have 'getObject' or full S3 action permissions
    • Ensure IAM policies do not have Effect 'Allow' with a 'NotAction' element
    • Ensure IAM policies that allow full '*:*' administrative privileges are not attached
    • Ensure policy attached to IAM identities requires SSL/TLS to manage IAM access keys
    • Ensure a support role has been created to manage incidents with AWS Support
    • Ensure undedicated AWS IAM managed policies do not have full action permissions
    • Ensure all IAM policies are in use
    • Ensure IAM users, groups, and roles have MFA permissions restricted
    • Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version
  • Amazon Elastic Container Service
    • Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols
    • ECS Service with Admin Roles
    • Ensure there are no inline policies attached to the ECS service
    • Ensure that at least one Load Balancer is attached to the service
    • Ensure that ECS Service role doesn't have excessive permissions (Contains a wildcard)
    • Ensure that ECS Service managed role doesn't have an overly permissive scope (Contains a wildcard)
  • IAM Server Certificate
    • Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
    • SSL/TLS certificates expire in 45 days
    • SSL/TLS certificates expire in one week
    • SSL/TLS certificates expire in one month
    • Ensure IAM server certificate was not uploaded before the Heartbleed security bug fix
  • AWS Lambda
    • Ensure AWS Lambda function is configured inside a VPC
    • Ensure that Lambda Function execution role policy doesn't have excessive permissions (Contains a wildcard)
    • Ensure no Lambda allows ingress from 0.0.0.0/0 to remote server administration ports
    • Ensure AWS Lambda functions have tracing enabled
    • Lambda Functions must have an associated tag
    • Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role
    • Ensure that Lambda Function execution role policy doesn't have an overly permissive scope (Contains a wildcard)
    • Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses Customer Master Keys (CMK)
    • Ensure that Lambda Function resource-based policy doesn't have excessive permissions (Contains a wildcard)
    • Ensure that Lambda Function is not publicly exposed via resource policy without a condition
    • Ensure that Lambda Function URL is secured with IAM authentication
    • Ensure Lambda functions are not using deprecated runtimes
    • Ensure that Amazon Lambda functions are referencing active execution roles
    • Ensure that your Amazon Lambda functions have access to VPC-only resources.
  • Amazon API Gateway
    • Ensure that the API Endpoint type in API Gateway is set to Private and is not exposed to the public internet
    • Ensure that all requestValidatorId in API Gateway are not null
    • Ensure that all authorization Type in API Gateway are not set to None
    • Ensure that an API Key is required on a Method Request
    • Ensure API gateway policy limits public access
    • Ensure API gateway has WAF
    • Ensure API Gateway endpoints have client certificate authentication
  • AWS Certificate Manager
    • Ensure invalid or failed certificates are removed from ACM
    • Ensure that all the expired SSL/TLS certificates are removed from ACM
    • Ensure ACM certificate was not issued before the Heartbleed security bug fix
    • ACM has a PENDING_VALIDATION Certificate
    • Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate
    • Ensure ACM only has certificates with single domain names, and none with wildcard domain names
    • ACM has soon-to-expire certificates
    • Ensure the AWS Certificate Manager (ACM) has no unused certificates
  • Amazon VPC Endpoints
    • Ensure VPC Endpoint has a name tag
    • Ensure that VPC Endpoint policy does not provide excessive permissions
    • Ensure that the VPC Endpoint status is in the Available state
    • Ensure that VPC Endpoint policy won't allow all actions
  • EKS Cluster
    • EksCluster should not have more than one security group
    • EksCluster should not be publicly accessed
    • Ensure that AWS EKS Cluster control plane logging is enabled
    • Ensure security groups associated with EKS cluster do not have inbound rules with a scope of 0.0.0.0/0
    • Ensure EKS cluster version is up-to-date
  • Amazon Secrets Manager
    • Ensure that AWS Secret Manager Secret rotation is enabled
    • Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days
    • Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs
  • Amazon Kinesis
    • AWS Kinesis streams are encrypted with customer managed CMK
    • AWS Kinesis data streams have server side encryption (SSE) enabled
    • Ensure AWS Kinesis Streams Keys are rotated
  • Amazon ElasticSearch service
    • Ensure OpenSearch has IAM permissions restricted
    • Enforce creation of ElasticSearch domains within your VPCs
    • Ensure that encryption of data at rest is enabled on Elasticsearch domains
    • Ensure that node-to-node encryption is enabled for Elasticsearch service
  • Amazon SageMaker
    • Ensure that SageMaker is placed in a VPC
    • Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled
    • Ensure SageMaker Notebook Instance Data Encryption is enabled
    • Ensure that SageMaker Notebook does not have direct internet access
  • Amazon DynamoDB
    • Ensure that AWS DynamoDB is encrypted using customer-managed CMK
    • Ensure Amazon DynamoDB tables have continuous backups enabled
    • DynamoDB Accelerator (DAX) clusters should be encrypted at rest
    • Identify and remove any unused AWS DynamoDB tables to optimize AWS costs
  • AWS Transit Gateway
    • Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway
    • Ensure to define VPC associations and propagations yourself to keep track of all routes and connections to and from your Transit gateway
    • Ensure Transit gateway has a name tag
  • Subnet
    • Ensure AWS VPC subnets have automatic public IP assignment disabled
  • Amazon Elastic Block Storage (EBS)
    • Ensure EBS Volume Encryption is Enabled in all Regions
    • Ensure AWS EBS Volumes are attached to instances
    • Attached EBS volumes should be encrypted at-rest
  • IAM Group
    • Ensure IAM groups have at least one IAM User attached
    • Ensure that IamGroup does not have Inline policies
    • Ensure IAM groups do not have administrator privileges
  • Amazon CloudFront
    • Ensure AWS CloudFront web distributions use custom (and not default) SSL certificates
    • Use encrypted connection between CloudFront and origin server
    • Ensure that the Viewer Protocol policy is compliant to only use the HTTPS protocol
    • Ensure AWS CloudFront web distribution with geo restriction is enabled
    • Determine if CloudFront CDN is in use
    • Ensure AWS CloudFront distribution with access logging is enabled
    • AWS CloudFront - WAF Integration
    • Use secure ciphers in CloudFront distribution
    • CloudFront distributions should require encryption in transit
    • CloudFront distributions should encrypt traffic to custom origins
    • Ensure CloudFront origins don't use insecure SSL protocols
  • Simple Queue Service (SQS)
    • Ensure there is a Dead Letter Queue configured for each Amazon SQS queue
    • Ensure that SQS policy won't allow all actions from all principals
    • Ensure that AWS SQS is encrypted using Customer Managed keys instead of AWS-owned CMKs
    • Ensure that SQS policy won't allow all actions from all principals without a condition
    • Ensure SQS Dead-letter queue is not configured to send messages to the source queue
    • Ensure Amazon SQS queues enforce Server-Side Encryption (SSE)
    • Ensure that AWS SQS is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's
  • EC2 Auto Scaling Group
    • Ensure Auto Scaling group has scaling cooldown configured
    • Ensure Auto Scaling group is used with multiple Availability Zones
    • Ensure Auto Scaling group does not have suspended processes
  • Amazon Systems Manager document
    • Amazon System Manager Document should not be publicly available
    • Ensure that public System Manager Documents include parameters
  • SNS Topic
    • Ensure SNS Topics aren't publicly accessible
    • Ensure SNS topic has active subscriptions
    • Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE)
    • Ensure SNS Topics administrative actions aren't publicly executable without a condition
    • Ensure that AWS SNS topic is encrypted using Customer Managed Keys instead of AWS-owned CMKs
    • Ensure that AWS SNS topic is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's
    • Ensure SNS Topics administrative actions aren't publicly executable
  • AWS Config
    • Ensure that the configuration recorder is set to 'on' and set S3 Bucket and SNS topic as your delivery channel
  • Amazon ECS Task Definitions
    • Enable container's health checks
    • Container metadata
  • IAM SAML Identity Provider
    • Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • Route53RecordSetGroup
    • Ensure S3 Bucket exists for A records routing traffic to an S3 Bucket website endpoint
    • Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint
  • Amazon Route 53
    • Expired Route 53 Domain Names
    • AWS Route 53 Domain Name Renewal (30 days before expiration)
    • AWS Route 53 Domain Name Renewal (7 days before expiration)
    • Enable AWS Route 53 Domain Transfer Lock
    • Enable AWS Route 53 Domain Auto Renew
  • Amazon VPC
    • Ensure VPC flow logging is enabled in all VPCs
    • Ensure the number of private gateways is within the AWS limit for each region
    • Identify unused AWS VPCs
    • Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
    • Ensure the default security group of every VPC restricts all traffic
    • Ensure routing tables for security groups peering are "least access"
  • Amazon Elastic Container Service - Cluster
    • Prefer using IAM roles for tasks rather than using IAM roles for an instance
    • Ensure that at least one instance is registered with an ECS Cluster
    • ECS Cluster At-Rest Encryption
    • ECS Cluster should not have running container instances with unconnected agents
  • Route53 Hosted Zone
    • Use Route53 for scalable, secure DNS service in AWS.
  • AWS Key Management Service (KMS)
    • Ensure only usable Customer Managed Keys are in the AWS KMS
    • Ensure rotation for customer created symmetric CMKs is enabled
    • Ensure rotation for customer created CMKs is enabled
    • Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion
  • Amazon Redshift
    • Ensure AWS Redshift clusters are not publicly accessible
    • Use KMS CMK customer-managed keys for Redshift clusters
    • Ensure AWS Redshift instances are encrypted
    • Connections to Amazon Redshift clusters should be encrypted in transit
  • Amazon Systems Manager Parameter
    • Ensure that sensitive parameters are encrypted
  • Amazon Machine Image (AMI)
    • Ensure that EC2 AMIs are not publicly accessible
  • EMR Cluster
    • Ensure in-transit and at-rest encryption is enabled for Amazon EMR clusters
    • Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3
    • Ensure EMR cluster nodes do not have public IPs
  • Amazon NACL
    • Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • Route Table
    • Ensure AWS NAT Gateways are being utilized instead of the default route
  • AWS EcrRepository
    • Ensure that ECR image tags are immutable.
    • Ensure that ECR image scan on push is enabled.
    • Ensure that ECR repositories are encrypted.
    • Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone.
    • Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone, even with a condition.
    • Ensure that the Cross-Region Replication feature is enabled for your Amazon ECR container images.
    • Ensure that Amazon ECR image repositories are using lifecycle policies.

