Alibaba Cloud
AWS
Google Cloud
Google Workspace
Kubernetes
Microsoft Azure
Microsoft Entra ID
OktaOverview
#Statement
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) solves an important problem in the EU financial regulation. Before DORA, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all components of operational resilience. After DORA, they must also follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring. This Regulation acknowledges that ICT incidents and a lack of operational resilience have the possibility to jeopardise the soundness of the entire financial system, even if there is "adequate" capital for the traditional risk categories.
DORA has nine chapters. The chapter that contains technical requirements that apply to cloud environments is the second one, ICT risk management.
The final text of DORA can be found here.
#Recommendations
Procedures and mapped controls
Article 5, Governance and organisation
Management arrangements such as budgets, roles, responsibilities, and audit plans are overseen in this first article.
Mapped controls
Eliminate use of the "root" user for administrative and daily tasks
Ensure IAM Users receive permissions only through Groups
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
Ensure IAM password policy expires passwords within 90 days or less
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one number
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure MFA is configured with strong factors
Ensure MFA is enabled for the "root" account
Ensure access keys are rotated every 90 days or less
Ensure administrators have multi-factor authentication enabled
Ensure credentials unused for 45 days or greater are disabled
Ensure hardware MFA is enabled for the "root" account (Hardware MFA)
Users Should Have Multi-Factor Authentication (MFA/2SV)
Ensure no "root" user account access key exists
Ensure Microsoft Entra authentication is Configured for SQL Servers
Article 6, ICT risk management framework
In this article, requirements include any strategies, policies, protocols, and tools that can be used to protect and secure computer software, servers, as well as physical components.
Mapped controls
Ensure Compute instances are launched with Shielded VM enabled
Ensure there are no workloads with exploitable vulnerabilities
Ensure AWS Inspector is configured for EC2 Instances
Ensure Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is selected
Ensure 'Endpoint protection' component status is set to 'On'
Ensure Microsoft Defender for App Services is set to 'On`
Ensure Microsoft Defender for Azure Cosmos DB is set to 'On'
Ensure Microsoft Defender for Azure SQL databases is set to 'On'
Ensure Microsoft Defender for Containers is set to 'On'
[LEGACY] Ensure Microsoft Defender for DNS Is Set To 'On'
Ensure Microsoft Defender for Key Vault is set to 'On'
Ensure Microsoft Defender for Open-Source Relational Databases is set to 'On'
Ensure Microsoft Defender for Resource Manager is set to 'On'
Ensure Microsoft Defender for SQL Servers on machines is set to 'On'
Ensure Microsoft Defender for Servers is set to 'On'
Ensure Microsoft Defender for Storage is set to 'On'
Article 7, ICT systems, protocols and tools
This article refers to how ICT systems, protocols, and tools should be resilient, reliable, and performant and how they should be updated regularly.
Mapped controls
ECS Fargate services should run on the latest Fargate platform version
Ensure no databases have outdated engine versions
Ensure Web App Uses HTTP 2.0
Ensure that 'Java version' is currently supported (if in use)
Ensure that 'PHP version' is currently supported (if in use)
Ensure that 'Python version' is currently supported (if in use)
Ensure Web App is using the latest version of TLS encryption
Article 8, Identification
Article 8 oversees that financial entities classify documentation for business functions, roles, and responsibilities. Moreover, entities must identify all sources of ICT risk, perform risk assessments, identify which assets are critical, and document all processes dependent on third-party service providers.
Article 9, Protection and prevention
This article reiterates the importance of data availability, authenticity, integrity, and confidentiality. Strong authentication mechanisms, minimization of loss or corruption of data, protection of data from human error, and other important terms are present in this article. Moreover, the company should monitor and control the security and functioning of tools and systems.
