Rule knowledge base
Azure AD tenant should have authorization policy that limits the permission to invite guest users
ACM should not have a certificate with a wildcard domain
Azure AD tenant should have authorization policy that enforces strict guest permission restrictions
ACM should not have certificates that are expired or expiring in the next 30 days
Active Directory tenant should have an authorization policy that prevents users from creating new tenants
ACM Certificate Transparency logging should be enabled
Active Directory tenant should have an authorization policy that prevents users from registering apps
Active Directory tenant should have an authorization policy that prevents users from creating security groups
Azure AD Conditional Access policy should include an exclusionary geographic access policy
Azure AD tenant should have Conditional Access policy requiring MFA for all risky sign-ins
Azure AD Conditional Access policy should list Trusted Locations
Azure AD tenant should have security defaults enabled
Azure AD tenant should have Conditional Access policy requiring MFA
(PREVIEW) Unusual read data access on one or more DynamoDB Tables
Azure Active Directory user should have MFA enabled
(PREVIEW) Unusual administrative access on one or more DynamoDB Tables
(PREVIEW) Unusual write data access on one or more DynamoDB Tables
(PREVIEW) Unusual administrative access on one or more ECR Resources
(PREVIEW) Unusual administrative access on one or more IAM Resources
(PREVIEW) Suspicious delete data access detected on one or more DynamoDB Tables
(PREVIEW) Unusual administrative access on one or more EKS Resources
(PREVIEW) Unusual administrative access on one or more ECS Resources
(PREVIEW) Suspicious delete data access detected on one or more S3 Buckets
(PREVIEW) Unusual Unique IP addresses used for failed logins
(PREVIEW) Unusual Unique IP addresses used for successful logins
(PREVIEW) IAM identity used a source IP address for the first time
EC2 instance SSH key should not be shared between instances with different access permissions
(PREVIEW) Unusual administrative access on one or more RDS Resources
(PREVIEW) Unusual reconnaissance attempt on one or more RDS Clusters or Instances
(PREVIEW) Suspicious administrative access detected on one or more EC2 resources
(PREVIEW) Unusual attempt of reconnaissance on one or more S3 Buckets
(PREVIEW) Unusual read data access on one or more S3 Buckets
(PREVIEW) Unusual administrative access on one or more S3 Buckets
API Gateway REST API cache data should be encrypted at rest
API Gateway REST API execution logging should be enabled
API Gateway REST API stages should be configured to use SSL certificates
API Gateway REST API stages should have AWS X-Ray tracing enabled
API Gateway REST API Stages should be protected with WAF
API Gateway REST API should be private
(PREVIEW) Unusual write data access on one or more S3 Buckets
API Gateway HTTP and WebSocket API stage access logging should be enabled
API Gateway WebSocket API stage execution logging should be enabled
Auto Scaling group availability zone should match Elastic Load Balancer availability zone
Auto Scaling group should be configured with health checks
API Gateway REST API stage access logging should be enabled
Athena Workgroup should have publish CloudWatch metrics enabled
Athena query results should be encrypted
Auto Scaling group should be configured with multiple availability zones
Auto Scaling launch configuration should have an associated IAM role
Auto Scaling launch configuration should be configured to use IMDSv2
Auto Scaling launch configuration should restrict public access
Auto Scaling launch configuration should not be associated with an admin IAM role
Auto Scaling launch configuration should not be hosted on a public Amazon Machine Image
CloudFront distribution should use SNI to serve HTTPS requests
Auto Scaling launch configuration should not use public snapshots
CloudWatch log group retention period should be greater than 30 days
Auto Scaling launch configuration should be configured with encrypted EBS volume
Cognito user pool client should have direct user/password authentication flows disabled
Cognito user pool client should not indicate if user is registered
Cognito user pool should have multi-factor authentication enabled
CloudFront distribution should not have default SSL/TLS certificate enabled
Cognito user pool should have advanced security enabled
DocumentDB cluster should not have deletion protection disabled
DocumentDB cluster should have log exports to CloudWatch enabled
AWS Config should be enabled in all regions
DocumentDB cluster backup retention period should be greater than or equal to 30 days
DocumentDB cluster should be encrypted using customer managed key
DocumentDB event notifications subscription should be configured for critical database instance events
DocumentDB cluster should have encryption enabled
Athena query results should be stored in an S3 bucket which has restricted access
DocumentDB event notifications subscription should be configured for critical cluster events
DocumentDB event notifications subscription should be configured for critical database security group events
DocumentDB event notifications subscription should be configured for critical database parameter group events
EC2 instance should have EBS volume optimization enabled
EBS volume should be attached to EC2 instance
DocumentDB cluster should not use a database engine default port
EC2 security group should restrict public access over IPv4 to RPC port (135)
EC2 security group should restrict public access over IPv6 to POP3 port (110)
EC2 security group should restrict public access over IPv6 to RPC port (135)
DocumentDB snapshot should have encryption enabled
EC2 security group should restrict public access over IPv4 to POP3 port (110)
EC2 security group should restrict public access over IPv4 to IMAP port (143)
EC2 security group should restrict public access over IPv6 to MSSQL port (1434)
EC2 security group should restrict public access over IPv4 to Go, Node.js, and Ruby web development frameworks port (3000)
EC2 security group should restrict public access over IPv6 to IMAP port (143)
EC2 security group should restrict public access over IPv4 to MSSQL port (1434)
EC2 security group should restrict public access over IPv6 to Go, Node.js, and Ruby web development frameworks port (3000)
EC2 security group should restrict public access over IPv6 to FCP port (5500)
EC2 security group should restrict public access over IPv6 to Python web development frameworks port (5000)
EC2 security group should restrict public access over IPv4 to FCP port (5500)
EC2 security group should restrict public access over IPv6 to legacy HTTP port (8088)
EC2 security group should restrict public access over IPv4 to Python web development frameworks port (5000)
EC2 security group should restrict public access over IPv6 to alternative HTTP port (8888)
EC2 instances should use a single elastic network interface
EC2 security group should restrict public access over IPv4 to alternative HTTP port (8888)
EC2 Client VPN endpoint connection logging should be enabled
Unused network access control lists should be removed
EC2 VPC endpoint service should require manual approval for connection requests
EC2 security group should restrict public access over IPv4 to legacy HTTP port (8088)
EC2 instance should be managed by SSM agent
EC2 subnets should not automatically assign public IP addresses
EC2 VPC endpoint service should restrict public access
EC2 VPN connection category should be VPN
EC2 VPC Peering Connection should not allow unrestricted access
EC2 VPC Peering should not have cross account connection
ECR Public repository policy should restrict push access to required users
EC2 VPC endpoint should not have unrestricted access
ECS Cluster should have container insights enabled
ECR Public repository policy should restrict access to required users
ECS Cluster execute command logging encryption should be enabled
ECS Service should use a container image hosted on Amazon ECR
ECS Service tasks should not have access to EC2 instance metadata
ECS Services should not have public IP addresses assigned to them
ECS Service should expose only secure protocols on port 443
EFS file system should be encrypted
ECS container in task definition should be limited to read-only access for root filesystems
Restrict EFS traffic to specific IP addresses or provision EFS in private subnet
EFS file system should be encrypted with a customer master key
EKS Node Group IAM role should not have full S3 privileges
EC2 Elastic IP address should be attached
EKS Node Group IAM role should not have Administrator-level access
Elastic Beanstalk environment with Classic Load Balancer should have connection draining enabled
Elastic Beanstalk environment with Classic Load Balancer should have cross-zone load balancing enabled
EKS Cluster secret should be encrypted with a customer master key
ElastiCache automatic backup should be enabled
Elastic Beanstalk environment with Classic Load Balancer should use a secure listening protocol
Elastic Beanstalk environment EC2 instance should enforce IMDSv2
Elastic Beanstalk environment with Elastic Load Balancer should have access logging enabled
Elastic Beanstalk environment with Elastic Load Balancer should use HTTPS listener protocol
Elastic Beanstalk environment should have enhanced health reporting enabled
OpenSearch audit logging should be enabled
Elastic Beanstalk environment with Elastic Load Balancer should be configured with a secure SSL policy
OpenSearch application should have at least three data nodes
OpenSearch domain should be configured with at least three dedicated master nodes
Elastic Load Balancer should not have invalid HTTP headers
OpenSearch domain should be encrypted with TLS-1.2
ELBv2 application load balancer exposed to internet traffic should be attached to WAF
EMR cluster should be launched in a virtual private cloud on the EC2-VPC platform
EMR cluster data should be encrypted at rest
EMR cluster should have EC2 instance metadata service v2 enabled
EMR block public access should be enabled
EMR cluster should have termination protection enabled
EMR cluster should have logging enabled
FSx file system should have automatic backups enabled
FSx for Lustre file system should have logging enabled
FSx for Windows File Server file system should have audit logging enabled
FSx file system should be encrypted with a customer managed key
EMR cluster data should be encrypted in transit
Glue jobs should have job bookmarks enabled
Glue policy should not have unrestricted access
IAM role used by VMware Aria should not have extraneous permissions or limitations in the attached IAM policies
IAM role used by VMware Aria should not have extraneous policy statements in the associated trust policy
IAM user, group, or role should not have access to add users to groups
Glue Data Catalog settings should have metadata encryption and connection passwords enabled
