Jump to Content
Guides
API Reference
Log In
Log In
Guides
API Reference
Search
Welcome
Welcome to CheckPoint CloudGuard Guides!
Overview
How to Get Started
Concepts
Platforms
Products
Secrets Scanning
Infrastructure as Code
CI/CD Hardening
SpectralOps
Dashboard
Triage Issues
Scans
Sources
Reports
Integrations
Profile
Team & User Permissions (RBAC)
Teams and Asset Mapping
Custom Rules
SSO
Setup SSO (SAML 2.0)
Setup SSO with OKTA
Setup SSO with OneLogin
Usage
CLI
Configuration
Output
Detectors
Quick Start
Building Detectors
Logic Rules (OPA)
Codeprinting
The Detector Engine
Integrations
Productivity
Jira
Confluence
Slack
Cloud Automation
Terraform Cloud Run task
Git Provider Bot
Github Bot
Gitlab Bot
Pre receive Git hooks
Bitbucket pre receive hook
config policies
Memcached
Memcache: configured to run as root
Memcache: configured to use UDP
Memcache: default binding to world
MySQL
MySQL allowing symbolic links invites various attacks
MySQL: usage of short password
MySQL: configured to run as root
MySQL: binding to world
Kafka
Kafka: using dated SSL/TLS protocols is insecure
Kafka: accepting unauthenticated connections is insecure
Kafka: hardcoded password in configuration is insecure
Kafka: usage of short password
PostgreSQL
Postgres: no password / trusted host configuration
Postgres: default binding to world
Postgres: no password / trusted host configuration
Postgres: SSL/TLS is off
Airflow
Airflow: default binding to world
Airflow: Use of REST API Token
Airflow: Visible Fernet Key
Redis
Redis: usage of weak password (ACL)
Redis: protected-mode no and default binding to world
Redis: protected-mode and weak ACL configuration
secrets policies
Secrets
Data files / database files found
SaaS vendor credentials should not be visible
Cloud services keys should not be visible or hardcoded
Cloud services hosts should not be visible or hardcoded
Log shipping access/API detail visible
Build or artifact systems access details visible
Visible private key or sensitive file
SaaS services hosts should not be visible or hardcoded
Visible sensitive data (PII/other)
AWS S3 Buckets: Visible endpoint
Potential keys or passwords are visible/hardcoded
App/framework keys or passwords are visible/hardcoded
Cloud services keys should not be visible or hardcoded
aws policies
Elastic Load Balancing (ELB)
Public ELB with service 'Known internal web port' (TCP:8080) is exposed to a small public network
Public ELB with service 'POP3' (TCP:110) is exposed to the entire internet
ELB with service 'POP3' (TCP:110) is exposed to a wide network scope
ELB with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
ELB with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
Public ELB with service 'DNS' (UDP:53) is exposed to a small public network
Public ELB with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
ELB with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
ELB with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
Public ELB with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
Public ELB with service 'SMTP' (TCP:25) is exposed to a small public network
Public ELB with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
Public ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
Ensure that AWS Elastic Load Balancers (ELB) have no outbound rules in their security groups
ELB with service 'DNS' (UDP:53) is exposed to a wide network scope
ELB with service 'VNC Server' (TCP:5900) is exposed to a small network scope
Public ELB with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
ELB with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
Public ELB with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
Public ELB with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
Public ELB with service LDAP SSL (TCP:636) is potentially exposed to the public internet
Public ELB with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
ELB with unencrypted Memcached (TCP:11211) is exposed to a small network scope
Public ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
ELB with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
Public ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
Public ELB with service 'Cassandra' (TCP:7001) is exposed to the entire internet
Ensure that AWS Elastic Load Balancers (ELB) have inbound rules in their security groups
Public ELB with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
Public ELB with service 'SNMP' (UDP:161) is exposed to a small public network
ELB with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
ELB with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
ELB with service 'SMTP' (TCP:25) is exposed to a wide network scope
ELB with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
ELB with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
ELB with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
ELB with service 'Telnet' (TCP:23) is exposed to a small network scope
Public ELB with service 'SMTP' (TCP:25) is exposed to the entire internet
Public ELB with service 'Telnet' (TCP:23) is exposed to the entire internet
Public ELB with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
Public ELB with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
Public ELB with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
Public ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
ELB with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
Public ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
Public ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
Public ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
Public ELB with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
Public ELB with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
Public ELB with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
Public ELB with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
Public ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
Public ELB with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
Public ELB with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
ELB with service 'POP3' (TCP:110) is exposed to a small network scope
Public ELB with service SNMP (UDP:161) is potentially exposed to the public internet
Public ELB with service SMTP (TCP:25) is potentially exposed to the public internet
ELB with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
ELB with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
Public ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
Public ELB with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
ELB secured listener certificate expires in one month
ELB is setup with HTTPS for secure communication
Public ELB with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
Public ELB with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
ELB with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
Public ELB with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
ELB with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
Public ELB with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
Public ELB with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
Public ELB with service 'Telnet' (TCP:23) is exposed to a small public network
ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
ELB with administrative service: SSH (TCP:22) is exposed to a wide network scope
ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
Public ELB with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
Public ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
ELB with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
ELB with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
ELB with unencrypted LDAP (TCP:389) is exposed to a small network scope
Public ELB with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
ELB with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
Public ELB with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
Public ELB with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
Public ELB with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
ELB with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
ELB with unencrypted LDAP (TCP:389) is exposed to a wide network scope
Public ELB with service 'Cassandra' (TCP:7001) is exposed to a small public network
Public ELB with service VNC Listener (TCP:5500) is potentially exposed to the public internet
Public ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
Public ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
ELB with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
ELB with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
Public ELB with service Cassandra (TCP:7001) is potentially exposed to the public internet
Public ELB with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
Public ELB with service 'VNC Server' (TCP:5900) is exposed to a small public network
Public ELB with service 'MySQL' (TCP:3306) is exposed to a small public network
ELB with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
ELB with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
ELB with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
ELB with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
ELB with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
Public ELB with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
ELB with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
Public ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
Public ELB with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
ELB with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
ELB with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
ELB with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
ELB with service 'SNMP' (UDP:161) is exposed to a small network scope
Remove Weak Ciphers for ELB
ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
ELB with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
Public ELB with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
Public ELB with service Puppet Master (TCP:8140) is potentially exposed to the public internet
ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
Public ELB with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
Public ELB with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
ELB with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
Public ELB with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
ELB with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
ELB with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
Public ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
Public ELB with service 'MySQL' (TCP:3306) is exposed to the entire internet
ELB with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
Public ELB with service 'SNMP' (UDP:161) is exposed to the entire internet
ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
Public ELB with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
Public ELB with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
Public ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
Public ELB with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
Public ELB with service 'Puppet Master' (TCP:8140) is exposed to a small public network
ELB with unencrypted Memcached (UDP:11211) is exposed to a small network scope
ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
ELB with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
ELB with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
Public ELB with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
ELB with unencrypted Mongo (TCP:27017) is exposed to a small network scope
Public ELB with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
ELB with service 'SMTP' (TCP:25) is exposed to a small network scope
ELB - Recommended SSL/TLS protocol version
ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
Public ELB with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
ELB with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
Public ELB with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
ELB with service 'SNMP' (UDP:161) is exposed to a wide network scope
ELB with administrative service: SSH (TCP:22) is potentially exposed to the public internet
ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
Public ELB with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
ELB with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
ELB with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
Public ELB with service Known internal web port (TCP:8000) is potentially exposed to the public internet
Public ELB with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
Public ELB with service POP3 (TCP:110) is potentially exposed to the public internet
Public ELB with service 'VNC Server' (TCP:5900) is exposed to the entire internet
ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
ELB with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
Public ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
ELB with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
Public ELB with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
Public ELB with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
Public ELB with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
ELB with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
Public ELB with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
ELB with unencrypted Redis (TCP:6379) is exposed to a wide network scope
ELB with service 'MySQL' (TCP:3306) is exposed to a wide network scope
ELB with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
ELB with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
ELB with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
Public ELB with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
Public ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
ELB with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
Public ELB with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
ELB with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
Public ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
Public ELB with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
ELB with unencrypted LDAP (UDP:389) is exposed to a wide network scope
Public ELB with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
ELB with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
Public ELB with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
Public ELB with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
Public ELB with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
Public ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
Public ELB with service DNS (UDP:53) is potentially exposed to the public internet
ELB with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
ELB with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
Public ELB with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
ELB with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
Public ELB with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
ELB with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
Public ELB with service 'DNS' (UDP:53) is exposed to the entire internet
ELB with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
ELB with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
Public ELB with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
ELB with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
ELB with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
ELB with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
Public ELB with service 'LDAP SSL' (TCP:636) is exposed to a small public network
ELB with service 'Cassandra' (TCP:7001) is exposed to a small network scope
ELB with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
ELB with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
ELB with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
Public ELB with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
ELB with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
ELB with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
ELB with service 'Telnet' (TCP:23) is exposed to a wide network scope
Public ELB with service 'POP3' (TCP:110) is exposed to a small public network
ELB with service 'DNS' (UDP:53) is exposed to a small network scope
ELB with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
ELB secured listener certificate expires in one week
ELB with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
ELB with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
ELB is created with Access logs enabled
Public ELB with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
ELB with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
ELB with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
Public ELB with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
ELB with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
ELB with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
Public ELB with service VNC Server (TCP:5900) is potentially exposed to the public internet
Public ELB with service Known internal web port (TCP:8080) is potentially exposed to the public internet
Public ELB with service 'Known internal web port' (TCP:8000) is exposed to a small public network
Public ELB with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
ELB with unencrypted Redis (TCP:6379) is exposed to a small network scope
Public ELB with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
Public ELB with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
ELB with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
Public ELB with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
Public ELB with service 'VNC Listener' (TCP:5500) is exposed to a small public network
ELB with service 'MySQL' (TCP:3306) is exposed to a small network scope
ELB with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
Public ELB with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
ELB with unencrypted LDAP (UDP:389) is exposed to a small network scope
Public ELB with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
ELB with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
ELB with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
ELB with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
Public ELB with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
Public ELB with service MySQL (TCP:3306) is potentially exposed to the public internet
ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
Public ELB with service Telnet (TCP:23) is potentially exposed to the public internet
ELB with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
ELB with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
Public ELB with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
ELB with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
ELB with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
ELB with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
Public ELB with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
ELB with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
ELB with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known TCP port
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known UDP port
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known TCP DB port
Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known UDP DB port
Region
Ensure AWS Config is enabled in all regions
Ensure that IAM Access analyzer is enabled for all regions
Process for Security Group Management - Detection of new Security Groups
Ensure CloudTrail is enabled in all regions
Ensure VPC Flow Logging is Enabled in all Applicable Regions
Amazon GuardDuty service is enabled
Application Load Balancer
Public ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
Public ApplicationLoadBalancer with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small network scope
ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
Public ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small public network
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
Public ApplicationLoadBalancer with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a small network scope
ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
Public ApplicationLoadBalancer with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
Public ApplicationLoadBalancer with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small public network
ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to the entire internet
ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
Public ApplicationLoadBalancer with service VNC Server (TCP:5900) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
Public ApplicationLoadBalancer with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a small network scope
ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
ALB secured listener certificate expires in one week
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
Public ApplicationLoadBalancer with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small public network
ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
Public ApplicationLoadBalancer with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
ALB secured listener certificate about to expire in one month
Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
Public ApplicationLoadBalancer with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
Public ApplicationLoadBalancer with service LDAP SSL (TCP:636) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
Public ApplicationLoadBalancer with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small public network
ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small public network
ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Telnet (TCP:23) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
ApplicationLoadBalancer with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
Public ApplicationLoadBalancer with service SMTP (TCP:25) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
Public ApplicationLoadBalancer with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small public network
Public ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to the entire internet
ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a wide network scope
ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
Public ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
Public ApplicationLoadBalancer with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to the entire internet
ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
ApplicationLoadBalancer with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
Public ApplicationLoadBalancer with service POP3 (TCP:110) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Cassandra (TCP:7001) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
Ensure AWS Application Load Balancer (ALB) listeners block connection requests over HTTP
ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
ApplicationLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
ApplicationLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
ApplicationLoadBalancer with administrative service: SSH (TCP:22) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service VNC Listener (TCP:5500) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
Public ApplicationLoadBalancer with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small public network
ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
Public ApplicationLoadBalancer with service DNS (UDP:53) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service MySQL (TCP:3306) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
Public ApplicationLoadBalancer with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a wide network scope
Public ApplicationLoadBalancer with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide network scope
Public ApplicationLoadBalancer with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
Public ApplicationLoadBalancer with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
ApplicationLoadBalancer with administrative service: SSH (TCP:22) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
Make sure that ALB is protected by a WAF
Public ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
ApplicationLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
ApplicationLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
Public ApplicationLoadBalancer with service SNMP (UDP:161) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network
ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
Enable ALB Elastic Load Balancer v2 (ELBv2) access log
Public ApplicationLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
Public ApplicationLoadBalancer with service Known internal web port (TCP:8000) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
ApplicationLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
Public ApplicationLoadBalancer with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
Public ApplicationLoadBalancer with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet
ApplicationLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small public network
Public ApplicationLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'MySQL' (TCP:3306) is exposed to the entire internet
Public ApplicationLoadBalancer with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to the entire internet
Public ApplicationLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small public network
Public ApplicationLoadBalancer with service Puppet Master (TCP:8140) is potentially exposed to the public internet
ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small network scope
Public ApplicationLoadBalancer with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to the entire internet
ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
ApplicationLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
Public ApplicationLoadBalancer with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
Public ApplicationLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
ApplicationLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
Public ApplicationLoadBalancer with service 'DNS' (UDP:53) is exposed to a small public network
ApplicationLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
ApplicationLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide network scope
Public ApplicationLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
Public ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
ApplicationLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
ApplicationLoadBalancer with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
Public ApplicationLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small public network
Public ApplicationLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
Public ApplicationLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
ApplicationLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope
Public ApplicationLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
ApplicationLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
ApplicationLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
ApplicationLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a small network scope
Public ApplicationLoadBalancer with service Known internal web port (TCP:8080) is potentially exposed to the public internet
ApplicationLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
ApplicationLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known TCP port
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known UDP port
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known TCP DB port
Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known UDP DB port
Ensure Invalid Headers Are Dropped In ALB
Amazon EC2 Instance
Public Instance with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
Public Instance with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
Public Instance with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
Public Instance with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
Public Instance with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
Public Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
Ensure IAM instance roles are used for AWS resource access from instances
Instance with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
Instance with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
Public Instance with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
Instance with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
Instances are Configured under Virtual Private Cloud
Instance with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
Instance with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
Public Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
Public Instance with service 'Telnet' (TCP:23) is exposed to the entire internet
Instance with service 'Cassandra' (TCP:7001) is exposed to a small network scope
Public Instance with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
Instance with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
Public Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
Public Instance with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
Instance with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
Instance with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
Instance with unencrypted Memcached (TCP:11211) is exposed to a small network scope
Instance with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
Instance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
Instance with service 'SNMP' (UDP:161) is exposed to a wide network scope
Public Instance with service 'Cassandra' (TCP:7001) is exposed to a small public network
Instance with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
Public Instance with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
Public Instance with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
Public Instance with service LDAP SSL (TCP:636) is potentially exposed to the public internet
Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
Instance with service 'Telnet' (TCP:23) is exposed to a small network scope
Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
Public Instance with service MySQL (TCP:3306) is potentially exposed to the public internet
Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
EC2 Instance - there shouldn't be any High level findings in Inspector Scans
Public Instance with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
Instance with service 'POP3' (TCP:110) is exposed to a small network scope
Public Instance with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
Public Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
Public Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
Instance with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
Public Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
Public Instance with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public Instance with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
Instance with service 'POP3' (TCP:110) is exposed to a wide network scope
Instance with administrative service: SSH (TCP:22) is exposed to a wide network scope
Public Instance with service 'POP3' (TCP:110) is exposed to a small public network
Instance with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
Public Instance with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
Instance with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
Instance with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
Public Instance with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
Public Instance with service Telnet (TCP:23) is potentially exposed to the public internet
Instance with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
Instance with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
Instance with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
Instance with unencrypted LDAP (TCP:389) is exposed to a small network scope
Instance with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
Public Instance with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
Instance with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
Public Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
Public Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
Public Instance with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
Instance with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
Instance with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
Instance with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
Public Instance with service 'VNC Server' (TCP:5900) is exposed to the entire internet
Public Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
Public Instance with service Known internal web port (TCP:8000) is potentially exposed to the public internet
Public Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
Public Instance with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
Instances outside of Europe region
Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
Public Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
Public Instance with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
Instance with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
Public Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
Public Instance with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
Public Instance with service 'POP3' (TCP:110) is exposed to the entire internet
Instance with service 'DNS' (UDP:53) is exposed to a small network scope
Public Instance with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
Public Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
Public Instance with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
Instance with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
Public Instance with service Cassandra (TCP:7001) is potentially exposed to the public internet
Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
Public Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
Instance with service 'MySQL' (TCP:3306) is exposed to a small network scope
Public Instance with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
Public Instance with service 'Known internal web port' (TCP:8080) is exposed to a small public network
Instances with Direct Connect virtual interface should not have public interfaces
Public Instance with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
Public Instance with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
Public Instance with service 'Cassandra' (TCP:7001) is exposed to the entire internet
Instance with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
Instance with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
Public Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
Instance with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
Public Instance with service 'SNMP' (UDP:161) is exposed to the entire internet
Instance with unencrypted LDAP (TCP:389) is exposed to a wide network scope
Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
Instance with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
Instance with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
Public Instance with service 'MySQL' (TCP:3306) is exposed to a small public network
Instance with service 'DNS' (UDP:53) is exposed to a wide network scope
Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
Instance with unencrypted Memcached (UDP:11211) is exposed to a small network scope
Instance with service 'Telnet' (TCP:23) is exposed to a wide network scope
Instance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
Public Instance with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
Instance with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
Instance with unencrypted Redis (TCP:6379) is exposed to a wide network scope
Instance with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
Public Instance with service 'MySQL' (TCP:3306) is exposed to the entire internet
Instance with unencrypted LDAP (UDP:389) is exposed to a wide network scope
Public Instance with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
Instance with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
Instance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
Public Instance with service 'Puppet Master' (TCP:8140) is exposed to a small public network
Instance with service 'SMTP' (TCP:25) is exposed to a wide network scope
Instance with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
Public Instance with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
Instance with unencrypted LDAP (UDP:389) is exposed to a small network scope
Public Instance with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
Instance with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
Instance with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
Use encrypted storage for instances that might host a database.