kubernetes policies

  • Pods
    • Apply Security Context to Your Pods and Containers
    • Ensure that the seccomp profile is set to docker/default in your pod definitions
    • Ensure that an application uses secrets as files rather than as environment variables
    • Ensure that the default namespace is not used
    • Ensure SecurityContext Field Is Set
    • CPU & Memory Limits Should be Set
    • CPU & Memory Requests Should be Set
    • Image Tag should not be 'latest'
    • Image Tag should not be blank
    • Use Read-Only Filesystem
    • Do not admit containers with docker socket bind mount
    • Do not admit root containers
    • Do not admit containers with SYS_ADMIN capability
    • Do not generally permit containers with allowPrivilegeEscalation
    • Run as a high-UID user
    • Do not generally permit privileged containers
    • Pod containers should not share the host process ID namespace
    • Pod should not use the node network namespace
    • Host device path mounts should not be used
    • Pod containers should not share the host IPC namespace
    • Do not override DNS settings in Pod
    • SELinux options should not be configured on containers
    • CVE-2022-0811: Prevent pods from having securityContext with sysctls that contains + or =
    • Ensure that the --token-auth-file parameter is not set (API Server)
    • Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server)
    • Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server)
    • Ensure that the --client-ca-file argument is set as appropriate (API Server)
    • Ensure that the --etcd-cafile argument is set as appropriate (API Server)
    • Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager)
    • Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager)
    • Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd)
    • Ensure that the --client-cert-auth argument is set to true (etcd)
    • Ensure that the --auto-tls argument is not set to true (etcd)
    • Ensure that the --experimental-encryption-provider-config argument is set as appropriate (API Server)
    • Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) (Openshift)
    • Ensure that the --client-cert-auth argument is set to true (etcd) (Openshift)
    • Ensure that the --auto-tls argument is not set to true (etcd) (Openshift)
    • Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) (Openshift)
    • Ensure that the --peer-client-cert-auth argument is set to true (etcd) (Openshift)
    • Ensure that the --peer-auto-tls argument is not set to true (etcd) (Openshift)
    • Ensure that a unique Certificate Authority is used for etcd (etcd) (Openshift)
    • Ensure that the admission control plugin AlwaysAdmit is not set (API Server)
    • Ensure that the --basic-auth-file argument is not set (API Server)
    • Ensure that the --profiling argument is set to false (API Server)
    • Ensure that the --kubelet-certificate-authority argument is set as appropriate (API Server)
    • Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (API Server)
    • Ensure that the admission control plugin PodSecurityPolicy is set (API Server)
    • Ensure that the --authorization-mode argument includes RBAC (API Server)
    • Ensure that the --profiling argument is set to false (Scheduler)
    • Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Controller Manager)
    • Ensure that the --profiling argument is set to false (Controller Manager)
    • Ensure that the --use-service-account-credentials argument is set to true (Controller Manager)
    • Ensure that the --root-ca-file argument is set as appropriate (Controller Manager)
    • Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd)
    • Ensure that the --peer-client-cert-auth argument is set to true (etcd)
    • Ensure that the --peer-auto-tls argument is not set to true (etcd)
    • Ensure that Containers are not running in privileged mode
    • Ensure containers are secured with AppArmor profile
    • Ensure that the --anonymous-auth argument is set to false (API Server)
    • Ensure that Containers are not running with dangerous capabilities
    • Ensure that Containers are not running with insecure capabilities
    • Ensure that the --authorization-mode argument includes Node (API Server)
    • Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (API Server)
    • Ensure that the --DenyServiceExternalIPs is not set
    • Ensure that the --kubelet-https argument is set to true
    • Minimize the admission of HostPath volumes
    • Minimize the admission of containers which use HostPorts
    • Ensure that the --request-timeout argument is set as appropriate (API Server)
    • Ensure that the --encryption-provider-config argument is set as appropriate (API Server)
    • Ensure that a minimal audit policy is created (API Server)
    • Ensure that encryption providers are appropriately configured (API Server)
    • Ensure that the API Server only makes use of Strong Cryptographic Ciphers (API Server)
    • Ensure that a unique Certificate Authority is used for etcd
    • Ensure that the --audit-log-path argument is set as appropriate (API Server)
    • Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (API Server)
    • Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (API Server)
    • Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (API Server)
    • Ensure that the AdvancedAuditing argument is not set to false (API Server)
    • Ensure that the --service-account-lookup argument is set to true (API Server)
    • Ensure that the admission control plugin ServiceAccount is set (API Server)
    • Ensure that the --insecure-allow-any-token argument is not set (API Server)
    • Ensure that the --insecure-bind-address argument is not set (API Server)
    • Ensure that the --insecure-port argument is set to 0 (API Server)
    • Ensure that the --secure-port argument is not set to 0 (API Server)
    • Ensure that the --repair-malformed-updates argument is set to false (API Server)
    • Ensure that the admission control plugin AlwaysPullImages is set (API Server)
    • Ensure that the admission control plugin NamespaceLifecycle is set (API Server)
    • Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server)
    • Ensure that the --authorization-mode argument is set to Node (API Server)
    • Ensure that the admission control plugin NodeRestriction is set (API Server)
    • Ensure that the admission control plugin EventRateLimit is set (API Server)
    • Ensure that the --address argument is set to 127.0.0.1 (Scheduler)
    • Ensure that the --address argument is set to 127.0.0.1 (Controller Manager)
    • Ensure that the admission control plugin DenyEscalatingExec is set (API Server)
    • Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager)
    • Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler)
    • Ensure pods outside of kube-system do not have access to node volume
    • Ensure that the --service-account-key-file argument is set as appropriate (API Server)
  • Kubernetes Role
    • Minimize access to secrets (RBAC)
    • Minimize wildcard use in Roles and ClusterRoles (RBAC)
    • Profiling (metric) is protected by RBAC (RBAC) (Openshift)
    • Profiling (pprof) is protected by RBAC (RBAC) (Openshift)
    • Ensure that the healthz endpoints for the scheduler are protected by RBAC (RBAC) (Openshift)
  • Node
    • Ensure that the --anonymous-auth argument is set to false (Kubelet)
    • Ensure that the --make-iptables-util-chains argument is set to true (Kubelet)
    • Ensure that the --authorization-mode argument is not set to AlwaysAllow (Kubelet)
    • Ensure that the --hostname-override argument is not set (Kubelet) (Openshift)
    • Ensure that the --protect-kernel-defaults argument is set to true (Kubelet)
    • Ensure that the --client-ca-file argument is set as appropriate (Kubelet)
    • Ensure that the --event-qps argument is set to 0 (Kubelet)
    • Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)
    • Ensure that the --read-only-port argument is set to 0 (Kubelet)
    • Ensure that the --rotate-certificates argument is not set to false (Kubelet)
    • Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Kubelet)
    • Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet)
    • Ensure that the --rotate-certificates argument is not set to false (Kubelet) (Openshift)
    • Verify that the RotateKubeletServerCertificate argument is set to true (Kubelet) (Openshift)
    • Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Kubelet) (Openshift)
    • Ensure that the --rotate-certificates argument is not present or is set to true (Kubelet)
    • Ensure that the --hostname-override argument is not set (Kubelet)
    • Ensure that the --cadvisor-port argument is set to 0 (Kubelet)
    • Ensure that garbage collection is configured as appropriate (Kubelet) (Openshift)
  • Kubernetes Role Binding
    • Ensure that the cluster-admin role is only used where required (RBAC)
    • Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (RBAC)
    • Ensure that default service accounts are not actively used. (RBAC)
    • Minimize access to create pods (RBAC)
    • Ensure that the cluster-admin role is not being used
    • Ensure that anonymous requests are authorized (RBAC) (Openshift)
    • Ensure that the cluster-admin role is only used where required (RBAC - ClusterRoleBinding)
    • Ensure that default service accounts are not actively used (RBAC - ClusterRoleBinding)
    • Limit binding of Anonymous User
  • Network Policies
    • Ensure that the CNI in use supports Network Policies
    • Ensure Traffic Between Client and Load Balancer Uses HTTPS Protocol Only
    • Restrict Traffic Among Pods with a Network Policy
  • Kubernetes Service Account
    • Ensure that Service Account Tokens are only mounted where necessary (RBAC)
    • Ensure that default service accounts are not actively used (RBAC - ServiceAccount)
  • Pod Security Policies
    • Minimize the admission of containers wishing to share the host IPC namespace (PSP)
    • Minimize the admission of privileged containers (PSP)
    • Minimize the admission of containers wishing to share the host network namespace (PSP)
    • Minimize the admission of containers with allowPrivilegeEscalation (PSP)
    • Minimize the admission of containers with added capabilities (PSP)
    • Minimize the admission of containers wishing to share the host process ID namespace (PSP)
    • Minimize the admission of root containers (PSP)
    • Ensure Objects Have a Valid Email Address Annotation
    • Ensure Objects Have an Owner Label
    • Ensure Sysctls Do Not Use Kernel Subsystems in a Kubernetes Cluster
    • Minimize the admission of containers with the NET_RAW capability (PSP)
    • Minimize the admission of containers to RootFilesystem (PSP)
    • Minimize the admission of FSGroup applied to some volumes (PSP)
    • Minimize the admission of primary group ID the containers are run with (PSP)
    • Minimize the admission of SupplementalGroups in containers (PSP)
  • Service
    • CVE-2020-8554: Services should not use 'externalIPs'
    • Services should not expose SSH port

