Welcome

Welcome to CheckPoint CloudGuard Guides!

Overview

How to Get Started
Concepts
Platforms

Products

Secrets Scanning
Infrastructure as Code
CI/CD Hardening
Open Source

SpectralOps

Dashboard
Triage Issues
Sources
Reports
Integrations
Profile
Team & User Permissions (RBAC)
Teams and Asset Mapping
Custom Rules
SSO
SCM

Usage

CLI
Configuration
Output
Detectors

Integrations

Productivity
- Jira
- Confluence
Cloud Automation
- Terraform Cloud Run task
Git Provider Bot
- Github Bot
- Gitlab Bot
Pre receive Git hooks
- Gitlab pre receive hook
- Bitbucket pre receive hook
CI/CD
- Gitlab Pipeline

config policies

Memcached
MySQL
Kafka
PostgreSQL
Airflow
Redis

secrets policies

Secrets

aws policies

Elastic Load Balancing (ELB)
Region
Application Load Balancer
Amazon EC2 Instance
Simple Storage Service (S3)
Network Load Balancer
IAM User
IAM Role
Amazon Elastic File System (EFS)
AWS Security Group
AWS Identity and Access Management (IAM)
Amazon RDS
CloudTrail
AWS Nat Gateway
Amazon ElastiCache
AWS Network-Firewall
IAM Policy
Amazon Elastic Container Service
IAM Server Certificate
AWS Lambda
Amazon API Gateway
AWS Certificate Manager
Amazon VPC Endpoints
EKS Cluster
Amazon Secrets Manager
Amazon Kinesis
Amazon ElasticSearch service
Amazon SageMaker
Amazon DynamoDB
AWS Transit Gateway
Subnet
- Ensure AWS VPC subnets have automatic public IP assignment disabled
Amazon Elastic Block Storage (EBS)
IAM Group
Amazon CloudFront
Simple Queue Service (SQS)
EC2 Auto Scaling Group
Amazon Systems Manager document
- Amazon System Manager Document should not be publicly available
- Ensure that public System Manager Documents include parameters
SNS Topic
AWS Config
- Ensure that the configuration recorder is set to 'on' and set S3 Bucket and SNS topic as your delivery channel
Amazon ECS Task Definitions
- Enable container's health checks
- Container metadata
IAM SAML Identity Provider
- Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
Route53RecordSetGroup
- Ensure S3 Bucket exists for A records routing traffic to an S3 Bucket website endpoint
- Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint
Amazon Route 53
Amazon VPC
Amazon Elastic Container Service - Cluster
Route53 Hosted Zone
- Use Route53 for scalable, secure DNS service in AWS.
AWS Key Management Service (KMS)
Amazon Redshift
Amazon Systems Manager Parameter
- Ensure that sensitive parameters are encrypted
Amazon Machine Image (AMI)
- Ensure that EC2 AMIs are not publicly accessible
EMR Cluster
Amazon NACL
- Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Route Table
- Ensure AWS NAT Gateways are being utilized instead of the default route
AWS EcrRepository

kubernetes policies

Pods
Kubernetes Role
Node
Kubernetes Role Binding
Network Policies
Kubernetes Service Account
- Ensure that Service Account Tokens are only mounted where necessary (RBAC)
- Ensure that default service accounts are not actively used (RBAC - ServiceAccount)
Pod Security Policies
Service
- CVE-2020-8554: Services should not use 'externalIPs'
- Services should not expose SSH port

google policies

Virtual Machine Instances
Kubernetes Cluster
GCP AlertPolicy
GCP IAM Policy
GCP CloudSql
GCP Security Group
Storage Bucket
GCP IAM User
GCP API Key
Google Cloud Function
GCP VPC Network
Subnet
GCP Project
BigQuery
Service Account
Cloud Key Management Service
- Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
- Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
Google Pub/Sub
- Ensure PubSub service is encrypted, with customer managed encryption keys.
GCP DNS Managed Zone
Https Load Balancer Proxy
- Ensure No HTTPS Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
- Ensure no SSL proxy load balancers permit SSL policies with weak cipher suites
Log Sink
- Ensure That Sinks Are Configured for All Log Entries
GCP Dataproc Cluster
- Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
GCP EssentialContact
- Ensure Essential Contacts is Configured for Organization
- Ensure Essential Contacts are defined for your Google Cloud organization