Instances without Inspector runs in the last 30 days
Public Instance with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
Public Instance with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
Instance with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
Public Instance with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
Instance with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
Public Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
Public Instance with service VNC Server (TCP:5900) is potentially exposed to the public internet
Public Instance with service 'SMTP' (TCP:25) is exposed to the entire internet
Public Instance with service 'DNS' (UDP:53) is exposed to a small public network
Instance with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
Instance with unencrypted Mongo (TCP:27017) is exposed to a small network scope
Instance with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
Public Instance with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
Instance with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
Public Instance with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
Public Instance with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
Instance with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
Instance with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
Public Instance with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
Public Instance with service 'SMTP' (TCP:25) is exposed to a small public network
Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
Public Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
Instance with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
Instance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
Public Instance with service SMTP (TCP:25) is potentially exposed to the public internet
Instance with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
Public Instance with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
Instance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
Instance with service 'SMTP' (TCP:25) is exposed to a small network scope
Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
Instance with service 'SNMP' (UDP:161) is exposed to a small network scope
Instance with service 'MySQL' (TCP:3306) is exposed to a wide network scope
Instance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
Public Instance with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
Instance with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
Instance with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
Instance with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
Public Instance with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
Public Instance with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
Public Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
Instance with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
Public Instance with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
Instance with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
Public Instance with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
Instance with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
Instance with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
Public Instance with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
Instance with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
Instance with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
Public Instance with service VNC Listener (TCP:5500) is potentially exposed to the public internet
Instance with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
Instance with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
Instance with unencrypted Redis (TCP:6379) is exposed to a small network scope
Public Instance with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
Instance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
Instance with administrative service: SSH (TCP:22) is potentially exposed to the public internet
Public Instance with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
Public Instance with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
Public Instance with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
Instance with service 'VNC Server' (TCP:5900) is exposed to a small network scope
Instance with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
Public Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
Public Instance with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
Instance with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
Instance with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
Public Instance with service 'DNS' (UDP:53) is exposed to the entire internet
Public Instance with service Known internal web port (TCP:8080) is potentially exposed to the public internet
Public Instance with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
Instance with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
Public Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
Public Instance with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
Public Instance with service SNMP (UDP:161) is potentially exposed to the public internet
Instance with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
Instance with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
Public Instance with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
Public Instance with service POP3 (TCP:110) is potentially exposed to the public internet
Public Instance with service 'SNMP' (UDP:161) is exposed to a small public network
Public Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
Instance with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
Public Instance with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
Public Instance with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
Instance with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
Public Instance with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
Public Instance with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
Instance with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
Instance with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
Public Instance with service 'LDAP SSL' (TCP:636) is exposed to a small public network
Instance with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
Public Instance with service 'VNC Server' (TCP:5900) is exposed to a small public network
Public Instance with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
Public Instance with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
Instance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
Public Instance with service Puppet Master (TCP:8140) is potentially exposed to the public internet
Public Instance with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
Public Instance with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
Public Instance with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
Public Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
Instance with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
Instance with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
Public Instance with service 'Known internal web port' (TCP:8000) is exposed to a small public network
Public Instance with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
Instance with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
Instance with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
Public Instance with service 'VNC Listener' (TCP:5500) is exposed to a small public network
Public Instance with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
Instance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
Instance with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
Public Instance with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
Public Instance with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
Instance with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
Instance with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
Instance with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
Public Instance with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
Public Instance with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
Instance with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
Public Instance with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
Public Instance with service DNS (UDP:53) is potentially exposed to the public internet
Public Instance with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
Instance with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
Instance with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
Public Instance with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
Instances outside of Brazilian region
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP port
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP port
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP DB port
Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known UDP DB port
Ensure that EC2 instance's volumes are encrypted
Ensure that EC2 instance's custom AMI is encrypted at rest
Ensure that EC2 instance's custom AMI is not publicly shared
Ensure that EC2 instances requires the use of Instance Metadata Service Version 2 (IMDSv2)
Public Instance with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
Public Instance with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
Simple Storage Service (S3)
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure that Static website hosting is disabled on your S3 bucket
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible without a condition
S3 bucket should not allow put or restore actions from all principals without a condition
Ensure that S3 bucket ACLs don't allow 'READ' access for anonymous / AWS authenticated users
S3 bucket CloudTrail logs ACL should not allow public access
Ensure that your AWS CloudTrail logging bucket has MFA delete enabled
S3 bucket should not allow get actions from all principals without a condition
S3 bucket should have server access logging enabled
S3 bucket should not allow delete actions from all principals
Ensure that S3 Buckets are encrypted with CMK
S3 bucket should not have world-readable permissions from anonymous users
S3 buckets should not grant any external privileges via ACL
Ensure S3 Bucket Policy is set to deny HTTP requests
S3 bucket should not be world-listable from anonymous users
S3 bucket should not allow list actions from all principals
Ensure S3 buckets are not publicly accessible
S3 bucket should not allow list actions from all principals without a condition
Ensure that S3 Bucket policy doesn't allow actions from all principals without a condition
Ensure MFA Delete is enable on S3 buckets
Ensure that S3 buckets are not publicly accessible without a condition
S3 bucket should not have writable permissions from anonymous users
S3 bucket should not allow get actions from all principals with a condition
Ensure S3 buckets are not publicly accessible without a condition
Ensure that S3 bucket ACLs don't allow 'WRITE' access for anonymous / AWS authenticated users
S3 bucket should have versioning enabled
S3 bucket should not allow put or restore actions from all principals
Ensure that object-level logging is enabled for S3 buckets
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure that S3 bucket ACLs don't allow 'READ_ACP' access for anonymous / AWS authenticated users
Ensure that S3 Bucket policy doesn't allow actions from all principals (Condition exists)
Ensure that S3 buckets are not publicly accessible
Ensure that AWS S3 Bucket block public ACLs is enabled at the account level or at the Bucket level
S3 bucket should not allow delete actions from all principals without a condition
S3 Buckets outside of Europe
Ensure all data in Amazon S3 has been discovered, classified and secured when required.
S3 bucket should not be world-writable from anonymous users
Ensure that S3 Buckets are configured with Block public access (bucket/account settings)
Ensure that S3 bucket ACLs don't allow 'WRITE_ACP' access for anonymous / AWS authenticated users
S3 Buckets outside of Brazil
Ensure that S3 Bucket is encrypted at rest
Ensure that S3 bucket ACLs don't allow 'FULL_CONTROL' access for anonymous / AWS authenticated users
Ensure that S3 Bucket policy doesn't have excessive permissions (Allowing all actions)
Ensure Enabling Versioning For S3 Bucket
Network Load Balancer
Public NetworkLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
Public NetworkLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
Public NetworkLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
Public NetworkLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small public network
Public NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small public network
NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small network scope
Public NetworkLoadBalancer with service MSSQL Admin (TCP:1434) is potentially exposed to the public internet
NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small public network
NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to the entire internet
Public NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small public network
NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a wide network scope
NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small network scope
NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small network scope
Public NetworkLoadBalancer with service VNC Server (TCP:5900) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Hadoop Name Node (TCP:9000) is potentially exposed to the public internet
NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a wide network scope
NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a wide network scope
NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small network scope
Public NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small public network
Ensure to update the Security Policy of the Network Load Balancer
NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small network scope
NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is exposed to a small network scope
NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a wide network scope
NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small network scope
NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small network scope
NetworkLoadBalancer with administrative service: SSH (TCP:22) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
Public NetworkLoadBalancer with service Puppet Master (TCP:8140) is potentially exposed to the public internet
Public NetworkLoadBalancer with service SMTP (TCP:25) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to a small public network
Public NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a small public network
NetworkLoadBalancer with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to the entire internet
NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small public network
NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a wide network scope
NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small network scope
NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope
NetworkLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a wide network scope
Public NetworkLoadBalancer with service Oracle DB SSL (UDP:2484) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to the entire internet
Public NetworkLoadBalancer with service NetBIOS Name Service (UDP:137) is potentially exposed to the public internet
NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small network scope
NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
Public NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small public network
NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a wide network scope
NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small network scope
Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small public network
Public NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a small public network
NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a small network scope
NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small public network
NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small public network
Public NetworkLoadBalancer with service Telnet (TCP:23) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'NetBios Session Service' (UDP:139) is exposed to the entire internet
NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Known internal web port (TCP:8000) is potentially exposed to the public internet
NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a wide network scope
Public NetworkLoadBalancer with service POP3 (TCP:110) is potentially exposed to the public internet
NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small network scope
NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small public network
NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small network scope
NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a small network scope
NetworkLoadBalancer with administrative service: SSH (TCP:22) is exposed to a wide network scope
NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a wide network scope
NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a wide network scope
NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a small network scope
Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet
Public NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to the entire internet
Public NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to the entire internet
NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a small public network
NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to a small network scope
Public NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to the entire internet
Public NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to the entire internet
NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a wide network scope
NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to the entire internet
NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a small public network
Public NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to the entire internet
NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Redis (TCP:6379) is exposed to a small network scope
NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a small network scope
Public NetworkLoadBalancer with service CIFS / SMB (TCP:3020) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to the entire internet
Public NetworkLoadBalancer with service SaltStack Master (TCP:4505) is potentially exposed to the public internet
NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small network scope
NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a wide network scope
Public NetworkLoadBalancer with service MSSQL Browser Service (UDP:1434) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small public network
Public NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small public network
Public NetworkLoadBalancer with service 'Oracle DB SSL' (TCP:2484) is exposed to the entire internet
NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small network scope
Public NetworkLoadBalancer with service Memcached SSL (TCP:11214) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a small public network
Public NetworkLoadBalancer with service Memcached SSL (UDP:11215) is potentially exposed to the public internet
NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a wide network scope
Public NetworkLoadBalancer with service Microsoft-DS (TCP:445) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to a small public network
Public NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to the entire internet
Public NetworkLoadBalancer with service 'NetBios Datagram Service' (UDP:138) is exposed to the entire internet
Public NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a small public network
NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a wide network scope
NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is potentially exposed to the public internet
Public NetworkLoadBalancer with service MSSQL Server (TCP:1433) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is potentially exposed to the public internet
NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a wide network scope
NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Elastic search (TCP:9200) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to the entire internet
Public NetworkLoadBalancer with service 'MSSQL Server' (TCP:1433) is exposed to the entire internet
Public NetworkLoadBalancer with service Cassandra OpsCenter agent (TCP:61621) is potentially exposed to the public internet
NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a wide network scope
NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a small public network
Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to the entire internet
NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to a wide network scope
NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a small network scope
Public NetworkLoadBalancer with service MSSQL Debugger (TCP:135) is potentially exposed to the public internet
Public NetworkLoadBalancer with service VNC Listener (TCP:5500) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Oracle DB SSL (TCP:2484) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a small public network
NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a wide network scope
NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small network scope
Public NetworkLoadBalancer with service Cassandra (TCP:7001) is potentially exposed to the public internet
NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to a wide network scope
Public NetworkLoadBalancer with service DNS (UDP:53) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to a small public network
Public NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to the entire internet
NetworkLoadBalancer with service 'Microsoft-DS' (TCP:445) is exposed to a small network scope
NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to the entire internet
NetworkLoadBalancer with administrative service: Remote Desktop (TCP:3389) is potentially exposed to the public internet
NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a wide network scope
NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
Public NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a small public network
NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to the entire internet
NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small network scope
Public NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to the entire internet
NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small network scope
Public NetworkLoadBalancer with service NetBios Datagram Service (UDP:138) is potentially exposed to the public internet
Public NetworkLoadBalancer with service SaltStack Master (TCP:4506) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11215) is exposed to the entire internet
NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
Public NetworkLoadBalancer with service 'Postgres SQL' (TCP:5432) is exposed to a small public network
Public NetworkLoadBalancer with service 'Mongo Web Portal' (TCP:27018) is exposed to the entire internet
NetworkLoadBalancer with unencrypted Memcached (UDP:11211) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a wide network scope
Public NetworkLoadBalancer with service MySQL (TCP:3306) is potentially exposed to the public internet
NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a wide network scope
NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope
Public NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small public network
Public NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to the entire internet
NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Prevalent known internal port (TCP:3000) is potentially exposed to the public internet
NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a small network scope
