Alibaba Cloud
AWS
Google Cloud
Microsoft AzureOverview
Service identities attached to public-facing workloads increase blast radius.
What this control checks
Identities attached to workloads that are reachable from the public internet.
Why this matters
If a public workload is compromised, over-privileged service identities can accelerate account-wide compromise.
Remediation guidance
Remediation strategy
- Remove unnecessary public exposure from workloads.
- Replace broad identity permissions with least privilege.
- Use dedicated identities per workload.
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- https://cloud.google.com/iam/docs/using-iam-securely
- https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Multiple Remediation Paths
AWS
SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.
PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
Google Cloud
SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.
gcloud org-policies set-policy policy.yaml
ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.
PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
- GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
- GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
- Google Cloud: apply organization policy constraints at org/folder scope.
gcloud org-policies set-policy policy.yaml
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
AWS/Alibaba roles used by public workloads
Connectors
Covered asset types
Expected check: eq []
{
iamRoles(
where: {
OR: [
{
vms_SOME: {
NOT: { publicIpAddress: null }
networkInterfaces_SOME: {
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
}
}
{ functions_SOME: { NOT: { functionURL: "" }, authType: "NONE" } }
]
}
) {
...AssetFragment
}
}Google Cloud Service Accounts used by public workloads
Connectors
Covered asset types
Expected check: eq []
{
iamServiceAccounts(
where: {
OR: [
{
vms_SOME: {
networkInterfaces_SOME: {
hasNetworkInterfaceAccessConfig_NOT: null
}
firewalls_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
}
]
}
) {
...AssetFragment
}
}Managed Identities used by publicly accessible workloads
Connectors
Covered asset types
Expected check: eq []
{
managedIdentities(
where: {
OR: [
{
vms_SOME: {
networkInterfaces_SOME: {
publicIp_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
}
}
}
}
{
functions_SOME: {
bindings_SOME: { direction: "in", type: "httpTrigger" }
}
}
{ appServices_SOME: { authSettings: { NOT: { enabled: true } } } }
]
}
) {
...AssetFragment
}
}