Glue security configuration should have S3 and CloudWatch logs encryption enabled
IAM user, group, or role should not have access to create and configure Lambda functions with IAM roles for cross-account access
IAM user, group, or role should not have access to create an EC2 instance and pass any IAM role
IAM user, group, or role should not have access to edit inline user, group or role policies
IAM user, group, or role should not have access to create Lambda functions with IAM roles and configure the functions as DynamoDB triggers
IAM user or role should not have permission to delete their own permissions boundary
IAM managed policy should not use the NotAction field to grant access
IAM user or role should not have an administrative policy as permissions boundary
IAM user, group, or role should not have permission to pass all roles
IAM customer managed policies should not allow wildcard actions for services
IAM user, group, or role should not have permission to assume all roles
IAM role should not have ReadOnlyAccess access for external AWS accounts
Firehose delivery stream should have destination error logs enabled
Firehose delivery stream destination should use an encrypted S3 bucket
Firehose delivery stream should have server side encryption enabled
KMS key should not be scheduled for deletion
Account should be a member of an Organization
Organization should have all features enabled
Organization service control policy should restrict access to all services when attached to other resources
Aurora MySQL clusters should not have backtracking disabled
RDS DB cluster should be configured to copy tags to snapshot
RDS database cluster should use a custom administrator username
Firehose delivery stream should have IAM roles with restricted permissions
Firehose delivery stream destination associated with S3 bucket should have restricted access
RDS DB cluster should be configured for multiple Availability Zones
RDS DB cluster should not have deletion protection disabled
RDS DB instance should be configured to copy tags to snapshot
RDS DB cluster should not have password authentication enabled
RDS DB instance should not have deletion protection disabled
RDS database instance should use a custom administrator username
RDS DB instance should not have Multi-AZ support disabled
RDS DB instance should not have password authentication enabled
RDS DB instance should not use a database engine default port
RDS DB instance should be deployed in VPC
RDS event notifications subscription should be configured for critical cluster events
RDS event notifications subscription should be configured for critical database instance events
RDS event notifications subscription should be configured for critical database parameter group events
RDS DB cluster should not use a database engine default port
RDS event notifications subscription should be configured for critical database security group events
Redshift cluster should not use the default admin username
S3 bucket should have event notifications enabled
Redshift cluster should have enhanced VPC routing enabled
S3 bucket should have versioning and MFA delete enabled
RDS DB instance should have CloudWatch enabled
SageMaker Model should have network isolation enabled
S3 bucket should have object lock enabled
SageMaker Notebook instance should have direct internet access disabled
S3 bucket should have block public access enabled
SageMaker Model should be hosted on a VPC
SageMaker Endpoint should be encrypted
SageMaker Notebook instance should be encrypted
EC2 instance backdoor activity detected
EC2 instance compromise detected
EC2 instance malicious domain/IP requests detected
EC2 instance trojan activity detected
EC2 instance recon activity detected
SageMaker Notebook instance should be encrypted with a customer master key
EC2 instance unauthorized access activity detected
IAM identity compromise detected
EKS cluster compromise detected
S3 bucket compromise detected
WAFv2 web ACL should have logging enabled
WorkSpaces workspace should have volume encryption enabled
WAFv2 web ACL should have rules defined
WorkSpaces directory should have IAM roles with restricted permissions
Active Directory group should not have administrator access
Active Directory service principal should not have administrator access
AKS cluster should be private
WAFv2 web ACL should have AWS Managed Core rule set
Active Directory user should not have administrator access
Active Directory application should not have administrator access
AKS cluster should restrict access to specific sources
AKS container monitoring should be enabled
AKS cluster should have network policy enabled
AKS cluster should have private node
WAFv2 web ACL should be associated with a resource
AKS cluster should have pod security policies defined
AKS cluster should use disk encryption with a customer-managed key
AKS cluster should have Azure role-based access control enabled for Kubernetes Authorization
Application Gateway should have diagnostic settings enabled
AKS cluster should have role-based access control enabled
AKS should have diagnostic settings configured
Application Gateway listener should require HTTPS for public endpoint
Application Gateway should be configured with predefined TLS policy
App Service should be configured to accept incoming client certificates
Application Gateway should be configured with a WAF
App Service should restrict cross-origin resource sharing to specific domains
App Service should enforce HTTPS-only traffic
App Service should be configured with a virtual network
App Service remote debugging should be turned off
App Service monitoring should be enabled
App Service should use the latest HTTP version
Custom role should be created to have full resource lock permissions
App Service should use the latest TLS version
App Service should be registered with Azure Active Directory
Resource associated with a Managed Identity should not have role assignments at a resource group level scope
Principal should not have privileges to login as administrator to any VM at the subscription level
Principal should not have VM command execution privileges at the subscription level
Subscription should not have associated custom owner role
Principal should not have VM login privileges at the subscription level
Resource associated with a Managed Identity should not have role assignments at the subscription level
Principal should not have ability to self-assign the Owner role at the subscription level
Automation account should be configured with managed identity
Automation runbook logging should be enabled
Automation account should be configured with diagnostic settings
CDN endpoint should require HTTPS connections
CDN endpoint should be configured with diagnostic settings
CDN profile should be configured with diagnostic settings
Container Instance container group should be encrypted with a CMK
Compute unattached disk should be encrypted with a customer-managed key
Container Instance container group should be enabled with Azure Monitor logs
Container Instance container group should be restricted from public access
Container Registry should be encrypted with customer-managed key
Container Instance container group image repository should be restricted from public access
Container Registry should be configured with private endpoints
CDN endpoint should be configured with WAF
Container Registry should have SKUs that support Private Links
Container Registry should be configured with diagnostic settings
Container Registry should have restricted access
CosmosDB Database account should be encrypted with customer-managed key
CosmosDB Database account should restrict public access
CosmosDB Database account should have diagnostic settings configured
Event Hub should restrict public access
CosmosDB Database account should not permit access from all sources
Event Hub namespace should not have a shared access policy other than RootManageSharedAccessKey defined
Event Hub encryption at rest should be configured with customer-managed key
Event Hub should be configured with diagnostic settings
Front Door custom domain should be configured with HTTPS protocol
Front Door custom domain should be configured with latest TLS version
Front Door health probe setting should be enabled
Front Door diagnostic settings should be enabled
Event Hub should have shared access policy defined
Firewall should have diagnostic settings configured
Functions should restrict cross-origin resource sharing to specific domains
Front Door WAF should be configured
Functions App should be configured with virtual network
Functions App should be configured with latest TLS version
Functions monitoring should be enabled
HDInsight cluster should be encrypted with customer-managed key
HDInsight cluster should be configured with Virtual Network
HDInsight cluster should use encryption at host to encrypt data at rest
HDInsight cluster should be configured with diagnostic settings
Encryption key should have a scheduled expiration
HDInsight cluster should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes
Key Vault secret should have an expiration date
Role based access control should be enabled for Azure Key Vault
HDInsight cluster should be configured with latest TLS version
Machine Learning workspace should be configured with private endpoint
Key Vault should be recoverable
Machine Learning workspace should be configured with user assigned managed identity
Machine Learning workspace should be encrypted with customer-managed key
Key Vault logging should be enabled
Update Network Security Group Rule event should generate an alert
Machine Learning workspace should be configured with diagnostic settings
Create or Update Network Security Group event should generate an alert
Create or Update Security Solution event should generate an alert
Create Policy Assignment event should generate an alert
Create or Update SQL Server Firewall Rule event should generate an alert
Activity log should generate an alert for delete policy assignment events
Delete Network Security Group Rule event should generate an alert
Delete SQL Firewall Rule event should generate an alert
Delete Security Solution event should generate an alert
Delete Network Security Group event should generate an alert
Update Security Policy event should generate an alert
Log Profile should be configured to export from all regions
Activity log is not configured to export all activities
Storage container for activity logs should restrict public access
Storage account for activity logs should be encrypted with customer-managed key
Log profile should have a retention policy of 365 days or more for activity logs
Log profile should be configured for activity logs
MySQL server should have audit log enabled
MySQL Flexible server should have the latest TLS version
MySQL server audit log events should have connection enabled
MySQL server should have diagnostic settings configured
Network resources should not have basic SKUs in production environments
MySQL server should have Enforce SSL connection enabled
Network Watcher should be enabled for Azure subscriptions