Public NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to a small public network
NetworkLoadBalancer with unencrypted Memcached (TCP:11211) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11214) is exposed to the entire internet
Public NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to the entire internet
NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a small public network
Public NetworkLoadBalancer with service 'NetBios Session Service' (TCP:139) is exposed to a small public network
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a wide network scope
NetworkLoadBalancer with service 'Cassandra OpsCenter agent' (TCP:61621) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Redis (TCP:6379) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted LDAP (UDP:389) is exposed to a small network scope
NetworkLoadBalancer with service 'SNMP' (UDP:161) is exposed to a wide network scope
NetworkLoadBalancer with service 'MySQL' (TCP:3306) is exposed to a wide network scope
NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small network scope
Public NetworkLoadBalancer with service Postgres SQL (TCP:5432) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to a small public network
Public NetworkLoadBalancer with service SNMP (UDP:161) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a small public network
Public NetworkLoadBalancer with service 'Puppet Master' (TCP:8140) is exposed to the entire internet
NetworkLoadBalancer with unencrypted LDAP (TCP:389) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small public network
Public NetworkLoadBalancer with service Memcached SSL (TCP:11215) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Postgres SQL (UDP:5432) is potentially exposed to the public internet
NetworkLoadBalancer with service 'NetBIOS Name Service' (TCP:137) is exposed to a small network scope
NetworkLoadBalancer with service 'SQL Server Analysis Services' (TCP:2383) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is potentially exposed to the public internet
Public NetworkLoadBalancer with service SQL Server Analysis Services (TCP:2383) is potentially exposed to the public internet
NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small network scope
NetworkLoadBalancer with service 'LDAP SSL' (TCP:636) is exposed to a small network scope
Public NetworkLoadBalancer with service 'Hadoop Name Node' (TCP:9000) is exposed to the entire internet
NetworkLoadBalancer with service 'Cassandra' (TCP:7001) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Elastic search (TCP:9300) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a wide network scope
NetworkLoadBalancer with service 'SQL Server Analysis Service browser' (TCP:2382) is exposed to a wide network scope
Public NetworkLoadBalancer with service NetBios Session Service (TCP:139) is potentially exposed to the public internet
Public NetworkLoadBalancer with service NetBIOS Name Service (TCP:137) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a wide network scope
Public NetworkLoadBalancer with service Mongo Web Portal (TCP:27018) is potentially exposed to the public internet
Public NetworkLoadBalancer with service Known internal web port (TCP:8080) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to a small public network
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
NetworkLoadBalancer with service 'CIFS / SMB' (TCP:3020) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network
Public NetworkLoadBalancer with service 'DNS' (UDP:53) is exposed to the entire internet
NetworkLoadBalancer with unencrypted Cassandra OpsCenter Website (TCP:8888) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'SaltStack Master' (TCP:4505) is exposed to a small public network
NetworkLoadBalancer with unencrypted LDAP (TCP:389) is potentially exposed to the public internet
NetworkLoadBalancer with service 'MSSQL Browser Service' (UDP:1434) is exposed to a wide network scope
NetworkLoadBalancer with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
NetworkLoadBalancer with service 'VNC Listener' (TCP:5500) is exposed to a small network scope
Public NetworkLoadBalancer with service 'NetBIOS Name Service' (UDP:137) is exposed to the entire internet
NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope
NetworkLoadBalancer with service 'SaltStack Master' (TCP:4506) is exposed to a wide network scope
NetworkLoadBalancer with service 'VNC Server' (TCP:5900) is exposed to a wide network scope
Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network
Public NetworkLoadBalancer with service 'Prevalent known internal port' (TCP:3000) is exposed to a small public network
Public NetworkLoadBalancer with service NetBios Session Service (UDP:139) is potentially exposed to the public internet
NetworkLoadBalancer with service 'Known internal web port' (TCP:8080) is exposed to a small network scope
Public NetworkLoadBalancer with service 'Postgres SQL' (UDP:5432) is exposed to a small public network
Public NetworkLoadBalancer with service Memcached SSL (UDP:11214) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Cassandra Client (TCP:9042) is potentially exposed to the public internet
NetworkLoadBalancer with unencrypted Oracle DB (TCP:1521) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Known internal web port' (TCP:8000) is exposed to the entire internet
NetworkLoadBalancer with service 'MSSQL Admin' (TCP:1434) is exposed to a small network scope
Public NetworkLoadBalancer with service 'NetBios Datagram Service' (TCP:138) is exposed to a small public network
NetworkLoadBalancer with unencrypted Oracle DB (TCP:2483) is exposed to a wide network scope
NetworkLoadBalancer with service 'MSSQL Debugger' (TCP:135) is exposed to a small network scope
Public NetworkLoadBalancer with service LDAP SSL (TCP:636) is potentially exposed to the public internet
NetworkLoadBalancer with service 'Telnet' (TCP:23) is exposed to a small network scope
NetworkLoadBalancer with unencrypted Mongo (TCP:27017) is exposed to a small network scope
Public NetworkLoadBalancer with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Oracle DB SSL' (UDP:2484) is exposed to the entire internet
NetworkLoadBalancer with unencrypted LDAP (UDP:389) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Memcached SSL' (TCP:11215) is exposed to the entire internet
Public NetworkLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
Public NetworkLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
IAM User
Ensure IAM users have either access key or console password enabled
Ensure IAM users have either access key or console password enabled
Ensure IAM users have either access key or console password enabled
Ensure IAM users have either access key or console password enabled
Ensure IAM users have either access key or console password enabled
Ensure IAM users have either access key or console password enabled
Ensure IAM users have either access key or console password enabled
Ensure IAM users have either access key or console password enabled
Ensure inactive user for 30 days or greater are disabled
Ensure inactive user for 90 days or greater are disabled
Ensure VIRTUAL or HARDWARE MFA is enabled for the 'root' account
Ensure IAM Users Receive Permissions Only Through Groups
IamUser with Admin or wide permissions without MFA enabled
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure 'root' account does not have an active X.509 signing certificate
Ensure whether IAM users are members of at least one IAM group
Ensure AWS IAM users have no more than one active Access Key
Ensure credentials unused for 45 days or greater are disabled (Second access key)
Use managed policies instead of inline IAM Policies
Ensure credentials unused for 45 days or greater are disabled (Console password)
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Ensure second access key is rotated every 30 days or less
Ensure credentials unused for 45 days or greater are disabled (First access key)
Ensure first access key is rotated every 30 days or less
Ensure second access key is rotated every 45 days or less
Ensure no root account access key exists
Ensure inactive IAM access keys are deleted
Ensure IAM User do not have administrator privileges
Ensure access keys are rotated every 90 days or less (Second access key)
Ensure first access key is rotated every 45 days or less
Ensure access keys are rotated every 90 days or less (First access key)
Avoid the use of the 'root' account
Ensure IAM user password is rotated every 90 days or less
Ensure IAM users have either access key or console password enabled
Ensure IAM users have either access key or console password enabled
IAM Role
Ensure IAM Role does not have inline policies
Ensure IAM users have either access key or console password enabled
Ensure that Role names cannot be enumerable
Ensure that IAM Role doesn't have excessive permissions (Allowing all actions)
Ensure that Trusted Policy Roles which can be assumed by external entities include a Condition String
Ensure EKS Node Group IAM role do not have administrator privileges
Unused IAM role more than 90 days
Ensure cross-account IAM Role uses MFA or external ID as a condition
Ensure that custom IAM Role doesn't have an overly permissive scope (Contains a wildcard)
Amazon Elastic File System (EFS)
Amazon EFS must have an associated tag
Ensure that your Amazon EFS file systems are encrypted
Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys
AWS Security Group
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
Restrict outbound traffic to that which is necessary, and specifically deny all other traffic
Ensure that Security Groups are not open to all
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
Ensure the default security group of every VPC restricts all traffic
Remove Unused Security Groups
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
Remove Unused Security Groups that are open to all
Security Groups must be defined under a Virtual Private Cloud
Process for Security Group Management - Managing security groups
Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols
Default Security Groups - with network policies
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
AWS Identity and Access Management (IAM)
Password Policy must require at least one number
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM password policy require at least one lowercase letter
Ensure IAM password policy expires passwords within 90 days or less
Ensure security contact information is registered
Enforce Password Policy
Credentials report was generated in the last 24 hours
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy prevents password reuse
Ensure IAM password policy require at least one symbol
Ensure IAM password policy prevents password reuse
Ensure IAM password policy require at least one lowercase letter
Ensure IAM password policy require at least one symbol
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM Users Receive Permissions Only Through Groups
Ensure IAM policies are attached only to groups or roles
Password Policy must require at least one number
Ensure IAM password policy expires passwords within 90 days or less
Ensure IAM policies that allow full *:* administrative privileges are not attached
Ensure AWS Config is enabled in all regions
Amazon RDS
RDS should not have Public Interface
Ensures that AWS RDS databases are encrypted using Customer Managed Keys
RDS should not have Public Interface open to a public scope
Ensure AWS RDS automatic minor upgrades are enabled
Ensure that encryption is enabled for RDS Instances
Ensure AWS RDS instances have Multi-Availability Zone enabled
Ensure AWS RDS retention policy is at least 7 days
RDS Databases with Direct Connect virtual interface should not have public interfaces
Ensure AWS RDS instances have Automatic Backup set up
RDS should not have be open to a large scope
CloudTrail
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for SSM actions
Ensure a log metric filter and alarm exists for AWS MFA Deletion for IAM users
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for usage of 'root' account
Ensure appropriate subscribers to each SNS topic
Ensure a log metric filter and alarm exist for VPC changes
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for IAM login profile changes
Ensure a log metric filter and alarm exists for AWS Organizations changes
Ensure CloudTrail log file validation is enabled
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for unauthorized API calls
Ensure multi-regions trail exists for each AWS CloudTrail
Ensure that CloudTrail trails are integrated with CloudWatch Logs
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for STS 'AssumeRole' action
Ensure that Object-level logging for read events is enabled for S3 bucket
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure multi-regions trail exists for each AWS CloudTrail
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure CloudTrail logs have KmsKeyId defined
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
AWS Nat Gateway
Ensure that NAT gateway is not associated in a private subnet
Ensure NAT gateway state is available
Ensure NAT gateway has a name tag
Ensure NAT gateway has a name tag
Amazon ElastiCache
Ensure that ElastiCache for Redis version is compliant with AWS PCI DSS requirements
Ensure ElastiCache for Memcached is not used in AWS PCI DSS environments
Ensure AWS ElastiCache Redis clusters have in-transit encryption enabled
Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled
AWS Network-Firewall
Ensure Network firewall alerts logging is enabled
Ensure Network firewall resides in a dedicated subnet
Ensure Network firewall have subnet change protection enabled
Ensure Network firewall status is not FAILED
Ensure Network firewall flow logging is enabled
Ensure Network firewall have policy change protection enabled
Ensure Network firewall delete protection enabled
Ensure Network firewall delete protection enabled
Ensure Network firewall have subnet change protection enabled
Ensure Network firewall have policy change protection enabled
Ensure Network firewall resides in a dedicated subnet
IAM Policy
Ensure AWS IAM policies do not grant 'assume role' permission across all services
Ensure IAM user, group, or role should have IAM access key permissions restricted
Ensure AWS IAM policies allow only the required privileges for each role
Ensure IAM user, group, or role do not have access to create or update login profiles (passwords) for IAM users
Ensure AWS IAM managed policies do not have 'getObject' or full S3 action permissions
Ensure IAM Policy do not have Effect: 'Allow' with 'NotAction' Element
Ensure IAM policies that allow full '*:*' administrative privileges are not created
Ensure 'AWSSupportServiceRolePolicy' policy does not use 'v20' policy version
Ensure policy attached to IAM identities requires SSL/TLS to manage IAM access keys
Ensure a support role has been created to manage incidents with AWS Support
Ensure undedicated AWS IAM managed policies do not have full action permissions
Ensure all IAM policies are in use
Ensure IAM user, group, or role should have MFA permissions restricted
Amazon Elastic Container Service
Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols
ECS Service with Admin Roles
Ensure there are no inline policies attached to the ECS service
Ensure that at least one Load Balancer is attached to the service
Ensure that ECS Service role doesn't have excessive permissions (Contains a wildcard)
Ensure that ECS Service managed role doesn't have an overly permissive scope (Contains a wildcard)
IAM Server Certificate
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
SSL/TLS certificates expire in 45 days
SSL/TLS certificates expire in one week
SSL/TLS certificates expire in one month
Ensure IAM server certificate was not uploaded before the Heartbleed security bug fix
AWS Lambda
Ensure AWS Lambda function is configured inside a VPC
Ensure that Lambda Function execution role policy doesn't have excessive permissions (Contains a wildcard)
Ensure no lambda allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure AWS Lambda functions have tracing enabled
Lambda Functions must have an associated tag
Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role
Ensure that Lambda Function execution role policy doesn't have an overly permissive scope (Contains a wildcard)
Ensure that Lambda Function's environment variables 'Encryption at Rest' feature uses Customer Master Keys (CMK)
Ensure that Lambda Function resource-based policy doesn't have excessive permissions (Contains a wildcard)
Ensure that Lambda Function is not publicly exposed via resource policy without a condition
Ensure that Lambda Function URL is secured with IAM authentication
Amazon API Gateway
Ensure that the API Endpoint type in API Gateway is set to Private and is not exposed to the public internet
Ensure that all requestValidatorId in API Gateway are not null
Ensure that all authorization Type in API Gateway are not set to None
Ensure that an API Key is required on a Method Request
AWS Certificate Manager
Ensure invalid or failed certificates are removed from ACM
Ensure that all the expired SSL/TLS certificates are removed from ACM
Ensure ACM certificate was not issued before the Heartbleed security bug fix
ACM has a PENDING_VALIDATION Certificate
Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate
Ensure ACM only has certificates with single domain names, and none with wildcard domain names
ACM has soon to be expired certificates
Ensure the AWS Certificate Manager (ACM) has no unused certificates
Amazon VPC Endpoints
Ensure VPC Endpoint has a name tag
Ensure that VPC Endpoint policy won't allow all actions
Ensure that the VPC Endpoint status is Available state
Ensure that VPC Endpoint policy won't allow all actions
Ensure VPC Endpoint has a name tag
EKS Cluster
EksCluster should not have more than one security groups
EksCluster should not be publicly access
Ensure that AWS EKS Cluster control plane logging is enabled
Amazon Secrets Manager
Ensure that AWS Secret Manager Secret rotation is enabled
Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days
Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs
Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days
Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs
Amazon Kinesis
AWS Kinesis streams are encrypted with customer managed CMK
AWS Kinesis data streams have server side encryption (SSE) enabled
Ensure AWS Kinesis Streams Keys are rotated
Amazon ElasticSearch service
Ensure OpenSearch should have IAM permissions restricted
Enforce creation of ElasticSearch domains within your VPCs
Ensure that encryption of data at rest is enabled on Elasticsearch domains
Ensure that node-to-node encryption is enabled for Elasticsearch service
Public Instance with service SQL Server Analysis Service browser (TCP:2382) is potentially exposed to the public internet
Public NetworkLoadBalancer with service NetBios Datagram Service (TCP:138) is potentially exposed to the public internet
Amazon SageMaker
Ensure that SageMaker is placed in VPC
Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled
Ensure SageMaker Notebook Instance Data Encryption is enabled
Ensure that SageMaker Notebook does not have direct internet access
Amazon DynamoDB
Ensure that AWS DynamoDB is encrypted using customer-managed CMK
Ensure Amazon DynamoDB tables have continuous backups enabled
AWS Transit Gateway
Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway
Ensure to define VPC associations and propagations yourself to keep track of all routes and connections to and from your Transit gateway
Ensure Transit gateway have a name tag
Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway
Ensure to define VPC associations and propagations yourself to keep track of all routes and connections to and from your Transit gateway
Ensure Transit gateway have a name tag
Subnet
Ensure AWS VPC subnets have automatic public IP assignment disabled
Amazon Elastic Block Storage (EBS)
Ensure EBS volume encryption is enabled
Ensure AWS EBS Volumes are attached to instances
IAM Group
Ensure IAM groups have at least one IAM User attached
Ensure that IamGroup does not have Inline policies
Ensure IAM group do not have administrator privileges
Amazon CloudFront
Ensure AWS CloudFront web distributions use custom (and not default) SSL certificates
Use encrypted connection between CloudFront and origin server
Ensure that the Viewer Protocol policy is compliant to only use the HTTPS protocol
Ensure AWS CloudFront web distribution with geo restriction is enabled
Determine if CloudFront CDN is in use
Ensure AWS CloudFront distribution with access logging is enabled
AWS Cloud Front - WAF Integration
Use secure ciphers in CloudFront distribution
Simple Queue Service (SQS)
Ensure there is a Dead Letter Queue configured for each Amazon SQS queue
Ensure that SQS policy won't allow all actions from all principals
Ensure that AWS SQS is encrypted using Customer Managed keys instead of AWS-owned CMKs
Ensure that SQS policy won't allow all actions from all principals without a condition
Ensure SQS Dead-letter queue is not configured to send messages to the source queue
Ensure Amazon SQS queues enforce Server-Side Encryption (SSE)
Ensure Amazon SQS queues enforce Server-Side Encryption (SSE)
Ensure that AWS SQS is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's
Ensure that SQS policy won't allow all actions from all principals
Ensure there is a Dead Letter Queue configured for each Amazon SQS queue
EC2 Auto Scaling Group
Ensure Auto Scaling group have scaling cooldown configured
Ensure Auto Scaling group being used with multiple Availability zones
Ensure Auto Scaling group does not have suspended processes
Ensure Auto Scaling group being used with multiple Availability zones
Ensure Auto Scaling group does not have suspended processes
Ensure Auto Scaling group have scaling cooldown configured
Amazon Systems Manager document
Amazon System Manager Document should not be publicly available
Ensure that public System Manager Documents include parameters
SNS Topic
Ensure SNS Topics aren't publicly accessible
Ensure SNS topic have active subscriptions
Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE)
Ensure SNS Topics administrative actions aren't publicly executable without a condition
Ensure that AWS SNS topic is encrypted using Customer Managed Keys instead of AWS-owned CMKs
Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE)
Ensure that AWS SNS topic is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's
Ensure SNS Topics aren't publicly accessible
Ensure SNS Topics administrative actions aren’t publicly executable
AWS Config
Ensure that the configuration recorder is set to 'on' and set S3 Bucket and SNS topic as your delivery channel
Amazon ECS Task Definitions
Enable container's health checks
Container metadata
IAM SAML Identity Provider
Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
Route53RecordSetGroup
Ensure S3 Bucket exists for A records routing traffic to an S3 Bucket website endpoint
Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint
Amazon Route 53
Expired Route 53 Domain Names
AWS Route 53 Domain Name Renewal (30 days before expiration)
AWS Route 53 Domain Name Renewal (7 days before expiration)
Enable AWS Route 53 Domain Transfer Lock
Enable AWS Route 53 Domain Auto Renew
Public Instance with service 'Telnet' (TCP:23) is exposed to a small public network
Amazon VPC
Ensure VPC flow logging is enabled in all VPCs
Ensure the number of private gateways is within the AWS limit for each region
Identify unused AWS VPCs
Ensure VPC flow logging is enabled in all VPCs
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
Ensure the default security group of every VPC restricts all traffic
Ensure routing tables for security groups peering are \"least access\"
Amazon Elastic Container Service - Cluster
Prefer using IAM roles for tasks rather than using IAM roles for an instance
Ensure that at least one instance is registered with an ECS Cluster
ECS Cluster At-Rest Encryption
ECS Cluster should not have running container instances with unconnected agents
Route53 Hosted Zone
Use Route53 for scalable, secure DNS service in AWS.