google policies

  • Virtual Machine Instances
    • Ensure GCP VM Instances have Labels
    • Public VMInstance with service VNC Server(TCP:5900) is exposed to a wide public network
    • VMInstance with service MSSQL Debugger(TCP:135) is exposed to a wide network scope
    • Ensure oslogin is enabled for a Virtual Machine
    • Public VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a wide public network
    • Public VMInstance with service Postgres SQL(TCP:5432) is exposed to a small public network
    • Ensure VM Instance should not have public IP
    • VMInstance with service CIFS / SMB(TCP:3020) is exposed to a wide network scope
    • VMInstance with service VNC Listener(TCP:5500) is exposed to a small network scope
    • VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to a large network
    • VMInstance with unencrypted LDAP (TCP:389) is exposed to the public internet
    • VMInstance with service DNS(UDP:53) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a large network
    • VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a large network
    • VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to a small network
    • Public VMInstance with service MSSQL Server(TCP:1433) is exposed to a wide public network
    • VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
    • Ensure That Compute Instances Have Confidential Computing Enabled
    • VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to a small network
    • VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a small network scope
    • VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network
    • VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a large network
    • VMInstance with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet
    • VMInstance with unencrypted Memcached (UDP:11211) is exposed to a large network
    • Public VMInstance with service VNC Server(TCP:5900) is exposed to a small public network
    • Public VMInstance with service POP3(TCP:110) is exposed to a wide public network
    • VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a wide network scope
    • VMInstance with unencrypted Memcached (TCP:11211) is exposed to a large network
    • Public VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a wide public network
    • Public VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a small public network
    • VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a small network scope
    • VMInstance with service POP3(TCP:110) is exposed to a small network scope
    • Ensure That IP Forwarding Is Not Enabled on Instances
    • VMInstance with administrative service: SSH (TCP:22) is exposed to a wide network scope
    • VMInstance with unencrypted Mongo (TCP:27017) is exposed to a small network
    • VMInstance with unencrypted Elasticsearch (TCP:9200) is exposed to a large network
    • VMInstance with unencrypted Mongo (TCP:27017) is exposed to the public internet
    • VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to the public internet
    • Public VMInstance with service Microsoft-DS(TCP:445) is exposed to a small public network
    • VMInstance with service Memcached SSL(TCP:11214) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to the public internet
    • Public VMInstance with service Puppet Master(TCP:8140) is exposed to a wide public network
    • VMInstance with service Known internal web port(TCP:8080) is exposed to a wide network scope
    • VMInstance with unencrypted LDAP (UDP:389) is exposed to a small network
    • Ensure Compute Instances Are Launched With Shielded VM Enabled
    • VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to a small network
    • VMInstance with service CIFS / SMB(TCP:3020) is exposed to a small network scope
    • Public VMInstance with service MSSQL Debugger(TCP:135) is exposed to a wide public network
    • Public VMInstance with service VNC Listener(TCP:5500) is exposed to a wide public network
    • VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a small network scope
    • VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to the public internet
    • Public VMInstance with service NetBios Session Service(UDP:139) is exposed to a small public network
    • VMInstance with service SMTP(TCP:25) is exposed to a wide network scope
    • VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a wide network scope
    • VMInstance with unencrypted LDAP (UDP:389) is exposed to a large network
    • VMInstance with service Known internal web port(TCP:8000) is exposed to a small network scope
    • VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a small network scope
    • Public VMInstance with service SMTP(TCP:25) is exposed to a wide public network
    • Public VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a wide public network
    • Public VMInstance with service SaltStack Master(TCP:4506) is exposed to a wide public network
    • VMInstance with service Postgres SQL(UDP:5432) is exposed to a wide network scope
    • Public VMInstance with service LDAP SSL(TCP:636) is exposed to a wide public network
    • Public VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a wide public network
    • Public VMInstance with service Known internal web port(TCP:8000) is exposed to a wide public network
    • VMInstance with service VNC Listener(TCP:5500) is exposed to a wide network scope
    • VMInstance with service DNS(UDP:53) is exposed to a small network scope
    • VMInstance with service Postgres SQL(TCP:5432) is exposed to a wide network scope
    • VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a small network scope
    • Public VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a small public network
    • Public VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a wide public network
    • VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a small network scope
    • Public VMInstance with service Cassandra(TCP:7001) is exposed to a wide public network
    • Public VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a small public network
    • VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a wide network scope
    • Public VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a small public network
    • VMInstance with unencrypted Redis (TCP:6379) is exposed to a large network
    • Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances
    • Public VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a wide public network
    • VMInstance with service Known internal web port(TCP:8080) is exposed to a small network scope
    • VMInstance with service Telnet(TCP:23) is exposed to a wide network scope
    • VMInstance with service MySQL(TCP:3306) is exposed to a wide network scope
    • VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a small network scope
    • VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a wide network scope
    • VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to the public internet
    • VMInstance with service MySQL(TCP:3306) is exposed to a small network scope
    • VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a wide network scope
    • VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a small network scope
    • VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network
    • Public VMInstance with service Memcached SSL(TCP:11214) is exposed to a small public network
    • Public VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a wide public network
    • Public VMInstance with service SaltStack Master(TCP:4506) is exposed to a small public network
    • VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a large network
    • Public VMInstance with service VNC Listener(TCP:5500) is exposed to a small public network
    • Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
    • VMInstance with service POP3(TCP:110) is exposed to a wide network scope
    • Public VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a wide public network
    • VMInstance with service NetBios Session Service(UDP:139) is exposed to a wide network scope
    • VMInstance with unencrypted Elastic search (TCP:9300) is exposed to a large network
    • Public VMInstance with service MSSQL Debugger(TCP:135) is exposed to a small public network
    • Public VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a wide public network
    • VMInstance with service Memcached SSL(UDP:11215) is exposed to a small network scope
    • VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to a large network
    • Public VMInstance with service MySQL(TCP:3306) is exposed to a small public network
    • Public VMInstance with service NetBios Session Service(UDP:139) is exposed to a wide public network
    • VMInstance with service Known internal web port(TCP:8000) is exposed to a wide network scope
    • Asset does not contain a network tag
    • VMInstance with service Memcached SSL(UDP:11215) is exposed to a wide network scope
    • Public VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a small public network
    • VMInstance with service SaltStack Master(TCP:4505) is exposed to a wide network scope
    • VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to a large network
    • VMInstance with unencrypted Mongo (TCP:27017) is exposed to a large network
    • VMInstance with service Memcached SSL(TCP:11214) is exposed to a small network scope
    • VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a wide network scope
    • VMInstance with service SMTP(TCP:25) is exposed to a small network scope
    • VMInstance with service MSSQL Admin(TCP:1434) is exposed to a small network scope
    • Public VMInstance with service Memcached SSL(TCP:11215) is exposed to a small public network
    • Public VMInstance with service NetBios Session Service(TCP:139) is exposed to a small public network
    • VMInstance with service LDAP SSL(TCP:636) is exposed to a wide network scope
    • Public VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a small public network
    • VMInstance with service SNMP(UDP:161) is exposed to a wide network scope
    • VMInstance with service Memcached SSL(UDP:11214) is exposed to a wide network scope
    • VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to the public internet
    • VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a wide network scope
    • Public VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a small public network
    • VMInstance with service VNC Server(TCP:5900) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network
    • VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to a small network
    • VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a small network scope
    • VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a small network scope
    • Public VMInstance with service MSSQL Admin(TCP:1434) is exposed to a small public network
    • VMInstance with unencrypted Memcached (UDP:11211) is exposed to a small network
    • Public VMInstance with service NetBios Session Service(TCP:139) is exposed to a wide public network
    • Public VMInstance with service SMTP(TCP:25) is exposed to a small public network
    • Public VMInstance with service MySQL(TCP:3306) is exposed to a wide public network
    • VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to a large network
    • Public VMInstance with service Memcached SSL(UDP:11215) is exposed to a small public network
    • VMInstance with service Memcached SSL(TCP:11215) is exposed to a small network scope
    • VMInstance with unencrypted Memcached (UDP:11211) is exposed to the public internet
    • Ensure That Compute Instances Do Not Have Public IP Addresses
    • VMInstance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
    • Public VMInstance with service DNS(UDP:53) is exposed to a wide public network
    • Public VMInstance with service Memcached SSL(TCP:11214) is exposed to a wide public network
    • Public VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a small public network
    • VMInstance with service Microsoft-DS(TCP:445) is exposed to a small network scope
    • Public VMInstance with service POP3(TCP:110) is exposed to a small public network
    • VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to the public internet
    • Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
    • Public VMInstance with service Cassandra(TCP:7001) is exposed to a small public network
    • Public VMInstance with service Known internal web port(TCP:8080) is exposed to a small public network
    • Public VMInstance with service SNMP(UDP:161) is exposed to a small public network
    • Public VMInstance with service CIFS / SMB(TCP:3020) is exposed to a wide public network
    • Public VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a wide public network
    • Public VMInstance with service Memcached SSL(UDP:11214) is exposed to a wide public network
    • Public VMInstance with service SNMP(UDP:161) is exposed to a wide public network
    • Public VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a wide public network
    • Public VMInstance with service Postgres SQL(TCP:5432) is exposed to a wide public network
    • VMInstance with unencrypted LDAP (UDP:389) is exposed to the public internet
    • Public VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a small public network
    • Public VMInstance with service Puppet Master(TCP:8140) is exposed to a small public network
    • Public VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a wide public network
    • VMInstance with unencrypted Elastic search (TCP:9200) is exposed to a small network
    • Public VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a small public network
    • VMInstance with service MSSQL Debugger(TCP:135) is exposed to a small network scope
    • VMInstance with service Puppet Master(TCP:8140) is exposed to a wide network scope
    • Public VMInstance with service Postgres SQL(UDP:5432) is exposed to a small public network
    • VMInstance with service VNC Server(TCP:5900) is exposed to a small network scope
    • VMInstance with service NetBios Session Service(UDP:139) is exposed to a small network scope
    • Public VMInstance with service Memcached SSL(UDP:11215) is exposed to a wide public network
    • Public VMInstance with service Telnet(TCP:23) is exposed to a small public network
