Overview
Statement
The Cloud Computing Compliance Criteria Catalogue (C5) is published by Germany's Federal Office for Information Security (BSI). It is used to assess whether a cloud service provider operates a cloud service with an appropriate baseline of security, transparency, and resilience.
As of 2026-04-08, the official BSI material still identifies C5:2020 as the current version and publishes C5:2025 separately as a community draft. This file therefore maps against C5:2020.
This first version is intentionally scoped to technical cloud controls only. It maps only those C5 domains where the current Cyscale control catalog can provide meaningful continuous evidence through cloud or workload security checks.
It does not attempt to cover domains that are mainly documentary, contractual, HR, physical-security, or legal-process requirements. Those can be added later with dedicated evidence-based controls if needed.
C5 distinguishes between:
Type 1: design and implementation of controls at a point in time.
Type 2: operating effectiveness of controls over a period of time.
For this technical baseline, the included areas are:
OIS - Organisation of Information Security
AM - Asset Management
OPS - Operations
IDM - Identity and Access Management
CRY - Cryptography and Key Management
COS - Communication Security
DEV - Procurement, Development and Modification of Information Systems
SIM - Security Incident Management
BCM - Business Continuity Management
COM - Compliance
PSS - Product Safety and Security
The following C5 areas are intentionally out of scope for this first, controls-only version because they are not honestly measurable through the current CSPM control set alone:
BC - General Conditions
SP - Security Policies and Instructions
HR - Human Resources
PS - Physical Security
PI - Portability and Interoperability
SSO - Control and Monitoring of Service Providers and Suppliers
INQ - Handling of Investigation Requests from Government Agencies
Official sources:
Technical C5 Areas
Procedures and mapped controls
OIS - Organisation of Information Security
This area covers how the provider organises security: management responsibility, risk governance, information security policy, security roles, and communication with relevant internal and external parties.
The mapping below focuses on technical signals that show whether privileged access is governed sensibly and whether separation of duties is enforced. These are not the whole OIS story, but they are the strongest continuous indicators available from the current control catalog.
Mapped controls
Users Should Have Multi-Factor Authentication (MFA/2SV)
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Service Identities With Access to Everything
Ensure No Custom Subscription Administrator Roles Exist
Identity Provider Super Administrators
Ensure at least two Okta admins are configured
AM - Asset Management
Asset Management in C5 covers knowing what assets exist, using them safely through their lifecycle, and classifying information according to protection needs.
Current automated coverage is partial. The controls below are the best practical matches because they support asset recording, controlled change, retention, or prevention of accidental loss.
Mapped controls
Ensure AWS Config recorder is enabled and recording all supported resources
Unused Service Identities
Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Ensure databases have deletion protection enabled
Ensure buckets have versioning enabled
OPS - Operations
OPS is one of the strongest areas for continuous technical monitoring. It covers secure regular operations such as logging, monitoring, vulnerability handling, malware protection, backup, patching, and operational change handling.
The controls below provide strong ongoing evidence that operational security controls are active and not drifting.
Mapped controls
Ensure CloudTrail is enabled in all regions
Ensure AWS Config recorder is enabled and recording all supported resources
Ensure VPC Flow Logs are enabled for production VPCs
Ensure Network Watchers are 'Enabled' for in-use Azure regions
Ensure logging for Azure Key Vault is 'Enabled'
Ensure organization and folder log sinks include children and have a destination
Ensure security alert policies are enabled and notify responders
Ensure there are no workloads with exploitable vulnerabilities
Ensure container images do not contain exploitable vulnerabilities
Ensure Microsoft Defender for Containers is set to 'On'
IDM - Identity and Access Management
This area covers identification of users and workloads, strong authentication, access approval, least privilege, segregation of duties, and control of privileged access.
Cyscale has good direct coverage here. The controls below are a solid technical baseline for C5 IDM readiness.
Mapped controls
Users Should Have Multi-Factor Authentication (MFA/2SV)
Ensure administrators have multi-factor authentication enabled
Ensure Users With Access to Datastores Have MFA/2SV
Identities allowing external access
Service Identities With Access to Everything
Ensure instances are not configured to use the default service account
Ensure that default service accounts are not actively used
Ensure 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
Ensure no "root" user account access key exists
CRY - Cryptography and Key Management
This area requires appropriate encryption for data in transit and at rest, plus secure key management and key lifecycle controls.
The controls below focus on encryption coverage, minimum TLS posture, key exposure, and key rotation.
Mapped controls
Ensure databases are encrypted
Ensure databases have TLS 1.2 or newer enabled
Encrypt traffic to HTTPS load balancers with TLS certificates
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure encryption keys are rotated
Ensure encryption keys don't have permissive access policies
Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
Ensure 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
Ensure SSL policies enforce minimum TLS 1.2 for HTTPS proxies
Ensure Cloud Bigtable uses CMEK for regulated data
Ensure Cloud Spanner uses CMEK for regulated data
COS - Communication Security
Communication Security covers how traffic is protected across networks, how management paths are separated, and how unnecessary public exposure is removed.
This area maps well to network exposure, private connectivity, segmentation, and flow-logging controls.
Mapped controls
Ensure management ports are restricted from the internet
Ensure VMs are not publicly accessible
Ensure databases are not publicly accessible
Ensure queues are not publicly accessible
Ensure Functions are not publicly accessible
Ensure VPC Flow Logs are enabled for production VPCs
Ensure Network Security Group Flow logs are captured and sent to Log Analytics
Ensure subnetworks enable Private Google Access and Flow Logs
Ensure Private Endpoints are Used for Azure Key Vault
Ensure 'Public Network Access' is 'Disabled' for storage accounts
Ensure Service Bus namespaces disable public network access
Ensure Azure Container Registry public network access is disabled
Ensure Cloud SQL database instances do not have public IPs
DEV - Procurement, Development and Modification of Information Systems
This area covers secure procurement and development, secure change management, testing, approvals before production, and separation of environments.
The controls below are the strongest current matches because they monitor software supply-chain hygiene, secrets handling, runtime support, and exploitable weaknesses.
Mapped controls
Ensure container images do not contain exploitable vulnerabilities
Ensure there are no workloads with exploitable vulnerabilities
Ensure ECR repositories use immutable tags and image scanning
Make sure secrets are not passed as container environment variables
Ensure Secrets are not stored in Cloud Functions environment variables by using Secret Manager
Prefer using secrets as files over secrets as environment variables
Ensure no databases have outdated engine versions
Ensure that 'Java version' is currently supported (if in use)
Ensure that 'PHP version' is currently supported (if in use)
Ensure that 'Python version' is currently supported (if in use)
ECS Fargate services should run on the latest Fargate platform version
SIM - Security Incident Management
Incident Management covers detecting, triaging, processing, documenting, reporting, and learning from security incidents.
Continuous audit evidence here mainly comes from alerting, audit trails, and retained incident-relevant logs.
Mapped controls
Ensure CloudTrail is enabled in all regions
Ensure AWS Config is enabled in all regions
Ensure logging for Azure Key Vault is 'Enabled'
Ensure 'Auditing' is set to 'On' for SQL Servers
Ensure organization and folder log sinks include children and have a destination
Ensure security alert policies are enabled and notify responders
Ensure log metric filter and alerts exist for Audit Configuration Changes
Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes
BCM - Business Continuity Management
Business Continuity Management focuses on planning for disruption, defining recovery targets, protecting recoverability, and testing whether recovery plans actually work.
The controls below do not prove a full BCM programme, but they do provide strong technical signals for recoverability and accidental-loss prevention.
Mapped controls
Ensure Cloud SQL database instances are configured with automated backups
Ensure databases have deletion protection enabled
Ensure buckets have versioning enabled
Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Ensure in-use encryption keys are not scheduled for deletion
Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Ensure no SSL certificates expire in the next 14 days
COM - Compliance
Compliance covers identifying applicable legal, regulatory, self-imposed, and contractual requirements, then auditing whether the cloud service still meets them.
The controls below are the strongest current matches because they improve auditability, retained evidence, and visibility into whether important security controls are actually active.
Mapped controls
Ensure IAM Access Analyzer is enabled in all active regions
Ensure AWS Config recorder is enabled and recording all supported resources
Ensure CloudTrail is enabled in all regions
Ensure logging for Azure Key Vault is 'Enabled'
Ensure 'Auditing' is set to 'On' for SQL Servers
Ensure Network Watchers are 'Enabled' for in-use Azure regions
Ensure organization and folder log sinks include children and have a destination
Ensure Cloud Audit Logging is configured properly across all services and all users from a project
PSS - Product Safety and Security
Product Safety and Security is one of the most cloud-specific C5 areas. It covers secure customer guidance, known-vulnerability handling, secure authentication and authorisation, logging, secure defaults, and security features exposed by the cloud service itself.
The controls below are the strongest current technical matches because they cover vulnerability hygiene, secure access, transport protection, and security monitoring.
Mapped controls
Ensure there are no workloads with exploitable vulnerabilities
Ensure container images do not contain exploitable vulnerabilities
Users Should Have Multi-Factor Authentication (MFA/2SV)
Ensure administrators have multi-factor authentication enabled
Ensure security alert policies are enabled and notify responders
Ensure 'HTTPS Only' is set to 'On' for App Service
Ensure SSL policies enforce minimum TLS 1.2 for HTTPS proxies
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Query logic
These are the stored checks tied to this framework.
Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}
Google Cloud IAMUsers Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
...AssetFragment
}
}
Entra Users Without MFA With Access to Azure
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}
Multi-factor authentication is enabled for all RAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}
Entra users without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false }) {
...AssetFragment
}
}
IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Connectors
Covered asset types
Expected check: eq []
GCP110IAM6{...AssetFragment}
Separation of duties is enforced while assigning service account related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountAdmin"
}
}
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountUser"
}
}
]
}
) {
...AssetFragment
}
}
AWS/Alibaba roles granting access to everything
Connectors
Covered asset types
Expected check: eq []
{
iamRoles(
where: {
cloudProvider_IN: ["alibaba", "aws"]
iamPolicies_SOME: {
iamPolicyStatements_SOME: {
actions_INCLUDES: "*"
resources_INCLUDES: "*"
}
}
}
) {
...AssetFragment
}
}
Google Cloud Service Accounts with access to everything
Connectors
Covered asset types
Expected check: eq []
{
iamServiceAccounts(
where: { hasIAMRole_SOME: { name_IN: ["roles/owner", "roles/editor"] } }
) {
...AssetFragment
}
}
K8s Service Accounts granting access to everything
Connectors
Covered asset types
Expected check: eq []
{
serviceAccounts(
where: {
OR: [
{
podIdentityAssociations_SOME: {
role: {
iamPolicies_SOME: {
iamPolicyStatements_SOME: {
actions_INCLUDES: "*"
resources_INCLUDES: "*"
}
}
}
}
}
{
annotations_SOME: {
awsRole: {
iamPolicies_SOME: {
iamPolicyStatements_SOME: {
actions_INCLUDES: "*"
resources_INCLUDES: "*"
}
}
}
}
}
]
}
) {
...AssetFragment
}
}
Azure Managed Identities with access to everything
Connectors
Covered asset types
Expected check: eq []
{
managedIdentities(
where: {
servicePrincipals_SOME: { roles_SOME: { permissions_INCLUDES: "*" } }
}
) {
...AssetFragment
}
}
Azure Custom Subscription Administrator Roles
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
iamRoles(
where: {
type: "CustomRole"
permissions_INCLUDES: "*"
assignableScopes_INCLUDES: $subscriptionResourceId
}
) {
...AssetFragment
}
}
Okta Super Administrator Users
Connectors
Covered asset types
Expected check: eq []
{
users(where: {isSuperAdmin: true}) {...AssetFragment}
}
At least two Okta admins are configured
Connectors
Covered asset types
Expected check: eq []
Okta1{...AssetFragment}
Config recorders not fully enabled
Connectors
Covered asset types
Expected check: eq []
{ configurationRecorders(where: { OR: [ { recording: false }, { allSupported: false }, { includeGlobalResourceTypes: false } ] }) { ...AssetFragment } }
Unused AWS IAM Roles
Connectors
Covered asset types
Expected check: eq []
{
UnusedAWSIAMRoles {
...AssetFragment
}
}
Unused Azure Managed Identities
Connectors
Covered asset types
Expected check: eq []
{
UnusedAzureManagedIdentities {
...AssetFragment
}
}
Unused Google Cloud Service Accounts
Connectors
Covered asset types
Expected check: eq []
{
UnusedGoogleCloudIAMServiceAccounts {
...AssetFragment
}
}
Unused Kubernetes Service Accounts
Connectors
Covered asset types
Expected check: eq []
{
UnusedK8sServiceAccounts {
...AssetFragment
}
}
Unused Alibaba RAM Roles
Connectors
Covered asset types
Expected check: eq []
{
UnusedAlibabaIAMRoles {
...AssetFragment
}
}
Azure IAM Custom roles with lock permission
Connectors
Covered asset types
Expected check: eq []
{
AzureConnectorsWithoutCustomLockRoles{
...AssetFragment
}
}
Databases without delete protection Azure
Connectors
Covered asset types
Expected check: eq []
{ databases(where: { deletionPrevention: "disabled" }) {...AssetFragment} }
Databases without delete protection Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: {deletionPrevention: "disabled"}) {...AssetFragment} }
Databases without delete protection AWS and Alibaba
Connectors
Covered asset types
Expected check: eq []
{ dbInstances(where: { AND: [ {deletionPrevention: "disabled" } {OR: [{ dbCluster: null }{ dbCluster: { deletionProtection: false }}]}]}) {...AssetFragment} }
Buckets without versioning enabled
Connectors
Covered asset types
Expected check: eq []
{ objectContainers (where: {versioningEnabled: false}) {...AssetFragment} }
AWS Multi-region cloud trails with logging enabled
Connectors
Covered asset types
Expected check: eq []
{
AWSLogging1 {...AssetFragment}
}
VPCs without flow logs
Connectors
Covered asset types
Expected check: eq []
{ vpcs(where: { cloudProvider: "aws", OR: [{ hasFlowLog: null }, { hasFlowLog_NONE: { flowLogStatus: "ACTIVE" } }] }) { ...AssetFragment } }
Azure Connectors without network watchers in all used regions
Connectors
Covered asset types
Expected check: eq []
{
AzureRegionsWithoutNetworkWatcher {
...AssetFragment
}
}
Key Vaults without Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where: {
OR: [
{ loggingEnabled: false }
{
diagnosticSettings_SOME: {
resourceType: "Microsoft.KeyVault/vaults"
logs_SOME: {
enabled: false
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
) {
...AssetFragment
}
}
Missing aggregated log sinks
Connectors
Covered asset types
Expected check: eq []
{ logSinks(where: { OR: [ { includeChildren: false }, { destination: "" } ] }) { ...AssetFragment } }
Missing required high-risk alert policies
Connectors
Covered asset types
Expected check: eq []
{ alertPolicies(where: { OR: [ { enabled: false }, { notificationChannels: "" } ] }) { ...AssetFragment } }
Ensure there are no Compute with exploitable vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{ComputeWithExploitableVulnerabilities {...AssetFragment}}
CloudRun revisions with high severity vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{
cloudRunRevisions(
where: {
image: {
findings_SOME: {
vulnerability: {
exploitAvailable: true
}
}
}
}) {
...AssetFragment
}
}
Containers with exploitable high/critical vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{
ContainersWithExploitableVulnerabilities {
...AssetFragment
}
}
GCP container images with exploitable high or critical vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{ ContainerImagesWithExploitableVulnerabilities { ...AssetFragment } }
Azure subscriptions without Microsoft Defender for Containers
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Containers", pricingTier: "Free" } }
) {
...AssetFragment
}
}
Alibaba & AWS Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: {
cloudProvider_IN: ["alibaba", "aws"],
OR: [
{
iamPolicies_SOME: {
OR: [{
internalName_CONTAINS: "Administrator"
}, {
internalName_CONTAINS: "FullAccess"
}]
}
},
{
hasIAMGroup_SOME: {
iamPolicies_SOME: {
OR: [{
internalName_CONTAINS: "Administrator"
}, {
internalName_CONTAINS: "FullAccess"
}]
}
}
}
],
mfaSerialNumbers: []
}) {
...AssetFragment
}
}
Entra users with privileged Azure assignments
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
mfaActive: false
OR: [
{
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
{
groups_SOME: {
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
}
]
}
) {
...AssetFragment
}
}
Okta Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
applications_SOME: {
name: "Okta Admin Console"
hasPolicy_SOME: { mfaEnabled: false }
}
OR: [
{ roles_INCLUDES: "Super Administrator" }
{ roles_INCLUDES: "API Access Management Administrator" }
{ roles_INCLUDES: "Application Administrator" }
{ roles_INCLUDES: "Group Membership Administrator" }
{ roles_INCLUDES: "Help Desk Administrator" }
{ roles_INCLUDES: "Mobile Administrator" }
{ roles_INCLUDES: "Organizational Administrator" }
{ roles_INCLUDES: "Read-only Administrator" }
{ roles_INCLUDES: "Report Administrator" }
{ roles_INCLUDES: "Group Administrator" }
]
}
) {
...AssetFragment
}
}
Google Workspace Admins without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { isAdmin: true, NOT: { isEnrolledIn2Sv: true } }) {
...AssetFragment
}
}
Google Cloud Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
hasIAMRole_SOME: {
OR: [
{ name_IN: ["roles/owner", "roles/editor"] }
{ name_CONTAINS: "admin" }
]
}
NOT: { user: { isEnrolledIn2Sv: true } }
}
) {
...AssetFragment
}
}
Entra admins without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { cloudProvider: "entra", isAdmin: true, mfaActive: false }) {
...AssetFragment
}
}
AWS Roles allowing external access
Connectors
Covered asset types
Expected check: eq []
{
AWSRolesWithExternalAccess {
...AssetFragment
}
}
Google Cloud Service Accounts allowing external access
Connectors
Covered asset types
Expected check: eq []
{
GCPServiceAccountsWithExternalAccess{
...AssetFragment
}
}
Instances are not configured to use the default service account
Connectors
Covered asset types
Expected check: eq []
vms(where: {serviceAccountEmail_CONTAINS: "[email protected]"}) {...AssetFragment}
Kubernetes default Service Accounts that automatically mount
Connectors
Covered asset types
Expected check: eq []
{
serviceAccounts(
where: { internalName: "default", automountServiceAccountToken: true }
) {
...AssetFragment
}
}
Kubernetes RoleBindings bound to default Service Accounts
Connectors
Covered asset types
Expected check: eq []
{
serviceAccounts(
where: {
internalName: "default"
roleBindingSubjects_SOME: { roleBinding: { idFromProvider_NOT: "" } }
}
) {
roleBindingSubjects {
roleBinding {
...AssetFragment
}
}
}
}
Kubernetes ClusterRoleBindings bound to default Service Accounts
Connectors
Covered asset types
Expected check: eq []
{
serviceAccounts(
where: {
internalName: "default"
clusterRoleBindingSubjects_SOME: {
clusterRoleBindings: { idFromProvider_NOT: "" }
}
}
) {
clusterRoleBindingSubjects {
clusterRoleBindings {
...AssetFragment
}
}
}
}
AWS Root users with access key
Connectors
Covered asset types
Expected check: eq []
{
rootUsers(
where: {
hasIAMUserCredentials: {
OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
}
}
) {
connector {...AssetFragment}
}
}
Azure MySQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers (where: {encrypted: false}) {...AssetFragment} }
Azure MySQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }
Azure PostgreSQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers (where: {encrypted: false}) {...AssetFragment} }
Azure PostgreSQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }
AWS RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "aws" encrypted: false }) {...AssetFragment} }
ApsaraDB RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "alibaba", encrypted: false }) {...AssetFragment} }
Google Cloud Cloud SQL with no encryption
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: { encrypted: false }) {...AssetFragment} }
Azure MariaDB Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(where: { encrypted: false }) {...AssetFragment}
}
Publicly Accessible Alibaba ApsaraDB Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { AND: [ { publicAccessBlocked: false } { whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} }
Publicly Accessible RDS with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { AND: [ { publicAccessBlocked: false } { securityGroups_SOME: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } { OR: [ { tlsStatus: "" } { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} }
Publicly Accessible Google Cloud Cloud SQL Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
AND: [
{ publicAccessBlocked: false }
{
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
{
OR: [
{ tlsStatus: "" }
{ tlsStatus: "disabled" }
{ tlsMinimumVersion_LT: 1.2 }
]
}
]
}
) {
...AssetFragment
}
}
Publicly Accessible Azure MySQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} }
Publicly Accessible Azure MySQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} }
Publicly Accessible Azure PostgreSQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} }
Publicly Accessible Azure PostgreSQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} }
Publicly Accessible Azure MariaDB Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers (
where: {
AND: [
{ publicAccessBlocked: false }
{
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
{ OR: [{ tlsStatus: "disabled" }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}
Publicly Accessible Azure SQL Databases with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
AND: [
{ publicAccessBlocked: false }
{
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
{ OR: [{ tlsStatus: "disabled" }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}
Ingresses without TLS config
Connectors
Covered asset types
Expected check: eq []
{
EKSIngressesWithoutTLSConfig {
...AssetFragment
}
}
Cloud KMS cryptokeys are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{OR:[{policyDocument_CONTAINS:"allUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}
KMS encryption keys are rotated within a period of 90 days
Connectors
Covered asset types
Expected check: eq []
GCP110IAM10{...AssetFragment}
Encryption Keys haven't been rotated in more than 90 days for AWS
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotationAWS(days: 90) {...AssetFragment}
}
Encryption Keys haven't been rotated in more than 90 days
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotation(days: 90) {...AssetFragment}
}
AWS Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{kmsKeys( where: { OR: [ { AND: {policyDocument_MATCHES: ".*arn:aws:iam::[0-9*]+:root.*", managementType: "CustomerManaged"} } { keyPolicy: { statements_SOME: { effect: "Allow" conditions: [] principals_INCLUDES: "AWS|*" } } } ] } ) {...AssetFragment}}
Google Cloud Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys( where: { OR: [ { policyDocument_MATCHES: ".*domain:.*" } { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ] } ) {...AssetFragment} }
Azure Key Vault keys without automatic rotation
Connectors
Covered asset types
Expected check: eq []
{
kmsKeys(where: { automaticRotationEnabled: false }) {
...AssetFragment
}
}
Azure Storage Accounts Without Minimum TLS 1.2
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { minimumTlsVersion_IN: ["TLS1_0", "TLS1_1"] }) {
...AssetFragment
}
}
SSL policies with legacy TLS
Connectors
Covered asset types
Expected check: eq []
{ sslPolicies(where: { OR: [ { minTlsVersion_IN: ["TLS_1_0", "TLS_1_1"] }, { profile: "COMPATIBLE" } ] }) { ...AssetFragment } }
Bigtable instances without CMEK
Connectors
Covered asset types
Expected check: eq []
{ bigTableInstances(where: { OR: [ { kmsKeyName: "" }, { kmsKeyName: null } ] }) { ...AssetFragment } }
Spanner instances without CMEK
Connectors
Covered asset types
Expected check: eq []
{ cloudSpannerInstances(where: { OR: [ { kmsKeyName: "" }, { kmsKeyName: null } ] }) { ...AssetFragment } }
Security Groups with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
Firewalls with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
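The two stored checks above (security groups and firewalls with management ports reachable from the internet) share one predicate. The Python below is an added illustration, not Cyscale's own code: it re-implements that predicate over constructed sample rules so the `rules_SOME` semantics, the port-range test and the `Expected check: eq []` pass condition can be seen end to end. Field names follow the query; the `require_allow` switch (true for the security-group query, which filters on `action: "Allow"`, false for the firewall query, which does not) and the sample data are assumptions.

```python
"""Local re-implementation of the "management ports not restricted from the
internet" predicate used by the security-group and firewall checks above.
Assumption: rule dicts use the same field names as the stored query
(direction, action, sources, destFromPort, destToPort)."""

MANAGEMENT_PORTS = (22, 3389)  # SSH and RDP, as in the query
PUBLIC_SOURCES = {"cidr:0.0.0.0/0", "cidr:::/0", "tag:Internet"}


def rule_is_open_to_internet(rule):
    """Inner OR of the query: any public source, or an empty source list."""
    sources = rule.get("sources") or []
    return not sources or any(s in PUBLIC_SOURCES for s in sources)


def rule_covers_management_port(rule):
    """destFromPort <= port <= destToPort for 22 or 3389, so a wide range
    such as 3000-4000 still counts as exposing RDP."""
    lo, hi = rule.get("destFromPort"), rule.get("destToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in MANAGEMENT_PORTS)


def rule_matches(rule, require_allow=True):
    """One rule satisfies the whole where-clause.  The firewall variant of the
    query has no action filter, so require_allow=False mirrors it."""
    return (rule.get("direction") == "Inbound"
            and (not require_allow or rule.get("action") == "Allow")
            and rule_is_open_to_internet(rule)
            and rule_covers_management_port(rule))


def failing_security_groups(groups, require_allow=True):
    """rules_SOME semantics: a group is returned if at least one rule matches."""
    return [g["name"] for g in groups
            if any(rule_matches(r, require_allow) for r in g.get("rules", []))]


def check_passes(groups, require_allow=True):
    """Expected check: eq [] -> the control passes only when nothing is returned."""
    return failing_security_groups(groups, require_allow) == []


# Constructed sample data (assumption): five groups, two of which should fail.
SAMPLE_GROUPS = [
    {"name": "sg-bastion-open", "rules": [
        {"direction": "Inbound", "action": "Allow", "sources": ["cidr:0.0.0.0/0"],
         "destFromPort": 22, "destToPort": 22}]},
    {"name": "sg-rdp-range", "rules": [  # empty sources + range covering 3389
        {"direction": "Inbound", "action": "Allow", "sources": [],
         "destFromPort": 3000, "destToPort": 4000}]},
    {"name": "sg-web-only", "rules": [  # public, but only HTTPS
        {"direction": "Inbound", "action": "Allow", "sources": ["cidr:0.0.0.0/0"],
         "destFromPort": 443, "destToPort": 443}]},
    {"name": "sg-ssh-corp", "rules": [  # SSH from a private range only
        {"direction": "Inbound", "action": "Allow", "sources": ["cidr:10.0.0.0/8"],
         "destFromPort": 22, "destToPort": 22}]},
    {"name": "sg-deny-ssh", "rules": [  # explicit deny: not an exposure
        {"direction": "Inbound", "action": "Deny", "sources": ["cidr:0.0.0.0/0"],
         "destFromPort": 22, "destToPort": 22}]},
]

if __name__ == "__main__":
    print("failing:", failing_security_groups(SAMPLE_GROUPS))
    print("control", "PASS" if check_passes(SAMPLE_GROUPS) else "FAIL")
```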
Publicly Accessible VMs for AWS/Alibaba
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
publicIpAddress_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}
Publicly Accessible VMs for Azure
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: {
publicIp_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
}
) {
...AssetFragment
}
}
Publicly Accessible VMs for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
firewalls_SOME: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}
Publicly Accessible Google Cloud Cloud SQL Instances
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
) {
...AssetFragment
}
}
Publicly Accessible Azure MySQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} }
Publicly Accessible Azure MySQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} }
Publicly Accessible Azure PostgreSQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} }
Publicly Accessible Azure PostgreSQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} }
Publicly Accessible Alibaba ApsaraDB Instances
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { publicAccessBlocked: false whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } ) {...AssetFragment} }
Publicly Accessible Azure SQL Databases
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
) {...AssetFragment}
}
Publicly Accessible RDS Clusters
Connectors
Covered asset types
Expected check: eq []
{
dbClusters(
where: {
dbInstances_SOME: {
publicAccessBlocked: false
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
}
) {...AssetFragment}
}
Publicly Accessible Azure MariaDB Servers
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(
where: {
publicAccessBlocked: false
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
) {...AssetFragment}
}
Publicly Accessible AWS RDS Instance
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
publicAccessBlocked: false
dbCluster: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
) {...AssetFragment}
}
Publicly accessible SQS queues
Connectors
Covered asset types
Expected check: eq []
{ sqsQueues(where: { policyDocument: { statements_SOME: { AND: [ { effect: "Allow" }, { OR: [ { principals_INCLUDES: "" }, { principals_INCLUDES: "*" }, { principals_INCLUDES: "AWS|*" } ] } ] } } }) {...AssetFragment} }
Publicly Accessible PubSub Subscriptions
Connectors
Covered asset types
Expected check: eq []
{ pubSubSubscriptions( where: { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ) {...AssetFragment} }
Publicly Accessible PubSub Topics
Connectors
Covered asset types
Expected check: eq []
{ pubSubTopics( where: { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ) {...AssetFragment} }
Publicly Accessible Functions for AWS
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
OR: [
{
securityRules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
},
{
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
]
}
) {
...AssetFragment
}
}
Publicly Accessible Functions for Azure
Connectors
Covered asset types
Expected check: eq []
{
functions(where: {
bindings_SOME: {
direction: "in",
type: "httpTrigger"
}
}) {
...AssetFragment
}
}
Publicly Accessible Functions for Alibaba
Connectors
Covered asset types
Expected check: eq []
{
functions(where: {
triggers_SOME: {
triggerType: "http"
}
}) {
...AssetFragment
}
}
Publicly Accessible Functions for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
NOT: {
httpsRequired: true
}
}
) {
...AssetFragment
}
}
Azure Flow Logs for NSGs without Log Analytics
Connectors
Covered asset types
Expected check: eq []
{
flowLogs(
where: {
targetResourceID_CONTAINS: "networkSecurityGroups"
trafficAnalyticsEnabled: false
}
) {
...AssetFragment
}
}
Subnets without Private Google Access or Flow Logs
Connectors
Covered asset types
Expected check: eq []
{ subnetworks(where: { OR: [ { privateIpGoogleAccess: false }, { enableFlowLogs: false } ] }) { ...AssetFragment } }
Azure key vaults without private endpoints
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(where: { privateEndpoints_SOME: null }) {
...AssetFragment
}
}
Azure Storage Accounts Allowing Public Network Access
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { publicNetworkAccess: "Disabled" } }) {
...AssetFragment
}
}
Service Bus namespaces with public network enabled
Connectors
Covered asset types
Expected check: eq []
{ sbNamespaces(where: { publicNetworkAccess_NOT: "Disabled" }) { ...AssetFragment } }
Container registries with public network enabled
Connectors
Covered asset types
Expected check: eq []
{ containerRegistries(where: { OR: [ { publicNetworkAccess_NOT: "Disabled" }, { networkRuleBypassOptions_INCLUDES: "AzureServices" } ] }) { ...AssetFragment } }
Cloud SQL database instances do not have public IPs
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances(where: { instanceType: "CLOUD_SQL_INSTANCE", backendType: "SECOND_GEN", ipAddresses_SOME: { type: "PRIMARY" } }) { ...AssetFragment } }
ECR repositories without immutability and scan-on-push
Connectors
Covered asset types
Expected check: eq []
{ ecrRepositories(where: { OR: [ { imageScanningConfigurationScanOnPush: false }, { imageTagMutability_NOT: "IMMUTABLE" } ] }) { ...AssetFragment } }
Check if secrets are passed as ENV vars on ECS Task Definitions
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(
where: {
task_NOT: null,
containerSpecs_SOME: {
envEntries_SOME: {
key_IN: [
"AWS_ACCESS_KEY_ID"
"AWS_SECRET_ACCESS_KEY"
"ECS_ENGINE_AUTH_DATA"
]
}
}
}
) {...AssetFragment}
}
Ensure Secrets are not stored in Cloud Functions environment variables by using Secret Manager
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
envVars_SOME: {
key_MATCHES: "(?i).*(api|key|secret|token|password|access|id|auth|app|client|credential|security|private|public|authorization|confidential|encryption|hmac|signature|passphrase|session|authentication|verify|oauth|ssl|tls|jwt|service_account|code|secure|sudo).*"
}
}
) {
...AssetFragment
}
}
Check if CronJobs templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if Jobs templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if DaemonSets templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if Deployments templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
deployments(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if ReplicaSets templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if StatefulSets templates have secrets in environment variables
Connectors
Covered asset types
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Azure MySQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure MySQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure PostgreSQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure PostgreSQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
DBInstances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
dbInstances
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Cloud SQL Instances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure MariaDB servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure app services running unsupported Java versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { javaVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}
Azure app services running unsupported PHP versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { phpVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}
Azure app services running unsupported Python versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { pythonVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}
ECS Services should use the latest platform version
Connectors
Covered asset types
Expected check: eq []
{
ecsServices(where: {NOT: { platformVersion_IN: ["LATEST", ""] }}) {...AssetFragment}
}
AWS Config is enabled in all regions
Connectors
Covered asset types
Expected check: eq []
AWSLogging5{...AssetFragment}
Azure SQL Servers without auditing
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(where: { blobAuditingPolicies_NONE: { state: "Enabled" } }) {
...AssetFragment
}
}
Log metric filter and alerts exist for Audit Configuration Changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging5{...AssetFragment}
Log metric filter and alerts exist for Cloud Storage IAM permission changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging10{...AssetFragment}
Cloud SQL database instances are configured with automated backups
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances(where: { settingsBackupConfigurationEnabled: false }) { ...AssetFragment } }
Azure Storage Accounts Without Soft Delete
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ blobServiceDeletePolicyEnabled: false }
{ blobServiceDeletePolicyDays: 0 }
{ containerDeleteRetentionPolicyEnabled: false }
{ containerDeleteRetentionPolicyDays: 0 }
]
}
) {
...AssetFragment
}
}
Encryption Keys scheduled for deletion
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys(where: { scheduleForDeletion: true, dataStores_SOME: { identifier_NOT: null } }) {...AssetFragment} }
SSL Certificates Expire in 14 Days
Connectors
Covered asset types
Expected check: eq []
{
ExpiringSSLCertificates(days: 14) {
...AssetFragment
}
}
IAM Access analyzer is enabled for all regions
Connectors
Covered asset types
Expected check: eq []
AWS140IAM20{...AssetFragment}
Cloud Audit Logging is configured properly across all services and all users from a project
Connectors
Covered asset types
Expected check: eq []
GCPLogging1{...AssetFragment}
Azure app services allowing plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { httpsOnly: false }) {
...AssetFragment
}
}
No HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: {OR: [
{httpsProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA384"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
{sslProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA384"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
]}){
...AssetFragment
}
}