AWS Key Management Service (KMS)
Ensure only usable Customer Managed Keys are in the AWS KMS
Ensure rotation for customer created CMKs is enabled
Ensure rotation for customer created CMKs is enabled
Amazon Redshift
Ensure AWS Redshift clusters are not publicly accessible
Use KMS CMK customer-managed keys for Redshift clusters
Ensure AWS Redshift instances are encrypted
Amazon Systems Manager Parameter
Ensure that sensitive parameters are encrypted
Amazon Machine Image (AMI)
Ensure that EC2 AMIs are not publicly accessible
EMR Cluster
Ensure in-transit and at-rest encryption is enabled for Amazon EMR clusters
Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3
Amazon NACL
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Route Table
Ensure AWS NAT Gateways are being utilized instead of the default route
Public NetworkLoadBalancer with service 'Memcached SSL' (UDP:11214) is exposed to a small public network
AWS EcrRepository
Ensure that ECR image tags are immutable.
Ensure that ECR image scan on push is enabled.
Ensure that ECR repositories are encrypted.
Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone.
Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone, even with a condition.
kubernetes policies
Pods
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server)
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server)
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server)
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server)
Ensure that the --secure-port argument is not set to 0 (API Server)
Ensure that the --peer-auto-tls argument is not set to true (etcd)
Ensure that the --kubelet-https argument is set to true
Apply Security Context to Your Pods and Containers
SELinux options should not be configured on containers
CVE-2022-0811: Prevent pods from having securityContext with sysctls that contains + or =
Ensure that the --peer-client-cert-auth argument is set to true (etcd) (Openshift)
Ensure that Containers are not running with insecure capabilities
Ensure that the --auto-tls argument is not set to true (etcd) (Openshift)
Do not admit containers with SYS_ADMIN capability
Ensure that the seccomp profile is set to docker/default in your pod definitions
Image Tag should not be blank
Ensure that the --profiling argument is set to false (Scheduler)
Ensure that the --etcd-cafile argument is set as appropriate (API Server)
Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager)
Ensure that Containers are not running in privileged mode
Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd)
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (API Server)
Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (API Server)
Do not generally permit containers with allowPrivilegeEscalation
Ensure that the --client-cert-auth argument is set to true (etcd) (Openshift)
Ensure that the admission control plugin AlwaysPullImages is set (API Server)
Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler)
Ensure that the --use-service-account-credentials argument is set to true (Controller Manager)
Ensure that the --DenyServiceExternalIPs is not set
Ensure that a unique Certificate Authority is used for etcd (etcd) (Openshift)
CPU & Memory Requests Should be Set
Ensure that the --authorization-mode argument includes Node (API Server)
Ensure that the admission control plugin NodeRestriction is set (API Server)
Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (API Server)
Do not admit containers with docker socket bind mount
Ensure that the --profiling argument is set to false (Controller Manager)
Ensure containers are secured with AppArmor profile
Ensure that the --address argument is set to 127.0.0.1 (Controller Manager)
Pod containers should not share the host process ID namespace
Do not override DNS settings in Pod
Run as a high-UID user
Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) (Openshift)
Ensure pods outside of kube-system do not have access to node volume
Ensure that the --basic-auth-file argument is not set (API Server)
Ensure that the --authorization-mode argument is set to Node (API Server)
Ensure that Containers are not running with dangerous capabilities
Ensure that the admission control plugin EventRateLimit is set (API Server)
Ensure that the --root-ca-file argument is set as appropriate (Controller Manager)
CPU & Memory Limits Should be Set
Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (API Server)
Ensure that the --audit-log-path argument is set as appropriate (API Server)
Ensure that the --client-cert-auth argument is set to true (etcd)
Ensure that the admission control plugin AlwaysAdmit is not set (API Server)
Image Tag should not be 'latest'
Ensure that the admission control plugin ServiceAccount is set (API Server)
Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd)
Ensure that the admission control plugin NamespaceLifecycle is set (API Server)
Do not generally permit privileged containers
Ensure that the --service-account-key-file argument is set as appropriate (API Server)
Ensure that the --kubelet-certificate-authority argument is set as appropriate (API Server)
Ensure that the --peer-client-cert-auth argument is set to true (etcd)
Host device path mounts should not be used
Ensure that the --service-account-lookup argument is set to true (API Server)
Do not admit root containers
Ensure that the --insecure-allow-any-token argument is not set (API Server)
Ensure that an application uses secrets are as files over secrets as environment variables
Ensure that the --experimental-encryption-provider-config argument is set as appropriate (API Server)
Minimize the admission of containers which use HostPorts
Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server)
Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager)
Ensure that the --auto-tls argument is not set to true (etcd)
Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (API Server)
Ensure that the --repair-malformed-updates argument is set to false (API Server)
Ensure that the --profiling argument is set to false (API Server)
Ensure that the admission control plugin PodSecurityPolicy is set (API Server)
Pod should not use the node network namespace
Ensure that the --token-auth-file parameter is not set (API Server)
Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager)
Ensure that the --address argument is set to 127.0.0.1 (Scheduler)
Ensure that the admission control plugin DenyEscalatingExec is set (API Server)
Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (etcd) (Openshift)
Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Controller Manager)
Use Read-Only Filesystem
Ensure that the --anonymous-auth argument is set to false (API Server)
Do not admit root containers
Minimize the admission of HostPath volumes
Ensure that the default namespace is not used
Ensure that the --client-ca-file argument is set as appropriate (API Server)
Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (API Server)
Ensure that the --insecure-bind-address argument is not set (API Server)
Ensure that the AdvancedAuditing argument is not set to false (API Server)
Ensure that the --insecure-port argument is set to 0 (API Server)
Ensure that the --peer-auto-tls argument is not set to true (etcd) (Openshift)
Pod containers should not share the host IPC namespace
Ensure that the --authorization-mode argument includes RBAC (API Server)
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server)
Ensure SecurityContext Field Is Set
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server)
Kubernetes Role
Minimize access to secrets (RBAC)
Ensure that the healthz endpoints for the scheduler are protected by RBAC (RBAC) (Openshift)
Profiling (metric) is protected by RBAC (RBAC) (Openshift)
Profiling (pprof) is protected by RBAC (RBAC) (Openshift)
Minimize wildcard use in Roles and ClusterRoles (RBAC)
Node
Ensure that the --cadvisor-port argument is set to 0 (Kubelet)
Ensure that the --anonymous-auth argument is set to false (Kubelet)
Ensure that the --hostname-override argument is not set (Kubelet)
Ensure that the --make-iptables-util-chains argument is set to true (Kubelet)
Ensure that the --authorization-mode argument is not set to AlwaysAllow (Kubelet)
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Kubelet) (Openshift)
Ensure that the --hostname-override argument is not set (Kubelet) (Openshift)
Ensure that the --protect-kernel-defaults argument is set to true (Kubelet)
Ensure that garbage collection is configured as appropriate (Kubelet) (Openshift)
Ensure that the --client-ca-file argument is set as appropriate (Kubelet)
Verify that the RotateKubeletServerCertificate argument is set to true (Kubelet) (Openshift)
Ensure that the --event-qps argument is set to 0 (Kubelet)
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)
Ensure that the --read-only-port argument is set to 0 (Kubelet)
Ensure that the --rotate-certificates argument is not set to false (Kubelet)
Ensure that the --rotate-certificates argument is not set to false (Kubelet) (Openshift)
Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Kubelet)
Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet)
Kubernetes Role Binding
Ensure that the cluster-admin role is only used where required (RBAC)
Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (RBAC)
Ensure that anonymous requests are authorized (RBAC)(Openshift)
Ensure that default service accounts are not actively used. (RBAC)
Minimize access to create pods (RBAC)
Ensure that the cluster-admin role is not being used
Ensure that the cluster-admin role is only used where required (RBAC - ClusterRoleBinding)
Ensure that default service accounts are not actively used (RBAC - ClusterRoleBinding)
Service
Services should not expose SSH port
CVE-2020-8554: Services should not use 'externalIPs'
Network Policies
Ensure that the CNI in use supports Network Policies
Restrict Traffic Among Pods with a Network Policy
Ensure Traffic Between Client and Load Balancer Use HTTPS Protocol Only
Kubernetes Service Account
Ensure that Service Account Tokens are only mounted where necessary (RBAC)
Ensure that default service accounts are not actively used (RBAC - ServiceAccount)
Pod Security Policies
Minimize the admission of containers wishing to share the host IPC namespace (PSP)
Minimize the admission of privileged containers (PSP)
Minimize the admission of containers to RootFilesystem (PSP)
Minimize the admission of containers wishing to share the host network namespace (PSP)
Minimize the admission of containers with allowPrivilegeEscalation (PSP)
Minimize the admission of primary group ID the containers are run with (PSP)
Minimize the admission of containers with added capabilities (PSP)
Minimize the admission of containers wishing to share the host process ID namespace (PSP)
Minimize the admission of root containers (PSP)
Minimize the admission of SupplementalGroups in containers (PSP)
Minimize the admission of containers with the NET_RAW capability (PSP)
Minimize the admission of FSGroup applied to some volumes (PSP)
Ensure Object Have An Valid Email Address Annotation
Ensure Object Have An Owner Label
Ensure Sysctls Not Use Kernel Subsystems In A Kubernetes Cluster
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API Server)
google policies
Virtual Machine Instances
Ensure GCP VM Instances have Labels
Public VMInstance with service VNC Server(TCP:5900) is exposed to a wide public network
VMInstance with service MSSQL Debugger(TCP:135) is exposed to a wide network scope
Ensure oslogin is enabled for a Virtual Machine
Public VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a wide public network
Public VMInstance with service Postgres SQL(TCP:5432) is exposed to a small public network
Ensure VM Instance should not have public IP
VMInstance with service CIFS / SMB(TCP:3020) is exposed to a wide network scope
VMInstance with service VNC Listener(TCP:5500) is exposed to a small network scope
VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to a large network
VMInstance with unencrypted LDAP (TCP:389) is exposed to the public internet
VMInstance with service DNS(UDP:53) is exposed to a wide network scope
VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a large network
VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a large network
VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to a small network
Public VMInstance with service MSSQL Server(TCP:1433) is exposed to a wide public network
VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
Ensure that Compute instances have Confidential Computing enabled
VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to a small network
VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a small network scope
VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a wide network scope
VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network
VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to a large network
VMInstance with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet
VMInstance with unencrypted Memcached (UDP:11211) is exposed to a large network
Public VMInstance with service VNC Server(TCP:5900) is exposed to a small public network
Public VMInstance with service POP3(TCP:110) is exposed to a wide public network
VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a wide network scope
VMInstance with unencrypted Memcached (TCP:11211) is exposed to a large network
Public VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a wide public network
Public VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a small public network
VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a small network scope
VMInstance with service POP3(TCP:110) is exposed to a small network scope
Ensure that IP forwarding is not enabled on Instances
VMInstance with administrative service: SSH (TCP:22) is exposed to a wide network scope
VMInstance with unencrypted Mongo (TCP:27017) is exposed to a small network
VMInstance with unencrypted Elastic search (TCP:9200) is exposed to a large network
VMInstance with unencrypted Mongo (TCP:27017) is exposed to the public internet
VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to the public internet
Public VMInstance with service Microsoft-DS(TCP:445) is exposed to a small public network
VMInstance with service Memcached SSL(TCP:11214) is exposed to a wide network scope
VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to the public internet
Public VMInstance with service Puppet Master(TCP:8140) is exposed to a wide public network
VMInstance with service Known internal web port(TCP:8080) is exposed to a wide network scope
VMInstance with unencrypted LDAP (UDP:389) is exposed to a small network
Ensure Compute instances are launched with Shielded VM enabled
VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to a small network
VMInstance with service CIFS / SMB(TCP:3020) is exposed to a small network scope
Public VMInstance with service MSSQL Debugger(TCP:135) is exposed to a wide public network
Public VMInstance with service VNC Listener(TCP:5500) is exposed to a wide public network
VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a small network scope
VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to the public internet
Public VMInstance with service NetBios Session Service(UDP:139) is exposed to a small public network
VMInstance with service SMTP(TCP:25) is exposed to a wide network scope
VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a wide network scope
VMInstance with unencrypted LDAP (UDP:389) is exposed to a large network
VMInstance with service Known internal web port(TCP:8000) is exposed to a small network scope
VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a small network scope
Public VMInstance with service SMTP(TCP:25) is exposed to a wide public network
Public VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a wide public network
Public VMInstance with service SaltStack Master(TCP:4506) is exposed to a wide public network
VMInstance with service Postgres SQL(UDP:5432) is exposed to a wide network scope
Public VMInstance with service LDAP SSL(TCP:636) is exposed to a wide public network
Public VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a wide public network
Public VMInstance with service Known internal web port(TCP:8000) is exposed to a wide public network
VMInstance with service VNC Listener(TCP:5500) is exposed to a wide network scope
VMInstance with service DNS(UDP:53) is exposed to a small network scope
VMInstance with service Postgres SQL(TCP:5432) is exposed to a wide network scope
VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a small network scope
Public VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a small public network
Public VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a wide public network
VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a small network scope
Public VMInstance with service Cassandra(TCP:7001) is exposed to a wide public network
Public VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a small public network
VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a wide network scope
Public VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a small public network
VMInstance with unencrypted Redis (TCP:6379) is exposed to a large network
Ensure 'Block Project-wide SSH keys' enabled for VM instances
Public VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a wide public network
VMInstance with service Known internal web port(TCP:8080) is exposed to a small network scope
VMInstance with service Telnet(TCP:23) is exposed to a wide network scope
VMInstance with service MySQL(TCP:3306) is exposed to a wide network scope
VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a small network scope
VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a wide network scope
VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to the public internet
VMInstance with service MySQL(TCP:3306) is exposed to a small network scope
VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a wide network scope
VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a small network scope
VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network
Public VMInstance with service Memcached SSL(TCP:11214) is exposed to a small public network
Public VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a wide public network