Mapped controls
Ensure Automatic node repair is enabled for Kubernetes Clusters
Ensure Kubernetes Cluster is created with Alias IP ranges enabled
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure Key Vaults are Recoverable
Ensure AWS Config is enabled in all regions
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Ensure databases have deletion protection enabled
Ensure in-use encryption keys are not scheduled for deletion
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure management ports are restricted from the internet
Ensure 'Data encryption' is set to 'On' on SQL Databases
Ensure 'Secure transfer required' is set to 'Enabled'
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure that object versioning is enabled on log-buckets
Ensure the Expiration Date is set for Key Vault Secrets
Ensure the default security group of every VPC restricts all traffic
Ensure databases are encrypted
Ensure all S3 buckets employ encryption-at-rest
Ensure encrypted storage is used for VMs that might host a database
Ensure encryption keys are not expiring within the next 14 days
Ensure encryption keys are rotated
Ensure encryption keys don't have permissive access policies
EC2 Instances Should Only Allow IMDSv2
Ensure AMIs Are Private
Ensure "Block Project-wide SSH keys" is enabled for VM instances
Ensure API Keys Are Rotated Every 90 Days
Ensure API Keys are restricted to use by only specified hosts and apps
Ensure API Keys are restricted to use only APIs that application needs access to
Ensure Amazon ECS task definitions include secure networking modes and user definitions
Article 10, Detection
The main point of this article is to ensure that logging and monitoring are implemented in order to detect anomalous activities and suspicious behavior. Other key activities described in this article are identifying single points of failure, selecting criteria and alert thresholds for incident response processes, and data reporting.
Mapped controls
Ensure Cloud Asset Inventory Is Enabled
Ensure Cloud Audit Logging is configured properly across all services and all users from a project
Ensure sinks are configured for all Log entries
Ensure that object versioning is enabled on log-buckets
Ensure log metric filter and alerts exist for Project Ownership assignments/changes
Ensure log metric filter and alerts exist for Audit Configuration Changes
Ensure log metric filter and alerts exist for Custom Role changes
Ensure log metric filter and alerts exist for VPC Network Firewall rule changes
Ensure log metric filter and alerts exist for VPC network route changes
Ensure log metric filter and alerts exist for VPC network changes
Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes
Ensure log metric filter and alerts exist for SQL instance configuration changes
Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock
Ensure Cloud DNS Logging Is Enabled for All VPC Networks
Ensure Logging is enabled for HTTP(S) Load Balancers
Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud SQL PostgreSQL instance is set to 'on' for centralized logging
Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Ensure Diagnostic Setting captures appropriate categories
Ensure logging for Azure Key Vault is 'Enabled'
Ensure that Activity Log Alert exists for Create Policy Assignment
Ensure that Activity Log Alert exists for Delete Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Network Security Group
Ensure that Activity Log Alert exists for Delete Network Security Group
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Create or Update Security Solution
Ensure that Activity Log Alert exists for Delete Security Solution
Ensure Network Watchers are 'Enabled' for in-use Azure regions
Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail log file validation is enabled
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure AWS Config is enabled in all regions
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure rotation for customer-created symmetric CMKs is enabled
Ensure VPC flow logging is enabled in all VPCs
Ensure that Object-level logging for write events is enabled for S3 bucket
Ensure that Object-level logging for read events is enabled for S3 bucket
Ensure Anti-DDoS access and security log service is enabled
Ensure Web Application Firewall access and security log service is enabled
Ensure that ActionTrail is configured to export copies of all Log entries
Ensure the OSS used to store ActionTrail logs is not publicly accessible
Ensure Access Logs is Enabled for ELB
Article 11, Response and recovery
The ICT business must implement arrangements, plans, procedures, and mechanisms to ensure the continuity of critical and important functions, quickly, appropriately, and effectively respond to incidents, activate containment processes in case of incidents, estimate damages and losses, and set out communication and crisis management actions to transmit updated and relevant information to internal staff and external stakeholders, as well as competent authorities.