Network security group should have diagnostic settings configured
Network security group flow logs should be enabled and the retention period set to 90 days or more
PostgreSQL server access from Azure services should be disabled
PostgreSQL server infrastructure double encryption should be enabled
PostgreSQL server should have Enforce SSL connection enabled
PostgreSQL server should use a secure TLS connection
PostgreSQL server should use a customer-managed key for encryption
PostgreSQL server should be configured with virtual network access rules
PostgreSQL server should have diagnostic settings configured
PostgreSQL server security should have alert policy enabled
Network security group should restrict public access to PostgreSQL server port (5432)
PostgreSQL server should be configured to deny public network access
PostgreSQL server should have connection throttling enabled
PostgreSQL server should have connection logs enabled
PostgreSQL server should have disconnection logs enabled
PostgreSQL server should have checkpoint logs enabled
PostgreSQL server firewall should not allow access from all IP addresses
PostgreSQL server administrator should be configured with Azure Active Directory
Virtual machine should restrict public access to POP3 data port (110)
PostgreSQL server should have duration logs enabled
PostgreSQL server should retain logs for more than 3 days
Virtual machine should restrict public access to IMAP data port (143)
Virtual machine should restrict public access to RPC data port (135)
Virtual machine should restrict public access to FTP data port (20)
Virtual machine should restrict public access to SQLServer port (1433)
Virtual machine should restrict public access to websites data port (3000)
Virtual machine should restrict public access to SMTP Relay port (25)
Virtual machine should restrict public access to Python web development data port (5000)
Virtual machine should restrict public access to Remote Desktop port (3389)
Virtual machine should restrict public access to SMB port (445/139)
Virtual machine should restrict public access to Oracle Database Enterprise Manager data port (5500)
Virtual machine should restrict public access to WinRM port (5985/5986)
Virtual machine should restrict public access to alternative HTTP port (8888)
Virtual machine should restrict public access to Resource Manager web UI port (8088)
Virtual machine should restrict public access to custom Python port (8000)
Cache for Redis patch schedule should be enabled
Cache for Redis should have SSL port enabled
Cache for Redis should not use outdated TLS protocol
Cache for Redis should restrict public access
Adaptive Application Controls should be enabled
Resource Manager deployment mode should be set to incremental
Network security group should restrict public access to alternative HTTP port (8888)
ASC default policy setting should be enabled
Kubernetes resources should have Microsoft Defender for Cloud enabled
DDoS Protection Standard should be enabled
Virtual machine network interface should have IP forwarding disabled
Resource Manager should have Microsoft Defender for Cloud enabled
DNS should have Microsoft Defender for Cloud enabled
Key Vault resources should have Microsoft Defender for Cloud enabled
Subnet should be associated with a Network Security Group
Network security group should restrict public access to custom Python web development port (8000)
Virtual machine data disk should be encrypted
Disk encryption recommendations should be enabled
Storage resources should have Microsoft Defender for Cloud enabled
Endpoint protection recommendations should be enabled
Network security group should restrict public access to IMAP port (143)
Microsoft Cloud App Security should be enabled
Microsoft Defender Advanced Threat Protection should be enabled
Network security group recommendations should be enabled
Next generation firewall recommendations should be enabled
Microsoft Monitoring Agent auto provisioning should be enabled
Network security group should restrict public access to Oracle Database Enterprise Manager data port (5500)
Virtual machine OS disk should be encrypted
Network security group should restrict public access to POP3 port (110)
Network security group should restrict public access to Python web development port (5000)
Resource lock should be configured for critical resources
Network security group should restrict public access to Resource Manager Web UI port (8088)
Network security group should restrict public access to RPC port (135)
Security Configurations security policy should be enabled
Security contact phone numbers should be set
Security contact email addresses should be set
Security alert emails should be enabled for security policy subscribers
Network security group should restrict public access to SMB port (445 and 139)
SQL auditing and threat detection recommendations should be enabled
Security alert emails should be enabled
SQL server encryption recommendations should be enabled
Standard pricing tier should be selected
Storage encryption should be enabled
Virtual machine system update recommendations should be enabled
Network security group should restrict public access to UDP ports
Network security group should restrict public access to TCP port (8080)
Virtual Machine should have Azure VM Agent installed
Vulnerability assessment recommendations should be enabled
Network security group should restrict public access to websites port (3000)
Network security group should restrict public access to Telnet port (23)
Web application firewall recommendations should be enabled
Network security group should restrict public access to WinRM port (5985 and 5986)
SQL database should retain audit logs for 90 days or more
SQL server auditing should be enabled
SQL Server should have Active Directory Admin configured
SQL server should have Advanced Threat Protection configured to send email notification to admins and subscription owners
SQL database auditing should be enabled
SQL database should have Advanced Threat Protection configured to send email notifications to admins and subscription owners
SQL data encryption should be enabled
SQL server should retain audit logs for 90 days or more
SQL Server should be configured with restricted access from other Azure services and resources
SQL Server should be configured with firewall and virtual network rule
SQL server should have Advanced Threat Protection configured with an email destination for alerts
SQL database should have Advanced Threat Protection configured with an email destination for alerts
SQL server should have vulnerability assessment settings configured for Azure Defender
Network security group should restrict public access to SQL server port (1433)
SQL server should have recurring scans enabled in Azure Defender vulnerability assessments
SQL server should have Azure Defender vulnerability assessments configured to send email notification to admins and subscription owners
SQL server should have Azure Defender vulnerability assessments configured with an email destination for scan reports
SQL database should retain Advanced Threat Protection logs for more than 90 days
Storage account access keys should be periodically regenerated
SQL database should have Azure Defender for SQL enabled
SQL server should have TDE protector encrypted with customer-managed key
SQL server should have Advanced Threat Protection types set to all
Private endpoints should be used to access storage account
SQL server should retain Advanced Threat Protection logs for more than 90 days
Storage account encryption at rest should be configured with a customer-managed key
SQL server should have Microsoft Defender for SQL enabled
Storage account should restrict public access
Storage account blob service should be configured with soft delete
Storage account should be configured to allow HTTPS-only traffic
Azure Storage account should be set with the latest TLS version
Blob container should not have public read access enabled
Traffic Manager profile should be configured with endpoint
Virtual machine should have IaaSAntimalware security extension enabled
Traffic Manager endpoint status should be enabled
Traffic Manager profile should be configured with diagnostic settings
Storage account should be configured for access from trusted Microsoft services
Virtual machine should have monitoring extension enabled
Virtual Machine should have extensions that are provisioned successfully
Virtual machine should be configured with managed disks
Virtual machine scale set boot diagnostics should be enabled
Virtual machine scale set should be configured with managed identity
Virtual machine should have system identity assigned
Virtual Machine should have endpoint protection installed
Virtual machine OS and data disk should be encrypted with a customer-managed key
Virtual machine scale set VM should restrict public access to SSH port (22)
WAF Application Gateway should have prevention mode enabled
WAF Application Gateway policy should use OWASP 3.1 rule set
WAF CDN policy should be active
WAF CDN policy should have prevention mode enabled
WAF CDN policy should use default rule set
WAF Application Gateway policy should be active
CloudFormation stack should not allow unrestricted access
WAF Front Door policy should be active
WAF Front Door policy should use default rule set
CloudFormation stack should not be configured with admin privileges
CloudFront distribution should be configured to use HTTPS for communication with origin
CloudFormation stack should not be in a drifted state
CloudFront distribution access logging should be enabled
CloudFront distribution should be attached to WAF
CloudFront distribution should use security policy with secure SSL protocol
CloudFront distribution should use secure SSL protocols for HTTPS communication between CloudFront edge locations and origins
CloudFront distribution origin S3 bucket should not be deleted
WAF Front Door policy should have prevention mode enabled
CloudFront distribution should use HTTPS to communicate with application viewers
CloudFront distribution field-level encryption should be enabled
CloudTrail log file should be encrypted
CloudTrail log file validation should be enabled
CloudTrail should log calls to global services
CloudTrail log file should be integrated with CloudWatch
CloudTrail should be enabled in all regions
Firewall should restrict public access to App Engines like Go, Node.js, Java and Ruby Web Development control port (3000)
CloudTrail should be enabled
Disk should be encrypted with a customer-supplied encryption key
Firewall should restrict public access to IMAP control port (143)
Firewall should restrict public access to Load Balancer control port (8088)
Firewall should restrict public access to MSSQL control port (1434)
Firewall should restrict public access to Python App Engine control port (5000)
Firewall should restrict public access to RPC control port (135)
Firewall should restrict public access to POP3 control port (110)