Public VMInstance with service SaltStack Master(TCP:4506) is exposed to a small public network
VMInstance with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a large network
Public VMInstance with service VNC Listener(TCP:5500) is exposed to a small public network
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
VMInstance with service POP3(TCP:110) is exposed to a wide network scope
Public VMInstance with service SQL Server Analysis Service browser(TCP:2382) is exposed to a wide public network
VMInstance with service NetBios Session Service(UDP:139) is exposed to a wide network scope
VMInstance with unencrypted Elastic search (TCP:9300) is exposed to a large network
Public VMInstance with service MSSQL Debugger(TCP:135) is exposed to a small public network
Public VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a wide public network
VMInstance with service Memcached SSL(UDP:11215) is exposed to a small network scope
VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to a large network
Public VMInstance with service MySQL(TCP:3306) is exposed to a small public network
Public VMInstance with service NetBios Session Service(UDP:139) is exposed to a wide public network
VMInstance with service Known internal web port(TCP:8000) is exposed to a wide network scope
Asset does not contain a network tag
VMInstance with service Memcached SSL(UDP:11215) is exposed to a wide network scope
Public VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a small public network
VMInstance with service SaltStack Master(TCP:4505) is exposed to a wide network scope
VMInstance with unencrypted Oracle DB (TCP:1521) is exposed to a large network
VMInstance with unencrypted Mongo (TCP:27017) is exposed to a large network
VMInstance with service Memcached SSL(TCP:11214) is exposed to a small network scope
VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a wide network scope
VMInstance with service SMTP(TCP:25) is exposed to a small network scope
VMInstance with service MSSQL Admin(TCP:1434) is exposed to a small network scope
Public VMInstance with service Memcached SSL(TCP:11215) is exposed to a small public network
Public VMInstance with service NetBios Session Service(TCP:139) is exposed to a small public network
VMInstance with service LDAP SSL(TCP:636) is exposed to a wide network scope
Public VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a small public network
VMInstance with service SNMP(UDP:161) is exposed to a wide network scope
VMInstance with service Memcached SSL(UDP:11214) is exposed to a wide network scope
VMInstance with unencrypted Oracle DB (UDP:2483) is exposed to the public internet
VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a wide network scope
Public VMInstance with service NetBIOS Name Service(UDP:137) is exposed to a small public network
VMInstance with service VNC Server(TCP:5900) is exposed to a wide network scope
VMInstance with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network
VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to a small network
VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a small network scope
VMInstance with service Oracle DB SSL(UDP:2484) is exposed to a small network scope
Public VMInstance with service MSSQL Admin(TCP:1434) is exposed to a small public network
VMInstance with unencrypted Memcached (UDP:11211) is exposed to a small network
Public VMInstance with service NetBios Session Service(TCP:139) is exposed to a wide public network
Public VMInstance with service SMTP(TCP:25) is exposed to a small public network
Public VMInstance with service MySQL(TCP:3306) is exposed to a wide public network
VMInstance with unencrypted Cassandra Client (TCP:9042) is exposed to a large network
Public VMInstance with service Memcached SSL(UDP:11215) is exposed to a small public network
VMInstance with service Memcached SSL(TCP:11215) is exposed to a small network scope
VMInstance with unencrypted Memcached (UDP:11211) is exposed to the public internet
Ensure that Compute instances do not have public IP addresses
VMInstance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
Public VMInstance with service DNS(UDP:53) is exposed to a wide public network
Public VMInstance with service Memcached SSL(TCP:11214) is exposed to a wide public network
Public VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a small public network
VMInstance with service Microsoft-DS(TCP:445) is exposed to a small network scope
Public VMInstance with service POP3(TCP:110) is exposed to a small public network
VMInstance with unencrypted Cassandra Thrift (TCP:9160) is exposed to the public internet
Ensure 'Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
Public VMInstance with service Cassandra(TCP:7001) is exposed to a small public network
Public VMInstance with service Known internal web port(TCP:8080) is exposed to a small public network
Public VMInstance with service SNMP(UDP:161) is exposed to a small public network
Public VMInstance with service CIFS / SMB(TCP:3020) is exposed to a wide public network
Public VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a wide public network
Public VMInstance with service Memcached SSL(UDP:11214) is exposed to a wide public network
Public VMInstance with service SNMP(UDP:161) is exposed to a wide public network
Public VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a wide public network
Public VMInstance with service Postgres SQL(TCP:5432) is exposed to a wide public network
VMInstance with unencrypted LDAP (UDP:389) is exposed to the public internet
Public VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a small public network
Public VMInstance with service Puppet Master(TCP:8140) is exposed to a small public network
Public VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a wide public network
VMInstance with unencrypted Elastic search (TCP:9200) is exposed to a small network
Public VMInstance with service Hadoop Name Node(TCP:9000) is exposed to a small public network
VMInstance with service MSSQL Debugger(TCP:135) is exposed to a small network scope
VMInstance with service Puppet Master(TCP:8140) is exposed to a wide network scope
Public VMInstance with service Postgres SQL(UDP:5432) is exposed to a small public network
VMInstance with service VNC Server(TCP:5900) is exposed to a small network scope
VMInstance with service NetBios Session Service(UDP:139) is exposed to a small network scope
Public VMInstance with service Memcached SSL(UDP:11215) is exposed to a wide public network
Public VMInstance with service Telnet(TCP:23) is exposed to a small public network
VMInstance with service SaltStack Master(TCP:4505) is exposed to a small network scope
Public VMInstance with service Microsoft-DS(TCP:445) is exposed to a wide public network
VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a small network scope
VMInstance with service Memcached SSL(TCP:11215) is exposed to a wide network scope
VMInstance with service Cassandra(TCP:7001) is exposed to a small network scope
VMInstance with service Telnet(TCP:23) is exposed to a small network scope
VMInstance with service SaltStack Master(TCP:4506) is exposed to a small network scope
VMInstance with service Microsoft-DS(TCP:445) is exposed to a wide network scope
VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network
VMInstance with service Puppet Master(TCP:8140) is exposed to a small network scope
Public VMInstance with service DNS(UDP:53) is exposed to a small public network
VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
VMInstance with service SNMP(UDP:161) is exposed to a small network scope
Public VMInstance with service Known internal web port(TCP:8080) is exposed to a wide public network
VMInstance with service SQL Server Analysis Services(TCP:2383) is exposed to a wide network scope
VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network
Public VMInstance with service Oracle DB SSL(TCP:2484) is exposed to a wide public network
VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to the public internet
VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a small network scope
Public VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a small public network
VMInstance with unencrypted Cassandra Monitoring (TCP:7199) is exposed to the public internet
VMInstance with service Cassandra OpsCenter agent(TCP:61621) is exposed to a wide network scope
VMInstance with service NetBIOS Name Service(TCP:137) is exposed to a wide network scope
VMInstance with service MSSQL Server(TCP:1433) is exposed to a wide network scope
VMInstance with service Prevalent known internal port(TCP:3000) is exposed to a wide network scope
Public VMInstance with service Postgres SQL(UDP:5432) is exposed to a wide public network
Public VMInstance with service Telnet(TCP:23) is exposed to a wide public network
VMInstance with service Cassandra(TCP:7001) is exposed to a wide network scope
VMInstance with unencrypted LDAP (TCP:389) is exposed to a small network
VMInstance with service NetBios Datagram Service(TCP:138) is exposed to a small network scope
Public VMInstance with service MSSQL Admin(TCP:1434) is exposed to a wide public network
Public VMInstance with service Memcached SSL(TCP:11215) is exposed to a wide public network
VMInstance with unencrypted Memcached (TCP:11211) is exposed to a small network
VMInstance with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a large network
VMInstance with unencrypted Oracle DB (TCP:2483) is exposed to the public internet
VMInstance with service Memcached SSL(UDP:11214) is exposed to a small network scope
Ensure that instances are not configured to use the default service account
Public VMInstance with service MSSQL Browser Service(UDP:1434) is exposed to a small public network
Public VMInstance with service SaltStack Master(TCP:4505) is exposed to a small public network
VMInstance with service LDAP SSL(TCP:636) is exposed to a small network scope
VMInstance with unencrypted LDAP (TCP:389) is exposed to a large network
Public VMInstance with service NetBios Datagram Service(UDP:138) is exposed to a small public network
VMInstance with service SaltStack Master(TCP:4506) is exposed to a wide network scope
Public VMInstance with service Memcached SSL(UDP:11214) is exposed to a small public network
VMInstance with service Postgres SQL(UDP:5432) is exposed to a small network scope
VMInstance with service Mongo Web Portal(TCP:27018) is exposed to a wide network scope
VMInstance with service Postgres SQL(TCP:5432) is exposed to a small network scope
Public VMInstance with service CIFS / SMB(TCP:3020) is exposed to a small public network
Public VMInstance with service Known internal web port(TCP:8000) is exposed to a small public network
Public VMInstance with service LDAP SSL(TCP:636) is exposed to a small public network
Public VMInstance with service SaltStack Master(TCP:4505) is exposed to a wide public network
VMInstance with service MSSQL Admin(TCP:1434) is exposed to a wide network scope
VMInstance with unencrypted Elastic search (TCP:9200) is exposed to the public internet
VMInstance with service MSSQL Server(TCP:1433) is exposed to a small network scope
VMInstance with service NetBios Session Service(TCP:139) is exposed to a small network scope
VMInstance with service NetBios Session Service(TCP:139) is exposed to a wide network scope
VMInstance with unencrypted Elastic search (TCP:9300) is exposed to the public internet
VMInstance with unencrypted Memcached (TCP:11211) is exposed to the public internet
VMInstance with unencrypted Elastic search (TCP:9300) is exposed to a small network
VMInstance with unencrypted Redis (TCP:6379) is exposed to a small network
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
VMInstance with administrative service: SSH (TCP:22) is too exposed to the public internet
Public VMInstance with service MSSQL Server(TCP:1433) is exposed to a small public network
VMInstance with unencrypted Redis (TCP:6379) is exposed to the public internet
Ensure that no VMInstance allows incoming traffic from '0.0.0.0/0' to all protocols and ports.
Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to the ICMP port.
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known TCP port.
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known UDP port.
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known TCP DB port.
Ensure that no VMInstace allows incoming traffic from 0.0.0.0/0 to a known UDP DB port.
Kubernetes Cluster
Ensure Network policy is enabled on Kubernetes Engine Clusters
Ensure Kubernetes Clusters are configured with Labels
Ensure Kubernetes Engine Clusters legacy compute engine metadata endpoints are disabled
Ensure GKE Clusters use specific purpose-designed networks instead of the default network
Ensure `Automatic node repair` is enabled for Kubernetes Clusters
Ensure Kubernetes Cluster is created with Alias IP ranges enabled
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
Ensure Kubernetes Cluster is created with Client Certificate enabled
Ensure default Service account is not used for Project access in Kubernetes Clusters
Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
Ensure Kubernetes web UI / Dashboard is disabled
Ensure Kubernetes Cluster is created with Private cluster enabled
Ensure the GKE Cluster alpha cluster feature is disabled
Ensure GKE Cluster HTTP load balancing is enabled
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
GCP AlertPolicy
Ensure that the log metric filter and alerts exist for Audit Configuration changes
Ensure that the log metric filter and alerts exist for Custom Role changes
Ensure log metric filter and alerts exist for project ownership assignments/changes
Ensure that the log metric filter and alerts exist for VPC network changes
Ensure that the log metric filter and alerts exist for VPC network route changes
Ensure that the log metric filter and alerts exist for SQL instance configuration changes
Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes
Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes
GCP IAM Policy
Ensure permissions to impersonate a service account are not granted at project level
Avoid using pre-IAM basic (primitive) roles
Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure that corporate login credentials are used
Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
GCP CloudSql
Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'
Ensure that Cloud SQL - MYSQL instance have Point-in-time recovery enabled
Ensure Cloud SQL instances have labels
Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'
Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'default' or stricter
Ensure that Cloud SQL instances do not have public IPs
Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
Ensure That the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning'
Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on)
Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Ensure 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on'
Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Ensure that Cloud SQL database instances are configured with automated backups
Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure that the Cloud SQL database instance requires all incoming connections to use SSL
Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
GCP Security Group
Ensure Global Firewall rule should not allows all traffic
Ensure that SSH access is restricted from the internet
Ensure that RDP access is restricted from the internet
Storage Bucket
Ensure that Cloud Storage bucket has usage logs enabled
Ensure that Cloud Storage bucket is not anonymously or publicly accessible
Storage Bucket outside of Europe
Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
Ensure that Cloud Storage buckets have uniform bucket-level access enabled
GCP IAM User
Ensure that multi-factor authentication is enabled for all non-service accounts
User did not log in the past 90 days
Ensure that Separation of duties is enforced while assigning service account related roles to users
Ensure that multi-factor authentication is enabled for admin users
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Suspended user account unused more then 6 months
GCP API Key
Ensure API keys are rotated every 90 days
Ensure API keys are not created for a project
Ensure API keys are restricted to only APIs that application needs access
Google Cloud Function
Ensure that all the deployed cloud functions are in 'active' mode
Ensure that at least one event trigger was configured in your function
GCP VPC Network
Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
Ensure legacy networks do not exist for a project
Ensure the default network does not exist in a project
Ensure that Cloud DNS logging is enabled for all VPC networks
Subnet
Ensure Private Google Access is enabled for all subnetworks in VPC Network
Ensure VPC Flow logs is enabled for every subnet in a VPC Network
GCP Project
Ensure oslogin is enabled for a Project
Ensure Cloud Asset Inventory Is Enabled
Ensure 'Access Approval' is 'Enabled'
BigQuery
Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)
Ensure that BigQuery datasets are not anonymously or publicly accessible
Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets
Service Account
Ensure that service accounts are not granted with permissions to use other service accounts or set iam policies
Ensure that there are only GCP-managed service account keys for each service account
Ensure that Service Account has no Admin privileges
Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
Ensure that there are only GCP-managed service account keys for each service account
Ensure that Service Account has no Admin privileges
Ensure that service accounts are not granted with permissions to use other service accounts or set iam policies
Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
Ensure that there are only GCP-managed service account keys for each service account
Ensure that Service Account has no Admin privileges
Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
Ensure that service accounts are not granted with permissions to use other service accounts or set iam policies
Cloud Key Management Service
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
Google Pub/Sub
Ensure PubSub service is encrypted, with customer managed encryption keys.