    • VMInstance with service SaltStack Master(TCP:4505) is exposed to a small network scope
    • Public VMInstance with service Microsoft-DS(TCP:445) is exposed to a wide public network
    • VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a small network scope
    • VMInstance with service Memcached SSL(TCP:11215) is exposed to a wide network scope
    • VMInstance with service Cassandra(TCP:7001) is exposed to a small network scope
    • VMInstance with service Telnet(TCP:23) is exposed to a small network scope
    • VMInstance with service SaltStack Master(TCP:4506) is exposed to a small network scope
    • VMInstance with service Microsoft-DS(TCP:445) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network
    • VMInstance with service Puppet Master(TCP:8140) is exposed to a small network scope
    • Public VMInstance with service DNS(UDP:53) is exposed to a small public network
    • VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • VMInstance with service SNMP(UDP:161) is exposed to a small network scope
    • Public VMInstance with service Known internal web port(TCP:8080) is exposed to a wide public network
    • VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a wide network scope
    • VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network
    • Public VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a wide public network
    • VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to the public internet
    • VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a small network scope
    • Public VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a small public network
    • VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to the public internet
    • VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a wide network scope
    • VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a wide network scope
    • VMInstance with service MSSQL Server(TCP:1433) is exposed to a wide network scope
    • VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a wide network scope
    • Public VMInstance with service Postgres SQL(UDP:5432) is exposed to a wide public network
    • Public VMInstance with service Telnet(TCP:23) is exposed to a wide public network
    • VMInstance with service Cassandra(TCP:7001) is exposed to a wide network scope
    • VMInstance with unencrypted LDAP (TCP:389) is exposed to a small network
    • VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a small network scope
    • Public VMInstance with service MSSQL Admin(TCP:1434) is exposed to a wide public network
    • Public VMInstance with service Memcached SSL(TCP:11215) is exposed to a wide public network
    • VMInstance with unencrypted Memcached (TCP:11211) is exposed to a small network
    • VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a large network
    • VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to the public internet
    • VMInstance with service Memcached SSL(UDP:11214) is exposed to a small network scope
    • Ensure That Instances Are Not Configured To Use the Default Service Account
    • Public VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a small public network
    • Public VMInstance with service SaltStack Master(TCP:4505) is exposed to a small public network
    • VMInstance with service LDAP SSL(TCP:636) is exposed to a small network scope
    • VMInstance with unencrypted LDAP (TCP:389) is exposed to a large network
    • Public VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a small public network
    • VMInstance with service SaltStack Master(TCP:4506) is exposed to a wide network scope
    • Public VMInstance with service Memcached SSL(UDP:11214) is exposed to a small public network
    • VMInstance with service Postgres SQL(UDP:5432) is exposed to a small network scope
    • VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a wide network scope
    • VMInstance with service Postgres SQL(TCP:5432) is exposed to a small network scope
    • Public VMInstance with service CIFS / SMB(TCP:3020) is exposed to a small public network
    • Public VMInstance with service Known internal web port(TCP:8000) is exposed to a small public network
    • Public VMInstance with service LDAP SSL(TCP:636) is exposed to a small public network
    • Public VMInstance with service SaltStack Master(TCP:4505) is exposed to a wide public network
    • VMInstance with service MSSQL Admin(TCP:1434) is exposed to a wide network scope
    • VMInstance with unencrypted Elastic search (TCP:9200) is exposed to the public internet
    • VMInstance with service MSSQL Server(TCP:1433) is exposed to a small network scope
    • VMInstance with service NetBios Session Service(TCP:139) is exposed to a small network scope
    • VMInstance with service NetBios Session Service(TCP:139) is exposed to a wide network scope
    • VMInstance with unencrypted Elastic search (TCP:9300) is exposed to the public internet
    • VMInstance with unencrypted Memcached (TCP:11211) is exposed to the public internet
    • VMInstance with unencrypted Elastic search (TCP:9300) is exposed to a small network
    • VMInstance with unencrypted Redis (TCP:6379) is exposed to a small network
    • Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
    • VMInstance with administrative service: SSH (TCP:22) is too exposed to the public internet
    • Public VMInstance with service MSSQL Server(TCP:1433) is exposed to a small public network
    • VMInstance with unencrypted Redis (TCP:6379) is exposed to the public internet
    • Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to all protocols and ports
    • Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to ICMP
    • Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to a known TCP port
    • Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to a known UDP port
    • Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to a known TCP DB port
    • Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to a known UDP DB port
    • Enable 2FA for VM Instances using OS Login
    • Ensure that instances are not configured to use the default service account
  • Kubernetes Cluster
    • Ensure Network policy is enabled on Kubernetes Engine Clusters
    • Ensure Kubernetes Clusters are configured with Labels
    • Ensure Kubernetes Engine Clusters legacy compute engine metadata endpoints are disabled
    • Ensure GKE Clusters use specific purpose-designed networks instead of the default network
    • Ensure `Automatic node repair` is enabled for Kubernetes Clusters
    • Ensure Kubernetes Cluster is created with Alias IP ranges enabled
    • Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
    • Ensure Automatic node upgrades are enabled on Kubernetes Engine Clusters nodes
    • Ensure Kubernetes Cluster is created with Client Certificate enabled
    • Ensure default Service account is not used for Project access in Kubernetes Clusters
    • Ensure Master authorized networks are set to Enabled on Kubernetes Engine Clusters
    • Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
    • Ensure Kubernetes web UI / Dashboard is disabled
    • Ensure Kubernetes Cluster is created with Private cluster enabled
    • Ensure the GKE Cluster alpha cluster feature is disabled
    • Ensure GKE Cluster HTTP load balancing is enabled
    • Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
    • Ensure PodSecurityPolicy Configuration Enabled For Google Kubernetes Engine (GKE) Cluster
    • Ensure 'master_auth' Block Exists For Google Kubernetes Engine (GKE) Cluster
  • GCP AlertPolicy
    • Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
    • Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
    • Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
    • Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
    • Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
    • Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
    • Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
    • Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
  • GCP IAM Policy
    • Ensure permissions to impersonate a service account are not granted at project level
    • Avoid using pre-IAM basic (primitive) roles
    • Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
    • Ensure that Corporate Login Credentials are Used
    • Ensure That Cloud Audit Logging Is Configured Properly
  • GCP CloudSql
    • Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
    • Ensure that Cloud SQL - MYSQL instances have Point-in-time recovery enabled
    • Ensure Cloud SQL instances have labels
    • Ensure 'user connections' Database Flag for Cloud SQL SQL Server Instance Is Set to a Non-limiting Value
    • Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    • Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
    • Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
    • Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
    • Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled)
    • Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
    • Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
    • Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
    • Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
    • Ensure That Cloud SQL Database Instances Do Not Have Public IPs
    • Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
    • Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    • Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
    • Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
    • Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
    • Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on)
    • Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
    • Ensure 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on'
    • Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
    • Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
    • Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    • Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
    • Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
    • Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
    • Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
    • Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
    • Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
    • Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud SQL PostgreSQL Instance Is Set to 'on' For Centralized Logging
    • Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances
    • Ensure that SQL Server database instances have the appropriate configuration set for the 'user connections' flag
  • GCP Security Group
    • Ensure Global Firewall rule does not allow all traffic
    • Ensure That SSH Access Is Restricted From the Internet
    • Ensure That RDP Access Is Restricted From the Internet
    • Ensure Excluding RDP Port For Google Compute Firewall
  • Storage Bucket
    • Ensure that Cloud Storage bucket has usage logs enabled
    • Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
    • Storage Bucket outside of Europe
    • Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
    • Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
    • Ensure Versioning Enabled For a new bucket in Google cloud storage service (GCS)
  • GCP IAM User
    • Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
    • User did not log in the past 90 days
    • Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
    • Ensure that multi-factor authentication is enabled for admin users
    • Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
    • Suspended user account unused for more than 6 months
    • Ensure GCP IAM user does not have permissions to deploy all resources
  • GCP API Key
    • Ensure API Keys Are Rotated Every 90 Days
    • Ensure API Keys Only Exist for Active Services
    • Ensure API Keys Are Restricted to Only APIs That Application Needs Access
    • Ensure unrestricted API keys are not available within your GCP projects
  • Google Cloud Function
    • Ensure that all the deployed cloud functions are in 'active' mode
    • Ensure that at least one event trigger was configured in your function
    • Ensure Google Cloud Function is configured with a VPC connector
  • GCP VPC Network
    • Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
    • Ensure Legacy Networks Do Not Exist for Older Projects
    • Ensure That the Default Network Does Not Exist in a Project
    • Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
  • Subnet
    • Ensure Private Google Access is enabled for all subnetworks in VPC Network
    • Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
    • Ensure Logging Configuration for Google Compute Subnetwork
  • GCP Project
    • Ensure Oslogin Is Enabled for a Project
    • Ensure Cloud Asset Inventory Is Enabled
    • Ensure 'Access Approval' is 'Enabled'
  • BigQuery
    • Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
    • Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
    • Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
  • Service Account
    • Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
    • Ensure That Service Account Has No Admin Privileges
    • Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
    • Ensure that service accounts are not granted with permissions to use other service accounts or set iam policies
  • Cloud Key Management Service
    • Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
    • Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
  • Google Pub/Sub
    • Ensure PubSub service is encrypted, with customer managed encryption keys.
  • GCP DNS Managed Zone
    • Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
    • Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
    • Ensure That DNSSEC Is Enabled for Cloud DNS
  • Https Load Balancer Proxy
    • Ensure No HTTPS Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
    • Ensure no SSL proxy load balancers permit SSL policies with weak cipher suites
  • Log Sink
    • Ensure That Sinks Are Configured for All Log Entries
  • GCP Dataproc Cluster
    • Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
  • GCP EssentialContact
    • Ensure Essential Contacts is Configured for Organization
    • Ensure Essential Contacts are defined for your Google Cloud organization