azure policies

SQL Server on Virtual Machines
Virtual Machine
Azure Key Vault
Network security group
Azure SQL Database
Security Center - Policy
- Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
Azure Alert Rule
Spring Cloud
Azure Network Watcher
- Ensure that Network Watcher is 'Enabled'
Network Security Group flow logs
- Ensure Flow-Logs Retention Policy is greater than 90 days
- Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
Azure Redis Cache
Container Registry
Azure functions
Azure Database for PostgreSQL
Azure Storage Account
Azure Application Gateway
Virtual Network
Log Profile
Azure AKS
Web Apps service
Azure Cosmos DB
Azure Monitor Logs
- Ensure that a 'Diagnostic Setting' exists
- Ensure Diagnostic Setting captures appropriate categories
Azure Resource Group
- Ensure that Resource Locks are set for Mission-Critical Azure Resources
Azure Disk Storage
- Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
Azure Virtual Network Gateway
- Ensure Virtual Network Gateway is configured with Cryptographic Algorithm
Azure Analysis Services
- Ensure that firewall rules are enabled and configured for Analysis services server
Azure role-based access control
Azure Role Definition
- Ensure custom role definition doesn't have excessive permissions (Wildcard)
Azure Active Directory
My SQL DB Flexible Server
- Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Flexible Server
- Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
My SQL DB Single Server
- Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Single Server
Auto Provisioning Settings
- Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
Security Contact
Defender Plans
PostgreSQL Flexible Server
- Ensure 'Allow access to Azure services' for PostgreSQL Flexible Server is disabled
Defender Integrations
- Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
- Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
AD Security Defaults
- Ensure Security Defaults is enabled on Azure Active Directory
AD Authorization Policy
AD Access Reviews Schedule Definition
- Ensure Guest Users Are Reviewed on a Regular Basis

cft policies

AWS Key Management Service (KMS)
Amazon RDS
Elastic Load Balancing (ELB)
- Ensure that ELB V2 Listener protocol is not HTTP or TCP
- Ensure ELB enforces recommended SSL/TLS protocol version
AWS Key Management Service (KMS)
Amazon ElasticSearch service
Amazon RDS DBCluster
- Ensure RDS cluster has IAM authentication enabled
- Ensure that RDS DB cluster has encryption enabled
Amazon API Gateway
AWS ElasticLoadBalancingV2 LoadBalancer
Amazon RDS GlobalCluster
- Ensure that RDS global cluster has encryption enabled
AWS CloudFront Distribution
AWS Lambda
AWS Lambda
- Ensure that there is no wildcard action in Lambda permission
- Ensure that there is no wildcard principal in Lambda permission
Amazon Elastic File System (EFS)
- Ensure that your Amazon EFS file systems are encrypted
AWS Lambda
- Ensure that AWS lambda layer version permissions does not have a wildcard principal
AWS DocDB DBClusterParameterGroup
- Ensure DocDB TLS is not disabled
Amazon DynamoDB
- Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's
AWS EC2 SecurityGroupEgress
- Ensure that every security group egress object has a description
VPC Subnet
- Ensure AWS VPC subnets have automatic public IP assignment disabled
AWS ElasticLoadBalancingV2 TargetGroup
- Ensure that ELB target group has a health check enabled
DB Security Group
- Ensure that AWS DB Security Group does not allow public access
Amazon Kinesis
- Ensure AWS Kinesis streams are encrypted with KMS customer master keys
AWS Backup BackupVault
- Ensure Backup Vault is encrypted at rest using KMS CMK
AWS Identity and Access Management (IAM)
- Ensure That Access Key Rotation Is Less Than 90 Days
Simple Storage Service (S3)
Amazon EC2 Instance
Amazon Elastic Block Storage (EBS)
- Ensure that EBS volume has encryption enabled
AWS DocDB DBCluster
AWS AutoScaling LaunchConfiguration
- Ensure all data stored in the Launch configuration EBS is securely encrypted
AWS DAX Cluster
- Ensure DAX is encrypted at rest (default is unencrypted)
AWS IAM Policy
AWS Managed Policy
IAM User
IAM Role
IAM Group
CloudTrail
AWS ElasticLoadBalancing LoadBalancer
AWS ApiGateway Stage
AWS ApiGatewayV2 Stage
- Ensure API Gateway V2 has Access Logging enabled
Amazon NACL
- Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
AWS Security Group
AWS EC2 SecurityGroup
Amazon EC2 Instance
- Ensure that EC2Fleet of type maintain has ReplaceUnhealthyInstances set to true

Docker policies

Docker

alicloud policies

Alicloud

SCM Policies

Gitlab Settings API
Gitlab Pipelines
GitHub Settings API
GitHub Actions
Azure Pipelines

serverless-framework

AWS Serverless Framework

openapi

OpenAPI

Malicious open source packages

Malicious code execution
Malicious import
Malicious harvester
Troll package
Malicious code demonstration
Malicious code download & execution
Malicious domain
Remote shell enabler
Malicious author
Stealing PII

Powered by

secrets policies
Secrets

Log shipping access/API detail visible

Updated 6 months ago

Cloud services hosts should not be visible or hardcoded

Build or artifact systems access details visible