GCP DNS Managed Zone
Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
Ensure that DNSSEC is enabled for Cloud DNS
Https Load Balancer Proxy
Ensure no HTTPS proxy load balancers permit SSL policies with weak cipher suites
Ensure no SSL proxy load balancers permit SSL policies with weak cipher suites
Log Sink
Ensure that sinks are configured for all log entries
GCP Dataproc Cluster
Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
GCP EssentialContact
Ensure Essential Contacts is Configured for Organization
azure policies
SQL Server on Virtual Machines
Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server
Ensure SQL server's TDE protector is encrypted with Customer-managed key
Ensure that Azure Active Directory Admin is configured
Ensure Azure SQL Server data replication with Fail Over groups
Ensure entire Azure infrastructure doesn't have access to Azure SQL Server
Ensure that ADS - 'Advanced Threat Protection types' (ATP) is set to 'All'
Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account
Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly
Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
Ensure that SQL Server Auditing Retention is greater than 90 days
Ensure that SQL server 'Auditing' is set to 'On'
Restrict Azure SQL Server accessibility to a minimal address range
Ensure SQL Server Threat Detection is Enabled and Retention Logs are greater than 90 days
Ensure that SQL Server 'Auditing' Retention is 'greater than 90 days'
Ensure that Azure SQL Server Admin is configured with AD Authentication
Ensure that ADS - ATP 'Send alerts to' is set
Avoid using names like 'Admin' for an Azure SQL Server admin account login
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
Ensure that VA setting 'Periodic recurring scans' to 'on' for each SQL server
Ensure that VA setting 'Send scan reports to' is configured for a SQL server
Virtual Machine
VirtualMachine with service POP3 (TCP:110) is exposed to the entire internet
VirtualMachine with service Telnet (TCP:23) is exposed to a small public network scope
VirtualMachine with service SQL Server Analysis Service browser (TCP:2382) is exposed to the entire internet
VirtualMachine with service DNS (UDP:53) is exposed to the entire internet
VirtualMachine with service CIFS / SMB (TCP:3020) is exposed to a small network scope
VirtualMachine with service SaltStack Master (TCP:4506) is exposed to a small network scope
VirtualMachine with service SNMP (UDP:161) is exposed to the entire internet
VirtualMachine with service Oracle DB SSL (UDP:2484) is exposed to a small network scope
VirtualMachine with unencrypted Oracle DB (UDP:2483) is exposed to a small network scope
VirtualMachine with service SQL Server Analysis Services (TCP:2383) is exposed to a small network scope
VirtualMachine with service Memcached SSL (TCP:11214) is exposed to the entire internet
VirtualMachine with service MySQL (TCP:3306) is exposed to a small public network
VirtualMachine with unencrypted LDAP (TCP:389) is exposed to the public internet
VirtualMachine with service Memcached SSL (UDP:11215) is exposed to the entire internet
VirtualMachine with service VNC Server (TCP:5900) is exposed to the entire internet
VirtualMachine with unencrypted Elastic search (TCP:9300) is exposed to a small network scope
VirtualMachine with service Cassandra OpsCenter agent (TCP:61621) is exposed to a small network scope
VirtualMachine with service MSSQL Debugger (TCP:135) is exposed to a small public network scope
VirtualMachine with service Postgres SQL (UDP:5432) is exposed to a small public network
VirtualMachine with service Cassandra OpsCenter agent (TCP:61621) is exposed to the entire internet
VirtualMachine with service Memcached SSL (UDP:11215) is exposed to a small public network scope
VirtualMachine with service MSSQL Server (TCP:1433) is exposed to the entire internet
VirtualMachine with service SaltStack Master (TCP:4505) is exposed to a small public network scope
VirtualMachine with service Memcached SSL (UDP:11214) is exposed to the entire internet
VirtualMachine with service NetBios Session Service (TCP:139) is exposed to a small public network scope
VirtualMachine with service SaltStack Master (TCP:4505) is exposed to the entire internet
VirtualMachine with unencrypted Memcached (UDP:11211) is exposed to a large network scope
VirtualMachine with service SMTP (TCP:25) is exposed to a small public network scope
VirtualMachine with service MSSQL Debugger (TCP:135) is exposed to the entire internet
VirtualMachine with unencrypted Elastic search (TCP:9200) is exposed to the public internet
VirtualMachine with service Mongo Web Portal (TCP:27018) is exposed to a small network scope
VirtualMachine with service Puppet Master (TCP:8140) is exposed to a small public network scope
VirtualMachine with service VNC Listener (TCP:5500) is exposed to the entire internet
VirtualMachine with service Telnet (TCP:23) is exposed to a small public network
VirtualMachine with service Telnet (TCP:23) is exposed to a small network scope
VirtualMachine with unencrypted LDAP (UDP:389) is exposed to a large network scope
VirtualMachine with service SNMP (UDP:161) is exposed to a small public network
VirtualMachine with service NetBIOS Name Service (TCP:137) is exposed to the entire internet
VirtualMachine with service Known internal web port (TCP:8080) is exposed to a small public network
VirtualMachine with unencrypted Oracle DB (TCP:1521) is exposed to the public internet
VirtualMachine with unencrypted Mongo (TCP:27017) is exposed to the public internet
VirtualMachine with service MySQL (TCP:3306) is exposed to the entire internet
VirtualMachine with unencrypted Oracle DB (TCP:2483) is exposed to a small network scope
VirtualMachine with service NetBIOS Name Service (UDP:137) is exposed to a small network scope
VirtualMachine with unencrypted LDAP (TCP:389) is exposed to a small network scope
VirtualMachine with service MSSQL Debugger (TCP:135) is exposed to a small network scope
VirtualMachine with administrative service: SSH (TCP:22) is too exposed to the public internet
VirtualMachine with service NetBios Datagram Service (UDP:138) is exposed to a small network scope
VirtualMachine with service Postgres SQL (UDP:5432) is exposed to a small network scope
VirtualMachine with service NetBIOS Name Service (UDP:137) is exposed to the entire internet
VirtualMachine with service NetBios Session Service (UDP:139) is exposed to a small public network scope
VirtualMachine with service SQL Server Analysis Services (TCP:2383) is exposed to a small public network scope
VirtualMachine with service DNS (UDP:53) is exposed to a small public network scope
VirtualMachine with service NetBios Session Service (UDP:139) is exposed to a small network scope
VirtualMachine with service VNC Listener (TCP:5500) is exposed to a small network scope
VirtualMachine with service SQL Server Analysis Service browser (TCP:2382) is exposed to a small public network scope
VirtualMachine with service VNC Server (TCP:5900) is exposed to a small public network
VirtualMachine with service Memcached SSL (UDP:11214) is exposed to a small public network scope
VirtualMachine with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a small network scope
VirtualMachine with service SaltStack Master (TCP:4505) is exposed to a small network scope
VirtualMachine with unencrypted Memcached (UDP:11211) is exposed to the public internet
VirtualMachine with service Prevalent known internal port (TCP:3000) is exposed to a small public network scope
VirtualMachine with service SaltStack Master (TCP:4506) is exposed to a small public network
VirtualMachine with service SaltStack Master (TCP:4505) is exposed to a small public network
VirtualMachine with service POP3 (TCP:110) is exposed to a small public network scope
VirtualMachine with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
VirtualMachine with unencrypted Redis (TCP:6379) is exposed to the public internet
VirtualMachine with service NetBios Session Service (UDP:139) is exposed to a small public network
VirtualMachine with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to a large network scope
VirtualMachine with service NetBIOS Name Service (UDP:137) is exposed to a small public network scope
VirtualMachine with service Hadoop Name Node (TCP:9000) is exposed to the entire internet
VirtualMachine with service SaltStack Master (TCP:4506) is exposed to the entire internet
VirtualMachine with service MSSQL Browser Service (UDP:1434) is exposed to a small network scope
VirtualMachine with service Oracle DB SSL (UDP:2484) is exposed to a small public network scope
VirtualMachine with service Postgres SQL (UDP:5432) is exposed to a small public network scope
VirtualMachine with unencrypted LDAP (UDP:389) is exposed to the public internet
VirtualMachine with service MySQL (TCP:3306) is exposed to a small public network scope
VirtualMachine with service SQL Server Analysis Service browser (TCP:2382) is exposed to a small public network
VirtualMachine with service Cassandra (TCP:7001) is exposed to a small public network
VirtualMachine with service Mongo Web Portal (TCP:27018) is exposed to the entire internet
VirtualMachine with service SaltStack Master (TCP:4506) is exposed to a small public network scope
VirtualMachine with unencrypted Memcached (TCP:11211) is exposed to a small network scope
VirtualMachine with unencrypted Oracle DB (TCP:2483) is exposed to the public internet
VirtualMachine with service Puppet Master (TCP:8140) is exposed to a small public network
VirtualMachine with service SQL Server Analysis Services (TCP:2383) is exposed to the entire internet
VirtualMachine with service Microsoft-DS (TCP:445) is exposed to a small public network
VirtualMachine with service Hadoop Name Node (TCP:9000) is exposed to a small public network scope
VirtualMachine with service SMTP (TCP:25) is exposed to a small public network
VirtualMachine with service Cassandra OpsCenter agent (TCP:61621) is exposed to a small public network scope
VirtualMachine with service MSSQL Debugger (TCP:135) is exposed to a small public network
VirtualMachine with service SQL Server Analysis Services (TCP:2383) is exposed to a small public network
VirtualMachine with service SMTP (TCP:25) is exposed to the entire internet
VirtualMachine with service Postgres SQL (TCP:5432) is exposed to a small public network
VirtualMachine with service MSSQL Server (TCP:1433) is exposed to a small public network scope
VirtualMachine with unencrypted Elastic search (TCP:9300) is exposed to a large network scope
VirtualMachine with service CIFS / SMB (TCP:3020) is exposed to the entire internet
VirtualMachine with service NetBios Datagram Service (TCP:138) is exposed to a small public network scope
VirtualMachine with unencrypted Cassandra Thrift (TCP:9160) is exposed to the public internet
VirtualMachine with unencrypted LDAP (TCP:389) is exposed to a large network scope
VirtualMachine with service Known internal web port (TCP:8080) is exposed to a small network scope
VirtualMachine with service NetBIOS Name Service (TCP:137) is exposed to a small public network scope
VirtualMachine with service POP3 (TCP:110) is exposed to a small network scope
VirtualMachine with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a large network scope
VirtualMachine with service Postgres SQL (TCP:5432) is exposed to the entire internet
VirtualMachine with unencrypted Cassandra Monitoring (TCP:7199) is exposed to a small network scope
VirtualMachine with service SNMP (UDP:161) is exposed to a small public network scope
VirtualMachine with unencrypted Cassandra Client (TCP:9042) is exposed to a small network scope
VirtualMachine with service VNC Listener (TCP:5500) is exposed to a small public network
VirtualMachine with service Known internal web port (TCP:8080) is exposed to the entire internet
VirtualMachine with service Known internal web port (TCP:8000) is exposed to a small public network
VirtualMachine with unencrypted Cassandra Client (TCP:9042) is exposed to the public internet
VirtualMachine with service NetBIOS Name Service (TCP:137) is exposed to a small network scope
VirtualMachine with unencrypted Cassandra Monitoring (TCP:7199) is exposed to the public internet
VirtualMachine with service Memcached SSL (TCP:11214) is exposed to a small public network scope
VirtualMachine with service Telnet (TCP:23) is exposed to the entire internet
VirtualMachine with service Cassandra (TCP:7001) is exposed to a small network scope
VirtualMachine with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a small network scope
VirtualMachine with service MSSQL Server (TCP:1433) is exposed to a small public network
VirtualMachine with service Prevalent known internal port (TCP:3000) is exposed to a small public network
VirtualMachine with service Mongo Web Portal (TCP:27018) is exposed to a small public network
VirtualMachine with unencrypted Oracle DB (UDP:2483) is exposed to the public internet
VirtualMachine with service Memcached SSL (TCP:11214) is exposed to a small public network
VirtualMachine with service Known internal web port (TCP:8000) is exposed to a small network scope
VirtualMachine with service Puppet Master (TCP:8140) is exposed to the entire internet
VirtualMachine with service Known internal web port (TCP:8080) is exposed to a small public network scope
VirtualMachine with unencrypted Memcached (TCP:11211) is exposed to the public internet
VirtualMachine with service Mongo Web Portal (TCP:27018) is exposed to a small public network scope
VirtualMachine with service MSSQL Admin (TCP:1434) is exposed to the entire internet
VirtualMachine with service LDAP SSL (TCP:636) is exposed to a small network scope
VirtualMachine with service MSSQL Browser Service (UDP:1434) is exposed to a small public network scope
VirtualMachine with service Microsoft-DS (TCP:445) is exposed to the entire internet
VirtualMachine with unencrypted Cassandra Thrift (TCP:9160) is exposed to a large network scope
VirtualMachine with service Memcached SSL (UDP:11214) is exposed to a small public network
VirtualMachine with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a large network scope
VirtualMachine with service Memcached SSL (TCP:11215) is exposed to a small public network scope
VirtualMachine with unencrypted Oracle DB (UDP:2483) is exposed to a large network scope
VirtualMachine with service Postgres SQL (UDP:5432) is exposed to the entire internet
VirtualMachine with service SMTP (TCP:25) is exposed to a small network scope
VirtualMachine with service Memcached SSL (UDP:11215) is exposed to a small public network
VirtualMachine with service Memcached SSL (UDP:11215) is exposed to a small network scope
VirtualMachine with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope
VirtualMachine with service VNC Server (TCP:5900) is exposed to a small public network scope
VirtualMachine with service Prevalent known internal port (TCP:3000) is exposed to the entire internet
VirtualMachine with service Postgres SQL (TCP:5432) is exposed to a small public network scope
VirtualMachine with unencrypted Oracle DB (TCP:1521) is exposed to a large network scope
VirtualMachine with unencrypted Mongo (TCP:27017) is exposed to a large network scope
VirtualMachine with service Microsoft-DS (TCP:445) is exposed to a small network scope
VirtualMachine with service NetBios Datagram Service (TCP:138) is exposed to a small public network
VirtualMachine with service NetBios Datagram Service (UDP:138) is exposed to a small public network
VirtualMachine with service Known internal web port (TCP:8000) is exposed to a small public network scope
VirtualMachine with service Prevalent known internal port (TCP:3000) is exposed to a small network scope
VirtualMachine with service Oracle DB SSL (UDP:2484) is exposed to the entire internet
VirtualMachine with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to a small network scope
VirtualMachine with service Oracle DB SSL (UDP:2484) is exposed to a small public network
VirtualMachine with service DNS (UDP:53) is exposed to a small network scope
VirtualMachine with service Puppet Master (TCP:8140) is exposed to a small network scope
VirtualMachine with service LDAP SSL (TCP:636) is exposed to the entire internet
VirtualMachine with service NetBios Session Service (TCP:139) is exposed to the entire internet
VirtualMachine with service Cassandra (TCP:7001) is exposed to the entire internet
VirtualMachine with service Oracle DB SSL (TCP:2484) is exposed to the entire internet
VirtualMachine with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to the public internet
VirtualMachine with service MSSQL Server (TCP:1433) is exposed to a small network scope
VirtualMachine with unencrypted Cassandra Thrift (TCP:9160) is exposed to a small network scope
VirtualMachine with unencrypted Mongo (TCP:27017) is exposed to a small network scope
VirtualMachine with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet
VirtualMachine with service Oracle DB SSL (TCP:2484) is exposed to a small public network scope