Firewall rule for instance behind an Identity Aware Proxy (IAP) should only allow traffic from health check and proxy addresses
Compute Instance confidential computing should be enabled for N2D machine types
VM instance should block project-wide SSH keys
VM instance should be configured with Shielded VM
VM instance should have OS Login enabled
VM instance IP forwarding should be disabled
VM instance should have serial port access disabled
VM instance should not be configured with an external IP address
VPC Flow Logs should be enabled for VPC network subnets
VM instance should not use the default service account
VM instance should not use a default service account with unrestricted Cloud API access
DynamoDB table should have auto scaling enabled for provisioned capacity mode
Project should not have a legacy network
DynamoDB table should enable encryption with a customer master key
EC2 security group should restrict public access over IPv6 to SQL Server port (1433)
DynamoDB table should have continuous backups enabled through point-in-time recovery
Project should not have a default network
EC2 security group should restrict public access over IPv6 to Oracle SQL port (1521)
EC2 security group should restrict public access to FTP data port (20)
EC2 security group should restrict public access over IPv6 to SSH port (22)
EC2 security group should restrict public access over IPv6 to SMTP Relay port (25)
EC2 security group should restrict public access over IPv6 to MongoDB server port (27017)
EC2 security group should restrict public access over IPv6 to MySQL Server port (3306)
EC2 security group should restrict public access over IPv6 to Remote Desktop port (3389)
EC2 security group should restrict public access over IPv6 to Redshift port (5439)
EC2 security group should restrict public access over IPv6 to Kibana port (5601)
EC2 security group should restrict public access over IPv6 to PostgreSQL Server port (5432)
EC2 security group should restrict public access over IPv6 to Redis Cache port (6379)
EC2 security group should restrict public access over IPv6 to TCP port (8080)
EC2 security group should restrict public access over IPv4 to TCP port (8080)
EC2 security group should restrict public access to Memcached UDP port (11211)
EBS volume snapshots should be encrypted
EC2 VPC default security group should restrict all access
EBS volume snapshot should be private
EBS volume should be encrypted with a customer master key
EBS volume should be encrypted
EC2 security group should be attached to at least one instance or group
EC2 instance should be configured to use IMDSv2
EC2 security group should not contain instance host IP addresses
EC2 instance should not use default VPC
EC2 security group should restrict public access
EC2 security group should not define a port range
ECR repository policy should restrict access to required users
ECR repository contents should be encrypted with a customer master key
VPC flow logs should be enabled
ECR repository should have scan image on push configuration enabled
ECS container definition should not have root user
ECS task definition should not share IAM roles with other task definitions
ECS container definition should not have elevated privileges
ECS IAM role should not have administrator permissions
EKS control plane should have audit logging enabled
EKS control plane should have authenticator logging enabled
EKS control plane should have API logging enabled
EKS Network Service should not be exposed on NodePort
EKS control plane should have controller manager logging enabled
EKS Cluster Service should expose only secure protocols on port 443
EKS control plane should have scheduler logging enabled
EKS CronJob Workload should use a container image hosted on Amazon ECR
EKS Deployment Workload should use a container image hosted on Amazon ECR
EKS DaemonSet Workload should use a container image hosted on Amazon ECR
EKS Job Workload should use a container image hosted on Amazon ECR
EKS naked Pod should use a container image hosted on Amazon ECR
EKS StatefulSet Workload should use a container image hosted on Amazon ECR
EKS ReplicaSet Workload should use a container image hosted on Amazon ECR
EKS security group should restrict incoming traffic from ports other than TCP port 443
EKS node group should not be configured with an IAM role that provides administrator permissions
EKS node group should use matching Amazon Machine Image and Kubernetes release versions
ElastiCache cluster data is not encrypted at rest
ElastiCache cluster should not have authentication disabled
ElastiCache cluster is using a default VPC
ElastiCache cluster is accessible from the public internet for any source address
ElastiCache cluster in-transit encryption should be enabled
ElastiCache cluster has pending security updates
ElastiCache cluster in a replication group is attached to default VPC
OpenSearch application logging should be enabled
OpenSearch index slow logging should be enabled
OpenSearch data at rest should be encrypted
OpenSearch search slow logging should be enabled
OpenSearch policy should not allow unrestricted access for all users
OpenSearch node to node encryption should be enabled
OpenSearch service domain should restrict public access
OpenSearch zone awareness should be enabled
OpenSearch domain should require HTTPS requests
Classic Load Balancer should have cross-zone load balancing enabled
OpenSearch policy should not allow unrestricted traffic from all IP addresses
Classic Load Balancer should have connection draining enabled
Classic Load Balancer should have access logs enabled
Classic Load Balancer should be attached to one or more instances
Classic Load Balancer should not use default security group
Classic Load Balancer should use a secure listening protocol
Classic Load Balancer should not use a default VPC
Elastic Load Balancer should have cross-zone load balancing enabled
Elastic Load Balancer should have access logs enabled
Elastic Load Balancer should not use a default VPC
Elastic Load Balancer should have delete protection enabled
Classic Load Balancer should use a current SSL policy
Elastic Load Balancer should use HTTPS listener protocol
Elastic Load Balancer listener security policy should have TLS enabled
API key should be rotated every 90 days
Elastic Load Balancer should not use default security group
API key usage should be restricted to APIs the application needs to access
API key usage should be restricted to specific hosts and applications
API key should be used only on active service
Cloud App Engine application custom domain SSL certificate should be renewed before it expires
Elastic Load Balancer should be configured with a secure SSL policy
Elastic Load Balancer should have one or more listeners configured
BigQuery data set should be encrypted with customer managed encryption key
Cloud App Engine service should not allow cross-origin resource sharing for all domains
Cloud App Engine application firewall should restrict public access
Cloud App Engine service should require HTTPS connections
BigQuery dataset should restrict public access
Cloud Bigtable backup expiration time should be 30 days or more
BigQuery Table should be encrypted with customer managed encryption key
Cloud Functions function should restrict public access
Cloud Functions function should not be configured with privileged service accounts
Cloud Functions function should not be configured with the allow all traffic ingress setting
Cloud Functions function should be configured with a VPC connector
Cloud Functions function should not be configured with default service account
Cloud Run revision should not be configured with privileged service accounts
Cloud Run revision should not be configured with default service account
Cloud Run revision should be configured with a VPC connector
Cloud Run service should not be configured with the allow all traffic ingress setting
Cloud Run service should not be configured with privileged service accounts
Load balancer backend service exposed to internet traffic should be attached to Google Cloud Armor
Cloud Run service should restrict public access
Cloud Run service should not allow unauthenticated access
Firewall should not allow unrestricted access from all IP addresses and for all protocols
Load balancer backend service should have logging enabled
Firewall logging should be enabled
Network should be configured with default deny egress rule in firewall
VM instance should restrict public access
Image should be encrypted with a customer-supplied encryption key
Image should restrict public access
VM instance should restrict public access to App Engines like Go, Node.js, Java and Ruby Web Development control port (3000)
VM instance should not be configured with default network
VM instance should restrict public access to Elasticsearch ports (9200 and 9300)
VM instance should restrict public access to IMAP port (143)
VM instance should restrict public access to FTP port (20)
VM instance should restrict public access to Load Balancer port (8088)
VM instance should restrict public access to Memcached port (11211)
VM instance should restrict public access to MSSQL port (1434)
VM instance should restrict public access to POP3 port (110)
VM instance should restrict public access to RPC port (135)
VM instance should restrict public access to web service port (8080)
VM instance should restrict public access to SMB ports (445/139)
VM instance should restrict public access to RDP port (3389)
Instance template should not have IP forwarding enabled
Instance template should restrict project-wide SSH keys
VM instance should restrict public access to WinRM ports (5985 and 5986)
Instance template should be configured with Shielded VM
Instance template should not be configured with external IP addresses
Instance template should have interactive serial console access disabled
Instance template should have OS Login enabled
Load balancer backend service should have a secure protocol
Instance template should not use a service account with unrestricted Cloud API access
Instance template should not use default service account
Cloud Armor Security Policy should be associated with a resource
VM instance with public IP address should not have access to private instances within the subnet
Cloud Armor Security Policy should have non-default rules defined
VM instance with public IP address should not have access to GCS buckets
Cloud Armor Security Policy should have Adaptive Protection enabled
Dataproc cluster should be encrypted using customer-managed encryption key
Cloud DNS policy should log for all VPC networks
Load balancer SSL policy should use latest TLS version
Load balancer SSL policy should use restricted profile
GKE alpha clusters should be disabled
Cloud DNS managed zone should enable Domain Name System Security Extensions
GKE cluster should have binary authorization enabled
GKE basic authentication using static password should be disabled
Cloud DNS managed zone should contain TXT type record
GKE client certificate authentication should be disabled