azure policies

  • SQL Server on Virtual Machines
    • Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
    • Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
    • Ensure that Azure Active Directory Admin is configured
    • Ensure Azure SQL Server data replication with Fail Over groups
    • Ensure the entire Azure infrastructure doesn't have access to Azure SQL Server
    • Ensure that ADS - 'Advanced Threat Protection types' (ATP) is set to 'All'
    • Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account
    • Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly
    • Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
    • Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
    • Ensure that SQL Server Auditing Retention is greater than 90 days
    • Ensure that 'Auditing' is set to 'On'
    • Restrict Azure SQL Server accessibility to a minimal address range
    • Ensure SQL Server Threat Detection is Enabled and Retention Logs are greater than 90 days
    • Ensure that 'Auditing' Retention is 'greater than 90 days'
    • Ensure that Azure Active Directory Admin is Configured for SQL Servers
    • Ensure that ADS - ATP 'Send alerts to' is set
    • Avoid using names like 'Admin' for an Azure SQL Server admin account login
    • Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
    • Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
    • Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
  • Virtual Machine
    • Ensure that Azure Virtual Machine is assigned to an availability set
    • Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
    • Virtual machine administrative OMI/OMS service port (5986) is publicly accessible
    • Ensure that at least one Network Security Group is attached to all VMs and subnets that are public
    • Virtual machine administrative OMI/OMS service port (5985) is publicly accessible
    • Virtual machine administrative OMI/OMS service port (1270) is publicly accessible
    • Ensure no Virtual Machine allows incoming traffic from 0.0.0.0/0 to Known DB-UDP ports
    • Ensure no Virtual Machine allows incoming traffic from 0.0.0.0/0 to Known TCP ports
    • Ensure no Virtual Machine allows incoming traffic from 0.0.0.0/0 to Known DB-TCP ports
    • Ensure no Virtual Machine allows incoming traffic from 0.0.0.0/0 to Known UDP ports
    • Ensure Virtual Machines are utilizing Managed Disks
    • Ensure that Endpoint Protection for all Virtual Machines is installed
  • Azure Key Vault
    • Key vault should have purge protection enabled
    • Ensure that the Expiration Date is set for all Keys in Key Vaults
    • Ensure Azure Key Vaults are Used to Store Secrets
    • Ensure that the Expiration Date is set for all Secrets in Key Vaults
    • Ensure that logging for Azure Key Vault is 'Enabled'
    • Ensure the Key Vault is Recoverable
    • Ensure that Private Endpoints are Used for Azure Key Vault
    • Enable Role Based Access Control for Azure Key Vault
  • Network security group
    • Ensure Flow-Logs are Enabled on NSG
    • Ensure that MSQL (TCP:4333) is restricted from the Internet
    • Ensure FTP deployments are disabled
    • Ensure that CIFS (UDP:445) is restricted from the Internet
    • Ensure that Windows RPC (TCP:135) is restricted from the Internet
    • Overly permissive NSG Inbound rule to all traffic on TCP protocol
    • Ensure that outbound traffic is restricted to only that which is necessary, and all other traffic denied
    • Ensure that PostgreSQL (TCP:5432) is restricted from the Internet
    • Ensure that VNC Server (TCP:5900) is restricted from the Internet
    • Overly permissive NSG Inbound rule to all traffic on UDP protocol
    • Ensure that SQL Server (TCP:1433) is restricted from the Internet
    • Ensure that FTP-Data (TCP:20) is restricted from the Internet
    • Ensure that NetBIOS (UDP:138) is restricted from the Internet
    • Ensure no security groups allow ingress from 0.0.0.0/0 to ICMP (Ping)
    • Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
    • Remove unused Network Security Groups
    • Ensure that Windows SMB (TCP:445) is restricted from the Internet
    • Ensure that DNS (TCP:53) is restricted from the Internet
    • Overly permissive NSG Inbound rule to all traffic on ANY protocol
    • Ensure that NetBIOS (UDP:137) is restricted from the Internet
    • Ensure that MySQL (TCP:3306) is restricted from the Internet
    • Ensure that SMTP (TCP:25) is restricted from the Internet
    • Ensure that DNS (UDP:53) is restricted from the Internet
    • Ensure that SSH access from the Internet is evaluated and restricted
    • Ensure that SQL Server (UDP:1434) is restricted from the Internet
    • Ensure that RDP access from the Internet is evaluated and restricted
    • Ensure that VNC Listener (TCP:5500) is restricted from the Internet
    • Ensure that Telnet (TCP:23) is restricted from the Internet
    • Ensure that Oracle Database (TCP:1521) is restricted from the Internet
    • Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019
    • Ensure that HTTP protocol (TCP:80) is restricted from the Internet
    • Ensure that HTTPS protocol (TCP:443) is restricted from the Internet
  • Azure SQL Database
    • Ensure that SQL Database Auditing Retention is greater than 90 days
    • Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled
    • Ensure that SQL Database Auditing is Enabled
    • Ensure that 'Data encryption' is set to 'On' on a SQL Database
  • Security Center - Policy
    • Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
  • Azure Alert Rule
    • Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
    • Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
    • Ensure that Activity Log Alert exists for Delete Network Security Group
    • Ensure that activity log alert exists for the Delete Network Security Group Rule
    • Ensure that Activity Log Alert exists for Delete Policy Assignment
    • Ensure that Activity Log Alert exists for Create or Update Security Solution
    • Ensure that Activity Log Alert exists for Delete Security Solution
    • Ensure that Activity Log Alert exists for Create or Update Network Security Group
    • Ensure that Activity Log Alert exists for Create Policy Assignment
    • Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
    • Ensure that Activity Log Alert exists for Delete Public IP Address rule
    • Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
    • Ensure that an activity log alert is created for Delete PostgreSQL Database events
  • Spring Cloud
    • Ensure that Spring Cloud App has end-to-end TLS enabled
    • Ensure that Spring Cloud App enforces HTTPS connections
    • Ensure that Spring Cloud App has system-assigned managed identity enabled
  • Azure Network Watcher
    • Ensure that Network Watcher is 'Enabled'
  • Network Security Group flow logs
    • Ensure Flow-Logs Retention Policy is greater than 90 days
    • Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
  • Azure Redis Cache
    • Redis cache should have a backup
    • Ensure that Redis is updated regularly with security and operational updates.
    • Ensure there are no firewall rules allowing unrestricted access to Redis from other Azure sources
    • Redis attached subnet Network Security Group should allow ingress traffic only to ports 6379 or 6380
    • Ensure that the Redis Cache accepts only SSL connections
    • Ensure there are no firewall rules allowing unrestricted access to Redis from the Internet
    • Redis attached subnet Network Security Group should allow egress traffic only to ports 6379 or 6380
    • Ensure there are no firewall rules allowing Redis Cache access for a large number of source IPs
    • Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol
  • Container Registry
    • Ensure that admin user is disabled for Container Registry
    • Ensure Container Registry has locks
    • Ensure to not use the deprecated Classic registry
  • Azure functions
    • Ensure that Health Check is enabled for your Function App
    • Ensure remote debugging has been disabled for your production Azure Functions
    • Ensure Function App is using the latest version of TLS encryption
    • Managed identity should be used in your Function App
    • Function App should only be accessible over HTTPS
    • Ensure the Function app has 'Client Certificates (Incoming client certificates)' set to 'On'
    • Ensure that Application Service Logs are Enabled for Containerized Function Apps
    • Ensure App Service Authentication is set up for apps in Azure App Service - FunctionApp
    • Ensure FTP deployments are Disabled for FunctionApp