VirtualMachine with service Hadoop Name Node (TCP:9000) is exposed to a small public network
VirtualMachine with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
VirtualMachine with unencrypted Cassandra OpsCenter Website (TCP:8888) is exposed to the public internet
VirtualMachine with service Memcached SSL (TCP:11215) is exposed to the entire internet
VirtualMachine with service LDAP SSL (TCP:636) is exposed to a small public network scope
VirtualMachine with service DNS (UDP:53) is exposed to a small public network
VirtualMachine with service SNMP (UDP:161) is exposed to a small network scope
VirtualMachine with service LDAP SSL (TCP:636) is exposed to a small public network
VirtualMachine with service MSSQL Admin (TCP:1434) is exposed to a small public network
VirtualMachine with service Cassandra OpsCenter agent (TCP:61621) is exposed to a small public network
VirtualMachine with administrative service: SSH (TCP:22) is exposed to a wide network scope
VirtualMachine with unencrypted Redis (TCP:6379) is exposed to a large network scope
VirtualMachine with service Hadoop Name Node (TCP:9000) is exposed to a small network scope
VirtualMachine with service Oracle DB SSL (TCP:2484) is exposed to a small public network
VirtualMachine with unencrypted Cassandra OpsCenter Monitoring (TCP:61620) is exposed to the public internet
VirtualMachine with service NetBios Datagram Service (TCP:138) is exposed to a small network scope
VirtualMachine with service MSSQL Admin (TCP:1434) is exposed to a small public network scope
VirtualMachine with service MSSQL Browser Service (UDP:1434) is exposed to the entire internet
VirtualMachine with unencrypted Redis (TCP:6379) is exposed to a small network scope
VirtualMachine with service Microsoft-DS (TCP:445) is exposed to a small public network scope
VirtualMachine with service VNC Listener (TCP:5500) is exposed to a small public network scope
VirtualMachine with unencrypted LDAP (UDP:389) is exposed to a small network scope
VirtualMachine with service CIFS / SMB (TCP:3020) is exposed to a small public network
VirtualMachine with service NetBIOS Name Service (UDP:137) is exposed to a small public network
VirtualMachine with service NetBios Datagram Service (UDP:138) is exposed to the entire internet
VirtualMachine with service Known internal web port (TCP:8000) is exposed to the entire internet
VirtualMachine with unencrypted Oracle DB (TCP:2483) is exposed to a large network scope
VirtualMachine with service VNC Server (TCP:5900) is exposed to a small network scope
VirtualMachine with unencrypted Elastic search (TCP:9200) is exposed to a small network scope
VirtualMachine with unencrypted Cassandra Internode Communication (TCP:7000) is exposed to a large network scope
VirtualMachine with service SQL Server Analysis Service browser (TCP:2382) is exposed to a small network scope
VirtualMachine with unencrypted Elastic search (TCP:9200) is exposed to a large network scope
VirtualMachine with service Cassandra (TCP:7001) is exposed to a small public network scope
VirtualMachine with unencrypted Memcached (TCP:11211) is exposed to a large network scope
VirtualMachine with service NetBIOS Name Service (TCP:137) is exposed to a small public network
VirtualMachine with service Memcached SSL (TCP:11215) is exposed to a small public network
VirtualMachine with service POP3 (TCP:110) is exposed to a small public network
VirtualMachine with service CIFS / SMB (TCP:3020) is exposed to a small public network scope
VirtualMachine with service Oracle DB SSL (TCP:2484) is exposed to a small network scope
VirtualMachine with unencrypted Oracle DB (TCP:1521) is exposed to a small network scope
VirtualMachine with unencrypted Memcached (UDP:11211) is exposed to a small network scope
VirtualMachine with service NetBios Datagram Service (UDP:138) is exposed to a small public network scope
VirtualMachine with unencrypted Elastic search (TCP:9300) is exposed to the public internet
VirtualMachine with service Memcached SSL (TCP:11214) is exposed to a small network scope
VirtualMachine with service NetBios Datagram Service (TCP:138) is exposed to the entire internet
VirtualMachine with service MSSQL Browser Service (UDP:1434) is exposed to a small public network
VirtualMachine with service NetBios Session Service (UDP:139) is exposed to the entire internet
VirtualMachine with service Postgres SQL (TCP:5432) is exposed to a small network scope
VirtualMachine with service MySQL (TCP:3306) is exposed to a small network scope
VirtualMachine with service MSSQL Admin (TCP:1434) is exposed to a small network scope
VirtualMachine with unencrypted Cassandra Client (TCP:9042) is exposed to a large network scope
VirtualMachine with service NetBios Session Service (TCP:139) is exposed to a small public network
VirtualMachine with service Memcached SSL (TCP:11215) is exposed to a small network scope
VirtualMachine with service Memcached SSL (UDP:11214) is exposed to a small network scope
VirtualMachine with service NetBios Session Service (TCP:139) is exposed to a small network scope
Ensure that Azure Virtual Machine is assigned to an availability set
Ensure that 'OS and Data' disks are encrypted with CMK
Virtual machine administrative OMI/OMS service port (5986) is publicly accessible
Ensure that at least one Network Security Group is attached to all VMs and subnets that are public
Virtual machine administrative OMI/OMS service port (5985) is publicly accessible
Virtual machine administrative OMI/OMS service port (1270) is publicly accessible
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-UDP ports
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known TCP ports
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known DB-TCP ports
Ensure no Virtual Machine allow incoming traffic from 0.0.0.0/0 to Known UDP ports
Ensure Virtual Machines are utilizing Managed Disks
Ensure that the endpoint protection for all Virtual Machines is installed
Azure Key Vault
Key vault should have purge protection enabled
Ensure that the expiration date is set on all keys
Ensure Azure Keyvaults are used to store secrets
Ensure that the expiration date is set on all Secrets
Ensure that logging for Azure KeyVault is 'Enabled'
Ensure the Key Vault is Recoverable
Network security group
Ensure Flow-Logs are Enabled on NSG
Ensure that MSQL (TCP:4333) is restricted from the Internet
Ensure FTP deployments are disabled
Ensure that CIFS (UDP:445) is restricted from the Internet
Ensure that Windows RPC (TCP:135) is restricted from the Internet
Overly permissive NSG Inbound rule to all traffic on TCP protocol
Ensure that outbound traffic is restricted to only that which is necessary, and all other traffic denied
Ensure that PostgreSQL (TCP:5432) is restricted from the Internet
Ensure that VNC Server (TCP:5900) is restricted from the Internet
Overly permissive NSG Inbound rule to all traffic on UDP protocol
Ensure that SQL Server (TCP:1433) is restricted from the Internet
Ensure that FTP-Data (TCP:20) is restricted from the Internet
Ensure that NetBIOS (UDP:138) is restricted from the Internet
Ensure no security groups allow ingress from 0.0.0.0/0 to ICMP (Ping)
Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
Remove unused Network Security Groups
Ensure that Windows SMB (TCP:445) is restricted from the Internet
Ensure that DNS (TCP:53) is restricted from the Internet
Overly permissive NSG Inbound rule to all traffic on ANY protocol
Ensure that NetBIOS (UDP:137) is restricted from the Internet
Ensure that MySQL (TCP:3306) is restricted from the Internet
Ensure that SMTP (TCP:25) is restricted from the Internet
Ensure that DNS (UDP:53) is restricted from the Internet
Ensure that SSH access is restricted from the internet
Ensure that SQL Server (UDP:1434) is restricted from the Internet
Ensure that RDP access is restricted from the internet
Ensure that VNC Listener (TCP:5500) is restricted from the Internet
Ensure that Telnet (TCP:23) is restricted from the Internet
Ensure Flow-Logs are Enabled on NSG
Ensure Flow-Logs are Enabled on NSG
Azure SQL Database
Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled
Ensure that SQL Database Auditing Retention is greater than 90 days
Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled
Ensure that SQL Database Auditing is Enabled
Ensure that 'Data encryption' is set to 'On' on a SQL Database
Security Center - Policy
Ensure ASC Default policy setting 'Monitor Disk Encryption' is not 'Disabled'
Ensure ASC Default policy setting 'Monitor JIT Network Access' is not 'Disabled'
Ensure ASC Default policy setting 'Enable Next Generation Firewall(NGFW) Monitoring' is not 'Disabled'
Ensure ASC Default policy setting 'Web Application Firewall Monitoring Effect' is not 'Disabled'
Ensure ASC Default policy setting 'Monitor System Updates' is not 'Disabled'
Ensure ASC Default policy setting 'Monitor OS Vulnerabilities' is not 'Disabled'
Ensure ASC Default policy setting 'Monitor Adaptive Application Whitelisting' is not 'Disabled'
Ensure ASC Default policy setting 'Monitor Endpoint Protection' is not 'Disabled'
Ensure ASC Default policy setting 'System Configurations Monitoring Effect' is not 'Disabled'
Ensure ASC Default policy setting 'Storage Encryption Monitoring Effect' is not 'Disabled'
Ensure ASC Default policy setting 'Monitor Vulnerability Assessment' is not 'Disabled'
Ensure ASC Default policy setting 'SQL Encryption Monitoring Effect' is not 'Disabled'
Ensure ASC Default policy setting 'SQL Auditing Monitoring Effect' is not 'Disabled'
Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled'
Azure Alert Rule
Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Delete Network Security Group
Ensure that activity log alert exists for the Delete Network Security Group Rule
Ensure that Activity Log Alert exists for Delete Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Security Solution
Ensure that Activity Log Alert exists for Delete Security Solution
Ensure that Activity Log Alert exists for Create or Update Network Security Group
Ensure that Activity Log Alert exists for Create Policy Assignment
Spring Cloud
Ensure that Spring Cloud App has end-to-end TLS enabled
Ensure that Spring Cloud App enforces HTTPS connections
Ensure that Spring Cloud App has system-assigned managed identity enabled
Azure Network Watcher
Ensure that Network Watcher is 'Enabled'
Network Security Group flow logs
Ensure Flow-Logs are Enabled on NSG
Ensure Flow-Logs Retention Policy is greater than 90 days
Azure Redis Cache
Redis cache should have a backup
Ensure that Redis is updated regularly with security and operational updates. Note this feature is only available to Premium tier Redis Caches.
Ensure there are no firewall rules allowing unrestricted access to Redis from other Azure sources
Redis attached subnet Network Security Group should allow ingress traffic only to ports 6379 or 6380
Ensure that the Redis Cache accepts only SSL connections
Ensure there are no firewall rules allowing unrestricted access to Redis from the Internet
Redis attached subnet Network Security Group should allow egress traffic only to ports 6379 or 6380
Ensure there are no firewall rules allowing Redis Cache access for a large number of source IPs
Container Registry
Ensure to not use the deprecated Classic registry
Ensure that admin user is disabled for Container Registry
Ensure Container Registry has locks
Ensure to not use the deprecated Classic registry
Azure functions
Ensure that Health Check is enabled for your Function App
Ensure remote debugging has been disabled for your production Azure Functions
Ensure function app is using the latest version of TLS encryption
Managed identity should be used in your Function App
Function App should only be accessible over HTTPS
Ensure the Function app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure that Application Service Logs are Enabled for Containerized Function Apps
Enable Function App Service Authentication
Ensure FTP deployments are Disabled for FunctionApp
Azure Database for PostgreSQL
Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server
Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Ensure that Geo Redundant Backups is enabled on PostgreSQL
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
Azure Storage Account
Ensure that Storage account supports customer-managed keys encryption for Files
Ensure that Storage account supports customer-managed keys encryption for Blobs
Storage Accounts outside Europe
Ensure that 'Secure transfer required' is set to 'Enabled'
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
Ensure storage for critical data are encrypted with Customer Managed Key
Ensure default network access rule for Storage Accounts is set to deny
Storage Accounts outside Brazil
Ensure that 'Secure transfer required' is set to 'Enabled' for Storage Accounts
Ensure the blob is recoverable - enable 'Soft Delete' setting for blobs
Ensure Storage logging is enabled for Queue service for read, write, and delete requests
Ensure default network access rule for Storage Accounts is set to deny
Ensure Soft Delete is Enabled for Azure Storage
Ensure the 'Minimum TLS version' is set to 'Version 1.2'
Ensure that 'Public access level' is set to Private for blob containers
Ensure That Storage Account Access Keys are Periodically Regenerated
Ensure the storage container storing the activity logs is not publicly accessible
Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Ensure Storage logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' requests
Ensure Minimum TLS Encryption Version For Storage Account
Ensure that Containers and its blobs are not exposed publicly
Azure Application Gateway
Ensure Application Gateway is using the latest version of TLS encryption
Ensure Azure Application Gateway Web application firewall (WAF) is enabled
Ensure Application Gateway is using Https protocol
Virtual Network
Ensure that Virtual Networks Subnets have Security Groups
Ensure that Azure Virtual Network subnet is configured with a Network Security Group
Ensure that Azure Virtual network peering is connected
Log Profile
Ensure that a Log Profile exists
Ensure that Activity Log Retention is set 365 days or greater
Ensure the log profile captures activity logs for all regions including global
Ensure audit profile captures all the activities
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
Azure AKS
Ensure that you are using authorized IP address ranges in order to secure access to the API server
Ensure that your Cluster Pool contains at least 3 Nodes
Ensure that a network policy is in place to secure traffic between pods
Ensure that Azure CNI Networking is enabled
Ensure that the pod security policy is enabled in your AKS cluster
Enable role-based access control (RBAC) within Azure Kubernetes Services
Ensure Azure Kubernetes Service (AKS) Cluster Dashboard Is Disabled
Ensure Azure Monitoring Enabled For Azure Kubernetes Service (AKS) Cluster
Web Apps service
Ensure remote debugging has been disabled for your production Web App
Ensure that Register with Azure Active Directory is enabled on App Service
Ensure Web App is using the latest version of TLS encryption
Enable App Service Authentication on Azure App Service
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
Ensure that 'HTTP Version' is the latest, if used to run the web app
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure That 'PHP version' is the Latest, If Used to Run the Windows Web App
Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Linux Web App
Ensure that 'Java version' is the latest, if used to run the Windows Web App
Ensure that 'Java version' is the latest, if used to run the Linux Web App
Ensure That 'PHP version' is the Latest, If Used to Run the Linux Web App
Ensure FTP deployments are Disabled for webapp
Azure Cosmos DB
Ensure Cosmos DB account is using Private Endpoints
Ensure Cosmos DB account access is not allowed from all networks
Ensure Cosmos DB account is encrypted with customer-managed keys
Ensure Cosmos DB account public network access is disabled
Ensure to filter source Ips for Cosmos DB Account
Azure Monitor Logs
Ensure that Azure Monitor Logs is configured to export Activity Logs
Ensure Diagnostic Setting captures appropriate categories
Azure Resource Group
Ensure that Azure Resource Group has resource lock enabled
Azure Disk Storage
Ensure that 'Unattached disks' are encrypted with CMK
Azure Virtual Network Gateway
Ensure Virtual Network Gateway is configured with Cryptographic Algorithm
Azure Analysis Services
Ensure that firewall rules are enabled and configured for Analysis services server
Azure role-based access control
Ensure to audit role assignments that have implicit managed identity permissions
Ensure to audit role assignments that have implicit 'Owner' permissions
Ensure to audit role assignments that have implicit role management permissions
Azure Role Definition
Ensure custom role definition doesn't have excessive permissions (Wildcard)
Azure Active Directory
Ensure that Azure Active Directory Admin is configured for SQL Server
Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account
My SQL DB Flexible Server
Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Flexible Server
Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
My SQL DB Single Server
Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Single Server
Auto Provisioning Settings
Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
Security Contact
Ensure 'Additional email addresses' is Configured with a Security Contact Email
Ensure That 'Notify about alerts with the following severity' is Set to 'High'
Ensure That 'All users with the following roles' is set to 'Owner'
Defender Plans
Ensure that Microsoft Defender for Servers is set to 'On'
Ensure that Microsoft Defender for App Service is set to 'On'
Ensure that Microsoft Defender for Azure SQL Databases is set to 'On'
Ensure that Microsoft Defender for SQL servers on machines is set to 'On'
Ensure that Microsoft Defender for Storage is set to 'On'
Ensure that Microsoft Defender for Container Registries is set to 'On'
Ensure that Microsoft Defender for Key Vault is set to 'On'
PostgreSQL Flexible Server
Ensure 'Allow access to Azure services' for PostgreSQL Flexible Server is disabled
Defender Integrations
Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected
Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is selected
cft policies
AWS ElasticLoadBalancing LoadBalancer
Ensure that access logging is enabled for the classic ELB
Ensure that ELB has a health check setup
Ensure that ELB Listener protocol is HTTPS or SSL
Ensure that a classic Load balancer is not internet facing
CloudTrail
Ensure that CloudTrail is integrated with CloudWatch
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail logging is enabled
Amazon EC2 Instance
Ensure that EC2 is EBS optimized
Amazon EC2 instance must have an associated tag
Ensure that detailed monitoring for EC2 instances is enabled
Ensure that the root block device has encryption enabled
Ensure that EC2 instance does not have public IP enabled
Ensure that address source/destination check is enabled on the instance
Ensure AWS EC2 Instances use IAM Roles to control access
Ensure that EC2 API termination protection is enabled
AWS ApiGatewayV2 Stage
Ensure API Gateway V2 has Access Logging enabled
Amazon NACL
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
IAM Role
Ensure that there is no wildcard action in an inline IAM role policy
Ensure that IAM Role cannot be assumed by anyone
Ensure that there is no wildcard resource in an inline IAM role policy
Ensure that an inline IAM role policy does not allow full administrative rights
Amazon Elastic Block Storage (EBS)
Ensure that EBS volume has encryption enabled
AWS Security Group
Ensure no security group ingress allows traffic from 0.0.0.0/0 to MongoDB (TCP:27017)
Ensure no security group ingress allows traffic from 0.0.0.0/0 to MongoDB (TCP:27018)
Ensure that every security group ingress object has a description
Ensure no security group ingress allows traffic from 0.0.0.0/0 to Kibana (TCP:5601)
Ensure no security group ingress allows traffic from 0.0.0.0/0 to etcd (TCP:2379)
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389)
Ensure no security group ingress allows traffic from 0.0.0.0/0 to ElasticSearch (TCP:9300)
Ensure no security group ingress allows traffic from 0.0.0.0/0 to Redis (TCP:6379)
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)
AWS AutoScaling LaunchConfiguration
Ensure all data stored in the Launch configuration EBS is securely encrypted
Simple Storage Service (S3)
Ensure that the S3 bucket has object lock enabled
Ensure that the S3 bucket is not publicly writable
Ensure that the S3 bucket is not publicly readable
S3 bucket should not allow restoring object actions from all principals
Ensure all S3 buckets employ encryption-at-rest
S3 bucket should not allow delete actions from all principals
S3 bucket should not allow list actions from all principals
Ensure that the S3 bucket has lifecycle configuration enabled
S3 bucket should not allow 'get' actions from all principals
S3 bucket should not allow put actions from all principals
Ensure that S3 server access logging is enabled
S3 bucket should not allow all actions from all principals
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure that S3 bucket has versioning enabled
AWS EC2 SecurityGroup
Ensure no security groups allow ingress from 0.0.0.0/0 to ElasticSearch (TCP:9300)
Ensure that every security group ingress rule has a description
Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP:6379)
Ensure no security groups allow ingress from 0.0.0.0/0 to etcd (TCP:2379)
Ensure that every security group egress rule has a description
Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27017)
Ensure every security groups rule has a description
Ensure no security groups allow ingress from 0.0.0.0/0 to Kibana (TCP:5601)
Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP:27018)
AWS DAX Cluster
Ensure DAX is encrypted at rest (default is unencrypted)
IAM User
Ensure that there is no wildcard resource in an inline IAM user policy
Ensure that password reset is required in IAM login profile
Ensure that there is no wildcard action in an inline IAM user policy
Ensure that an inline IAM user policy does not allow full administrative rights
Ensure that IAM user does not have directly embedded policy
AWS IAM Policy
Ensure that there is no wildcard action in an IAM policy
Ensure that the IAM Policy does not grant full administrative rights
Ensure that IAM policy is not directly attached to a user
IAM Group
Ensure that there is no wildcard resources in an inline IAM group policy
Ensure that an inline IAM group policy does not allow full administrative rights
Ensure that there is no wildcard action in an inline IAM group policy
AWS Managed Policy
Ensure that customer managed IAM policy does not grant full administrative rights
Ensure that there is no wildcard action in a customer managed IAM policy
Ensure that a customer managed IAM policy is not directly attached to a user
Amazon EC2 Instance
Ensure that EC2Fleet of type maintain has ReplaceUnhealthyInstances set to true
AWS DocDB DBCluster
Ensure DocDB has audit logs enabled
Ensure DocDB Logging is enabled
Ensure DocDB is encrypted at rest
AWS ApiGateway Stage
Ensure API Gateway caching is enabled
Ensure API Gateway has X-Ray Tracing enabled
Ensure API Gateway has Access Logging enabled
AWS Key Management Service (KMS)
Ensure that an inline KMS key policy does not allow full administrative rights
Ensure that there is no wildcard action in an inline KMS key policy
Ensure that KMS key policy does not allow access to everyone
Ensure that there is no wildcard principal in an inline KMS key policy
Ensure that KMS key has key rotation enabled
Ensure that the KMS key have key rotation enabled
Amazon RDS
Ensure enhanced monitoring for Amazon RDS instances is enabled
Ensure that RDS IAM authentication is enabled
Ensure RDS instances have backup policy
Ensure RDS instances have Multi-AZ enabled
Ensure AWS RDS database instance is not publicly accessible
Ensure that encryption is enabled for RDS Instances
Elastic Load Balancing (ELB)
Ensure that ELB V2 Listener protocol is not HTTP or TCP
Ensure ELB enforces recommended SSL/TLS protocol version
AWS Key Management Service (KMS)
Ensure that there is no wildcard action in an inline KMS replica key policy
Ensure that there is no wildcard principal in an inline KMS replica key policy
Ensure that an inline KMS replica key policy does not allow full administrative rights
Ensure A Pod Runs Without Privileged Containers
Amazon ElasticSearch service
Ensure that encryption of data at rest is enabled on Elasticsearch domains
Ensure that there is no Wildcard principal in ElasticSearch access policy
Ensure Elasticsearch Domain enforces HTTPS
Ensure that there is no wildcard action in ElasticSearch access policy
Ensure Elasticsearch Domain Logging is enabled
Ensure that node-to-node encryption is enabled for Elasticsearch service
Amazon RDS DBCluster
Ensure RDS cluster has IAM authentication enabled
Ensure that RDS DB cluster has encryption enabled
Amazon API Gateway
Ensure that all authorization Type in API Gateway is not set to None
Ensure that an API Key is required on a Method Request
Ensure API gateway methods are not publicly accessible
AWS ElasticLoadBalancingV2 LoadBalancer
Ensure that access logging is enabled for the ELB v2
Ensure that a Load balancer is not internet facing
Ensure that ELB v2 drops invalid headers
Amazon RDS GlobalCluster
Ensure that RDS global cluster has encryption enabled
AWS CloudFront Distribution
CloudFront Distribution should have WAF enabled
Ensure Cloudfront distribution has Access Logging enabled
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS
AWS Lambda
Ensure AWS Lambda functions have tracing enabled
Ensure that AWS Lambda function is configured for function-level concurrent execution limit
Ensure that AWS Lambda function is configured for a Dead Letter Queue
Lambda Functions must have an associated tag
AWS Lambda
Ensure that there is no wildcard action in Lambda permission
Ensure that there is no wildcard principal in Lambda permission
Amazon Elastic File System (EFS)
Ensure that your Amazon EFS file systems are encrypted
AWS Lambda
Ensure that AWS lambda layer version permissions does not have a wildcard principal
AWS DocDB DBClusterParameterGroup
Ensure DocDB TLS is not disabled
Amazon DynamoDB
Ensure that AWS DynamoDB is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's
AWS EC2 SecurityGroupEgress
Ensure that every security group egress object has a description
VPC Subnet
Ensure AWS VPC subnets have automatic public IP assignment disabled
AWS ElasticLoadBalancingV2 TargetGroup
Ensure that ELB target group has a health check enabled
DB Security Group
Ensure that AWS DB Security Group does not allow public access
Amazon Kinesis
Ensure AWS Kinesis streams are encrypted with KMS customer master keys
AWS Backup BackupVault
Ensure Backup Vault is encrypted at rest using KMS CMK
AWS Identity and Access Management (IAM)
Ensure That Access Key Rotation Is Less Than 90 Days
Docker policies
docker
Ensure Using 'ADD' instead of 'COPY' for copying files from filesystem
Ensure Local cache path not used in apk add
Ensure delete installations lists after installation by 'apt'
Ensure Pin version in 'apt-get' install
Ensure no manual input in 'apt install'
Ensure disabling recommended package in apt-get (--no-install-recommends)
Ensure minimal execution of 'chown'
Ensure no manual input in 'yum install'
Ensure 'yum install' has pinned version
Ensure zypper install has pinned version
Ensure not to use in RUN both 'curl' and 'wget'
Ensure not to use the same alias in multiple 'FROM'
Ensure 'RUN' shell command has pipefail flag
Enure not to expose UNIX ports out of range
Ensure 'apk' add has pinned version for package
Ensure pip install has pinned version for package
Ensure no specific platform in FROM command
Ensure no relative workdir path
Ensure to run yum clean command
Ensure not using the current FROM alias as COPY '--from' value
Ensure remove any unused 'FROM' aliases (not used by 'COPY --from')
Ensure in COPY of multiple source the destination always end with '/'
Ensure not expose SSH Port 22
Ensure hardcoded version in gem install
Ensure to hardcoded image version in dockerfile
Ensure not use 'root' in the last 'USER' call in dockerfile
Ensure 'dnf clean' after 'dnf install' for image storage space saving
Ensure no manual input in 'dnf' install
Ensure use 'USER' before 'RUN' your application
Ensure 'HEALTHCHECK' is set
Ensure to pin version specification in 'dnf install'
Ensure use 'Zypper clean' after 'Zypper install'
Ensure no manual input in 'Zypper install'
Ensure 'ENTRYPOINT' and 'CMD' arguments using a valid JSON values
Ensure Pin version in 'npm' install
Ensure use '--no-cache-dir' in pip install
Ensure Using 'WORKDIR' rather than 'RUN cd' command
Ensure not use sudo by 'RUN'
Ensure not more then one 'ENTRYPOINT' in dockerfile
alicloud policies
alicloud
Ensure Alibaba Cloud Action Trail logging across all regions
Ensure Alibaba Cloud OSS Bucket is Not Accessible To Public
Ensure Application Load Balancer (ALB) Listener Should Listen On HTTPS
Ensure Alibaba Cloud API Gateway API Protocol Set To 'HTTPS'
Ensure Alicloud KMS Possess Usable Customer Master Keys (CMK)
Ensure CS Kubernetes Node Pool Management Auto Repair is enabled
Ensure Database Instance is Not Publicly Accessible
Ensure Disk Encryption is Encrypted
Ensure ECS Data Disk KMD Key Id is Defined. The ID of the Key Management Service (KMS) key used by the disk.
Ensure KMS Key Has Low Rotation Period
Ensure Kubernetes Cluster is with Terway as CNI Network Plugin
Ensure Launch Template is Encrypted
Ensure Log Retention is High Than 90 Days
Ensure NAS File System is Encrypted
Ensure NAS File System is with KMS
Ensure ROS Stack Policy
Ensure OSS Bucket Encryption Using CMK is enabled
Ensure OSS Bucket Does Not Have Static Website
Ensure OSS Bucket Lifecycle Rule is enabled
Ensure OSS Bucket Logging is enabled
Ensure OSS Bucket Public Access is Disabled
Ensure OSS Bucket Transfer Acceleration is enabled
Ensure OSS Bucket Versioning is enabled
Ensure Public Security Group Rule is Not Set To All Ports or Protocols
Ensure Public Security Group Rule is Not Use Sensitive Port
Ensure Ram Account Password Policy Max Login Attempts is Low
Ensure Ram Account Password Policy Max Password Age is Recommended
Ensure Ram Account Password Policy is Required Minimum Length
Ensure Ram Account Password Policy is Required Numbers
Ensure RAM Account Password Policy is Required Symbols
Ensure RAM Account Password Policy is with Reuse Prevention
Ensure Ram Account Password Policy is Require At Least one Lowercase Character
Ensure RAM Account Password Policy is Require at Least one Uppercase Character
Ensure Ram Policy is Not Attached to a User
Ensure ROS Stack Notifications is enabled
Ensure ROS Stack Retention is Ensabled
Ensure ROS Stack is with Template
Ensure SLB Policy with Secure TLS Version In Use
Ensure Public Security Group Rule is Known Port
Ensure VPC Flow Logs Enabled
Ensure RDS Instance Log Connections is enabled
Ensure RDS Instance Log Disconnections is enabled
Ensure RDS Instance Log Duration is enabled
Ensure RDS Instance Publicly is Not Accessible
Ensure RDS Instance Retention Period is Recommended
Ensure RDS Instance SSL Action is enabled
Ensure RDS Instance TDE Status is enabled
Ensure RDS Instance Events is Logged
Ensure OSS Bucket is Not Allow All Actions From All Principals
Ensure OSS Bucket is Not Allow Delete Action From All Principal
Ensure OSS Bucket is Not Allow Delete Action From All Principals
Ensure OSS Bucket is Not Allow Put Action From All Principals
Ensure OSS Bucket Ip Restriction Enabled
Ensure OSS Buckets Secure Transport Enabled
Ensure RAM Security Preference is Enforce MFA Login
SCM Policies
Gitlab Settings API
Ensure to reset approvals on push
Ensure disabling self approving merge requests by the author
Ensure to prevent approvals by users who add commits
Ensure requiring user password to approve
Ensure use 'HTTPS' in all hooks
Ensure Enable SSL verification is enabled
Ensure require of minimum approvals before merge
Ensure require all discussions will be resolved before marge
Ensure the 'allow force push' setting is disabled.
Gitlab Pipelines
Ensure not to use the 'latest' tag for any GitLab pipelines images
Ensure to review suspicious use of 'curl' / 'wget' with CI environment CI_JOB_TOKEN or CI_REGISTRY_PASSWORD variable
Ensure to review suspicious use of 'netcat' in GitLab pipeline script
Ensure not directly use 'kubectl apply' in scripts
GitHub Settings API
Ensure packages' organization has no public visibility
Ensure no branch has 'force push' enabled
Ensure Vulnerability alerts are enabled
Ensure open Git branches are up to date before you can merge them into the code base
Ensure branch deletions are disabled
Ensure two administrators are set for each repository
Ensure inactive repositories are reviewed and archived periodically
Ensure webhooks of the package registry are secured
Verify that the organization has an SSH Certificate Authority server
Ensure an organization's identity is confirmed with a "Verified" badge
Ensure repository creation is limited to specific members
Ensure the organization requires members to use Multi-Factor Authentication (MFA)
Ensure inactive branches are periodically reviewed and removed
Ensure strict base permissions are set for repositories
Ensure inactive users are reviewed and removed periodically
Ensure the branch has Branch Protection
Ensure the maximum number of admins per repo is not exceeded
Ensure the maximum number of deploy keys per repo is not exceeded
Ensure the maximum number of webhooks per repo is not exceeded
Ensure branch has branch protection
Ensure the branch require code owner reviews
Ensure the branch require minimum code owner reviews
Ensure verification of signed commits for new changes before merging
Ensure the maximum number of users allowed to dismiss review is not exceeded