GKE legacy authorization should be disabled
GKE legacy compute engine instance metadata APIs should be disabled
GKE logging and monitoring should be enabled
GKE master authorized networks should be enabled
GKE cluster nodes should have auto-repair enabled
GKE cluster should not use default service account for compute engine
GKE cluster node should use a Container-Optimized OS image
GKE should use VPC-native clusters
GKE cluster nodes should have auto-upgrade enabled
GKE cluster nodes should restrict public access
GCR user access should be restricted
GKE cluster should have private endpoint enabled and public access disabled
GCR storage bucket user access should be restricted
GKE secrets should be encrypted with a Cloud KMS key
IAM audit logs should be configured for all services and users
IAM user should not have permission to get access tokens for a service account
IAM user should not have the Cloud KMS Admin role assigned together with the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, or Cloud KMS CryptoKey Decrypter roles
IAM service account should not have administrator privileges
IAM user should not have Service Account Admin and Service Account User roles assigned together
IAM service account key should be rotated after 90 days
IAM user-managed service account should use GCP managed key
IAM user should not be a member of a basic role
IAM should not use personal gmail account
IAM user should not have a service account user or a service account token creator role
KMS cryptographic key should be rotated in 90 days
KMS cryptographic key should restrict public access
Logging storage bucket retention policy should be configured with bucket lock
Project should contain log metric and alert policy for audit configuration changes
Project should contain log metric and alert policy for custom role changes
Project should contain log metric and alert policy for storage IAM permission changes
Project should contain log metric and alert policy for SQL instance configuration changes
Project should contain log metric and alert policy for VPC network changes
Project should contain log metric and alert policy for VPC network firewall rule changes
Project should contain sink to export all log entries
Cloud asset inventory should be enabled
Project should contain log metric and alert policy for VPC network route changes
Container scanning should be enabled
Cloud Spanner backup expiration time should be 30 days or more
Secret Manager secret should be encrypted with customer managed encryption key
Cloud Spanner database should not be configured with privileged service account
Cloud Spanner instance should not be configured with privileged service accounts
Cloud SQL database instance should be configured with automatic backups
Cloud SQL database instance data encryption should be set to customer managed encryption key
Cloud SQL for MySQL database instance flag local_infile should be disabled
Cloud SQL database instance should have SSL enabled
Cloud SQL for PostgreSQL database instance flag log_checkpoints should be enabled
Cloud SQL for PostgreSQL database instance flag log_connections should be enabled
Cloud SQL for PostgreSQL database instance flag log_disconnections should be enabled
Cloud SQL for PostgreSQL database instance should have the log_error_verbosity flag set to default or stricter
Cloud SQL for PostgreSQL database instance should have the log_executor_stats flag disabled
Cloud SQL for PostgreSQL database instance should have the log_hostname flag disabled
Cloud SQL for PostgreSQL database instance flag log_lock_waits should be enabled
Cloud SQL for PostgreSQL database instance flag log_min_duration_statement should be disabled
Cloud SQL for PostgreSQL database instance should have the log_min_error_statement flag set to error or stricter
Cloud SQL for PostgreSQL database instance should have the log_planner_stats flag disabled
Cloud SQL for PostgreSQL database instance should have the log_parser_stats flag disabled
Cloud SQL for PostgreSQL database instance should have the log_statement flag set to ddl
Cloud SQL for PostgreSQL database instance should have the log_statement_stats flag disabled
Cloud SQL for PostgreSQL database instance flag log_temp_files should be set to 0
Cloud SQL for PostgreSQL database instance should have the log_duration flag enabled
Cloud SQL database instance should have a private IP address
Cloud SQL for SQL Server database instance external scripts should be disabled
Cloud SQL for SQL Server database instance 3625 trace log should be disabled
Cloud SQL for SQL Server database instance contained database authentication should be disabled
Cloud SQL for SQL Server database instance remote access should be disabled
Cloud SQL for SQL Server database instance cross db ownership chaining should be disabled
Cloud SQL for SQL Server database instance user connections should be configured for a valid number of users
Cloud SQL for SQL Server database instance user options should not be configured
Cloud SQL database instance firewall should restrict public access
Cloud Storage bucket should be encrypted with customer-managed key
Cloud Storage bucket should have logging enabled
GKE Network Service should not be exposed on NodePort
GKE Service should be exposed on port 443
GKE CronJob Workload should use a container image hosted on Container Registry
GKE DaemonSet Workload should use a container image hosted on Container Registry
GKE Deployment Workload should use a container image hosted on Container Registry
GKE Job Workload should use a container image hosted on Container Registry
GKE Workload naked Pod should use a container image hosted on Container Registry
GKE Workload Pod should restrict public access to SSH port (22)
GKE Workload Pod should restrict public access to RDP port (3389)
GKE ReplicaSet Workload should use a container image hosted on Container Registry
GKE StatefulSet Workload should use a container image hosted on Container Registry
GuardDuty Detector S3 data source is disabled
GuardDuty Detector is suspended
GuardDuty publishing destination is not configured
GuardDuty is not configured for all the enabled regions
IAM root user access key should not exist
IAM user access key should be rotated every 90 days
IAM user, group, or role should require SSL/TLS when managing or viewing IAM access keys
IAM Access Analyzer should be enabled
IAM inactive key should be deleted
IAM password should be changed after CloudBleed exploit
IAM password should be configured to expire after 90 days
EC2 instance should not have administrator permissions
IAM access key creation for new accounts should be disabled
IAM should have MFA enabled
IAM password policy should be active
IAM user account should not have multiple access keys
IAM root user account should be configured with hardware MFA
IAM policy should not have unlimited administrative privileges
IAM password policy should have password expiration enabled
IAM password policy should require lowercase characters
IAM password policy should set a minimum length
IAM password policy should require numbers
IAM password policy should require symbols
IAM password policy should require uppercase characters
IAM password policy should prevent password reuse
IAM user, group, or role should restrict permissions to bypass S3 Object Lock
IAM user, group, or role should restrict IAM access key permissions
IAM user, group, or role should have MFA permissions restricted
IAM root user account should require multi-factor authentication
IAM root user account should not have any active access keys
IAM active server certificate should be renewed before it expires
IAM root user account should be used rarely
IAM role for customer support should be created
IAM server certificates that are expired should be removed
IAM account should not be inactive for 45 days or longer
IAM account should not be inactive for 90 days or longer
IAM groups should have one or more users defined
IAM users should not have policies attached
EC2 instance should not have elevated S3 privileges when configured for public access
IAM user account should not have administrator privileges
IAM user credentials should be removed if inactive for 30 days or more
Kinesis data stream should be encrypted
Kinesis data stream should be encrypted with a customer master key
KMS should have automated key rotation enabled
KMS service should be enabled
Cluster role rule should not grant bind, impersonate, or escalate permissions to subjects
Cluster role rule should not allow users to run commands in a container
User-defined cluster role binding should not include system:masters group as a subject
Cluster Networking Service should not be exposed on NodePort
Cluster Networking Service should not use an external IP
Role rule should not grant bind, impersonate, or escalate permissions to subjects
Role rule should not allow users to run commands in a container
User-defined role binding should not include system:masters group as a subject
Workload container image should not run suspicious tools
Workload container image should not run offensive Linux distributions
Workload container image should not run offensive network tools
Workload container image should not unintentionally run security scanners
Workload CronJob should not configure secrets as environment variables
Workload DaemonSet should not configure secrets as environment variables
Workload Deployment should not configure secrets as environment variables
Workload naked Pod container should not configure secrets as environment variables
Workload Job should not configure secrets as environment variables
Workload naked Pod container should not override default AppArmor profile
Workload naked Pod container should require read-only root filesystem
Workload naked Pod container should set the seccomp profile to RuntimeDefault or Localhost value
Workload naked Pod should not use hostpath volumes
Workload naked Pod container should not run as a root group
Workload naked Pod container should not use host port
Workload naked Pod should not use non-core volumes
Workload naked Pod container should not allow unsafe sysctls
Workload naked Pod container should not add capabilities beyond the default set
Workload naked Pod container procmount should not be changed
Workload Pod container managed by a CronJob should not override default AppArmor profile
Workload Pod container managed by a CronJob should not run as a root group
Workload Pod container managed by a CronJob should require read-only root filesystem
Workload Pod container managed by a CronJob should set the seccomp profile to RuntimeDefault or Localhost value
Workload Pod container managed by a CronJob should not use non-core volumes
Workload Pod container managed by a CronJob should not use host port
Workload Pod container managed by a CronJob should not add capabilities beyond the default set
Workload Pod container managed by a CronJob should have procmount set to default
Workload Pod container managed by a CronJob should not run with NET_RAW capability