  • Azure Database for PostgreSQL
    • Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
    • Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
    • Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
    • Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
    • Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server
    • Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
    • Ensure that Geo Redundant Backups is enabled on PostgreSQL
    • Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
    • Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
    • Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
    • Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database
  • Azure Storage Account
    • Storage Accounts outside Europe
    • Ensure that 'Secure transfer required' is set to 'Enabled'
    • Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
    • Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
    • Ensure Default Network Access Rule for Storage Accounts is Set to Deny
    • Storage Accounts outside Brazil
    • Ensure that 'Secure transfer required' is set to 'Enabled' for Storage Accounts
    • Ensure the blob is recoverable - enable 'Soft Delete' setting for blobs
    • Ensure Storage logging is enabled for Queue service for read, write, and delete requests
    • Ensure default network access rule for Storage Accounts is set to deny
    • Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
    • Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
    • Ensure that 'Public access level' is disabled for storage accounts with blob containers
    • Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
    • Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
    • Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
    • Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
    • Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
    • Ensure Minimum TLS Encryption Version For Storage Account
    • Ensure that Containers and their blobs are not exposed publicly
    • Ensure that Storage Account has Microsoft Defender for Cloud enabled
    • Ensure Private Endpoints are used to access Storage Accounts
    • Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
    • Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
  • Azure Application Gateway
    • Ensure Application Gateway is using the latest version of TLS encryption
    • Ensure Azure Application Gateway Web application firewall (WAF) is enabled
    • Ensure Application Gateway is using Https protocol
  • Virtual Network
    • Ensure that Virtual Networks Subnets have Security Groups
    • Ensure that Azure Virtual Network subnet is configured with a Network Security Group
    • Ensure that Azure Virtual network peering is connected
  • Log Profile
    • Ensure that a Log Profile exists
    • Ensure that Activity Log Retention is set 365 days or greater
    • Ensure the log profile captures activity logs for all regions including global
    • Ensure audit profile captures all the activities
    • Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
  • Azure AKS
    • Ensure that you are using authorized IP address ranges to secure access to the API server
    • Ensure that your Cluster Pool contains at least 3 Nodes
    • Ensure that a network policy is in place to secure traffic between pods
    • Ensure that Azure CNI Networking is enabled
    • Ensure that the pod security policy is enabled in your AKS cluster
    • Enable role-based access control (RBAC) within Azure Kubernetes Services
    • Ensure Azure Kubernetes Service (AKS) Cluster Dashboard Is Disabled
    • Ensure Azure Monitoring Enabled For Azure Kubernetes Service (AKS) Cluster
  • Web Apps service
    • Ensure remote debugging has been disabled for your production Web App
    • Ensure that Register with Azure Active Directory is enabled on App Service
    • Ensure Web App is using the latest version of TLS encryption
    • Ensure App Service Authentication is set up for apps in Azure App Service - Webapp
    • Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
    • Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
    • Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
    • Ensure That 'PHP version' is the Latest, If Used to Run the Web App
    • Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
    • Ensure that 'Java version' is the latest, if used to run the Web App
    • Ensure that 'Java version' is the latest, if used to run the Linux Web App
    • Ensure That 'PHP version' is the Latest, If Used to Run the Linux Web App
    • Ensure FTP deployments are Disabled
  • Azure Cosmos DB
    • Ensure That Private Endpoints Are Used Where Possible
    • Ensure Cosmos DB account access is not allowed from all networks
    • Ensure Cosmos DB account is encrypted with customer-managed keys
    • Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
    • Ensure to filter source IPs for Cosmos DB Account
  • Azure Monitor Logs
    • Ensure that a 'Diagnostic Setting' exists
    • Ensure Diagnostic Setting captures appropriate categories
  • Azure Resource Group
    • Ensure that Resource Locks are set for Mission-Critical Azure Resources
  • Azure Disk Storage
    • Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
  • Azure Virtual Network Gateway
    • Ensure Virtual Network Gateway is configured with Cryptographic Algorithm
  • Azure Analysis Services
    • Ensure that firewall rules are enabled and configured for Analysis services server
  • Azure role-based access control
    • Ensure to audit role assignments that have implicit managed identity permissions
    • Ensure to audit role assignments that have implicit 'Owner' permissions
    • Ensure to audit role assignments that have implicit role management permissions
    • Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
    • Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • Azure Role Definition
    • Ensure custom role definition doesn't have excessive permissions (Wildcard)
  • Azure Active Directory
    • Ensure that Azure Active Directory Admin is configured for SQL Server
    • Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account
    • Ensure That 'Number of methods required to reset' is set to '2'
    • Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
    • Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • MySQL DB Flexible Server
    • Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Flexible Server
    • Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
  • MySQL DB Single Server
    • Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Single Server
  • Auto Provisioning Settings
    • Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
  • Security Contact
    • Ensure 'Additional email addresses' is Configured with a Security Contact Email
    • Ensure That 'Notify about alerts with the following severity' is Set to 'High'
    • Ensure That 'All users with the following roles' is set to 'Owner'
    • Ensure the 'ServiceAdmin' role is listed as an email recipient for Defender alerts
  • Defender Plans
    • Ensure That Microsoft Defender for Servers Is Set to 'On'
    • Ensure That Microsoft Defender for App Services Is Set To 'On'
    • Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
    • Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
    • Ensure That Microsoft Defender for Storage Is Set To 'On'
    • Ensure that Microsoft Defender for Container Registries is set to 'On'
    • Ensure That Microsoft Defender for Key Vault Is Set To 'On'
    • Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
    • Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
    • Ensure That Microsoft Defender for Containers Is Set To 'On'
    • Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
    • Ensure That Microsoft Defender for DNS Is Set To 'On'
    • Ensure That Microsoft Defender for Databases Is Set To 'On'
  • PostgreSQL Flexible Server
    • Ensure 'Allow access to Azure services' for PostgreSQL Flexible Server is disabled
  • Defender Integrations
    • Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
    • Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
  • AD Security Defaults
    • Ensure Security Defaults is enabled on Azure Active Directory
  • AD Authorization Policy
    • Ensure That 'Users Can Register Applications' Is Set to 'No'
    • Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
    • Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
    • Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • AD Access Reviews Schedule Definition
    • Ensure Guest Users Are Reviewed on a Regular Basis

