Alibaba Cloud
AWS
Google Cloud
Microsoft AzureOverview
Policy Statement
Information assets shall be handled according to their determined classification, including access controls, labeling, retention policies, and destruction methods, among others.
In general, controls assigned by Data Asset Owners will deal with the confidentiality category of the data. The categories representing Integrity and Availability will be used to guide your organization to protect against the loss or corruption of the data.
your organization uses an asset inventory solution to ensure an updated and accurate software, cloud, physical, and data repositories asset inventory.
Asset = data/information
Information assets come in many shapes and forms. Therefore, the following list can only be illustrative. It is generally sensible to group information assets in a logical manner e.g. where they are all related to the same information system or business process.
Scope
All devices, systems, people, and processes that constitute your organization information and cloud-based systems.
Tip: You can generate an inventory report from the Inventory page.
Procedures
Procedures and mapped controls
Software Assets Inventory
All of the major software components that participate in offering your organization services to the customers must be cataloged. For each of these components, identification is done by specifying:
- Component Name
- Component Version
- Component Vendor
- Component Published
- Component URL
- Component Maintainer(s)
- Component Owner(s) inside your organization
- Component Update Frequency
Cloud Assets Inventory
All of the major infrastructure and cloud computing components (details, hostnames, DNS records, IPs, state, etc.) must be cataloged. For each of these cloud assets, identification is done by specifying:
- Asset Cloud Service Provider
- Asset Name
- Asset Create Date
- Asset Change Date
- Asset Owner(s) inside your organization
Data Repositories Inventory
your organization uses an automated system to query across IT infrastructure to obtain records (details, IPs) of all data repositories, such as:
- GCP Buckets
- GCP BigQuery
- AWS S3
- AWS RDS, Redshift and DynamoDB
- AWS EC2 Volumes
- Microsoft Azure Storage
- Source code repositories (Gitlab, Github)
- Data lakes and Data warehouses (Snowflake, Teradata, etc.)
Mapped controls
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure that Object-level logging for write events is enabled for S3 bucket
Ensure that Object-level logging for read events is enabled for S3 bucket
Ensure all S3 buckets employ encryption-at-rest
Ensure S3 Bucket Policy is set to deny HTTP requests
Ensure EBS encryption by default is enabled
Ensure Cloud Audit Logging is configured properly across all services and all users from a project
Ensure that object versioning is enabled on log-buckets
Ensure log metric filter and alerts exist for SQL instance configuration changes
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure that MySql database instances do not allow root login from any Host
Ensure buckets are not publicly accessible
Ensure that logging is enabled for Cloud Storage buckets
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock
Ensure Cloud Storage buckets have uniform bucket-level access enabled
Physical Assets Inventory
All of the important hardware/physical assets (e.g. laptops, mobile devices, media for storage, servers, printers, etc.) that the your organization owns or manages must be cataloged. For each of these devices, identification is done by specifying:
- Hardware Name
- Hardware Manufacturer
- Hardware Model/Version
- Hardware Operating System (name, version, patch/update status - if applicable)
- Hardware IP(s)
- Renewal date (change of laptop, printer, etc.)
- Hardware Owner
- Devices as part of the BYOD Policy:
- Installed applications
- Status (in-use, lost, wiped, etc.)
- Security Policies status (such as the enforcement of encryption, strong passwords, auto-updates, etc.)
Query logic
These are the stored checks tied to this policy.