Workload Pod container managed by a DaemonSet should not override default AppArmor profile
Workload Pod container managed by a CronJob should not allow unsafe sysctls
Workload Pod container managed by a DaemonSet should require read-only root filesystem
Workload Pod container managed by a DaemonSet should not allow container privilege escalation
Workload Pod container managed by a DaemonSet should not run as a root group
Workload Pod container managed by a DaemonSet should set the seccomp profile to RuntimeDefault or Localhost value
Workload Pod container managed by a DaemonSet should not share host network namespace
Workload Pod container managed by a DaemonSet should not share host IPC namespace
Workload Pod container managed by a DaemonSet should not share host process id namespace
Workload Pod container managed by a DaemonSet should not use host port
Workload Pod container managed by a DaemonSet should not use non-core volumes
Workload Pod container managed by a DaemonSet should not allow unsafe sysctls
Workload Pod container managed by a DaemonSet should have procmount set to default
Workload Pod container managed by a DaemonSet should not add capabilities beyond the default set
Workload Pod container managed by a Deployment should not override default AppArmor profile
Workload Pod container managed by a Deployment should not allow container privilege escalation
Workload Pod container managed by a Deployment should require read-only root filesystem
Workload Pod container managed by a Deployment should not run as a root group
Workload Pod container managed by a Deployment should set the seccomp profile to RuntimeDefault or Localhost value
Workload Pod container managed by a Deployment should not use host port
Workload Pod container managed by a Deployment should not use non-core volumes
Workload Pod container managed by a Deployment should have procmount set to default
Workload Pod container managed by a Deployment should not allow unsafe sysctls
Workload Pod container managed by a Deployment should not add capabilities beyond the default set
Workload Pod container managed by a Job should not override default AppArmor profile
Workload Pod container managed by a Job should require read-only root filesystem
Workload Pod container managed by a Job should not run as a root group
Workload Pod container managed by a Job should set the seccomp profile to RuntimeDefault or Localhost value
Workload Pod container managed by a Job should not permit the SELinux type, user, or role option to be defined beyond the allowed set
Workload Pod container managed by a Job should not use non-core volumes
Workload Pod container managed by a Job should not use host port
Workload Pod container managed by a Job should have procmount set to default
Workload Pod container managed by a Job should not allow unsafe sysctls
Workload Pod container managed by a Job should not add capabilities beyond the default set
Workload Pod container managed by a ReplicaSet should not override default AppArmor profile
Workload Pod container managed by a ReplicaSet should not run as a root group
Workload Pod container managed by a ReplicaSet should require read-only root filesystem
Workload Pod container managed by a ReplicaSet should set the seccomp profile to RuntimeDefault or Localhost value
Workload Pod container managed by a ReplicaSet should not allow setting the SELinux type, user, or role option beyond the allowed set
Workload Pod container managed by a ReplicaSet should not use host port
Workload Pod container managed by a ReplicaSet should have procMount set to default
Workload Pod container managed by a ReplicaSet should not use non-core volumes
Workload Pod container managed by a ReplicaSet should not allow unsafe sysctls
Workload Pod container managed by a ReplicaSet should not add capabilities beyond the default set
Workload Pod container managed by a StatefulSet should require read-only root filesystem
Workload Pod container managed by a StatefulSet should not override default AppArmor profile
Workload Pod container managed by a StatefulSet should not run as a root group
Workload Pod container managed by a StatefulSet should set the seccomp profile to RuntimeDefault or Localhost value
Workload Pod container managed by a StatefulSet should not use host port
Workload Pod container managed by a StatefulSet should have procmount set to default
Workload Pod container managed by a StatefulSet should not add capabilities beyond the default set
Workload Pod container managed by a StatefulSet should not allow unsafe sysctls
Workload Pod container managed by a StatefulSet should not use non-core volumes
Workload statefulset should not configure secrets as environment variables
Workload replicaset should not configure secrets as environment variables
Lambda function environment variables should be encrypted with a customer master key
Lambda function should restrict general access from services
Lambda function should not have administrator access
CloudWatch monitoring should be configured for any changes in AWS Config settings
CloudWatch monitoring should be configured for any changes in AWS organizations
CloudTrail event for CloudTrail configuration changes should have alarm configured
CloudTrail event for customer master key deletion events should have alarm configured
CloudTrail event for failed AWS Console login attempts should have alarm configured
CloudTrail event for IAM policy changes should have alarm configured
CloudTrail event for network gateway configuration changes should have alarm configured
CloudTrail event for AWS Console logins without MFA should have alarm configured
CloudTrail event for AWS Console root login attempts should have alarm configured
Node should have AppArmor enabled
CloudTrail event for security group configuration changes should have alarm configured
EC2 instance should not be created from a public Amazon Machine Image
EC2 instance should not have administrator permissions when configured for public access
EC2 instance should not allow unrestricted inbound access
EC2 instance should restrict public access to RPC data port (135)
EC2 instance should restrict public access to POP3 data port (110)
EC2 instance should restrict public access to MSSQL data port (1434)
EC2 instance should restrict public access to IMAP data port (143)
EC2 instance should restrict public access to Go, Node.js, and Ruby web development frameworks port (3000)
EC2 instance should restrict public access to Python web development frameworks port (5000)
EC2 instance should restrict public access to FCP port (5500)
EC2 instance should restrict public access to legacy HTTP port (8088)
EC2 instance should restrict public access to alternative HTTP port (8888)
EC2 instance should restrict public access to MongoDB server port (27017)
EC2 instance should restrict public access to Elasticsearch ports (9200 and 9300)
EC2 instance should not have a public IP address
RDS DB cluster should have automatic minor version upgrades enabled
EC2 instance should restrict public access to Memcache UDP port (11211)
RDS DB cluster backup retention period should be greater than 30 days
RDS DB cluster should have encryption enabled
RDS DB instance should have encryption enabled
RDS DB instance should have automatic minor version upgrades enabled
RDS DB snapshot should have encryption enabled
RDS DB instance backup retention period should be greater than 30 days
Redshift cluster should require SSL connections
Redshift cluster encryption should be enabled
Redshift cluster should have audit logging enabled
Redshift cluster should have user activity logging enabled
Redshift engine automatic upgrades should be enabled
Redshift snapshot should have a retention period of 30 days or more
Redshift cluster should restrict public access
Route53 domain should have automatic renewal enabled
Route53 domain should have privacy protection enabled
Route53 domain should be renewed before it expires
Route53 domain should have transfer lock enabled
Route53 health check should be configured for monitoring
Route53 hosted zone should contain a TXT record
Route53 hosted zone should be configured with query logging
Route53 hosted zone records should be configured with health check
S3 bucket should restrict full public access
S3 bucket should restrict public read ACL access
S3 bucket should restrict public read access
S3 bucket should restrict public write access
S3 bucket should restrict public write ACL access
S3 bucket should not give full access to all authenticated users
S3 bucket should not give read ACL access to all authenticated users
S3 bucket should not give read access to all authenticated users
S3 bucket should not give write ACL access to all authenticated users
S3 bucket should not give write access to all authenticated users
S3 bucket default encryption should be enabled
S3 bucket should allow only HTTPS requests
S3 bucket should allow only HTTPS requests (Legacy)
CloudTrail S3 bucket should have access logging enabled
CloudTrail S3 bucket should restrict access to required users
S3 bucket should have object level logging enabled for write events
S3 bucket should be encrypted with customer-provided KMS key
S3 bucket should have object level logging enabled for read events
S3 access logging should be enabled
S3 bucket access is restricted only by IP address
S3 bucket policy should restrict full public access
S3 bucket policy should restrict public get access
S3 bucket policy should restrict public list access
S3 bucket policy should restrict public delete access
Secrets Manager secret should restrict access to required users
S3 bucket policy should restrict public put access
Secrets Manager secret should be rotated within a specified number of days
Secrets Manager secret should be encrypted with a customer master key
Secrets Manager secret should have automatic rotation enabled
Secrets Manager secret which is not accessed for more than 90 days should be removed
SNS topic should be configured to log delivery failure notification status
SNS topic policy should restrict access to required users
SNS topic should be encrypted with a customer master key
SNS topic policy should require encrypted communications
SNS topic should have encryption enabled
SQS queue should be encrypted with a customer master key
SQS queue policy should restrict access to required users
SQS queue should have encryption enabled
Systems Manager managed instance association should be in compliant status
Systems Manager managed instance patch should be in compliant status
Cloud Storage bucket should have uniform bucket-level access enabled
Cloud Storage bucket should restrict anonymous or public access
The Distributed virtual port group must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required
The Distributed virtual port group must not be configured to VLAN values reserved by upstream physical switches
The Distributed virtual port group forged transmits policy must be set to reject
The Port-level configuration must not override port group settings at the port level on distributed switches