Article 12, Backup policies and procedures, restoration and recovery procedures and methods
This article oversees that entities implement a good backup process, which includes deciding on a minimum frequency of performing backups, their protection and where they are stored, and the restoration of a backup. One important thing to note is that backups should be logically and physically separated from the ICT system. Redundancy is also regulated. Entities should have a “secondary processing site”, separated geographically, and that ensures the continuity of critical functions, being immediately accessible in the case the primary processing site becomes unavailable.
Mapped controls
Article 13, Learning and evolving
Gathering information about emerging threats and continuously evolving based on findings is one of the main ideas of this article. Providing security awareness programs and digital operational resilience training to employees is mandatory. Moreover, entities must monitor the effectiveness of digital operational resilience testing of the ICT systems and understand the impact of new technologies introduced.
Article 14, Communication
Communication policies and plans should be established, for regular communication between staff and during crisis, as well as with the public and media in case of incidents.
Query logic
These are the stored checks tied to this framework.
Eliminate use of the "root" user for administrative and daily tasks
Connectors
Covered asset types
Expected check: eq []
AWSIAM1 {...AssetFragment}IAM Users receive permissions only through Groups
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {...AssetFragment}IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Connectors
Covered asset types
Expected check: eq []
GCP110IAM6{...AssetFragment}Separation of duties is enforced while assigning service account related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountAdmin"
}
}
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountUser"
}
}
]
}
) {
...AssetFragment
}
}Instances are not configured to use the default service account with full access to all Cloud APIs
Connectors
Covered asset types
Expected check: eq []
GCPVM1{...AssetFragment}Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
dbFlags_SOME: { name: "user options" }
}
) {
...AssetFragment
}
}IAM password policy expires passwords within 90 days or less
Connectors
Covered asset types
Expected check: eq []
{ iamPasswordPolicies( where: { OR: [{ maxPasswordAge: 0 }, { maxPasswordAge_GT: 90 }] } ) {...AssetFragment} } IAM password policy requires a minimum length of 14 or greater
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{minimumPasswordLength_LT:14}){...AssetFragment}IAM password policy requires at least one uppercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireUppercaseCharacters:false}){...AssetFragment}IAM password policy requires at least one lowercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireLowercaseCharacters:false}){...AssetFragment}IAM password policy requires at least one symbol
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireSymbols:false}){...AssetFragment}IAM password policy requires at least one number
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireNumbers:false}){...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMRoles
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}}IAM policies that allow full "*:*" administrative privileges are not attached to IAMUsers
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMGroups
Connectors
Covered asset types
Expected check: eq []
iamGroups(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}MFA is configured with strong factors
Connectors
Covered asset types
Expected check: eq []
oktaPolicies(where: { type: "MFA_ENROLL", OR:[{allowedFactors_INCLUDES: "phone_number"}, {allowedFactors_INCLUDES: "security_question"}, {allowedFactors_INCLUDES: "okta_email"}]}) {...AssetFragment}MFA is enabled for the "root" account
Connectors
Covered asset types
Expected check: eq []
AWSIAM13{...AssetFragment}Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AWSIAM4{...AssetFragment}Alibaba & AWS Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: {
cloudProvider_IN: ["alibaba", "aws"],
OR: [
{
iamPolicies_SOME: {
OR: [{
internalName_CONTAINS: "Administrator"
}, {
internalName_CONTAINS: "FullAccess"
}]
}
},
{
hasIAMGroup_SOME: {
iamPolicies_SOME: {
OR: [{
internalName_CONTAINS: "Administrator"
}, {
internalName_CONTAINS: "FullAccess"
}]
}
}
}
],
mfaSerialNumbers: []
}) {
...AssetFragment
}
}Entra users with privileged Azure assignmnets
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
mfaActive: false
OR: [
{
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
{
groups_SOME: {
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
}
]
}
) {
...AssetFragment
}
}Okta Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