cft policies

  • AWS Key Management Service (KMS)
    • Ensure that KMS key has key rotation enabled
    • Ensure that the KMS key has key rotation enabled
    • Ensure that KMS key policy does not allow access to everyone
    • Ensure that there is no wildcard action in an inline KMS key policy
    • Ensure that there is no wildcard principal in an inline KMS key policy
    • Ensure that an inline KMS key policy does not allow full administrative rights
  • Amazon RDS
    • Ensure enhanced monitoring for Amazon RDS instances is enabled
    • Ensure that RDS IAM authentication is enabled
    • Ensure RDS instances have backup policy
    • Ensure RDS instances have Multi-AZ enabled
    • Ensure AWS RDS database instance is not publicly accessible
    • Ensure that encryption is enabled for RDS Instances
  • Elastic Load Balancing (ELB)
    • Ensure that ELB V2 Listener protocol is not HTTP or TCP
    • Ensure ELB enforces recommended SSL/TLS protocol version
  • AWS Key Management Service (KMS)
    • Ensure that there is no wildcard action in an inline KMS replica key policy
    • Ensure that there is no wildcard principal in an inline KMS replica key policy
    • Ensure that an inline KMS replica key policy does not allow full administrative rights
    • Ensure A Pod Runs Without Privileged Containers
  • Amazon ElasticSearch service
    • Ensure that encryption of data at rest is enabled on Elasticsearch domains
    • Ensure that there is no Wildcard principal in ElasticSearch access policy
    • Ensure Elasticsearch Domain enforces HTTPS
    • Ensure that there is no wildcard action in ElasticSearch access policy
    • Ensure Elasticsearch Domain Logging is enabled
    • Ensure that node-to-node encryption is enabled for Elasticsearch service
  • Amazon RDS DBCluster
    • Ensure RDS cluster has IAM authentication enabled
    • Ensure that RDS DB cluster has encryption enabled
  • Amazon API Gateway
    • Ensure that all authorization Type in API Gateway is not set to None
    • Ensure that an API Key is required on a Method Request
    • Ensure API gateway methods are not publicly accessible
  • AWS ElasticLoadBalancingV2 LoadBalancer
    • Ensure that access logging is enabled for the ELB v2
    • Ensure that a Load balancer is not internet facing
    • Ensure that ELB v2 drops invalid headers
  • Amazon RDS GlobalCluster
    • Ensure that RDS global cluster has encryption enabled
  • AWS CloudFront Distribution
    • CloudFront Distribution should have WAF enabled
    • Ensure Cloudfront distribution has Access Logging enabled
    • Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS
  • AWS Lambda
    • Ensure AWS Lambda functions have tracing enabled
    • Ensure that AWS Lambda function is configured for function-level concurrent execution limit
    • Ensure that AWS Lambda function is configured for a Dead Letter Queue
    • Lambda Functions must have an associated tag
  • AWS Lambda
    • Ensure that there is no wildcard action in Lambda permission
    • Ensure that there is no wildcard principal in Lambda permission
  • Amazon Elastic File System (EFS)
    • Ensure that your Amazon EFS file systems are encrypted
  • AWS Lambda
    • Ensure that AWS lambda layer version permissions does not have a wildcard principal
  • AWS DocDB DBClusterParameterGroup
    • Ensure DocDB TLS is not disabled
  • Amazon DynamoDB
    • Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Keys) instead of AWS-owned CMKs
  • AWS EC2 SecurityGroupEgress
    • Ensure that every security group egress object has a description
  • VPC Subnet
    • Ensure AWS VPC subnets have automatic public IP assignment disabled
  • AWS ElasticLoadBalancingV2 TargetGroup
    • Ensure that ELB target group has a health check enabled
  • DB Security Group
    • Ensure that AWS DB Security Group does not allow public access
  • Amazon Kinesis
    • Ensure AWS Kinesis streams are encrypted with KMS customer master keys
  • AWS Backup BackupVault
    • Ensure Backup Vault is encrypted at rest using KMS CMK
  • AWS Identity and Access Management (IAM)
    • Ensure That Access Key Rotation Is Less Than 90 Days
  • Simple Storage Service (S3)
    • Ensure all S3 buckets employ encryption-at-rest
    • Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
    • S3 bucket should not allow all actions from all principals
    • S3 bucket should not allow delete actions from all principals
    • S3 bucket should not allow 'get' actions from all principals
    • S3 bucket should not allow list actions from all principals
    • S3 bucket should not allow put actions from all principals
    • S3 bucket should not allow restoring object actions from all principals
    • Ensure that the S3 bucket is not publicly readable
    • Ensure that the S3 bucket is not publicly writable
    • Ensure that S3 server access logging is enabled
    • Ensure that S3 bucket has versioning enabled
    • Ensure that the S3 bucket has lifecycle configuration enabled
    • Ensure that the S3 bucket has object lock enabled
  • Amazon EC2 Instance
    • Ensure that the root block device has encryption enabled
    • Ensure AWS EC2 Instances use IAM Roles to control access
    • Ensure that address source/destination check is enabled on the instance
    • Amazon EC2 instance must have an associated tag
    • Ensure that EC2 API termination protection is enabled
    • Ensure that EC2 instance does not have public IP enabled
    • Ensure that EC2 is EBS optimized
    • Ensure that detailed monitoring for EC2 instances is enabled
  • Amazon Elastic Block Storage (EBS)
    • Ensure that EBS volume has encryption enabled
  • AWS DocDB DBCluster
    • Ensure DocDB is encrypted at rest
    • Ensure DocDB has audit logs enabled
    • Ensure DocDB Logging is enabled
  • AWS AutoScaling LaunchConfiguration
    • Ensure all data stored in the Launch configuration EBS is securely encrypted
  • AWS DAX Cluster
    • Ensure DAX is encrypted at rest (default is unencrypted)
  • AWS IAM Policy
    • Ensure that there is no wildcard action in an IAM policy
    • Ensure that the IAM Policy does not grant full administrative rights
    • Ensure that IAM policy is not directly attached to a user
  • AWS Managed Policy
    • Ensure that there is no wildcard action in a customer managed IAM policy
    • Ensure that customer managed IAM policy does not grant full administrative rights
    • Ensure that a customer managed IAM policy is not directly attached to a user
  • IAM User
    • Ensure that IAM user does not have directly embedded policy
    • Ensure that password reset is required in IAM login profile
    • Ensure that there is no wildcard action in an inline IAM user policy
    • Ensure that there is no wildcard resource in an inline IAM user policy
    • Ensure that an inline IAM user policy does not allow full administrative rights
  • IAM Role
    • Ensure that IAM Role cannot be assumed by anyone
    • Ensure that there is no wildcard action in an inline IAM role policy
    • Ensure that there is no wildcard resource in an inline IAM role policy
    • Ensure that an inline IAM role policy does not allow full administrative rights
  • IAM Group
    • Ensure that there is no wildcard action in an inline IAM group policy
    • Ensure that there is no wildcard resource in an inline IAM group policy
    • Ensure that an inline IAM group policy does not allow full administrative rights
  • CloudTrail
    • Ensure CloudTrail logs are encrypted at rest using KMS CMKs
    • Ensure CloudTrail is enabled in all regions
    • Ensure CloudTrail logging is enabled
    • Ensure CloudTrail log file validation is enabled
    • Ensure that CloudTrail is integrated with CloudWatch
  • AWS ElasticLoadBalancing LoadBalancer
    • Ensure that access logging is enabled for the classic ELB
    • Ensure that a classic Load balancer is not internet facing
    • Ensure that ELB has a health check setup
    • Ensure that ELB Listener protocol is HTTPS or SSL
  • AWS ApiGateway Stage
    • Ensure API Gateway has Access Logging enabled
    • Ensure API Gateway caching is enabled
    • Ensure API Gateway has X-Ray Tracing enabled
  • AWS ApiGatewayV2 Stage
    • Ensure API Gateway V2 has Access Logging enabled
  • Amazon NACL
    • Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS Security Group
    • Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to ElasticSearch (TCP:9300)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to Kibana (TCP:5601)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to Redis (TCP:6379)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to etcd (TCP:2379)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to MongoDB (TCP:27017)
    • Ensure no security group ingress allows traffic from 0.0.0.0/0 to MongoDB (TCP:27018)
    • Ensure that every security group ingress object has a description
  • AWS EC2 SecurityGroup
    • Ensure no security groups allow ingress from 0.0.0.0/0 to ElasticSearch (TCP:9300)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to Kibana (TCP:5601)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP:6379)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to etcd (TCP:2379)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27017)
    • Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27018)
    • Ensure that every security group ingress rule has a description
    • Ensure that every security group egress rule has a description
    • Ensure every security group rule has a description
  • Amazon EC2 Instance
    • Ensure that EC2Fleet of type maintain has ReplaceUnhealthyInstances set to true

Docker policies

  • Docker
    • Ensure Using 'ADD' instead of 'COPY' for copying files from filesystem
    • Ensure Local cache path not used in apk add
    • Ensure delete installations lists after installation by 'apt'
    • Ensure Pin version in 'apt-get' install
    • Ensure no manual input in 'apt install'
    • Ensure disabling recommended package in apt-get (--no-install-recommends)
    • Ensure minimal execution of 'chown'
    • Ensure no manual input in 'yum install'
    • Ensure 'yum install' has pinned version
    • Ensure zypper install has pinned version
    • Ensure not to use in RUN both 'curl' and 'wget'
    • Ensure not to use the same alias in multiple 'FROM'
    • Ensure 'RUN' shell command has pipefail flag
    • Ensure not to expose UNIX ports out of range
    • Ensure 'apk' add has pinned version for package
    • Ensure pip install has pinned version for package
    • Ensure no specific platform in FROM command
    • Ensure no relative workdir path
    • Ensure to run yum clean command
    • Ensure not using the current FROM alias as COPY '--from' value
    • Ensure remove any unused 'FROM' aliases (not used by 'COPY --from')
    • Ensure in COPY of multiple sources the destination always ends with '/'
    • Ensure not expose SSH Port 22
    • Ensure hardcoded version in gem install
    • Ensure hardcoded image version in dockerfile
    • Ensure not use 'root' in the last 'USER' call in dockerfile
    • Ensure 'dnf clean' after 'dnf install' for image storage space saving
    • Ensure no manual input in 'dnf' install
    • Ensure use 'USER' before 'CMD' or 'ENTRYPOINT' your application
    • Ensure 'HEALTHCHECK' is set
    • Ensure to pin version specification in 'dnf install'
    • Ensure use 'Zypper clean' after 'Zypper install'
    • Ensure no manual input in 'Zypper install'
    • Ensure 'ENTRYPOINT' and 'CMD' arguments use valid JSON values
    • Ensure Pin version in 'npm' install
    • Ensure use '--no-cache-dir' in pip install
    • Ensure Using 'WORKDIR' rather than 'RUN cd' command
    • Ensure not use sudo by 'RUN'
    • Ensure not more than one 'ENTRYPOINT' in dockerfile