The Distributed virtual port group Promiscuous Mode policy should be set to reject
The Distributed virtual port group MAC Address Change policy should be set to reject
The distributed virtual switch health check should be disabled
ESXi host should limit the maximum number of failed login attempts to three
ESXi host should enforce an unlock timeout of 15 minutes after a user account is locked out
ESXi host should prohibit the reuse of passwords within five iterations
ESXi host should establish a policy for password complexity
ESXi host should use an authentication proxy when using Active Directory for user authentication
ESXi host should use Active Directory for user authentication
ESXi host potential hyperthreading security vulnerability warning is suppressed
ESXi host should automatically terminate idle DCUI sessions after 10 minutes
ESXi host should have SFCB deactivated
ESXi host should have managed object browser (MOB) disabled
ESXi host should have SNMP deactivated
ESXi host should have SLP deactivated
ESXi host should deactivate ESXi Shell
ESXi host should allow trusted users to override lockdown mode
ESXi host access should have lockdown mode enabled
ESXi host should have default value set for host agent log level
ESXi host should enable a persistent log location for all locally stored logs
ESXi host should have BPDU filter enabled
ESXi host should configure remote logging
ESXi host should have MAC address change policy set to reject on both the virtual switch and on its port groups
ESXi host should have forged transmits policy set to reject on both the virtual switch and on its port group
ESXi host should have ESXi Shell deactivated
ESXi host should terminate shell services after 10 minutes
ESXi host should be configured to automatically terminate idle ESXi Shell and SSH sessions
ESXi host should not suppress warnings that the local or remote shell sessions are enabled
ESXi host version has reached End of General Support status
ESXi host should have NTP time synchronization configured
ESXi host should have deprecated SSL/TLS protocols deactivated
ESXi host should deactivate Inter-VM transparent page sharing
vCenter server firewall inbound rules should be configured for additional defense-in-depth
vCenter server should be configured for remote logging
vCenter server backup and recovery should be configured
vCenter server should have SSL for Network File Copy (NFC) enabled
vCenter server interval for counting failed login attempts should be at least 15 minutes
vCenter server should limit the maximum number of failed login attempts to three
Virtual machine should have auto lock enabled for guest OS
Virtual machine copy operation should not be enabled
Virtual machine disk shrinking operation should not be enabled
Virtual machine diagnostic log retention limit should be set to 10 or less
Virtual machine messages to the VMX file should be 1MB or less in size
Virtual machine console should be limited to one connection at a time
Virtual machine diagnostic log size should be limited to 2MB or less
Virtual machine should be prohibited from accessing host information
Virtual machine paste operation should not be enabled
Virtual machine 3D features should not be enabled unless necessary
Virtual machine disk wiping operation should not be enabled
Virtual machine should have vMotion encryption enabled
ECS Service should not have tasks with privileged IAM access to an EC2 instance
ECS Service task role with admin privileges should not have a public IP address assigned to it
ECS task definitions should have secure networking modes and user definitions
EKS Node Group IAM role should not have full EC2 privileges
IAM user, group, or role should not have access to create CloudFormation stacks with IAM roles
IAM user, group, or role should not have access to create and configure AWS Data Pipelines with IAM roles
IAM user, group, or role should not have access to create and share AWS SageMaker Notebooks with IAM roles
IAM user, group, or role should not have access to update Glue Development endpoints
IAM user, group, or role should not have access to create and invoke Lambda functions and pass any IAM role
IAM user, group, or role should not have access to create Glue Development endpoints with IAM roles
IAM user, group, or role should generally not have access to update Lambda function versions
IAM user, group, or role should generally not have access to update Lambda function configuration (and layers)
IAM user, group, or role should not have access to attach policy versions
IAM user, group, or role should not have access to create or update login profiles (passwords) for IAM users
IAM user, group, or role should not have access to set default policy versions
IAM user, group, or role should not have access to both edit assume role policies and assume IAM roles
IAM user, group, or role should not have access to create policy versions
RDS DB cluster should not have IAM authentication disabled
SageMaker Notebook instance should have root access disabled
App Service Authentication should be enabled
App Service FTP state should be Disabled or FTPS only
Custom role should not grant permissions equal to owner role
Resource associated with a Managed Identity should not be assigned the Owner role
Principal should not have indirect Owner access at the subscription level
CosmosDB Database account should not have an unrestricted network security group
Functions App FTP state should be Disabled or FTPS only
Virtual machine should restrict public access to Memcache UDP port (11211)
Virtual machine should restrict public access to FTP control port (21)
Virtual machine should restrict public access to Telnet port (23)
Virtual machine should restrict public access to Oracle SQL port (1521)
Virtual machine should restrict public access to MongoDB server port (27017)
Virtual machine should restrict public access to SSH port (22)
Virtual machine should restrict public access to MySQL server port (3306)
Virtual machine should restrict public access to Kibana port (5601)
Virtual machine should restrict public access to PostgreSQL Server port (5432)
Virtual machine should restrict public access to Redis Cache port (6379)
Virtual machine should restrict public access to TCP port (8080)
Virtual machine should restrict public access to Elasticsearch port (9200/9300)
App Service resources should have Microsoft Defender for Cloud enabled
Container registries should have Microsoft Defender for Cloud enabled
Open-source relational databases should have Microsoft Defender for Cloud enabled
Server resources should have Microsoft Defender for Cloud enabled
SQL server should have Advanced Data Security (ADS) and Advanced Threat Protection (ATP) enabled
SQL servers on machines should have Microsoft Defender for Cloud enabled
Network security group should restrict public access to Elasticsearch port (9200 and 9300)
Network security group should restrict public access to FTP data port (20)
Just-in-time Network Access should be enabled
Network security group should restrict public access to Kibana data port (5601)
Network security group should restrict public access to FTP control port (21)
Network security group should restrict public access to Memcached port (11211)
Network security group should restrict public access to MongoDB server port (27017)
Network security group should restrict public access to MySQL server port (3306)
Network security group should restrict public access to Oracle SQL server port (1521)
Network security group should restrict public access to Redis Cache port (6379)
Network security group should restrict public access to Remote Desktop port (3389)
Network security group should restrict public access to SMTP Relay port (25)
Network security group should restrict public access to SSH port (22)
Virtual network should have diagnostic settings configured
Firewall should restrict public access to FTP control port (21)
Firewall should restrict public access to FTP data port (20)
Firewall should restrict public access to Elasticsearch port (9200 or 9300)
Firewall should restrict public access to Kibana port (5601)
Firewall should restrict public access to MongoDB port (27017)
Firewall should restrict public access to Memcached port (11211)
Firewall should restrict public access to Oracle SQL port (1521)
Firewall should restrict public access to MySQL port (3306)
Firewall should restrict public access to PostgreSQL port (5432)
Firewall should restrict public access to SMTP Relay port (25)
Firewall should restrict public access to Redis Cache port (6379)
Firewall should restrict public access to RDP port (3389)
Firewall should restrict public access to Server Message Block (SMB) port (445 or 139)
Firewall should restrict public access to SQL Server port (1433)
Firewall should restrict public access to SSH port (22)
Firewall should restrict public access to TCP port (8080)
Firewall should restrict public access to WinRM port (5985 or 5986)
Firewall should restrict public access to Telnet port (23)
VM instance should not use the default app engine service account
EC2 security group should restrict public access over IPv4 to SQL Server port (1433)
EC2 security group should restrict public access over IPv4 to Oracle SQL port (1521)
EC2 security group should restrict public access over IPv4 to SMTP Relay port (25)
EC2 security group should restrict public access to Telnet port (23)
EC2 security group should restrict public access to FTP control port (21)
EC2 security group should restrict public access over IPv4 to SSH port (22)
EC2 security group should restrict public access over IPv4 to MySQL Server port (3306)
EC2 security group should restrict public access over IPv4 to PostgreSQL Server port (5432)
EC2 security group should restrict public access over IPv4 to MongoDB server port (27017)
EC2 security group should restrict public access over IPv4 to Remote Desktop port (3389)
EC2 security group should restrict public access to SMB ports (445/139)
EC2 security group should restrict public access over IPv4 to Redshift port (5439)
EC2 security group should restrict public access over IPv4 to Kibana port (5601)
EC2 security group should restrict public access to WinRM ports (5985/5986)
EC2 security group should restrict public access over IPv4 to Redis Cache port (6379)
EC2 security group should restrict public access to Elasticsearch port (9200 and 9300)
EKS Node should not have Pods with privileged IAM access to an EC2 instance
Network ACL should restrict administration ports (3389 and 22) from public access
EKS Pod should not have access to EC2 instance profile
EKS ServiceAccount should not have a privileged IAM role
ElastiCache cluster in a replication group is accessible from the public internet for any source address
EKS node group should restrict public access
EKS cluster should restrict public access
Cloud Bigtable table should not be configured with privileged service accounts
Cloud Bigtable instance should not be configured with privileged service accounts
VM instance should restrict public access to FTP control port (21)