S3 Buckets are configured with 'Block public access (bucket settings)'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { publicAccessBlocked: false }) {...AssetFragment}The S3 bucket used to store CloudTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { trails_NOT: null publicAccessBlocked: false OR: [ { hasBucketACLGrant_SOME: { OR: [ { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" } { granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" } ] } } { AND: [ { policyDocument_MATCHES: ".+\"Effect\":\"Allow\".+" } { policyDocument_MATCHES: ".+\"Principal\":\"*\".+" } ] } ] } ) {...AssetFragment}}S3 bucket access logging is enabled on the CloudTrail S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{trails_NOT: null, loggingEnabled:false}){...AssetFragment}}A log metric filter and alarm exist for S3 bucket policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?s3\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketReplication[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketReplication[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}Object-level logging for write events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "WriteOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}Object-level logging for read events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "ReadOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}All S3 buckets employ encryption-at-rest
Connectors
Covered asset types
Expected check: eq []
buckets(where: { encrypted: false}) {...AssetFragment}S3 Bucket Policy is set to deny HTTP requests
Connectors
Covered asset types
Expected check: eq []
buckets(where: {OR: [{policyDocument_MATCHES: "^((?!(?i)\"effect\":\"deny\").)*$"},{policyDocument_MATCHES: "^((?!(?i)\"Bool|aws:SecureTransport|false\").)*$"}]}) {...AssetFragment}EBS encryption by default is enabled
Connectors
Covered asset types
Expected check: eq []
{ebsSettings(where: { encryptedByDefault: false }) {...AssetFragment}}Cloud Audit Logging is configured properly across all services and all users from a project
Connectors
Covered asset types
Expected check: eq []
GCPLogging1{...AssetFragment}Object versioning is enabled on log-buckets
Connectors
Covered asset types
Expected check: eq []
GCPLogging3{...AssetFragment}Log metric filter and alerts exist for SQL instance configuration changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging11{...AssetFragment}Cloud SQL database instances require all incoming connections to use SSL
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsIPConfigurationRequireSsl:false}){...AssetFragment}Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
networkSettings_SOME: {
authorizedNetworks_SOME: {
OR: [{ cidrValue: "0.0.0.0/0" }, { cidrValue: "::/0" }]
}
}
}
) {
...AssetFragment
}
}MySql database instances do not allow root login from any Host
Connectors
Covered asset types
Expected check: eq []
sqlUsers(where:{name:"root"OR:[{host:"%"},{host:"0.0.0.0"},{host:""}]}){...AssetFragment}Publicly Accessible AWS Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "aws"
publicAccessBlocked: false
OR: [
{
hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
{
granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
}
]
permission_IN: ["READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"]
}
}
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "s3:GetObject" }
{ actions_INCLUDES: "s3:ListObjects" }
{ actions_INCLUDES: "s3:ListObjectsV2" }
{ actions_INCLUDES: "s3:PutObject" }
{ actions_INCLUDES: "s3:PutObjectAcl" }
{ actions_INCLUDES: "s3:CreateMultipartUpload" }
{ actions_INCLUDES: "s3:UploadPart" }
{ actions_INCLUDES: "s3:DeleteObject" }
{ actions_INCLUDES: "s3:DeleteObjects" }
{ actions_INCLUDES: "s3:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "AWS|*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Readable Azure Blob Containers
Connectors
Covered asset types
Expected check: eq []
{
blobContainers(
where: {
cloudProvider: "azure"
publicAccessBlocked: false
publicAccess_IN: ["Blob", "Container"]
}
) {...AssetFragment}
}
Publicly Accessible Google Cloud Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "gcp"
publicAccessBlocked: false
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allUsers" }
{ members_INCLUDES: "allAuthenticatedUsers" }
]
role: {
OR: [
{ permissions_INCLUDES: "storage.objects.get" }
{ permissions_INCLUDES: "storage.objects.list" }
{ permissions_INCLUDES: "storage.objects.create" }
{ permissions_INCLUDES: "storage.objects.delete" }
{ permissions_INCLUDES: "storage.objects.update" }
{ permissions_INCLUDES: "storage.objects.*" }
{ permissions_INCLUDES: "storage.objects.setIamPolicy" }
{
permissions_INCLUDES: "storage.multipartUploads.create"
}
{ permissions_INCLUDES: "storage.multipartUploads.*" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Alibaba Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "alibaba"
publicAccessBlocked: false
OR: [
{ acl_IN: ["public-read", "public-read-write"] }
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "oss:GetObject" }
{ actions_INCLUDES: "oss:PutObject" }
{ actions_INCLUDES: "oss:PutObjectAcl" }
{ actions_INCLUDES: "oss:ListObjects" }
{ actions_INCLUDES: "oss:GetObjectVersion" }
{ actions_INCLUDES: "oss:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "*"
}
}
}
]
}
) {...AssetFragment}
}
Logging is enabled for Cloud Storage buckets
Connectors
Covered asset types
Expected check: eq []
buckets(where:{loggingLogBucket_NOT:""}){...AssetFragment}VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Connectors
Covered asset types
Expected check: eq []
disks(where:{encryptedWithCustomerSuppliedKey: false }){...AssetFragment}Retention policies on log buckets are configured using Bucket Lock
Connectors
Covered asset types
Expected check: eq []
logBuckets(where:{locked:false}){...AssetFragment}Cloud Storage buckets have uniform bucket-level access enabled
Connectors
Covered asset types
Expected check: eq []
buckets(where:{iamConfigurationUniformBucketLevelAccessEnabled:false}){...AssetFragment}
