Controls

Browse cloud, identity, Kubernetes, and application security controls with connector coverage and query logic.

[Deprecated] Ensure Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'

Low

Enable automatic provisioning of the monitoring agent to collect security data.

Applies to

General guidance
0 queries

[LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'

Medium

Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLServer
1 query

[LEGACY] Ensure Microsoft Defender for DNS Is Set To 'On'

Low

[**NOTE:** As of August 1, 2023, customers with an existing subscription to Defender for DNS can continue to use the service, but new subscribers will receive alerts about suspicious DNS activity as part of Defender for Servers P2.]

Applies to

Microsoft Azure

Covered asset types

Connector
1 query

[LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server

Medium

Enable `log_connections` on PostgreSQL Database Servers.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLServer
1 query

[LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server

Medium

Enable `log_disconnections` on `PostgreSQL Servers`.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLServer
1 query

[Legacy] Ensure that VHDs are Encrypted

High

**NOTE: This is a legacy recommendation. Managed Disks are encrypted by default and recommended for all new VM implementations.**

Applies to

Microsoft Azure

Covered asset types

Disk
1 query

Apply Security Context correctly to Pods and Containers

Low

A security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc.) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment YAML. It controls the security parameters that will be assigned to the pod, container, or volume. There are two levels of security context: pod-level security context and container-level security context.

Applies to

Kubernetes

Covered asset types

CronJob, DaemonSet, Deployment, Job, ReplicaSet, StatefulSet
12 queries

Avoid the use of the 'root' account

Medium

Applies to

Alibaba Cloud

Covered asset types

Connector
1 query

Consider external secret storage

Medium

Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs. Ensure the solution requires authentication to access secrets, has auditing of access to and use of secrets, and encrypts secrets. Some solutions also make it easier to rotate secrets.

Applies to

Kubernetes

Covered asset types

CronJob, DaemonSet, Deployment, Job, ReplicaSet, StatefulSet
6 queries

Do not setup access keys during initial user setup for all IAM users that have a console password

Low

The AWS console defaults to no check boxes selected when creating a new IAM user. When choosing the IAM user's access type, you have to determine what type of access they require.

Applies to

AWS

Covered asset types

IAMUser
1 query

EC2 Instances Should Not Allow Metadata Response Hop Limit Higher Than 1

Medium

Applies to

AWS

Covered asset types

VM
1 query

EC2 Instances Should Only Allow IMDSv2

Medium

When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).

Applies to

AWS

Covered asset types

VM
1 query

ECS containers should be limited to read-only access to root filesystems

High

Amazon ECS containers should be limited to read-only access to mounted root filesystems.

Applies to

AWS

Covered asset types

ECSTaskDefinition
1 query

ECS Fargate services should run on the latest Fargate platform version

Medium

Amazon ECS Fargate services should run the latest Fargate platform version.

Applies to

AWS

Covered asset types

ECSService
1 query

Eliminate use of the "root" user for administrative and daily tasks

High

With the creation of an AWS account, a root user account is created. This root user is the most privileged user in an AWS account and has unrestricted access to and control over all resources in the account. It is highly recommended that the use of this root user be avoided for everyday tasks.

Applies to

AWS

Covered asset types

RootUser
1 query

Enable Role Based Access Control for Azure Key Vaults

Medium

The recommended way to access Key Vaults is to use the Azure Role-Based Access Control (RBAC) permissions model.

Applies to

Microsoft Azure

Covered asset types

KMSVault
1 query

Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services

Low

Ensure that RBAC is enabled on all Azure Kubernetes Services Instances.

Applies to

Microsoft Azure

Covered asset types

Cluster
1 query

Encrypt traffic to HTTPS load balancers with TLS certificates

Medium

Encrypt traffic to HTTPS load balancers using TLS certificates.

Applies to

Kubernetes

Covered asset types

Ingress
1 query

Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'

Low

It is recommended to set `3625 (trace flag)` database flag for Cloud SQL SQL Server instance to `on`.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 query

Ensure 'Additional email addresses' is configured with a security contact email

Low

Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.

Applies to

Microsoft Azure

Covered asset types

Connector
1 query

Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access

Medium

Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 query

Ensure 'Allow Blob Anonymous Access' is set to 'Disabled'

Medium

The Azure Storage setting `Allow Blob Anonymous Access` (a.k.a. `allowBlobPublicAccess`) controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks. When set to False, it disallows public access to blob data, providing a more secure storage environment.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 query

Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled

Medium

Disable access from Azure services to PostgreSQL Flexible Server.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLFlexibleServer, PostgreSQLServer
2 queries

Ensure 'Allow users to remember multi-factor authentication on devices they trust' is Disabled (Manual)

Medium

**If you use Conditional Access, you can disable/exempt this control**

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Auditing' is set to 'On' for SQL Servers

Medium

Enable auditing on SQL Servers.

Applies to

Microsoft Azure

Covered asset types

SQLServer
1 query

Ensure 'Auditing' Retention is greater than 90 days for SQL Servers

Medium

SQL Server Audit Retention should be configured to be greater than 90 days.

Applies to

Microsoft Azure

Covered asset types

SQLServer
1 query

Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud SQL PostgreSQL instance is set to 'on' for centralized logging

Low

Ensure the `cloudsql.enable_pgaudit` database flag for each Cloud SQL PostgreSQL instance is set to `on` to allow for centralized logging.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 query

Ensure 'Cross Tenant Replication' is not enabled

High

Cross Tenant Replication in Azure allows data to be replicated across multiple Azure tenants. While this feature can be beneficial for data sharing and availability, it also poses a significant security risk if not properly managed. Unauthorized data access, data leakage, and compliance violations are potential risks. Disabling Cross Tenant Replication ensures data is not inadvertently replicated across tenant boundaries without explicit authorization.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 query

Ensure 'Data encryption' is set to 'On' on SQL Databases

High

Enable Transparent Data Encryption on every SQL server.

Applies to

Microsoft Azure

Covered asset types

SQLDatabase
1 query

Ensure 'Disk Network Access' is NOT set to 'Enable public access from all networks'

Medium

Virtual Machine Disks and snapshots can be configured to allow access from different network resources.

Applies to

Microsoft Azure

Covered asset types

Disk
1 query

Ensure 'Enable connecting to serial ports' is not enabled for VM Instance

High

Interacting with a serial port is often referred to as using the serial console, which is similar to using a terminal window: input and output are entirely in text mode, and there is no graphical interface or mouse support.

Applies to

Google Cloud

Covered asset types

VM
1 query

Ensure 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'

Low

Enable double encryption at the hardware level, on top of the default software encryption, for Storage Accounts accessing Azure storage solutions.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 query

Ensure 'Enable key rotation reminders' is enabled for each Storage Account

Medium

Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The "Rotation Reminder" is an automatic reminder feature for a manual procedure.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 query

Ensure 'Endpoint protection' component status is set to 'On'

Low

The Endpoint protection component enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.

Applies to

Microsoft Azure

Covered asset types

Connector
1 query

Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB Database Server

High

Enable SSL connection on MariaDB Database Servers.

Applies to

Microsoft Azure

Covered asset types

MariaDBServer
1 query

Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server

High

Enable SSL connection on Standard MySQL Database servers.

Applies to

Microsoft Azure

Covered asset types

MySQLServer
1 query

Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server

High

Enable SSL connection on PostgreSQL Database Servers.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLServer
1 query

Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'

Medium

It is recommended to set `external scripts enabled` database flag for Cloud SQL SQL Server instance to `off`.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 query

Ensure 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks for Cosmos DB

Medium

Limiting your Cosmos DB account to communicate only on allow-listed networks lowers its attack surface.

Applies to

Microsoft Azure

Covered asset types

CosmosDBAccount
1 query

Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'

Medium

By default, App Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Services.

Applies to

Microsoft Azure

Covered asset types

Site
1 query

Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'

Low

Restrict invitations to users with specific administrative roles only.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'

Low

Limit guest user permissions.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'HTTPS Only' is set to 'On' for App Service

High

Azure App Service allows apps to run under both HTTP and HTTPS by default. Apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

Applies to

Microsoft Azure

Covered asset types

Site
1 query

Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter

Low

The `log_error_verbosity` flag controls the verbosity and level of detail of logged messages. Valid values are:

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 query

Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter

Low

The `log_min_error_statement` flag defines the minimum message severity level that is considered an error statement. Messages for error statements are logged together with the SQL statement that caused them. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`, `WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. Each severity level also includes all levels listed after it. Ensure a value of `ERROR` or stricter is set.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 query

Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately

Low

The value of the `log_statement` flag determines which SQL statements are logged. Valid values are:

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 query

Ensure 'Minimum TLS version' for storage accounts is set to 'Version 1.2'

Medium

In some cases, Azure Storage sets the minimum TLS version to be 1.0 by default. TLS 1.0 is a legacy version with known vulnerabilities. However, this minimum TLS version can be configured to be later protocols, such as TLS 1.2.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 query

Ensure 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users

Medium

If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and **can** use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.

Applies to

Microsoft Entra ID

Covered asset types

User
1 query

Ensure 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users

High

If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and **can** use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.

Applies to

Microsoft Entra ID

Covered asset types

User
1 query

Ensure 'Notify all admins when other admins reset their password?' is set to 'Yes'

Low

Ensure that all Global Administrators are notified if any other administrator resets their password.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Notify users on password resets?' is set to 'Yes'

Low

Ensure that users are notified at their primary and secondary email addresses on password resets.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Number of days before users are asked to reconfirm their authentication information' is not set to '0'

Low

Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Number of methods required to reset' is set to '2' (Manual)

Low

Ensures that two alternate forms of identification are provided before allowing a password reset.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Owners can manage group membership requests in My Groups' is set to 'No'

Low

Restrict security group management to administrators only.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Public Network Access' is 'Disabled' for storage accounts

Medium

Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 query

Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'

Medium

It is recommended to set `remote access` database flag for Cloud SQL SQL Server instance to `off`.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 query

Ensure 'Remote debugging' is set to 'Off' for App Service

Medium

Remote Debugging allows Azure App Service to be debugged in real-time directly on the Azure environment. When remote debugging is enabled, it opens a communication channel that could potentially be exploited by unauthorized users if not properly secured.

Applies to

Microsoft Azure

Covered asset types

Site
1 query

Ensure 'Require Multi-Factor Authentication to register or join devices with Microsoft Entra ID' is set to 'Yes'

Low

Joining or registering devices to the Microsoft Entra ID should require Multi-factor authentication.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'

Low

Restrict access to the Microsoft Entra ID administration portal to administrators only.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'

Medium

Require administrators or appropriately delegated users to create new tenants.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Restrict user ability to access groups features in My Groups' is Set to 'Yes'

Low

Restricts group creation to administrators with permissions only.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Secure transfer required' is set to 'Enabled'

High

Enable data encryption in transit.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 query

Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'On'

Low

It is recommended to set the `skip_show_database` database flag for a Cloud SQL MySQL instance to `on`.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 query

Ensure 'Subscription leaving Microsoft Entra ID directory' and 'Subscription entering Microsoft Entra ID directory' Is Set To 'Permit No One'

Low

Users who are set as subscription owners can make administrative changes to the subscriptions and move them into and out of Microsoft Entra ID.

Applies to

Microsoft Azure

Covered asset types

Connector
1 query

Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set to a non-limiting value

Medium

It is recommended to check the `user connections` flag for a Cloud SQL SQL Server instance to ensure that it is not artificially limiting connections.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 query

Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'

Low

Allow users to provide consent for selected permissions when a request is coming from a verified publisher.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'User consent for applications' is set to 'Do not allow user consent'

Low

Require administrators to provide consent for applications before use.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured

Medium

It is recommended that the `user options` database flag for a Cloud SQL SQL Server instance is not configured.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 query

Ensure 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'

Low

Restrict Microsoft 365 group creation to administrators only.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Low

Restrict security group creation to administrators only.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Users Can Register Applications' Is Set to 'No'

Low

Require administrators or appropriately delegated users to register third-party applications.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure 'Vulnerability assessment for machines' component status is set to 'On'

Low

Enable vulnerability assessment for machines on both Azure and hybrid (Arc-enabled) machines.

Applies to

Microsoft Azure

Covered asset types

Connector
1 query

Ensure "Block Project-wide SSH keys" is enabled for VM instances

Medium

It is recommended to use instance-specific SSH keys instead of common, shared project-wide SSH keys to access instances.

Applies to

Google Cloud

Covered asset types

VM
1 query

Ensure a 'Diagnostic Setting' exists for Subscription Activity Logs

Low

Enable Diagnostic settings for exporting activity logs.

Applies to

Microsoft Azure

Covered asset types

SubscriptionDiagnosticSettings
1 query

Ensure a Custom Bad Password List is set to 'Enforce' for your Organization

Low

Microsoft Azure provides a Global Banned Password policy for Azure administrative and normal user accounts. This is not applied to user accounts synced from an on-premises Active Directory unless Azure AD Connect is used and you enable `EnforceCloudPasswordPolicyForPasswordSyncedUsers`. See the list of default values for the specifics of this policy. To further strengthen password security, it is recommended to define a custom banned password policy. Organization-specific terms can be added to the custom banned password list, such as the following examples:

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure a Custom Role is Assigned Permissions for Administering Resource Locks

Low

Resource locking is a powerful protection mechanism that can prevent inadvertent modification or deletion of resources within Azure subscriptions and Resource Groups, and it is a recommended NIST configuration.

Applies to

Microsoft Azure

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for AWS Config configuration changes

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to AWS Config's configurations.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for AWS Organizations changes

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for changes to network gateways

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for CloudTrail configuration changes

Medium

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs

Medium

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for IAM policy changes

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for route table changes

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for S3 bucket policy changes

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for security group changes

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for changes to Security Groups.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for unauthorized API calls

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for usage of "root" account

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure a log metric filter and alarm exist for VPC changes

Low

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account; it is also possible to create a peering connection between 2 VPCs, enabling network traffic to route between them. It is recommended that a metric filter and alarm be established for changes made to VPCs.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure A Multi-factor Authentication Policy Exists for Administrative Groups

Medium

Designated users will be prompted to use their multi-factor authentication (MFA) process upon login.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure A Multi-factor Authentication Policy Exists for All Users

Low

Designated users will be prompted to use their multi-factor authentication (MFA) process upon login.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 query

Ensure a support role has been created to manage incidents with AWS Support

Low

AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.

Applies to

AWS

Covered asset types

Connector
1 query

Ensure access keys are rotated every 90 days or less

Medium

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.

Applies to

AWS

Covered asset types

IAMUser
1 queries

Ensure access keys are rotated every 90 days or less

Medium

Applies to

Alibaba Cloud

Covered asset types

IAMUser
1 queries

Ensure Access Logs is Enabled for ELB

Medium

Applies to

AWS

Covered asset types

LoadBalancer
1 queries

Ensure account 'Lockout duration in seconds' is greater than or equal to '60'

Medium

The account lockout duration value determines how long an account retains the lockout status and, therefore, how long before a user can continue to attempt to log in after passing the lockout threshold.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 queries

Ensure account 'Lockout Threshold' is less than or equal to '10'

Medium

The account lockout threshold determines how many failed login attempts are permitted before the account is locked out and initiated with a variable lockout duration.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 queries

Ensure administrators have multi-factor authentication enabled

Medium

Users with administrative rights are targeted by attackers. Requiring multi-factor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.

Applies to

Alibaba Cloud, AWS, Google Cloud, Google Workspace, Microsoft Azure, Microsoft Entra ID, Okta

Covered asset types

IAMUser, User
6 queries

Ensure aggregated log sinks are configured at org or folder scope

Medium

Centralized logging helps ensure forensic and audit evidence is retained even if project-level settings change.

Applies to

Google Cloud

Covered asset types

LogSink
1 queries

Ensure all data in Amazon S3 has been discovered, classified and secured when required

Low

Applies to

General guidance
0 queries

Ensure all S3 buckets employ encryption-at-rest

Medium

Amazon S3 provides multiple encryption options to protect data at rest. With default encryption, you can set the behavior for a S3 bucket so that all new objects are encrypted when they are stored in the bucket. The objects can be encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or customer master keys (CMKs) stored in AWS Key Management Service (AWS KMS) (SSE-KMS).

Applies to

AWS

Covered asset types

Bucket
1 queries

Ensure Amazon ECS task definitions include secure networking modes and user definitions

High

Amazon Elastic Container Service (ECS) [task definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html) are JSON files that describe how a Docker container should be launched within an ECS cluster.

Applies to

AWS

Covered asset types

ECSTaskDefinition
1 queries

Ensure AMIs Are Private

High

Applies to

AWS

Covered asset types

AMI
1 queries

Ensure an Azure Bastion Host Exists

Medium

The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. It provides this access using TLS over 443/TCP and subscribes to hardened configurations within an organization's Azure Active Directory service.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure an exclusionary Device code flow policy is considered

Low

Conditional Access Policies can be used to prevent the Device code authentication flow. Device code flow should be permitted only for users who regularly perform duties that explicitly require using Device Code to authenticate, such as utilizing Azure with PowerShell.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 queries

Ensure an exclusionary Geographic Access Policy is considered

Low

Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 queries

Ensure Anti-DDoS access and security log service is enabled

Medium

This control checks that Anti-DDoS access and security log service is enabled.

Applies to

Alibaba Cloud

Covered asset types

Connector
1 queries

Ensure API keys are not created for a project

Low

Applies to

General guidance
0 queries

Ensure API Keys are restricted to use by only specified hosts and apps

High

Applies to

Google Cloud

Covered asset types

APIKey
1 queries

Ensure API Keys are restricted to use only APIs that application needs access to

High

Applies to

Google Cloud

Covered asset types

APIKey
1 queries

Ensure API Keys Are Rotated Every 90 Days

Medium

Applies to

Google Cloud

Covered asset types

APIKey
1 queries

Ensure App Engine Applications Enforce HTTPS Connections

Medium

In order to maintain the highest level of security all connections to an application should be secure by default.

Applies to

Google Cloud

Covered asset types

AppEngineService
1 queries

Ensure App Service Authentication is set up for apps in Azure App Service

Medium

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.

Applies to

Microsoft Azure

Covered asset types

Site
1 queries

Ensure application assignments are configured through groups

Medium

You can grant users access to applications directly or through groups. The latter is preferred because it greatly simplifies access management.

Applies to

Okta

Covered asset types

User
1 queries

Ensure Application Gateway WAF is enabled in Prevention mode

High

Detection-only mode provides visibility but does not block attacks. Prevention mode is required for stronger protection on internet-facing workloads.

Applies to

Microsoft Azure

Covered asset types

ApplicationGateway
1 queries

Ensure Application Insights are Configured

Low

Application Insights within Azure act as an Application Performance Monitoring solution, providing valuable data into how well an application performs and additional information when responding to incidents. The types of log data collected include application metrics, telemetry data, and application trace logging data, which provide organizations with detailed information about application activity and transactions. Both data sets help organizations adopt proactive and retroactive means to handle security and performance-related metrics within their modern applications.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Application Load Balancer uses HTTPS Listener

Medium

Applies to

AWS

Covered asset types

LoadBalancer
1 queries

Ensure Artifact Registry Docker repositories enforce immutable tags

Medium

Applies to

Google Cloud

Covered asset types

ArtifactRegistryRepository
1 queries

Ensure Artifact Registry repositories are not publicly accessible

High

Applies to

Google Cloud

Covered asset types

ArtifactRegistryRepository
1 queries

Ensure Artifact Registry repositories use customer-managed encryption keys

Medium

Applies to

Google Cloud

Covered asset types

ArtifactRegistryRepository
1 queries

Ensure at least two Google Workspace Super Admins are configured

Medium

While having too many administrators constitutes a security risk, having only one is also a risk, especially when MFA is enforced. You should assign at least two Google Workspace super administrators for access redundancy.

Applies to

Google Workspace

Covered asset types

Connector
1 queries

Ensure at least two Okta admins are configured

Medium

While having too many administrators constitutes a security risk, having only one is also a risk, especially when MFA is enforced. You should assign at least two Okta administrators for access redundancy.

Applies to

Okta

Covered asset types

Connector
1 queries

Ensure audit logs for multiple cloud resources are integrated with Log Service

Medium

Applies to

General guidance
0 queries

Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services

Medium

Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts, which allow access to keys within Key Vault. The number of supported applications will incrementally increase.

Applies to

Microsoft Azure

Covered asset types

KMSKey
1 queries

Ensure Automatic node repair is enabled for Kubernetes Clusters

Medium

Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes

Medium

Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure AWS Config is enabled in all regions

Low

AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended that AWS Config be enabled in all regions.

Applies to

AWS

Covered asset types

Connector
1 queries

Ensure AWS Config recorder is enabled and recording all supported resources

Medium

AWS Config is foundational for compliance monitoring. If recording is disabled or incomplete, many controls become blind.

Applies to

AWS

Covered asset types

ConfigurationRecorder
1 queries

Ensure AWS Inspector is configured for EC2 Instances

Low

Applies to

AWS

Covered asset types

VM
1 queries

Ensure Azure Cache for Redis disables non-SSL port and enforces TLS 1.2+

High

Redis often stores sensitive session and cache data. Non-SSL access and weak TLS versions increase interception risk.

Applies to

Microsoft Azure

Covered asset types

RedisInstance
1 queries

Ensure Azure Container Registry admin user is disabled

Medium

ACR admin user provides shared username/password access and should be disabled in favor of Entra ID and RBAC.

Applies to

Microsoft Azure

Covered asset types

ContainerRegistry
1 queries

Ensure Azure Container Registry public network access is disabled

High

Container registries should use private endpoints where possible to minimize internet exposure.

Applies to

Microsoft Azure

Covered asset types

ContainerRegistry
1 queries

Ensure Azure Key Vaults are used to store secrets

Medium

Azure Key Vault will store multiple types of sensitive information, such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these secrets can be controlled through granular permissions.

Applies to

Microsoft Azure

Covered asset types

FunctionApp, Site
2 queries

Ensure Basic Authentication is disabled on Kubernetes Engine Clusters

High

Basic authentication allows a user to authenticate to the cluster with a username and password, which are stored in plain text without any encryption. Disabling Basic authentication prevents attacks such as brute force. It is recommended to use either client certificates or IAM for authentication.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Basic Authentication is not enabled on Kubernetes Engine Clusters

Medium

Applies to

General guidance
0 queries

Ensure Basic SCM/FTP Authentication is 'Disabled' for App Service

Medium

Basic Authentication provides the ability to create identities and authentication for an App Service without a centralized Identity Provider. For a more effective, capable, and secure solution for Identity, Authentication, Authorization, and Accountability, a centralized Identity Provider such as Entra ID is strongly advised.

Applies to

Microsoft Azure

Covered asset types

Site
1 queries

Ensure basic/primitive roles are not used

Medium

Applies to

Google Cloud

Covered asset types

IAMRole
1 queries

Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible

Medium

It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.

Applies to

Google Cloud

Covered asset types

BigQueryTable
1 queries

Ensure buckets are not accessible from functions with http trigger unauthenticated

Low

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

BlobContainer, Bucket
5 queries

Ensure buckets are not accessible from VMs with open management ports

Medium

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

BlobContainer, Bucket
4 queries

Ensure buckets are not publicly accessible

High

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

BlobContainer, Bucket
4 queries

Ensure buckets are not publicly readable

High

Buckets should almost never be publicly accessible (except when they are used to host public static websites). When configured to allow public access, anyone can read the data (objects) without performing any authentication or authorization. This can lead to data leaks and can potentially generate considerable costs.

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

BlobContainer, Bucket
4 queries

Ensure buckets are not publicly writable

High

Publicly writable buckets allow anyone to upload, modify, and/or delete data from your buckets. This can lead to data loss, malware spread, and increased costs.

Applies to

Alibaba Cloud, AWS, Google Cloud

Covered asset types

Bucket
3 queries

Ensure buckets don't have permissive access policies

High

Applies to

AWS, Google Cloud

Covered asset types

Bucket
2 queries

Ensure buckets have versioning enabled

Medium

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

BlobContainer, Bucket
1 queries

Ensure Cloud Asset Inventory Is Enabled

Medium

GCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.

Applies to

Google Cloud

Covered asset types

Project
1 queries

Ensure Cloud Audit Logging is configured properly across all services and all users from a project

Low

It is recommended that Cloud Audit Logging is configured to track all Admin activities and read/write access to user data.

Applies to

Google Cloud

Covered asset types

Connector
1 queries

Ensure Cloud Bigtable uses CMEK for regulated data

Medium

CMEK on Bigtable helps organizations meet key custody and compliance requirements.

Applies to

Google Cloud

Covered asset types

BigTable
1 queries

Ensure Cloud DNS Logging Is Enabled for All VPC Networks

Low

Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.

Applies to

Google Cloud

Covered asset types

VPC
1 queries

Ensure Cloud Firewall access and security log analysis is enabled

Medium

Applies to

General guidance
0 queries

Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible

High

It is recommended that the IAM policy on Cloud KMS cryptokeys restrict anonymous and/or public access.

Applies to

Google Cloud

Covered asset types

KMSKey
1 queries

Ensure Cloud Spanner uses CMEK for regulated data

Medium

Customer-managed encryption keys (CMEK) provide stronger governance and key lifecycle control for regulated workloads.

Applies to

Google Cloud

Covered asset types

CloudSpanner
1 queries

Ensure Cloud SQL database instances are configured with automated backups

Medium

It is recommended to have all SQL database instances set to enable automated backups.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure Cloud SQL database instances do not have public IPs

Medium

It is recommended to configure Second Generation SQL instances to use private IPs instead of public IPs.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses

Medium

Database Server should accept connections only from trusted network(s)/IP(s) and restrict access from public IP addresses.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure Cloud Storage buckets have uniform bucket-level access enabled

Medium

It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.

Applies to

Google Cloud

Covered asset types

Bucket
1 queries

Ensure CloudMonitor is set to Enabled on Kubernetes Engine Clusters

Medium

Applies to

General guidance
0 queries

Ensure CloudTrail is enabled in all regions

Medium

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).

Applies to

AWS

Covered asset types

Connector
1 queries

Ensure CloudTrail log file validation is enabled

Medium

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.

Applies to

AWS

Covered asset types

Trail
1 queries

Ensure CloudTrail logs are encrypted at rest using KMS CMKs

Medium

AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.

Applies to

AWS

Covered asset types

Trail
1 queries

Ensure CloudTrail trails are integrated with CloudWatch Logs

Medium

AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.

Applies to

AWS

Covered asset types

Trail
1 queries

Ensure Cluster Check is triggered at least once per week for Kubernetes Clusters

Medium

Applies to

General guidance
0 queries

Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled

High

Disable access to the Kubernetes API from outside the node network if it is not required.

Applies to

AWS

Covered asset types

EKSCluster
1 queries

Ensure clusters are created with Private Nodes

High

Disable public IP addresses for cluster nodes, so that they only have private IP addresses.

Applies to

AWS

Covered asset types

EKSNodeGroup
1 queries

Ensure Compute instances are launched with Shielded VM enabled

Medium

To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.

Applies to

Google Cloud

Covered asset types

VM
1 queries

Ensure Compute instances do not have public IP addresses

Medium

Compute instances should not be configured to have external IP addresses.

Applies to

Google Cloud

Covered asset types

VM
1 queries

Ensure Compute Instances have Confidential Computing Enabled

Low

Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).

Applies to

Google Cloud

Covered asset types

VM
1 queries

Ensure container images do not contain exploitable vulnerabilities

Medium

Applies to

Google Cloud

Covered asset types

Image
1 queries

Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image

Low

Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure credentials unused for 45 days or greater are disabled

Medium

Applies to

AWS

Covered asset types

IAMUser
1 queries

Ensure data stored in SNS Topics is encrypted

Medium

Amazon SNS is a publish/subscribe messaging service. When you publish messages to encrypted topics, customer master keys (CMKs) managed by AWS KMS can be used to encrypt your messages.

Applies to

AWS

Covered asset types

SNSTopic
1 queries

Ensure databases are encrypted

High

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

CloudSQLInstance, DBInstance, MariaDBServer, MySQLFlexibleServer, MySQLServer, PostgreSQLFlexibleServer, PostgreSQLServer
8 queries

Ensure databases are not publicly accessible

High

Managed databases with public exposure can be reached directly from the internet, which significantly increases the risk of brute-force attempts, credential stuffing, exploitation of unpatched engines, and data exfiltration.

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

CloudSQLInstance, DBCluster, DBInstance, MariaDBServer, MySQLFlexibleServer, MySQLServer, PostgreSQLFlexibleServer, PostgreSQLServer, SQLDatabase
10 queries

Ensure databases have deletion protection enabled

Medium

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

CloudSQLInstance, CosmosDBAccount, DBInstance, MariaDBServer, MySQLFlexibleServer, MySQLServer, PostgreSQLFlexibleServer, PostgreSQLServer, SQLDatabase, SQLServer
4 queries

Ensure databases have TLS 1.2 or newer enabled

Low

Cyscale looks for managed database instances that have TLS enabled with a version no older than 1.2. TLS 1.0 and 1.1 are vulnerable to downgrade attacks since they rely on SHA-1 for the integrity of exchanged messages.

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

CloudSQLInstance, DBCluster, DBInstance, MariaDBServer, MySQLFlexibleServer, MySQLServer, PostgreSQLFlexibleServer, PostgreSQLServer, SQLDatabase
9 queries

Ensure Default Network Access Rule for Storage Accounts is Set to Deny

High

Restricting default network access helps to provide a new layer of security since storage accounts accept connections from clients on any network. The default action must be changed to limit access to selected networks.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 queries

Ensure default Service account is not used for Project access in Kubernetes Clusters

Medium

A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Diagnostic Setting captures appropriate categories

Low

Prerequisite: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available.

Applies to

Microsoft Azure

Covered asset types

SubscriptionDiagnosticSettings
1 queries

Ensure disks are not publicly accessible

Medium

Cyscale looks for disks/volumes attached to virtual machines/instances reachable from the internet on administration ports (22, 3389). To reduce the risk of data breaches, configure the security groups/firewalls to allow access only from specific sources or re-consider whether you really need SSH/RDP access.

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

Disk
3 queries

Ensure DNSSEC is enabled for Cloud DNS

Medium

Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.

Applies to

Google Cloud

Covered asset types

ManagedZone
1 queries

Ensure EBS encryption by default is enabled

Medium

Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.

Applies to

AWS

Covered asset types

EBSSettings
1 queries

Ensure EC2 Instances are deployed in a VPC

Medium

If you created your AWS account before December 4, 2013, you might have support for EC2-Classic in some AWS Regions. Some Amazon EC2 resources and features, such as enhanced networking and newer instance types, require a virtual private cloud (VPC).

Applies to

AWS

Covered asset types

VM
1 queries

Ensure ECR repositories use immutable tags and image scanning

Medium

Container images should be protected from tag overwrite and scanned for vulnerabilities.

Applies to

AWS

Covered asset types

ECRRepository
1 queries

Ensure ECS clusters use Container Insights

Low

Container Insights collects metrics at the cluster, task, and service levels.

Applies to

AWS

Covered asset types

ECSCluster
1 queries

Ensure ECS containers run as non-privileged

High

ECS containers should run as non-privileged. The control fails if the `privileged` parameter in the container definition of Amazon ECS Task Definitions is set to true.

Applies to

AWS

Covered asset types

ECSTaskDefinition
1 queries

Ensure ECS services don't have public IP addresses assigned to them automatically

High

This control checks whether Amazon ECS services are configured to automatically assign public IP addresses.

Applies to

AWS

Covered asset types

ECSService
1 queries

Ensure ECS task definitions do not share the host's process namespace

High

A process ID (PID) namespace provides separation between processes. It prevents system processes from being visible, and allows PIDs to be reused, including PID 1. If the host's PID namespace is shared with containers, it would allow containers to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. These circumstances could lead to unauthorized access to processes on the host itself, including the ability to manipulate and terminate them. Customers shouldn't share the host's process namespace with containers running on it. This control only evaluates the in-use (RUNNING Task) revision of an Amazon ECS task definition.

Applies to

AWS

Covered asset types

ECSTaskDefinition
1 queries

Ensure encrypted storage is used for VMs that might host a database

Medium

If you have to or choose to host the database on a virtual machine, encrypting the volumes is highly recommended.

Applies to

AWS

Covered asset types

VM
1 queries

Ensure encryption keys are not expiring within the next 14 days

High

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

KMSKey
1 queries

Ensure encryption keys are not publicly accessible

High

Applies to

AWS, Google Cloud

Covered asset types

KMSKey
2 queries

Ensure encryption keys are rotated

High

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

KMSKey
4 queries

Ensure encryption keys don't have permissive access policies

High

Applies to

AWS, Google Cloud

Covered asset types

KMSKey
2 queries

Ensure ENI multiple IP mode support for Kubernetes Cluster

Medium

Applies to

General guidance
0 queries

Ensure Essential Contacts is Configured for Organization

Low

Applies to

Google Cloud

Covered asset types

Connector
1 queries

Ensure Fewer Than 5 Users Have Global Administrator Assignment

High

This recommendation aims to balance security and operational efficiency by ensuring that a minimum of 2 and a maximum of 4 users are assigned the Global Administrator role in Microsoft Entra ID. Having at least two Global Administrators ensures redundancy while limiting the number to four reduces the risk of excessive privileged access.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 queries

Ensure firewall rule does not allow all traffic for MongoDB (port 27017)

Medium

Applies to

Google Cloud

Covered asset types

Firewall
1 queries

Ensure firewall rule does not allow all traffic for MySQL (port 3306)

Medium

Applies to

Google Cloud

Covered asset types

Firewall
1 queries

Ensure firewall rule does not allow all traffic for Oracle DB (port 1521)

Medium

Applies to

Google Cloud

Covered asset types

Firewall
1 queries

Ensure firewall rule does not allow all traffic for PostgreSQL DB (port 5432)

Medium

Applies to

Google Cloud

Covered asset types

Firewall
1 queries

Ensure firewall rule does not allow all traffic on all ports

Medium

Applies to

Google Cloud

Covered asset types

Firewall
1 queries

Ensure firewall rule does not allow all traffic on port 80

Medium

### Overview

Applies to

Google Cloud

Covered asset types

Firewall
1 queries

Ensure Firewalls do not allow traffic from the internet

Medium

Firewalls/security groups allowing all traffic from the internet increase the **attack surface** of your cloud estate. When these are used to control the traffic to compute resources (most commonly VMs), attackers might be able to take advantage of various vulnerabilities present on these resources to infiltrate into the cloud environment. Then, if the compute resource has permissions to access data stores or other resources, the attacker might **move laterally** through the environment or **access potentially sensitive data**.

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

Firewall, SecurityGroup
2 queries

Ensure Functions are not publicly accessible

Low

Cyscale looks for functions directly reachable over the internet from any source, i.e. functions with HTTP triggers/URLs.

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

Function
4 queries

Ensure Guest Users Are Reviewed on a Regular Basis (Manual)

Medium

Microsoft Entra ID is extended to include Azure AD B2B collaboration, allowing you to invite people outside your organization to be guest users in your cloud account and sign in with their work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization while maintaining control over your corporate data.

Applies to

Microsoft Entra ID

Covered asset types

User
1 queries

Ensure hardware MFA is enabled for the "root" account (Hardware MFA)

Low

The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA.

Applies to

AWS

Covered asset types

Connector
1 queries

Ensure high-risk cloud events have alerting policies

Medium

Detection without alerting delays incident response. High-risk events should always trigger notifications.

Applies to

Google Cloud

Covered asset types

AlertPolicy
1 queries

Ensure HTTP(S) access from the Internet is evaluated and restricted

Medium

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.

Applies to

Microsoft Azure

Covered asset types

SecurityGroup
1 queries

Ensure IAM Access Analyzer is enabled in all active regions

Medium

IAM Access Analyzer helps identify unintended external access paths to resources.

Applies to

AWS

Covered asset types

AccessAnalyzer
1 queries

Ensure IAM instance roles are used for AWS resource access from instances

Medium

AWS access from AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. *AWS Access* means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.

Applies to

General guidance
0 queries

Ensure IAM password policy expires passwords within 90 days or less

Low

IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less.

Applies to

AWS

Covered asset types

IAMPasswordPolicy
1 queries

Ensure IAM password policy prevents password reuse

Low

IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.

Applies to

AWS

Covered asset types

IAMPasswordPolicy
1 queries

Ensure IAM password policy requires a minimum length of 14 or greater

Medium

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14.

Applies to

AWS

Covered asset types

IAMPasswordPolicy
1 queries

Ensure IAM password policy requires at least one lowercase letter

Low

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one lowercase letter.

Applies to

AWS

Covered asset types

IAMPasswordPolicy
1 queries

Ensure IAM password policy requires at least one number

Low

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one number.

Applies to

AWS

Covered asset types

IAMPasswordPolicy
1 queries

Ensure IAM password policy requires at least one symbol

Low

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one symbol.

Applies to

AWS

Covered asset types

IAMPasswordPolicy
1 queries

Ensure IAM password policy requires at least one uppercase letter

Low

Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets. It is recommended that the password policy require at least one uppercase letter.

Applies to

AWS

Covered asset types

IAMPasswordPolicy
1 queries

Ensure IAM policies that allow full "*:*" administrative privileges are not attached

High

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended, and considered a standard security practice, to grant least privilege, that is, to grant only the permissions required to perform a task. Determine which users need to do what, and then create policies for them accordingly instead of allowing full administrative privileges.

Applies to

AWS

Covered asset types

IAMGroup, IAMRole, IAMUser
3 queries

Ensure IAM Role can be assumed only by specific Principals

High

The list of principals able to assume a role should be limited as much as possible, and should not include "*", meaning that any authenticated identity across all of AWS can assume the role.

Applies to

AWS

Covered asset types

IAMRole
1 queries

Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments

Low

In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.

Applies to

General guidance
0 queries

Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level

Medium

It is recommended to assign the `Service Account User` (iam.serviceAccountUser) and `Service Account Token Creator` (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level.

Applies to

Google Cloud

Covered asset types

IAMServiceAccount, IAMUser
1 queries

Ensure IAM Users receive permissions only through Groups

Medium

IAM users are granted access to services, functions, and data through IAM policies. There are multiple ways to define policies for a user, such as:

Applies to

AWS

Covered asset types

IAMUser
1 queries

Ensure IAM Users that are inactive for 30 days or more are deactivated

Medium

IAM users who have not logged into AWS and have no API activity for 30 days should be considered inactive.

Applies to

AWS

Covered asset types

IAMUser
1 queries

Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider

Medium

Scan images being deployed to Amazon EKS for vulnerabilities.

Applies to

AWS

Covered asset types

ECRRepository
1 queries

Ensure in-use encryption keys are not scheduled for deletion

High

Cyscale looks for encryption keys scheduled for deletion that are currently in-use.

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

KMSKey
4 queries

Ensure Instance IP assignment is set to private

Medium

Instance addresses can be public IP or private IP. Public IP means that the instance is accessible through the public internet. In contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC).

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure instances are not configured to use the default service account

Medium

It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.

Applies to

Google Cloud

Covered asset types

VM
1 queries

Ensure Key Vaults are Recoverable

High

The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects.

Applies to

Microsoft Azure

Covered asset types

KMSVault
1 queries

Ensure Kinesis Data Streams use encryption at rest

Medium

With server-side encryption, your Kinesis stream producers and consumers don't need to manage master keys or cryptographic operations. Your data is automatically encrypted as it enters and leaves the Kinesis Data Streams service, so your data at rest is encrypted.

Applies to

AWS

Covered asset types

KinesisDataStream
1 queries

Ensure KMS encryption keys are rotated within a period of 90 days

Medium

Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.

Applies to

Google Cloud

Covered asset types

KMSKey
1 queries

Ensure KMSKeys are not exposed through publicly accessible VMs

High

### Overview

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

KMSKey
4 queries

Ensure Kubernetes Cluster is created with 'Private cluster' enabled

Medium

Applies to

General guidance
0 queries

Ensure Kubernetes Cluster is created with Alias IP ranges enabled

Low

Google Cloud Platform Alias IP Ranges lets you assign ranges of internal IP addresses as aliases to a virtual machine's network interfaces. This is useful if you have multiple services running on a VM and you want to assign each service a different IP address.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Kubernetes Cluster is created with Client Certificate enabled

Medium

A client certificate is a base64-encoded public certificate used by clients to authenticate to the cluster endpoint.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Kubernetes Cluster is created with Private cluster enabled

Medium

A private cluster is a cluster that makes your master inaccessible from the public internet. In a private cluster, nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. Nodes have addresses only in the private RFC 1918 address space. Nodes and masters communicate with each other privately using VPC peering.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Kubernetes Clusters are configured with Labels

Low

A cluster label is a key-value pair that helps you organize your Google Cloud Platform resources, such as clusters. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system, so you can break down your billing charges by the label.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Kubernetes Clusters are created with limited service account Access scopes for Project access

Low

Access scopes are the legacy method of specifying permissions for your instance. Before the existence of IAM roles, access scopes were the only mechanism for granting permissions to service accounts. By default, your node service account has access scopes.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Kubernetes Engine uses HTTP load balancing

Medium

HTTP/HTTPS load balancing provides global load balancing for HTTP/HTTPS requests destined for your cluster. Enabling HTTP/HTTPS load balancers lets Kubernetes Engine terminate unauthorized HTTP/HTTPS requests and make better context-aware load balancing decisions.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS

Medium

Encrypt Kubernetes secrets, stored in etcd, using secrets encryption feature during

Applies to

AWS

Covered asset types

EKSCluster
1 queries

Ensure Kubernetes web UI / Dashboard is disabled

High

Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster itself along with its attendant resources. You can use Dashboard to get an overview of applications running on your cluster, as well as for creating or modifying individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, etc). For example, you can scale a Deployment, initiate a rolling update, restart a pod or deploy new applications using a deploy wizard.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Kubernetes web UI / Dashboard is not enabled

High

Applies to

General guidance
0 queries

Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters

High

In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure legacy networks do not exist

Medium

Applies to

General guidance
0 queries

Ensure legacy networks do not exist for a project

High

**Description:**

Applies to

Google Cloud

Covered asset types

VPC
1 queries

Ensure log metric filter and alerts exist for Audit Configuration Changes

Low

Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, "who did what, where, and when?" within GCP projects.

Applies to

Google Cloud

Covered asset types

Connector
1 queries

Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes

Low

It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.

Applies to

Google Cloud

Covered asset types

Connector
1 queries

Ensure log metric filter and alerts exist for Custom Role changes

Low

It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.

Applies to

Google Cloud

Covered asset types

Connector
1 queries

Ensure log metric filter and alerts exist for Project Ownership assignments/changes

Low

In order to prevent unnecessary project ownership assignments to users/service accounts and further misuse of projects and resources, all `roles/Owner` assignments should be monitored.

Applies to

Google Cloud

Covered asset types

Connector
1 queries

Ensure log metric filter and alerts exist for SQL instance configuration changes

Low

It is recommended that a metric filter and alarm be established for SQL Instance configuration changes.

Applies to

Google Cloud

Covered asset types

Connector
1 queries

Ensure log metric filter and alerts exist for VPC network changes

Low

It is recommended that a metric filter and alarm be established for VPC network changes.

Applies to

Google Cloud

Covered asset types

Connector
1 queries

Ensure log metric filter and alerts exist for VPC Network Firewall rule changes

Low

It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.

Applies to

Google Cloud

Covered asset types

Connector
1 queries

Ensure log metric filter and alerts exist for VPC network route changes

Low

It is recommended that a metric filter and alarm be established for VPC network route changes.

Applies to

Google Cloud

Covered asset types

Connector
1 queries

Ensure log monitoring and alerts are set up for Cloud Firewall changes

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for disabling or deletion of customer created CMKs

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for Management Console authentication failures

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for Management Console sign-in without MFA

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for OSS bucket policy changes

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for OSS permission changes

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for RAM Role changes

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for RDS instance configuration changes

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for security group changes

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for unauthorized API calls

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for usage of 'root' account

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for VPC changes

Medium

Applies to

General guidance
0 queries

Ensure log monitoring and alerts are set up for VPC network route changes

Medium

Applies to

General guidance
0 queries

Ensure Log Service is enabled for Container Service for Kubernetes

Medium

Applies to

General guidance
0 queries

Ensure Log Service is set to 'Enabled' on Kubernetes Engine Clusters

Medium

Applies to

General guidance
0 queries

Ensure logging for Azure AppService 'HTTP logs' is enabled

Low

Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all HTTP requests are captured and centrally logged.

Applies to

Microsoft Azure

Covered asset types

Site
1 queries

Ensure logging for Azure Key Vault is 'Enabled'

Medium

Enable `AuditEvent` logging for key vault instances to ensure interactions with key vaults are logged and available.

Applies to

Microsoft Azure

Covered asset types

KMSVault
1 queries

Ensure Logging is enabled for HTTP(S) Load Balancers

Medium

Logging enabled on an HTTPS Load Balancer will show all network traffic and its destination.

Applies to

Google Cloud

Covered asset types

LoadBalancer
1 queries

Ensure Managed IAM Policies are used instead of Inline Policies

Medium

Inline policies are policies that are embedded directly into a single user, group, or role.

Applies to

AWS

Covered asset types

IAMGroup, IAMRole, IAMUser
1 queries

Ensure Managed Identities Are Used for App Service

Medium

Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering an App Service with Entra ID, the app will connect to other Azure services securely without usernames and passwords.

Applies to

Microsoft Azure

Covered asset types

Site
1 queries

Ensure management ports are restricted from the internet

High

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

Firewall, SecurityGroup
2 queries

Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters

Medium

Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your container cluster's Kubernetes master endpoint. Kubernetes Engine uses both Transport Layer Security (TLS) and authentication to provide secure access to your container cluster's Kubernetes master endpoint from the public internet. This provides you the flexibility to administer your cluster from anywhere; however, you might want to further restrict access to a set of IP addresses that you control. You can set this restriction by specifying an authorized network.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure MFA Delete is enabled on S3 buckets

Low

### Overview

Applies to

AWS

Covered asset types

Bucket
1 queries

Ensure MFA is configured with strong factors

Medium

While adopting MFA is a great step forward, some factors are safer than others. As you might imagine, a code (OTP) sent through SMS or email, which is still prone to phishing attacks, is considerably less secure than a biometric factor, for example.

Applies to

Okta

Covered asset types

Policy
1 queries

Ensure MFA is enabled for the 'root' account

Medium

Applies to

General guidance
0 queries

Ensure MFA is enabled for the "root" account

High

The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.

Applies to

AWS

Covered asset types

Connector
1 queries

Ensure Microsoft Defender for App Services is set to 'On'

Low

Turning on Microsoft Defender for App Services enables threat detection for App Services, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Microsoft Defender for Azure Cosmos DB is set to 'On'

Low

Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Microsoft Defender for Azure SQL databases is set to 'On'

Low

Turning on Microsoft Defender for Azure SQL databases enables threat detection for Azure SQL databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is selected

Low

This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Microsoft Defender for Containers is set to 'On'

Low

Turning on Microsoft Defender for Containers enables threat detection for Container Registries, including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. The following services will be enabled for container instances:

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Microsoft Defender for Key Vault is set to 'On'

Low

Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Microsoft Defender for Open-Source Relational Databases is set to 'On'

Low

Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Microsoft Defender for Resource Manager is set to 'On'

Low

Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Microsoft Defender for Servers is set to 'On'

Low

Turning on Microsoft Defender for Servers enables threat detection, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Microsoft Defender for SQL Servers on machines is set to 'On'

Low

Turning on Microsoft Defender for SQL Servers on machines enables threat detection for SQL Servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Microsoft Defender for Storage is set to 'On'

Low

Turning on Microsoft Defender for Storage enables threat detection, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Microsoft Entra authentication is Configured for SQL Servers

Medium

Use Microsoft Entra authentication for authentication with SQL Database to manage credentials in a single place.

Applies to

Microsoft Azure

Covered asset types

SQLServer
1 queries

Ensure Multi-factor Authentication is Required for Risky Sign-ins

Low

Designated users will be prompted to use their multi-factor authentication (MFA) process upon login.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 queries

Ensure Multifactor Authentication is Required for Windows Azure Service Management API

Low

This recommendation ensures that users accessing the Windows Azure Service Management API (i.e., Azure PowerShell, Azure CLI, Azure Resource Manager API, etc.) must use multifactor authentication (MFA) credentials when accessing resources through the Windows Azure Service Management API.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 queries

Ensure Multifactor Authentication is Required to access Microsoft Admin Portals

Low

This recommendation ensures that users accessing the Microsoft Admin Portals (i.e., Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure Portal, etc.) must use multifactor authentication (MFA) credentials when logging into an Admin Portal.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 queries

Ensure namespace enabled restricted pod security admission or if there are external policies (validating/mutating webhooks)

Low

Checks that every namespace has restricted pod security admission enabled; where external policies (validating/mutating webhooks) are applied to namespaced resources instead, it returns them to be reviewed.

Applies to

Kubernetes

Covered asset types

Namespace
1 queries

Ensure network access rule for storage bucket is not set to publicly accessible

Medium

Applies to

General guidance
0 queries

Ensure Network Load Balancer uses TLS Listener

Medium

Use secure listeners to support encrypted communication between clients and your load balancers. You can use AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM) to manage the server certificates installed on your load balancer.

Applies to

AWS

Covered asset types

LoadBalancer
1 queries

Ensure Network policy is enabled on Kubernetes Engine Clusters

Medium

Applies to

General guidance
0 queries

Ensure Network policy is enabled on Kubernetes Engine Clusters

Medium

A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Network Security Group Flow Log retention period is 'greater than 90 days'

Low

Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.

Applies to

Microsoft Azure

Covered asset types

FlowLog
1 queries

Ensure Network Security Group Flow logs are captured and sent to Log Analytics

Low

Ensure that network flow logs are captured and fed into a central log analytics workspace.

Applies to

Microsoft Azure

Covered asset types

FlowLog
1 queries

Ensure Network Watchers are 'Enabled' for in-use Azure regions

Low

Enable Network Watcher for Azure subscriptions.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure no "root" user account access key exists

High

The "root" account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the "root" account be removed.

Applies to

AWS

Covered asset types

Connector
1 queries

Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)

High

Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).

Applies to

Microsoft Azure

Covered asset types

SQLServer
1 queries

Ensure No Custom Subscription Administrator Roles Exist

Low

The principle of least privilege should be followed, and only necessary privileges should be assigned instead of allowing full administrative access.

Applies to

Microsoft Azure

Covered asset types

IAMRole
1 queries

Ensure no databases have outdated engine versions

High

### Overview

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

CloudSQLInstance, DBInstance, MariaDBServer, MySQLFlexibleServer, MySQLServer, PostgreSQLFlexibleServer, PostgreSQLServer
7 queries

Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites

High

Secure Sockets Layer (SSL) policies determine which Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers. To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile; or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or (c) a CUSTOM profile that does not support any of the following features:

Applies to

Google Cloud

Covered asset types

LoadBalancer
1 queries

Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

Low

The Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH on port `22` and RDP on port `3389`, using the TCP (6), UDP (17) or ALL (-1) protocols.
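An added evaluator for this control, not the catalog's own query logic. It works over entries shaped like the EC2 `DescribeNetworkAcls` response (the sample is constructed) and, unlike a naive "is there an allow from 0.0.0.0/0" match, honours NACL semantics: entries are evaluated in ascending rule number and the first match wins, so an explicit deny numbered below a blanket allow still closes the port.

```python
"""Evaluate AWS Network ACL entries for unrestricted ingress to admin ports.

Added example; not the catalog's query logic. Entry dicts mirror the shape of
EC2 DescribeNetworkAcls entries; the sample below is constructed.
"""
from typing import Iterable

ADMIN_PORTS = (22, 3389)  # SSH and RDP, the ports named by the control
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _entry_covers_port(entry: dict, port: int) -> bool:
    """True if the entry matches TCP (6), UDP (17) or ALL (-1) traffic to `port`."""
    protocol = str(entry.get("Protocol", "-1"))
    if protocol == "-1":
        return True  # ALL protocols: no PortRange is present on such entries
    if protocol not in ("6", "17"):
        return False  # e.g. ICMP (1) cannot reach a TCP/UDP port
    port_range = entry.get("PortRange", {"From": 0, "To": 65535})
    return port_range["From"] <= port <= port_range["To"]


def effective_ingress_action(entries: Iterable[dict], port: int) -> str:
    """Verdict ("allow" or "deny") for traffic from the whole internet to `port`.

    Entries are evaluated in ascending RuleNumber order and the first match
    wins. Only any-source entries are considered: a deny scoped to a narrower
    CIDR still leaves the rest of the internet able to reach the port. The
    implicit last rule (32767) denies everything that nothing else matched.
    """
    ingress = (e for e in entries if not e.get("Egress", False))
    for entry in sorted(ingress, key=lambda e: e["RuleNumber"]):
        any_source = (entry.get("CidrBlock") == ANY_IPV4
                      or entry.get("Ipv6CidrBlock") == ANY_IPV6)
        if any_source and _entry_covers_port(entry, port):
            return entry["RuleAction"]
    return "deny"


def open_admin_ports(entries: Iterable[dict], ports=ADMIN_PORTS) -> list[int]:
    """Admin ports the NACL leaves reachable from 0.0.0.0/0 or ::/0."""
    entries = list(entries)
    return [p for p in ports if effective_ingress_action(entries, p) == "allow"]


# Constructed sample: RDP is explicitly denied at rule 90, but rule 100 then
# allows ALL traffic from anywhere, so SSH (22) is still exposed.
SAMPLE_ENTRIES = [
    {"RuleNumber": 90, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print("admin ports reachable from the internet:", open_admin_ports(SAMPLE_ENTRIES))
```

Because NACLs are stateless, the same ordering logic applies to the egress side when checking return traffic; the function above deliberately looks only at ingress, which is what the control is about.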

Applies to

AWS

Covered asset types

NetworkACL
1 queries

Ensure no root account access key exists

High

Applies to

General guidance
0 queries

Ensure no SSL certificates expire in the next 14 days

Medium

An SSL/TLS server certificate is required to enable HTTPS connections to your website or application; a certificate that expires unnoticed causes an outage and invites operators to disable validation.

Applies to

AWSGoogle Cloud

Covered asset types

ACMSSLCertificateComputeSSLCertificateIAMServerCertificateSSLCertificate
1 queries

Ensure Only Approved Extensions Are Installed (Manual)

Medium

Only install organization-approved extensions on VMs.

Applies to

Microsoft Azure

Covered asset types

VM
1 queries

Ensure only MFA enabled identities can access privileged Virtual Machine

Medium

Identify identities that can log in to a privileged virtual machine with separate (non-MFA) login credentials. An adversary who obtains such credentials can use the access to move laterally and perform actions with the virtual machine's managed identity. Ensure the virtual machine has only the permissions it needs, and revoke admin-level permissions according to the principle of least privilege.

Applies to

Microsoft Azure

Covered asset types

VM
1 queries

Ensure oslogin is enabled for a Project

Medium

Enabling OS Login ties SSH access to Compute Engine instances to IAM identities: SSH public keys are associated with the user's Google account and access is granted through IAM roles rather than instance-level metadata keys, which simplifies key management and revocation.

Applies to

Google Cloud

Covered asset types

Project
1 queries

Ensure parameter 'log_connections' is set to 'ON' for PostgreSQL Database

Medium

Applies to

General guidance
0 queries

Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters

Medium

A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

Applies to

General guidance
0 queries

Ensure Private Endpoints are Used for Azure Key Vault

Medium

Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.

Applies to

Microsoft Azure

Covered asset types

KMSVault
1 queries

Ensure Private Endpoints Are Used To Access Cosmos DB Accounts

Medium

Private endpoints limit network traffic to approved sources.

Applies to

Microsoft Azure

Covered asset types

CosmosDBAccount
1 queries

Ensure Private Endpoints are used to access Storage Accounts

Medium

Use private endpoints for your Azure Storage accounts so that clients and services reach the account over Private Link. The private endpoint takes an IP address from your VNet for each storage service, so traffic between the VNet and the storage account stays on the Microsoft backbone network instead of traversing the public internet (transport encryption is still provided by HTTPS/SMB on top). The VNet can also be peered, extended to on-premises address space, or tunnelled across public networks to connect remote infrastructure. This segments storage traffic and keeps outside sources from reaching it; note that creating a private endpoint does not by itself disable the account's public endpoint, which must be restricted separately through the storage firewall or by disabling public network access.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 queries

Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets

Medium

Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Public IP addresses are Evaluated on a Periodic Basis (Manual)

Low

Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. A public IP address may be created during the creation of certain resources in Azure. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity.

Applies to

Microsoft Azure

Covered asset types

StaticIP
1 queries

Ensure Public Network Access is Disabled for SQL Servers

Medium

Disabling public network access prevents the SQL server from being reached from public networks; connectivity must then go through private endpoints.

Applies to

Microsoft Azure

Covered asset types

SQLServer
1 queries

Ensure queues are not publicly accessible

High

### Overview

Applies to

AWSGoogle Cloud

Covered asset types

PubSubSubscriptionPubSubTopicSQSQueue
3 queries

Ensure RAM password policy expires passwords within 90 days or less

Low

Applies to

Alibaba Cloud

Covered asset types

IAMPasswordPolicy
1 queries

Ensure RAM password policy prevents password reuse

Low

Applies to

Alibaba Cloud

Covered asset types

IAMPasswordPolicy
1 queries

Ensure RAM password policy requires a minimum length of 14 or greater

Medium

RAM password policies can be used to ensure password complexity. It is recommended that the password policy require a minimum of 14 or greater characters for any password.

Applies to

Alibaba Cloud

Covered asset types

IAMPasswordPolicy
1 queries

Ensure RAM password policy requires at least one lowercase letter

Medium

RAM password policies can be used to ensure password complexity. It is recommended that the password policy requires at least one lowercase letter.

Applies to

Alibaba Cloud

Covered asset types

IAMPasswordPolicy
1 queries

Ensure RAM password policy requires at least one number

Medium

RAM password policies can be used to ensure password complexity. It is recommended that the password policy requires at least one number.

Applies to

Alibaba Cloud

Covered asset types

IAMPasswordPolicy
1 queries

Ensure RAM password policy requires at least one symbol

Medium

RAM password policies can be used to ensure password complexity. It is recommended that the password policy requires at least one symbol.

Applies to

Alibaba Cloud

Covered asset types

IAMPasswordPolicy
1 queries

Ensure RAM password policy requires at least one uppercase letter

Medium

RAM password policies can be used to ensure password complexity. It is recommended that the password policy requires at least one uppercase letter.

Applies to

Alibaba Cloud

Covered asset types

IAMPasswordPolicy
1 queries

Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour

Medium

Applies to

Alibaba Cloud

Covered asset types

IAMPasswordPolicy
1 queries

Ensure RAM policies are attached only to groups or roles

Medium

### Description

Applies to

Alibaba Cloud

Covered asset types

IAMUser
1 queries

Ensure RAM policies that allow full '*:*' administrative privileges are not created

Medium

Applies to

Alibaba Cloud

Covered asset types

IAMPolicy
1 queries

Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key)

Medium

Applies to

General guidance
0 queries

Ensure RDS Instances accept traffic only from the Application Servers

Medium

### Overview

Applies to

AWS

Covered asset types

DBInstance
1 queries

Ensure RDS instances are not publicly reachable

Medium

RDS instances should be accessible only through well-defined paths and only from networks you manage. Disable 'Public access' where possible; this removes the public IP address assigned to the database instance.

Applies to

AWS

Covered asset types

DBInstance
1 queries

Ensure RDS instances require all incoming connections to use SSL

Medium

It is recommended that all incoming connections to the RDS database instance be required to use SSL/TLS.

Applies to

Alibaba Cloud

Covered asset types

DBInstance
1 queries

Ensure RDS instances use encrypted volumes

Medium

### Overview

Applies to

AWS

Covered asset types

DBInstance
1 queries

Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock

Low

Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.

Applies to

Google Cloud

Covered asset types

LogBucket
1 queries

Ensure role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters

Medium

Applies to

General guidance
0 queries

Ensure rotation for customer-created symmetric CMKs is enabled

Medium

AWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within KMS that is tied to the key ID of a customer-created KMS key (formerly called a customer master key, CMK). The backing key is what performs cryptographic operations such as encryption and decryption. Automatic key rotation retains all prior backing keys so that data encrypted under them can still be decrypted transparently. It is recommended that rotation be enabled for customer-created symmetric KMS keys.

Applies to

AWS

Covered asset types

KMSKey
1 queries

Ensure routing tables for VPC peering are 'least access'

Medium

Applies to

General guidance
0 queries

Ensure routing tables for VPC peering are "least access"

Medium

Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.

Applies to

General guidance
0 queries

Ensure RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC

Medium

NOTE: Google has removed the SHA1 algorithm from general use; a project that still needs it must be allowlisted by Google on a per-project basis, which in turn requires a Google Cloud support contract.

Applies to

Google Cloud

Covered asset types

ManagedZone
1 queries

Ensure RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC

Medium

NOTE: Google has removed the SHA1 algorithm from general use; a project that still needs it must be allowlisted by Google on a per-project basis, which in turn requires a Google Cloud support contract.

Applies to

Google Cloud

Covered asset types

ManagedZone
1 queries

Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

Low

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
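What those access records look like once they are being collected, and the kind of detection a practitioner would run over them, as an added example that is not the catalog's query. The three log lines are constructed to follow the S3 server access log field order (bucket owner, bucket, bracketed time, remote IP, requester, request ID, operation, key, quoted request URI, HTTP status, error code, bytes sent, object size, total time, turnaround time, quoted referrer, quoted user agent, version ID, then further fields); the account ID, request IDs and owner hash are placeholders.

```python
"""Parse S3 server access log lines and flag risky requests against a CloudTrail bucket.

Added example; not the catalog's query. The sample log lines are constructed.
"""
import re

# A field is a bracketed timestamp, a double-quoted string, or a run of non-space.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
_FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester",
           "request_id", "operation", "key", "request_uri", "http_status",
           "error_code", "bytes_sent", "object_size", "total_time",
           "turnaround_time", "referrer", "user_agent", "version_id")


def parse_access_log_line(line: str) -> dict:
    """Split one line into named fields; bracketed and quoted fields may contain spaces."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    record = dict(zip(_FIELDS, tokens))
    record["extra"] = tokens[len(_FIELDS):]  # host ID, signature version, cipher, auth type, ...
    return record


def risky_requests(lines, expected_writers=()) -> list[tuple[str, str]]:
    """(request_id, reason) for deletes, anonymous access and unexpected writers.

    CloudTrail writes each log object once and nobody should delete it, so any
    REST.DELETE.* is a finding. A requester of "-" is an unauthenticated request;
    it is reported even when S3 answered 403, because it shows the bucket is being
    probed. If `expected_writers` is given, PUTs by anyone else are flagged too.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_access_log_line(line)
        if rec["operation"].startswith("REST.DELETE."):
            findings.append((rec["request_id"],
                             f"{rec['operation']} on {rec['key']} by {rec['requester']}"))
        elif rec["requester"] == "-":
            findings.append((rec["request_id"],
                             f"unauthenticated {rec['operation']} from {rec['remote_ip']} "
                             f"(HTTP {rec['http_status']})"))
        elif (rec["operation"].startswith("REST.PUT.") and expected_writers
              and rec["requester"] not in expected_writers):
            findings.append((rec["request_id"],
                             f"unexpected writer {rec['requester']} ({rec['operation']})"))
    return findings


# Constructed sample: a normal read by the log reader role, a delete by an IAM
# user, and an anonymous bucket listing that was denied.
SAMPLE_LOG = """\
79a59df9EXAMPLEOWNER cloudtrail-logs-111122223333 [06/Feb/2024:00:00:38 +0000] 192.0.2.10 arn:aws:sts::111122223333:assumed-role/ct-reader/ci 3E57427F33A59F07 REST.GET.OBJECT AWSLogs/111122223333/CloudTrail/us-east-1/2024/02/06/a.json.gz "GET /AWSLogs/111122223333/CloudTrail/us-east-1/2024/02/06/a.json.gz HTTP/1.1" 200 - 2048 2048 12 9 "-" "aws-cli/2.15.0" -
79a59df9EXAMPLEOWNER cloudtrail-logs-111122223333 [06/Feb/2024:00:05:02 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/mallory 891CE47D2EXAMPLE REST.DELETE.OBJECT AWSLogs/111122223333/CloudTrail/us-east-1/2024/02/06/a.json.gz "DELETE /AWSLogs/111122223333/CloudTrail/us-east-1/2024/02/06/a.json.gz HTTP/1.1" 204 - - 2048 8 - "-" "aws-sdk-go/1.50.0" -
79a59df9EXAMPLEOWNER cloudtrail-logs-111122223333 [06/Feb/2024:00:07:45 +0000] 203.0.113.99 - A1206F460EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "Mozilla/5.0" -
"""

if __name__ == "__main__":
    for request_id, reason in risky_requests(SAMPLE_LOG.splitlines()):
        print(request_id, reason)
```

Access logs are delivered on a best-effort basis and with a delay, so this is a detective control; pair it with Object Lock or MFA delete on the bucket if deletion of trail logs must be prevented rather than just noticed.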

Applies to

AWS

Covered asset types

Bucket
1 queries

Ensure S3 bucket ACL grants permissions only to specific AWS accounts

Medium

In AWS the preferred way to grant access to a bucket is by using bucket policies, but access can also be granted via Access Control Lists (ACLs).

Applies to

AWS

Covered asset types

Bucket
1 queries

Ensure S3 bucket policy does not grant Allow permission to everyone

Medium

### Overview

Applies to

AWS

Covered asset types

Bucket
1 queries

Ensure S3 Bucket Policy is set to deny HTTP requests

High

### Overview

Applies to

AWS

Covered asset types

Bucket
1 queries

Ensure SageMaker Notebooks Are Encrypted

Medium

### Overview

Applies to

AWS

Covered asset types

SageMakerNoteBook
1 queries

Ensure Secrets are not stored in Cloud Functions environment variables by using Secret Manager

Medium

Google Cloud Functions allow you to host serverless code that is executed when an event is triggered, without requiring the management of a host operating system. These functions can also store environment variables to be used by the code that may contain authentication or other information that need to remain confidential.
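An added detector for this control, not the catalog's query. The function resource shape is that of Cloud Functions (2nd gen): `serviceConfig.environmentVariables` holds plain values, while `serviceConfig.secretEnvironmentVariables` holds Secret Manager references (key, secret, version) that are resolved at runtime and are the compliant alternative. The sample function, its values and the name/value heuristics are this example's own.

```python
"""Flag Cloud Functions whose plain environment variables look like secrets.

Added example; not the catalog's query. Sample function and values are constructed;
the heuristics (name keywords, known key formats, entropy) are this example's own.
"""
import math
import re
from collections import Counter

SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)
SECRET_VALUE_PATTERNS = (
    ("Google API key", re.compile(r"^AIza[0-9A-Za-z_-]{35}$")),
    ("AWS access key ID", re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")),
    ("PEM private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
)
ENTROPY_MIN_LEN, ENTROPY_THRESHOLD = 20, 4.0
NON_SECRET_PREFIXES = ("http://", "https://", "projects/", "gs://")  # long but not secret


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and URLs score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_env_var(name: str, value: str) -> list[str]:
    """Reasons this variable looks like a secret (empty list means it looks benign)."""
    reasons = []
    if SECRET_NAME.search(name):
        reasons.append("name suggests a secret")
    for label, pattern in SECRET_VALUE_PATTERNS:
        if pattern.search(value):
            reasons.append(f"value matches {label} format")
    if (len(value) >= ENTROPY_MIN_LEN and not value.startswith(NON_SECRET_PREFIXES)
            and shannon_entropy(value) >= ENTROPY_THRESHOLD):
        reasons.append(f"high-entropy value ({shannon_entropy(value):.1f} bits/char)")
    return reasons


def function_findings(fn: dict) -> dict[str, list[str]]:
    """Suspect plain env vars of one function, keyed by variable name.

    Variables delivered through secretEnvironmentVariables are not inspected:
    the resource stores only the Secret Manager reference, never the value.
    """
    plain = fn.get("serviceConfig", {}).get("environmentVariables", {})
    return {k: r for k, v in plain.items() if (r := classify_env_var(k, v))}


# Constructed sample function (2nd gen resource shape).
SAMPLE_FUNCTION = {
    "name": "projects/demo-proj/locations/us-central1/functions/order-webhook",
    "serviceConfig": {
        "environmentVariables": {
            "LOG_LEVEL": "info",
            "API_ENDPOINT": "https://api.example.com/v1",
            "DB_PASSWORD": "hunter2",
            "GOOGLE_MAPS_KEY": "AIzaSyD-EXAMPLE-EXAMPLE-EXAMPLE-000000x",
            "HMAC_B64": "Zq83LmP0vRt6YcKd1XsW9NbJ4hAe7GfU",
        },
        "secretEnvironmentVariables": [
            {"key": "STRIPE_SECRET", "projectId": "demo-proj",
             "secret": "stripe-api-key", "version": "latest"},
        ],
    },
}

if __name__ == "__main__":
    for var, reasons in function_findings(SAMPLE_FUNCTION).items():
        print(f"{var}: {'; '.join(reasons)}")
```

The entropy rule is the noisy one: it catches random-looking material regardless of its name, at the cost of flagging things like base64 feature flags, so keep `NON_SECRET_PREFIXES` and the threshold tuned to your own deployments rather than treating every hit as confirmed.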

Applies to

Google Cloud

Covered asset types

Function
1 queries

Ensure security alert emails for subscription owners are enabled

Low

Enable security alert emails to subscription owners.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure Security Center Network, Host and Security log analysis is enabled

Medium

Applies to

General guidance
0 queries

Ensure security contact information is registered

Low

### Overview

Applies to

General guidance
0 queries

Ensure Security Defaults is enabled on Microsoft Entra ID

Medium

> If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 queries

Ensure security questions are registered in the AWS account

Low

### Overview

Applies to

General guidance
0 queries

Ensure Separation of duties is enforced while assigning Service Account related roles to users

Medium

It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.

Applies to

Google Cloud

Covered asset types

IAMUser
1 queries

Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server

Medium

Enable `audit_log_enabled` on `MySQL flexible servers`.

Applies to

Microsoft Azure

Covered asset types

MySQLFlexibleServer
1 queries

Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server

Medium

Set `audit_log_events` to include `CONNECTION` on `MySQL flexible servers`.

Applies to

Microsoft Azure

Covered asset types

MySQLFlexibleServer
1 queries

Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible servers

Medium

Enable connection throttling on PostgreSQL flexible servers.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLFlexibleServer
1 queries

Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server

Medium

Enable `connection_throttling` on PostgreSQL Database Servers.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLServer
1 queries

Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server

Medium

Enable `log_checkpoints` on PostgreSQL Database Servers.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLServer
1 queries

Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible servers

Medium

Enable `log_checkpoints` on `PostgreSQL flexible servers`.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLFlexibleServer
1 queries

Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server

Medium

Applies to

General guidance
0 queries

Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server

Medium

Applies to

General guidance
0 queries

Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server

Medium

Enable `log_retention_days` on PostgreSQL Database Servers.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLServer
1 queries

Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible servers

Medium

Ensure `logfiles.retention_days` on `PostgreSQL flexible servers` is set to an appropriate value.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLFlexibleServer
1 queries

Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible servers

Medium

Enable `require_secure_transport` on `MySQL flexible servers`.

Applies to

Microsoft Azure

Covered asset types

MySQLFlexibleServer
1 queries

Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible servers

Medium

Enable `require_secure_transport` on `PostgreSQL flexible servers`.

Applies to

Microsoft Azure

Covered asset types

PostgreSQLFlexibleServer
1 queries

Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible servers

Medium

Ensure `tls_version` on `MySQL flexible servers` is set to use TLS version 1.2 or higher.

Applies to

Microsoft Azure

Covered asset types

MySQLFlexibleServer
1 queries

Ensure server-side encryption is set to 'Encrypt with BYOK'

Medium

### Description

Applies to

Alibaba Cloud

Covered asset types

Bucket
1 queries

Ensure server-side encryption is set to 'Encrypt with Service Key'

Medium

### Description

Applies to

Alibaba Cloud

Covered asset types

Bucket
1 queries

Ensure Service Account has no Admin privileges

Medium

A service account is a special Google account that belongs to your application or a VM instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that users are not directly involved. It is recommended that service accounts are not granted admin privileges.
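An added analyser serving both this entry and the 'Separation of duties' entry above, not the catalog's query. It inverts a project IAM policy (shape of the `getIamPolicy` response; the sample is constructed) into member-to-roles form, then reports service accounts holding admin roles and human members holding both `roles/iam.serviceAccountUser` and `roles/iam.serviceAccountAdmin`. Which roles count as "admin" is this example's assumption: the basic roles owner and editor plus any role whose name ends in Admin.

```python
"""Analyse a Google Cloud IAM policy for service-account admin roles and
for users who can both impersonate and administer service accounts.

Added example; not the catalog's query. The policy mirrors getIamPolicy output
and is constructed. "Admin role" definition below is an assumption.
"""
from collections import defaultdict

BASIC_ADMIN_ROLES = {"roles/owner", "roles/editor"}  # assumption: treated as admin
SA_USER_ROLE = "roles/iam.serviceAccountUser"
SA_ADMIN_ROLE = "roles/iam.serviceAccountAdmin"


def is_admin_role(role: str) -> bool:
    """Assumption: basic owner/editor, or any role whose name ends in 'admin'."""
    return role in BASIC_ADMIN_ROLES or role.lower().endswith("admin")


def roles_by_member(policy: dict) -> dict[str, set[str]]:
    """Invert bindings into member -> roles (binding conditions are ignored here)."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out


def service_accounts_with_admin(policy: dict) -> dict[str, set[str]]:
    """Service-account members and the admin roles each one holds."""
    return {m: {r for r in roles if is_admin_role(r)}
            for m, roles in roles_by_member(policy).items()
            if m.startswith("serviceAccount:") and any(is_admin_role(r) for r in roles)}


def separation_of_duties_violations(policy: dict) -> set[str]:
    """Human members (users/groups) holding both the SA user and SA admin roles."""
    return {m for m, roles in roles_by_member(policy).items()
            if m.startswith(("user:", "group:")) and {SA_USER_ROLE, SA_ADMIN_ROLE} <= roles}


# Constructed sample policy.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deploy@demo-proj.iam.gserviceaccount.com"]},
        {"role": "roles/cloudsql.admin",
         "members": ["serviceAccount:ops@demo-proj.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer",
         "members": ["serviceAccount:reader@demo-proj.iam.gserviceaccount.com"]},
        {"role": SA_USER_ROLE,
         "members": ["user:bob@example.com", "user:carol@example.com"]},
        {"role": SA_ADMIN_ROLE,
         "members": ["user:bob@example.com"]},
    ]
}

if __name__ == "__main__":
    print("service accounts with admin roles:", service_accounts_with_admin(SAMPLE_POLICY))
    print("separation-of-duties violations:", separation_of_duties_violations(SAMPLE_POLICY))
```

Bindings inherit from folders and the organization, so run this against the effective policy at each level, not only the project; a user who is `serviceAccountAdmin` at the folder and `serviceAccountUser` on the project has the same combined power.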

Applies to

Google Cloud

Covered asset types

IAMServiceAccount
1 queries

Ensure Service Bus namespaces disable public network access

High

Service Bus should not be directly reachable from public networks when private connectivity can be used.

Applies to

Microsoft Azure

Covered asset types

SBNamespace
1 queries

Ensure Shared Access Signature Tokens Expire Within One Hour

Low

> In its original form, this control cannot be audited since SAS tokens are not stored in Azure. Cyscale checks the [SAS expiration policy](https://learn.microsoft.com/en-us/azure/storage/common/sas-expiration-policy?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal#about-sas-expiration-policies) for each storage account.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 queries

Ensure sinks are configured for all Log entries

Low

It is recommended to create a sink that will export copies of all the log entries. This can

Applies to

Google Cloud

Covered asset types

Connector
1 queries

Ensure Soft Delete is Enabled for Azure Containers and Blob Storage

Medium

The Azure Storage blobs contain data like ePHI and financial information, which can be secret or personal. Data that is erroneously modified or deleted accidentally by an application or other storage account user can cause data loss or unavailability.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 queries

Ensure SQL server's TDE protector is encrypted with Customer Managed Keys (CMK)

Low

Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.

Applies to

Microsoft Azure

Covered asset types

SQLServer
1 queries

Ensure SSL policies enforce minimum TLS 1.2 for HTTPS proxies

High

Weak TLS versions expose workloads to known cryptographic downgrade and interception risks.

Applies to

Google Cloud

Covered asset types

SSLPolicy
1 queries

Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters

Medium

**Description:**

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters

Medium

Use Stackdriver Monitoring (now Cloud Monitoring) to monitor signals and build operations in your Kubernetes Engine clusters. Stackdriver Monitoring can access metrics about CPU utilization, some disk traffic metrics, network traffic, and uptime information. It uses the Monitoring agent to access additional system resources and application services in virtual machine instances.

Applies to

Google Cloud

Covered asset types

Cluster
1 queries

Ensure Storage Account Access Keys are Periodically Regenerated

Medium

For increased security, regenerate storage account access keys periodically.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 queries

Ensure Storage for Critical Data Is Encrypted with Customer Managed Keys

Low

Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed Keys.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 queries

Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests

Low

The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Applies to

Microsoft Azure

Covered asset types

BlobContainer
1 queries

Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests

Low

The Storage Queue service stores messages that any client accessing the storage account may read. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 queries

Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests

Low

Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 queries

Ensure subnetworks enable Private Google Access and Flow Logs

Medium

Subnetwork-level hardening should include private service access and network telemetry for monitoring and forensic use.

Applies to

Google Cloud

Covered asset types

Subnetwork
1 queries

Ensure that 'Auditing' is set to 'On' for applicable database instances

Medium

Applies to

General guidance
0 queries

Ensure that 'Auditing' Retention is 'greater than 6 months'

Medium

Applies to

General guidance
0 queries

Ensure that 'Enable Data Access Authentication Mode' is 'Checked'

Medium

Data Access Authentication Mode requires Microsoft Entra ID authentication for uploading or exporting Virtual Machine disks, so a shared access signature alone is no longer enough to pull a disk's contents.

Applies to

Microsoft Azure

Covered asset types

Disk
1 queries

Ensure that 'Java version' is currently supported (if in use)

Medium

Older versions of Java may periodically be deprecated and no longer supported. To avoid potential unpatched vulnerabilities, it is recommended that you use a supported version of Java for app services.

Applies to

Microsoft Azure

Covered asset types

Site
1 queries

Ensure that 'Notify about alerts with the following severity' is set to 'High'

Medium

Enables emailing security alerts to the subscription owner or other designated security contact.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure that 'OS and Data' disks are encrypted with Customer Managed Keys (CMK)

Medium

Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed Keys can be used with either ADE (Azure Disk Encryption) or SSE (Server Side Encryption).

Applies to

Microsoft Azure

Covered asset types

VM
1 queries

Ensure that 'PHP version' is currently supported (if in use)

Medium

Periodically, older versions of PHP may be deprecated and no longer supported. Using a supported version of PHP for app services is recommended to avoid potential unpatched vulnerabilities.

Applies to

Microsoft Azure

Covered asset types

Site
1 queries

Ensure that 'Python version' is currently supported (if in use)

Medium

Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.

Applies to

Microsoft Azure

Covered asset types

Site
1 queries

Ensure that 'Secure transfer required' is set to 'Enabled'

High

Applies to

General guidance
0 queries

Ensure that 'TDE' is set to 'Enabled' for applicable database instances

Medium

### Description

Applies to

Alibaba Cloud

Covered asset types

DBInstance
1 queries

Ensure that 'Unattached disks' are encrypted

Medium

Applies to

Alibaba Cloud

Covered asset types

Disk
1 queries

Ensure that 'Unattached disks' are encrypted with Customer Managed Keys (CMK)

Medium

Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).

Applies to

Microsoft Azure

Covered asset types

Disk
1 queries

Ensure that 'Virtual Machine's disk' are encrypted

Medium

### Description

Applies to

Alibaba Cloud

Covered asset types

VM
1 queries

Ensure that ActionTrail is configured to export copies of all Log entries

Medium

### Description

Applies to

Alibaba Cloud

Covered asset types

Connector
1 queries

Ensure that Activity Log Alert exists for Create or Update Network Security Group

Low

Create an Activity Log Alert for the Create or Update Network Security Group event.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure that Activity Log Alert exists for Create or Update Public IP Address rule

Low

Create an Activity Log Alert for the Create or Update Public IP Addresses event.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure that Activity Log Alert exists for Create or Update Security Solution

Low

Create an activity log alert for the Create or Update Security Solution event.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule

Low

Create an activity log alert for the Create or Update SQL Server Firewall Rule events.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure that Activity Log Alert exists for Create Policy Assignment

Low

Create an activity log alert for the Create Policy Assignment event.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure that Activity Log Alert exists for Delete Network Security Group

Low

Create an activity log alert for the "Delete Network Security Group" event.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure that Activity Log Alert exists for Delete Policy Assignment

Low

Create an activity log alert for the "Delete Policy Assignment" event.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure that Activity Log Alert exists for Delete Public IP Address rule

Low

Create an Activity Log Alert for the Delete Public IP Addresses event.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure that Activity Log Alert exists for Delete Security Solution

Low

Create an activity log alert for the "Delete Security Solution" event.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule

Low

Create an activity log alert for the Delete SQL Server Firewall Rule event.

Applies to

Microsoft Azure

Covered asset types

Connector
1 queries

Ensure that all assets are installed with security agent

Medium

Applies to

General guidance
0 queries

Ensure that all Namespaces have Network Policies defined

Medium

Use network policies to isolate traffic in your cluster network.

Applies to

Kubernetes

Covered asset types

Namespace
1 queries

Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed

Medium

An SSL/TLS server certificate is required to enable HTTPS connections to your website or application in AWS. You can use ACM or IAM to store and deploy server certificates. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS.

Applies to

AWS

Covered asset types

IAMServerCertificate
1 queries

Ensure that Asset Fingerprint automatically collects asset fingerprint data

Medium

Applies to

General guidance
0 queries

Ensure that Automatic Quarantine is enabled

Medium

Applies to

General guidance
0 queries

Ensure that AWS Lambda functions do not share the same AWS IAM execution role

Medium

It is recommended to have one IAM role per each Lambda function in order to follow the Principle of Least Privilege.

Applies to

AWS

Covered asset types

Function
1 queries

Ensure that Config Assessment is granted with privilege

Medium

Applies to

General guidance
0 queries

Ensure that corporate login credentials are used instead of Gmail accounts

Medium

Use corporate login credentials instead of personal accounts, such as Gmail accounts.

Applies to

Google Cloud

Covered asset types

IAMServiceAccountIAMUser
1 queries

Ensure that default service accounts are not actively used

Low

The default service account should not be used to ensure that rights granted to

Applies to

Kubernetes

Covered asset types

ClusterRoleBindingRoleBindingServiceAccount
3 queries

Ensure that Elasticsearch database is not exposed to the internet (ports 9200 and/or 9300)

Medium

Services and databases store data that may be sensitive, protected by law, subject to regulatory requirements or compliance standards.

Applies to

AWS

Covered asset types

SecurityGroup
1 queries

Ensure that encryption is enabled for RDS Instances

Medium

Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.

Applies to

AWS

Covered asset types

DBInstance
1 queries

Ensure that Endpoint Protection for all Virtual Machines is installed

Low

Install endpoint protection for all virtual machines.

Applies to

General guidance
0 queries

Ensure that IAM Access analyzer is enabled for all regions

Medium

Enable IAM Access analyzer for IAM policies about all resources in each region.

Applies to

AWS

Covered asset types

Connector
1 queries

Ensure that instances are not configured to use the default service account with full access to all Cloud APIs

High

To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the default service account `Compute Engine default service account` with the scope `Allow full access to all Cloud APIs`.

Applies to

Google Cloud

Covered asset types

VM
1 queries

Ensure that IP forwarding is not enabled on Instances

Medium

A Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different from the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.

Applies to

Google Cloud

Covered asset types

VM
1 queries

Ensure that logging is enabled for Cloud Storage buckets

Medium

Storage Access Logging generates a log that contains access records for each request made to the Storage bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed. Cloud Storage offers access logs and storage logs in the form of CSV files that can be downloaded and used for analysis and incident response. Access logs provide information for all of the requests made on a specified bucket and are created hourly, while the daily storage logs provide information about the storage consumption of that bucket for the last day. The access logs and storage logs are automatically created as new objects in a bucket that you specify, and storage logs help keep track of the amount of data stored in the bucket. It is recommended that Storage Access Logs and Storage Logs are enabled for every Storage Bucket.

Applies to

Google Cloud

Covered asset types

Bucket
1 queries

Ensure that logging is enabled for OSS buckets

Medium

Applies to

Alibaba Cloud

Covered asset types

Bucket
1 queries

Ensure that Logstore data retention period is set to 365 days or greater

Medium

Applies to

General guidance
0 queries

Ensure that MySql database instances do not allow root login from any Host

Low

It is recommended that root access to a MySQL Database Instance be allowed only from specific white-listed trusted IPs.

Applies to

Google Cloud

Covered asset types

SQLUser
1 queries

Ensure that notification is enabled on all high risk items

Medium

Applies to

General guidance
0 queries

Ensure that object versioning is enabled on log-buckets

Low

Applies to

Google Cloud

Covered asset types

Bucket
1 queries

Ensure that Object-level logging for read events is enabled for S3 bucket

Low

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.

Applies to

AWS

Covered asset types

Bucket
1 queries

Ensure that Object-level logging for write events is enabled for S3 bucket

Low

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.

Applies to

AWS

Covered asset types

Bucket
1 queries

Ensure that RDS instances are not open to the world

Medium

Applies to

Alibaba Cloud
1 queries

Ensure that Resource Locks are set for mission critical Azure resources

Low

Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Control (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion.

Applies to

General guidance
0 queries

Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'

Medium

Amazon S3 provides *Block public access (bucket settings)* and *Block public access (account settings)* to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level.

Applies to

AWS

Covered asset types

Bucket
1 queries

Ensure that scheduled vulnerability scan is enabled on all servers

Medium

Applies to

General guidance
0 queries

Ensure that Security Center is Advanced or Enterprise Edition

Medium

Applies to

General guidance
0 queries

Ensure that Separation of duties is enforced while assigning KMS related roles to users

Medium

It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.

Applies to

Google Cloud

Covered asset types

IAMUser
1 queries

Ensure that Service Account Tokens are only mounted where necessary

Medium

Service account tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server.

Applies to

Kubernetes

Covered asset types

CronJob, DaemonSet, Deployment, Job, ReplicaSet, StatefulSet
6 queries

Ensure that the cluster-admin role is only used where required

High

The RBAC role `cluster-admin` provides wide-ranging powers over the environment and should be used only where and when needed.

Applies to

Kubernetes

Covered asset types

ClusterRoleBinding, RoleBinding
2 queries

Ensure that the endpoint protection for all Virtual Machines is installed

Medium

Applies to

General guidance
0 queries

Ensure that the latest OS Patches for all Virtual Machines are applied

Medium

Applies to

General guidance
0 queries

Ensure that the shared URL signature expires within an hour

Medium

Applies to

General guidance
0 queries

Ensure that there are only GCP-managed service account keys for each service account

Medium

User-managed service accounts should not have user-managed keys.

Applies to

Google Cloud

Covered asset types

IAMServiceAccount
1 queries

Ensure that URL signature is allowed only over https

Medium

Applies to

General guidance
0 queries

Ensure that Webshell detection is enabled on all web servers

Medium

Applies to

General guidance
0 queries

Ensure the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'

Medium

It is recommended to set the `contained database authentication` database flag for the Cloud SQL SQL Server instance to `off`.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure the 'cross db ownership chaining' database flag for Cloud SQL on the SQL Server instance is set to 'Off'

Medium

It is recommended to set the `cross db ownership chaining` database flag for the Cloud SQL SQL Server instance to `off`.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure the 'local_infile' database flag for a Cloud SQL MySQL instance is set to 'Off'

Low

It is recommended to set the `local_infile` database flag for a Cloud SQL MySQL instance to `off`.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'On'

Low

Enabling the `log_connections` setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'On'

Low

Enabling the `log_disconnections` setting logs the end of each session, including the session duration.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (Disabled)

Low

The `log_min_duration_statement` flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that `log_min_duration_statement` is disabled, i.e., a value of `-1` is set.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately

Low

The `log_min_messages` flag defines the minimum message severity level that is considered an error statement. Messages for error statements are logged with the SQL statement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`, `WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. Each severity level includes the subsequent levels listed above. `ERROR` is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure the Cloud SQL database instances require all incoming connections to use SSL

Medium

It is recommended to require all incoming connections to the Cloud SQL database instance to use SSL.

Applies to

Google Cloud

Covered asset types

CloudSQLInstance
1 queries

Ensure the default firewall does not have any default rules besides http and https

Medium

Applies to

Google Cloud

Covered asset types

Firewall
1 queries

Ensure the default network does not exist in a project

High

To prevent use of `default` network, a project should not have a `default` network.

Applies to

Google Cloud

Covered asset types

VPC
1 queries

Ensure the default security group of every VPC restricts all traffic

Medium

A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.

Applies to

AWS

Covered asset types

SecurityGroup
1 queries

Ensure the Expiration Date is set for Key Vault Secrets

Medium

Ensure that all Secrets in Azure Key Vaults have an expiration date set.

Applies to

Microsoft Azure

Covered asset types

KMSSecret
1 queries

Ensure the Expiration Date is set for Key Vaults Keys

Medium

Ensure that all Keys in Azure Key Vaults have an expiration date set.

Applies to

Microsoft Azure

Covered asset types

KMSKey
1 queries

Ensure the OSS used to store ActionTrail logs is not publicly accessible

Medium

Applies to

Alibaba Cloud

Covered asset types

Bucket
1 queries

Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

High

CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.

Applies to

AWS

Covered asset types

Bucket
1 queries

Ensure the security groups are configured with fine grained rules

Medium

Applies to

General guidance
0 queries

Ensure the storage account storing activity logs is encrypted with Customer Managed Key (CMK)

Medium

Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).

Applies to

Microsoft Azure

Covered asset types

StorageAccount
1 queries

Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

Medium

Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.

Applies to

Microsoft Azure

Covered asset types

Site
1 queries

Ensure there are no weak password policies

Medium

This control looks for password policies that do not require a minimum length of 14 characters, one lowercase letter, one uppercase letter, one numeric character, and one symbol, or that allow password reuse.

Applies to

Okta

Covered asset types

PasswordPolicy
1 queries

Ensure there are no workloads with exploitable vulnerabilities

Medium

Applies to

AWS, Google Cloud, Kubernetes

Covered asset types

CloudRunRevision, Container, Function, VM
3 queries

Ensure there is only one active access key available for any single IAM user

Medium

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Applies to

AWS

Covered asset types

IAMUser
1 queries

Ensure Trusted Launch is enabled on Virtual Machines

Medium

When **Secure Boot** and **vTPM** are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting. If the attacker is able to bypass Secure Boot and install a malicious bootloader, vTPM can detect the intrusion and alert you.

Applies to

Microsoft Azure

Covered asset types

VM
1 queries

Ensure Trusted Locations Are Defined

Low

Microsoft Entra ID Conditional Access allows an organization to configure `Named locations` and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify `Geographical locations` for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.

Applies to

Microsoft Entra ID

Covered asset types

Connector
1 queries

Ensure UDP access from the Internet is evaluated and restricted

Medium

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.

Applies to

Microsoft Azure

Covered asset types

SecurityGroup
1 queries

Ensure unencrypted LDAP port (389) is not exposed to the internet

Medium

Applies to

AWS

Covered asset types

SecurityGroup
1 queries

Ensure used KMSKeys are not exposed through publicly accessible VMs

High

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

KMSKey
4 queries

Ensure user-managed/external keys for service accounts are rotated every 90 days or less

Medium

Service Account keys consist of a key ID (Private_key_Id) and a private key, which are used to sign programmatic requests that you make to Google Cloud services accessible to that particular Service Account. It is recommended that all Service Account keys are regularly rotated.

Applies to

Google Cloud

Covered asset types

IAMServiceAccountKey
1 queries

Ensure users not logged on for 90 days or longer are disabled for console logon

Medium

Applies to

Alibaba Cloud

Covered asset types

IAMUser
1 queries

Ensure Users With Access to Datastores Have MFA/2SV

Medium

Multi-factor authentication (MFA) is an important tool in protecting corporate resources. MFA, also called 2-step verification (2SV), requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code).

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure, Microsoft Entra ID

Covered asset types

IAMUser, User
5 queries

Ensure Virtual Machines are utilizing Managed Disks

Low

Migrate BLOB-based VHDs to Managed Disks on Virtual Machines to take advantage of the default features of this configuration. The features include:

Applies to

Microsoft Azure

Covered asset types

VM
1 queries

Ensure virtual network flow log service is enabled

Low

Applies to

General guidance
0 queries

Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)

Low

Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you want to control and manage this encryption yourself, you can provide your own encryption keys.

Applies to

Google Cloud

Covered asset types

Disk
1 queries

Ensure VMs are not publicly accessible

Medium

Cyscale looks for virtual machines reachable from the internet on administration ports (22, 3389). To reduce the risk of data breaches, configure the security groups/firewalls to allow access only from specific sources, or reconsider whether you really need SSH/RDP access.

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

VM
3 queries

Ensure VPC flow logging is enabled in all VPCs

Low

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.

Applies to

AWS

Covered asset types

VPC
1 queries

Ensure VPC flow logging is enabled in all VPCs

Low

Applies to

General guidance
0 queries

Ensure VPC Flow Logs are enabled for production VPCs

Medium

VPC Flow Logs capture network metadata that is essential for incident response and threat hunting.

Applies to

AWS

Covered asset types

VPC
1 queries

Ensure VPC Flow logs is enabled for every subnet in a VPC Network

Low

Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC Subnets. After you've created a flow log, you can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business critical VPC subnet.

Applies to

Google Cloud

Covered asset types

VPC
1 queries

Ensure weak TLS Protocols are not used for ELB

Medium

Applies to

AWS

Covered asset types

LoadBalancer
1 queries

Ensure Web App is using the latest version of TLS encryption

Medium

The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.

Applies to

Microsoft Azure

Covered asset types

Site
1 queries

Ensure Web App Uses HTTP 2.0

Medium

Periodically, newer HTTP versions are released, either due to security flaws or to include additional functionality. Apps should use the latest HTTP version to take advantage of any security fixes and/or new functionalities of the newer version.

Applies to

Microsoft Azure

Covered asset types

Site
1 queries

Ensure Web Application Firewall access and security log service is enabled

Medium

Applies to

Alibaba Cloud

Covered asset types

Domain
1 queries

Identities allowing external access

Medium

Identities that can be assumed or impersonated by external principals create a direct cross-tenant access path.

Applies to

AWS, Google Cloud

Covered asset types

IAMRole, IAMServiceAccount
2 queries

Identity Provider Inactive Users

Medium

Check Identity Provider Users with last login older than 30 days

Applies to

Okta

Covered asset types

User
1 queries

Identity Provider Super Administrators

Medium

Get super administrators from added identity provider connectors

Applies to

Okta

Covered asset types

User
1 queries

Identity Provider Users With Old Password

Medium

Get Identity Provider Users with passwords older than 90 days

Applies to

Okta

Covered asset types

User
1 queries

Launch Templates Should Not Allow Metadata Response Hop Limit Higher Than 1

Medium

Launch templates should not allow a metadata hop count greater than 1 when source/destination check is disabled.

Applies to

AWS

Covered asset types

LaunchTemplateVersion
1 queries

Launch Templates Should Only Allow IMDSv2

Medium

With IMDSv2, every request is now protected by session authentication. A session begins and ends a series of requests that software running on an EC2 instance uses to access the locally-stored EC2 instance metadata and credentials. The software starts a session with a simple HTTP PUT request to IMDSv2.

Applies to

AWS

Covered asset types

LaunchTemplateVersion
1 queries

Launch Templates with Disk Configuration Should Encrypt the Disks

Medium

Applies to

AWS

Covered asset types

LaunchTemplateVersion
1 queries

Limit the use of bind, impersonate and escalate permissions

Medium

Cluster roles and roles with the impersonate, bind or escalate permissions should not be granted unless strictly required. Each of these permissions allows a particular subject to escalate their privileges beyond those explicitly granted by cluster administrators.

Applies to

Kubernetes

Covered asset types

ClusterRoleBinding, RoleBinding
9 queries

Maintain current contact details

Low

Applies to

General guidance
0 queries

Make sure secrets are not passed as container environment variables

High

Amazon Elastic Container Service (ECS) [task definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html) are JSON files that describe how a Docker container should be launched within an ECS cluster.

Applies to

AWS

Covered asset types

ECSTaskDefinition
1 queries

Minimize access to create pods

Low

The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access).

Applies to

Kubernetes

Covered asset types

ClusterRoleBinding, RoleBinding
3 queries

Minimize access to secrets

Low

The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.

Applies to

Kubernetes

Covered asset types

ClusterRoleBinding, RoleBinding
3 queries

Minimize cluster access to read-only for Amazon ECR

Medium

Configure the Cluster Service Account with Storage Object Viewer Role to only allow

Applies to

AWS

Covered asset types

IAMRole
1 queries

Minimize the admission of containers which use HostPorts

High

Do not generally permit containers which require the use of HostPorts.

Applies to

Kubernetes

Covered asset types

Pod
1 queries

Minimize the admission of containers wishing to share the host IPC namespace

Medium

A container running in the host's IPC namespace can use IPC to interact with processes outside the container.

Applies to

Kubernetes

Covered asset types

Pod
1 queries

Minimize the admission of containers wishing to share the host network namespace

Medium

A container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods.

Applies to

Kubernetes

Covered asset types

Pod
1 queries

Minimize the admission of containers wishing to share the host process ID namespace

Medium

A container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container.

Applies to

Kubernetes

Covered asset types

Pod
1 queries

Minimize the admission of containers with allowPrivilegeEscalation

Medium

Do not generally permit containers to be run with the `allowPrivilegeEscalation` flag set.

Applies to

Kubernetes

Covered asset types

KubernetesPod
1 queries

Minimize the admission of privileged containers

High

Do not generally permit containers to be run with the `securityContext.privileged` flag set.

Applies to

Kubernetes

Covered asset types

KubernetesPod
1 queries

Minimize wildcard use in Roles and ClusterRoles

High

Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*" which matches all items.

Applies to

Kubernetes

Covered asset types

ClusterRole, Role
2 queries

Prefer using a container-optimized OS when possible

Low

A container-optimized OS is an operating system image that is designed for secure managed hosting of containers on compute instances.

Applies to

Kubernetes

Covered asset types

Node
1 queries

Prefer using secrets as files over secrets as environment variables

Medium

Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets.

Applies to

Kubernetes

Covered asset types

CronJob, DaemonSet, Deployment, Job, ReplicaSet, StatefulSet
6 queries

Restrict Access to the Control Plane Endpoint

High

Enable Endpoint Private Access to restrict access to the cluster's control plane to only

Applies to

AWS

Covered asset types

EKSCluster
1 queries

SageMaker Notebooks Should Not Allow Root Access

High

Because users with root access have administrator privileges, users can access and edit all files on a notebook instance with root access enabled.

Applies to

AWS

Covered asset types

SageMakerNoteBook
1 queries

SageMaker Notebooks Should Only Allow IMDSv2

Medium

With IMDSv2, every request is now protected by session authentication. A session begins and ends a series of requests that software running on an EC2 instance uses to access the locally stored EC2 instance metadata and credentials. The software starts a session with a simple HTTP PUT request to IMDSv2.

Applies to

AWS

Covered asset types

SageMakerNoteBook
1 queries

Service Identities attached to publicly accessible workloads

Medium

Service identities attached to public-facing workloads increase blast radius.

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

IAMRole, IAMServiceAccount, ManagedIdentity
3 queries

Service Identities With Access to Everything

Medium

Applies to

Alibaba Cloud, AWS, Google Cloud, Kubernetes, Microsoft Azure

Covered asset types

IAMRole, IAMServiceAccount, ManagedIdentity, ServiceAccount
4 queries

The default namespace should not be used

Low

Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.

Applies to

Kubernetes

Covered asset types

ConfigMap, CronJob, DaemonSet, Deployment, Endpoints, Ingress, Job, NetworkPolicy, PersistentVolumeClaim, ReplicaSet, Role, RoleBinding, Service, ServiceAccount, StatefulSet
15 queries

Unused Service Identities

Medium

Unused service identities are unnecessary attack surface.

Applies to

Alibaba Cloud, AWS, Google Cloud, Kubernetes, Microsoft Azure

Covered asset types

IAMRole, IAMServiceAccount, ManagedIdentity, ServiceAccount
5 queries

Use Entra ID Client Authentication and Azure RBAC for Cosmos DB

Medium

Cosmos DB can use tokens or Entra ID for client authentication which in turn will use Azure RBAC for authorization. Using Entra ID is significantly more secure because Entra ID handles the credentials and allows for MFA and centralized management, and the Azure RBAC is better integrated with the rest of Azure.

Applies to

Microsoft Azure

Covered asset types

CosmosDBAccount
1 queries

Users Should Have Multi-Factor Authentication (MFA/2SV)

Medium

Multi-factor authentication (MFA) is an important tool in protecting corporate resources. MFA, also called 2-step verification (2SV), requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code).

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure, Microsoft Entra ID

Covered asset types

IAMUser, User
5 queries
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

© 2026 Cyscale Limited