Cloud Functions function should not allow unauthenticated invocation
VM instance should restrict public access to Kibana port (5601)
VM instance should restrict public access to MongoDB port (27017)
VM instance should restrict public access to PostgreSQL port (5432)
VM instance should restrict public access to Oracle port (1521)
VM instance should restrict public access to MySQL port (3306)
VM instance should restrict public access to Redis Cache port (6379)
VM instance should restrict public access to SSH port (22)
VM instance should restrict public access to SMTP Relay port (25)
VM instance should restrict public access to SQL port (1433)
VM instance should restrict public access to Telnet port (23)
IAM user should not have permission to act as or assume control of a service account through cloud functions
Cloud Armor Security Policy should have deny as default action
IAM user should not have permission to act as or assume control of a service account through a cloud scheduler job
IAM user should not have permission to act as or assume control of a service account through a compute instance
IAM user should not have permission to act as or assume control of a service account through a cloud run service
IAM user should not have permission to modify IAM roles
IAM user should not have permission to create a cloud build
IAM user should not have permission to create deployments
IAM user should not have permission to create user-managed keys for a service account
IAM user should not have permission to sign arbitrary Blob/JSON Web Token payloads on behalf of a service account
Project should contain log metric and alert policy for project ownership assignments
GKE Pod should not have access to VM metadata
Cloud SQL for MySQL database instance should have the skip_show_database flag enabled
Cloud Spanner backup should not be configured with privileged service account
GKE Cluster Workload CronJob should not configure ServiceAccount with privileged IAM role
GKE Cluster Workload DaemonSet should not configure ServiceAccount with privileged IAM role
GKE Workload naked Pod should not use ServiceAccount with privileged IAM role
GKE Workload Deployment should not configure ServiceAccount with privileged IAM role
GKE Workload Job should not configure ServiceAccount with privileged IAM role
GKE Workload ReplicaSet should not configure ServiceAccount with privileged IAM role
GKE Workload StatefulSet should not configure ServiceAccount with privileged IAM role
IAM group should not have administrator privileges
IAM role should not have administrator privileges
Cluster role rule should not grant unrestricted access to resources
Cluster role rule should not grant unrestricted access to API groups
Cluster role rule should not grant unrestricted access to verbs
System:node cluster role should not allow access to secrets on all API groups
System:node cluster role should not allow access to the core API with unrestricted resource and verb permissions
System:node cluster role should not allow get access to all API groups and resources
System:node cluster role should not allow full access to API groups and resources
User-defined cluster role binding should not grant access to create pods
Cluster should not use the default namespace
User-defined cluster role binding should not provide access to cluster-admin
Namespace should have a network policy
Default service account should not automount API credentials
Role rule should not grant unrestricted access to API groups
Role rule should not grant unrestricted access to resources
Role rule should not grant unrestricted access to verbs
User-defined role binding should not provide access to cluster-admin (cluster role)
Workload naked Pod container should not allow setting the SELinux type, user, or role option beyond the allowed set
Workload naked Pod container should not share host IPC namespace
Workload naked Pod container should not share host network namespace
Workload naked Pod container should not enable AutomountServiceAccountToken setting and should not use a default service account
Workload naked Pod container should not run with NET_RAW capability
Workload naked Pod container should not share host process id namespace
Workload Pod container managed by a CronJob should not allow container privilege escalation
Workload Pod container managed by a CronJob should not allow setting the SELinux type, user, or role option beyond the allowed set
Workload Pod container managed by a CronJob should not enable AutomountServiceAccountToken setting and should not use a default service account
Workload Pod container managed by a CronJob should not share host network namespace
Workload Pod container managed by a CronJob should not share host IPC namespace
Workload Pod container managed by a CronJob should not use hostpath volumes
Workload Pod container managed by a CronJob should not share host process id namespace
Workload Pod container managed by a DaemonSet should not enable AutomountServiceAccountToken setting and should not use a default service account
Workload Pod container managed by a DaemonSet should not allow setting the SELinux type, user, or role option beyond the allowed set
Workload Pod container managed by a DaemonSet should not use hostpath volumes
Workload Pod container managed by a DaemonSet should not run with NET_RAW capability
Workload Pod container managed by a Deployment should not enable AutomountServiceAccountToken setting and should not use a default service account
Workload Pod container managed by a Deployment should not allow setting the SELinux type, user, or role option beyond the allowed set
Workload Pod container managed by a Deployment should not share host network namespace
Workload Pod container managed by a Deployment should not share host IPC namespace
Workload Pod container managed by a Deployment should not share host process id namespace
Workload Pod container managed by a Deployment should not use hostpath volumes
Workload Pod container managed by a Deployment should not run with NET_RAW capability
Workload Pod container managed by a Job should not allow container privilege escalation
Workload Pod container managed by a Job should not enable AutomountServiceAccountToken setting and should not use a default service account
Workload Pod container managed by a Job should not share host process id namespace
Workload Pod container managed by a Job should not share host IPC namespace
Workload Pod container managed by a Job should not share host network namespace
Workload Pod container managed by a Job should not use hostpath volumes
Workload Pod container managed by a Job should not run with NET_RAW capability
Workload Pod container managed by a ReplicaSet should not enable AutomountServiceAccountToken setting and should not use a default service account
Workload Pod container managed by a ReplicaSet should not share host network namespace
Workload Pod container managed by a ReplicaSet should not share host process id namespace
Workload Pod container managed by a StatefulSet should not allow setting the SELinux type, user, or role option beyond the allowed set
Workload Pod container managed by a ReplicaSet should not run with NET_RAW capability
Workload Pod container managed by a ReplicaSet should not share host IPC namespace
Workload Pod container managed by a StatefulSet should not share host IPC namespace
Workload Pod container managed by a ReplicaSet should not use hostpath volumes
Workload Pod container managed by a StatefulSet should not enable AutomountServiceAccountToken setting and should not use a default service account
Workload Pod container managed by a StatefulSet should not share host network namespace
Workload Pod container managed by a StatefulSet should not share host process id namespace
Workload Pod container managed by a StatefulSet should not use hostpath volumes
Workload Pod container managed by a StatefulSet should not run with NET_RAW capability
CloudTrail event for network access control list changes should have alarm configured
CloudTrail event for S3 bucket policy changes should have alarm configured
CloudTrail event for routing table configuration changes should have alarm configured
CloudTrail event for VPC configuration changes should have alarm configured
CloudTrail event for unauthorized API access attempts should have alarm configured
EC2 instance should restrict public access to FTP data port (20)
EC2 instance should restrict public access to FTP control port (21)
EC2 instance should restrict public access to TCP port (8080)
EC2 instance should restrict public access to Telnet port (23)
EC2 instance should restrict public access to SQL Server port (1433)
EC2 instance should restrict public access to SSH port (22)
EC2 instance should restrict public access to Oracle SQL port (1521)
EC2 instance should restrict public access to SMTP Relay (25)
EC2 instance should restrict public access to MySQL server port (3306)
EC2 instance should restrict public access to SMB ports (445 and 139)
EC2 instance should restrict public access to Remote Desktop port (3389)
EC2 instance should restrict public access to PostgreSQL server port (5432)
EC2 instance should restrict public access to Redshift port (5439)
EC2 instance should restrict public access to Kibana port (5601)
EC2 instance should restrict public access to WinRM ports (5985 and 5986)
EC2 instance should restrict public access to Redis Cache port (6379)
RDS DB snapshot should restrict public access
RDS DB instance should restrict public access
System:node role should not allow access to the core API with unrestricted resource and verb permissions
User-defined role binding should not provide access to cluster-admin (role)
Workload naked Pod container should not allow privilege escalation
Workload naked Pod container should not run with privileged mode
Workload naked Pod container should not run as a root user
Workload Pod container managed by a CronJob should not run with privileged mode
Workload Pod container managed by a CronJob should not run as a root user
Workload Pod container managed by a DaemonSet should not run as a root user
Workload Pod container managed by a Deployment should not run with privileged mode
Workload Pod container managed by a DaemonSet should not run with privileged mode
Workload Pod container managed by a Job should not run with privileged mode
Workload Pod container managed by a Deployment should not run as a root user
Workload Pod container managed by a ReplicaSet should not allow container privilege escalation
Workload Pod container managed by a Job should not run as a root user
Workload Pod container managed by a StatefulSet should not run with privileged mode
Workload Pod container managed by a ReplicaSet should not run as a root user
Workload Pod container managed by a ReplicaSet should not run with privileged mode
Workload Pod container managed by a StatefulSet should not allow container privilege escalation
Workload Pod container managed by a StatefulSet should not run as a root user