applications_SOME: {
name: "Okta Admin Console"
hasPolicy_SOME: { mfaEnabled: false }
}
OR: [
{ roles_INCLUDES: "Super Administrator" }
{ roles_INCLUDES: "API Access Management Administrator" }
{ roles_INCLUDES: "Application Administrator" }
{ roles_INCLUDES: "Group Membership Administrator" }
{ roles_INCLUDES: "Help Desk Administrator" }
{ roles_INCLUDES: "Mobile Administrator" }
{ roles_INCLUDES: "Organizational Administrator" }
{ roles_INCLUDES: "Read-only Administrator" }
{ roles_INCLUDES: "Report Administrator" }
{ roles_INCLUDES: "Group Administrator" }
]
}
) {
...AssetFragment
}
}
Google Workspace Admins without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { isAdmin: true, NOT: { isEnrolledIn2Sv: true } }) {
...AssetFragment
}
}Google Cloud Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
hasIAMRole_SOME: {
OR: [
{ name_IN: ["roles/owner", "roles/editor"] }
{ name_CONTAINS: "admin" }
]
}
NOT: { user: { isEnrolledIn2Sv: true } }
}
) {
...AssetFragment
}
}Entra admins without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { cloudProvider: "entra", isAdmin: true, mfaActive: false }) {
...AssetFragment
}
}
Credentials unused for 45 days or greater are disabled
Connectors
Covered asset types
Expected check: eq []
AWSIAM3(days: 45){...AssetFragment}Hardware MFA is enabled for the "root" account (Hardware MFA)
Connectors
Covered asset types
Expected check: eq []
AWSIAM14{...AssetFragment}Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}Google Cloud IAMUsers Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
...AssetFragment
}
}Entra Users Without MFA With Access to Azure
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}Multi-factor authentication is enabled for all RAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}Entra users without mfa
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false }) {
...AssetFragment
}
}AWS Root users with access key
Connectors
Covered asset types
Expected check: eq []
{
rootUsers(
where: {
hasIAMUserCredentials: {
OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
}
}
) {
connector {...AssetFragment}
}
}
Azure SQL Servers without Entra admin
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
NOT: { entraAdministrator: { administratorType: "ActiveDirectory" } }
}
) {
...AssetFragment
}
}GCP VMs with security features disabled
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
OR: [
{ shieldedInstanceConfigEnableVtpm: false }
{ shieldedInstanceConfigEnableSecureBoot: false }
{ shieldedInstanceConfigEnableIntegrityMonitoring: false }
]
}
) {
...AssetFragment
}
}Ensure there are no Compute with exploitable vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{ComputeWithExploitableVulnerabilities {...AssetFragment}}CloudRun revisions with high severity vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{
cloudRunRevisions(
where: {
image: {
findings_SOME: {
vulnerability: {
exploitAvailable: true
}
}
}
}) {
...AssetFragment
}
}Containers with exploitable high/critical vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{
ContainersWithExploitableVulnerabilities {
...AssetFragment
}
}
AWS Inspector is configured for EC2 Instances
Connectors
Covered asset types
Expected check: eq []
{vms(where:{inspectorEnabled:false}){...AssetFragment}}Azure subscriptions with MCAS disabled
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { dataExportSettings_SOME: { name: "MCAS", enabled: false } }
) {
...AssetFragment
}
}Azure subscriptions with WDATP (endpoint protection) disabled
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { dataExportSettings_SOME: { name: "WDATP", enabled: false } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for App Services
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "AppServices", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Cosmos DB
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "CosmosDbs", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Azure SQL
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "SqlServers", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure subscriptions without Microsoft Defender for Containers
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Containers", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for DNS
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Dns", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Key Vault
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "KeyVaults", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Open-Source Relational Databases
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
pricing_SOME: {
name: "OpenSourceRelationalDatabases"
pricingTier: "Free"
}
}
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Resource Manager
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Arm", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for SQL Servers on Machines
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