alicloud policies

  • Alicloud
    • Ensure Alibaba Cloud Action Trail logging across all regions
    • Ensure Alibaba Cloud OSS Bucket is Not Accessible To Public
    • Ensure Application Load Balancer (ALB) Listener Should Listen On HTTPS
    • Ensure Alibaba Cloud API Gateway API Protocol Set To 'HTTPS'
    • Ensure Alicloud KMS Possess Usable Customer Master Keys (CMK)
    • Ensure CS Kubernetes Node Pool Management Auto Repair is enabled
    • Ensure Database Instance is Not Publicly Accessible
    • Ensure Disk Encryption is Encrypted
    • Ensure ECS Data Disk KMS Key Id is Defined. The ID of the Key Management Service (KMS) key used by the disk.
    • Ensure KMS Key Has Low Rotation Period
    • Ensure Kubernetes Cluster is with Terway as CNI Network Plugin
    • Ensure Launch Template is Encrypted
    • Ensure Log Retention is Higher Than 90 Days
    • Ensure NAS File System is Encrypted
    • Ensure NAS File System is with KMS
    • Ensure ROS Stack Policy
    • Ensure OSS Bucket Encryption Using CMK is enabled
    • Ensure OSS Bucket Does Not Have Static Website
    • Ensure OSS Bucket Lifecycle Rule is enabled
    • Ensure OSS Bucket Logging is enabled
    • Ensure OSS Bucket Public Access is Disabled
    • Ensure OSS Bucket Transfer Acceleration is enabled
    • Ensure OSS Bucket Versioning is enabled
    • Ensure Public Security Group Rule is Not Set To All Ports or Protocols
    • Ensure Public Security Group Rule is Not Use Sensitive Port
    • Ensure Ram Account Password Policy Max Login Attempts is Low
    • Ensure Ram Account Password Policy Max Password Age is Recommended
    • Ensure Ram Account Password Policy is Required Minimum Length
    • Ensure Ram Account Password Policy is Required Numbers
    • Ensure RAM Account Password Policy is Required Symbols
    • Ensure RAM Account Password Policy is with Reuse Prevention
    • Ensure Ram Account Password Policy is Require At Least one Lowercase Character
    • Ensure RAM Account Password Policy is Require at Least one Uppercase Character
    • Ensure Ram Policy is Not Attached to a User
    • Ensure ROS Stack Notifications is enabled
    • Ensure ROS Stack Retention is Enabled
    • Ensure ROS Stack is with Template
    • Ensure SLB Policy with Secure TLS Version In Use
    • Ensure Public Security Group Rule is Known Port
    • Ensure VPC Flow Logs Enabled
    • Ensure RDS Instance Log Connections is enabled
    • Ensure RDS Instance Log Disconnections is enabled
    • Ensure RDS Instance Log Duration is enabled
    • Ensure RDS Instance is Not Publicly Accessible
    • Ensure RDS Instance Retention Period is Recommended
    • Ensure RDS Instance SSL Action is enabled
    • Ensure RDS Instance TDE Status is enabled
    • Ensure RDS Instance Events is Logged
    • Ensure OSS Bucket Does Not Allow All Actions From All Principals
    • Ensure OSS Bucket Does Not Allow Delete Action From All Principal
    • Ensure OSS Bucket Does Not Allow Delete Action From All Principals
    • Ensure OSS Bucket Does Not Allow Put Action From All Principals
    • Ensure OSS Bucket Ip Restriction Enabled
    • Ensure OSS Buckets Secure Transport Enabled
    • Ensure RAM Security Preference is Enforce MFA Login

SCM Policies

  • Gitlab Settings API
    • Ensure to reset approvals on push
    • Ensure disabling self approving merge requests by the author
    • Ensure to prevent approvals by users who add commits
    • Ensure requiring user password to approve
    • Ensure use 'HTTPS' in all hooks
    • Ensure Enable SSL verification is enabled
    • Ensure require of minimum approvals before merge
    • Ensure require all discussions will be resolved before merge
    • Ensure the 'allow force push' setting is disabled.
  • Gitlab Pipelines
    • Ensure not to use the 'latest' tag for any GitLab pipelines images
    • Ensure to review suspicious use of 'curl' / 'wget' with CI environment CI_JOB_TOKEN or CI_REGISTRY_PASSWORD variable
    • Ensure to review suspicious use of 'netcat' in GitLab pipeline script
    • Ensure not directly use 'kubectl apply' in scripts
  • GitHub Settings API
    • Ensure no branch has 'force push' enabled
    • Ensure Vulnerability alerts are enabled
    • Ensure open Git branches are up to date before you can merge them into the code base
    • Ensure branch deletions are disabled
    • Ensure two administrators are set for each repository
    • Ensure inactive repositories are reviewed and archived periodically
    • Ensure webhooks of the package registry are secured
    • Verify that the organization has an SSH Certificate Authority server
    • Ensure an organization's identity is confirmed with a "Verified" badge
    • Ensure repository creation is limited to specific members
    • Ensure the organization requires members to use Multi-Factor Authentication (MFA)
    • Ensure inactive branches are periodically reviewed and removed
    • Ensure strict base permissions are set for repositories
    • Ensure inactive users are reviewed and removed periodically
    • Ensure the branch has Branch Protection
    • Ensure the maximum number of admins per repo is not exceeded
    • Ensure the maximum number of deploy keys per repo is not exceeded
    • Ensure the maximum number of webhooks per repo is not exceeded
    • Ensure branch has branch protection
    • Ensure the branch require code owner reviews
    • Ensure the branch require minimum code owner reviews
    • Ensure verification of signed commits for new changes before merging
    • Ensure the maximum number of users allowed to dismiss review is not exceeded
    • Ensure the GitHub action is restricted
    • Ensure the GitHub action created by Github has restrictions
    • Ensure only verified GitHub actions in-use
    • Ensure repo is private
    • Ensure branch requires linear history
    • Ensure the branch requires status checks to pass before merging
    • Ensure all open comments are resolved before allowing code change merging
    • Ensure branch protection rules are enforced for administrators
    • Ensure previous approvals are dismissed when updates are introduced to a code
    • Ensure disabling anonymous Git read access for a repository
    • Ensure organization's webhooks are secured
    • Ensure packages' organization has no public visibility
    • Ensure no branch has force push enabled
    • Ensure the branch has Branch Protection
    • Ensure Vulnerability alerts are enabled
    • Ensure the maximum number of admins per repo is not exceeded
    • Ensure branch require code owner reviews
    • Ensure branch require minimum code owner reviews
    • Ensure the maximum number of users allowed dismissing review is not exceeded
  • GitHub Actions
    • Ensure not to use the 'latest' tag for any GitHub actions image
    • Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS not set to true on environment variables
    • Ensure using safe curl command without secrets
    • Ensure the Netcat command not used
    • Ensure workflow_dispatch must be empty
    • Ensure not using pull_request_target event
    • Ensure using an intermediate environment variable
    • Ensure using HTTPS protocol
    • Ensure not using permissions to write all
    • Ensure not use docker --privileged
    • Ensure not directly use kubectl in script
    • Ensure not use sudo command
    • Ensure run commands are not vulnerable to shell injection
    • Ensure not use npm install in the run command
    • Ensure not use uncontrolled values
  • Azure Pipelines
    • Ensure Containers Jobs Use a Non-Latest Version Tag
    • Ensure Container Job Uses a Version Digest
    • Ensure Set Variable Is Not Marked As a Secret
    • Ensure Azure Pipelines Workflows Are Without Usage of Image

serverless-framework

  • AWS Serverless Framework
    • Ensure Serverless Framework API should have HTTP Access Logging is enabled
    • Ensure Serverless Function Uses Encrypt Environment Variables
    • Ensure that roles defined in Serverless Framework files should not have policies granting full administrative privileges
    • Ensure that roles defined in Serverless Framework files should not have policies granting full administrative privileges
    • Ensure that Serverless API With Content-Encoding
    • Ensure Serverless Framework Function should have associated tags
    • Ensure Serverless Framework Function Should Not Share IAM Roles
    • Ensure Serverless Framework API Endpoint Config Is Private
    • Ensure Serverless Framework API X-Ray Tracing Is Enabled
    • Ensure Serverless Framework Function Has Dead Letter Queue
    • Serverless Framework Function Has X-Ray Tracing
    • Ensure that roles defined in Serverless Framework files should not have policies granting full administrative privileges
    • Ensure that roles defined in Serverless Framework files should not have policies granting full administrative privileges

openapi

  • OpenAPI
    • Ensure SecurityDefinitions Is Defined And Not Empty
    • Ensure Schema Array Items Type Should Be Defined
    • Ensure array schema should have the field `maxItems` set
    • Ensure API Keys are not sent as clear-text over an unencrypted channel
    • Ensure Global Security Field Is defined
    • Ensure that the format keyword is valid for the type defined in the schema
    • Ensure JSON object schema have 'properties' defined and 'additionalProperties' set to false
    • Ensure Maximum String Length Defined
    • Ensure All Paths Have Security Scheme
    • Ensure Numeric Schema Maximum Defined
    • Ensure Common Responses Defined
    • Ensure schema defined for each response that is not head or its code is not 204 or 304
    • Ensure The Schema Object defined and not empty to avoid accepting any JSON values
    • Ensure security object has defined rules in its array and rules are defined on securityScheme
    • Ensure security object for operations is not empty object or has any empty object definition
    • Ensure string schema with broad pattern
    • Ensure each operation define at least one success response

Malicious open source packages

  • Malicious code execution
  • Malicious import
  • Malicious harvester
  • Troll package
  • Malicious code demonstration
  • Malicious code download & execution
  • Malicious domain
  • Remote shell enabler
  • Malicious author
  • Stealing PII

GCP IAM User


An IAM user is an entity that you create in GCP to represent the person or service that uses it to interact with GCP.

Updated almost 3 years ago