pricing_SOME: { name: "SqlServerVirtualMachines", pricingTier: "Free" }
}
) {
...AssetFragment
}
}Azure subscriptions without Microsoft Defender for Servers
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "VirtualMachines", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Storage
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "StorageAccounts", pricingTier: "Free" } }
) {
...AssetFragment
}
}ECS Services should use the latest platform version
Connectors
Covered asset types
Expected check: eq []
{
ecsServices(where: {NOT: { platformVersion_IN: ["LATEST", ""] }}) {...AssetFragment}
}Azure MySQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure MySQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure PostgreSQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure PostgreSQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
DBInstances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
dbInstances
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Cloud SQL Instances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}Azure MariaDB servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure App Service apps without HTTP 2.0
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { http20Enabled: false } }) {
...AssetFragment
}
}Azure app services running unsupported Java versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { javaVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}Azure app services running unsupported PHP versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { phpVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}Azure app services running unsupported Python versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { pythonVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}Azure app services allowing old TLS
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { NOT: { minTlsVersion_IN: ["1.2", "1.3"] } } }) {
...AssetFragment
}
}Automatic node repair is enabled for Kubernetes Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{nodePools_SOME:{managementAutoRepair_NOT:true}}){...AssetFragment}Kubernetes Cluster is created with Alias IP ranges enabled
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{ipAllocationPolicy_SOME:{useIPAliases:false}}){...AssetFragment}The web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Connectors
Covered asset types
Expected check: eq []
{sites(where:{clientCertEnabled_NOT:true}){...AssetFragment}}The key vault is recoverable
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where:
{
OR: [
{enableSoftDelete_NOT: true }
{enablePurgeProtection_NOT: true }
] }
) {...AssetFragment}
}AWS Config is enabled in all regions
Connectors
Covered asset types
Expected check: eq []
AWSLogging5{...AssetFragment}BigQuery datasets are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}CloudTrail logs are encrypted at rest
Connectors
Covered asset types
Expected check: eq []
trails(where:{kmsKeyID:""}){...AssetFragment}Azure Storage Accounts Without Soft Delete
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ blobServiceDeletePolicyEnabled: false }
{ blobServiceDeletePolicyDays: 0 }
{ containerDeleteRetentionPolicyEnabled: false }
{ containerDeleteRetentionPolicyDays: 0 }
]
}
) {
...AssetFragment
}
}Databases without delete protection Azure
Connectors
Covered asset types
Expected check: eq []
{ databases(where: { deletionPrevention: "disabled" }) {...AssetFragment} } Databases without delete protection Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: {deletionPrevention: "disabled"}) {...AssetFragment} }Databases without delete protection aws and alibaba
Connectors
Covered asset types
Expected check: eq []
{ dbInstances(where: { AND: [ {deletionPrevention: "disabled" } {OR: [{ dbCluster: null }{ dbCluster: { deletionProtection: false }}]}]}) {...AssetFragment} }Encryption Keys scheduled for deletion
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys(where: {scheduleForDeletion: true, dataStores_SOME: { identifier_NOT: null }}) {...AssetFragment} }No Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Connectors
Covered asset types
Expected check: eq []
{sqlServers(where:{firewallRules_SOME:{startIpAddress_CONTAINS:"0.0.0.0"}}){...AssetFragment}}No Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Connectors
Covered asset types
Expected check: eq []
networkAcls(where:{rules_SOME:{AND:[{direction:"Inbound"},{action:"Allow"},{OR:[{sources_INCLUDES:"cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]},{OR:[{destFromPort_LTE: 22, destToPort_GTE: 22}, {destFromPort_LTE: 3389, destToPort_GTE: 3389}]}]}}){...AssetFragment}Security Groups with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}Firewalls with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
'Data encryption' is set to 'On' on a SQL Database
Connectors
Covered asset types
Expected check: eq []
{sqlDatabases(where: {encrypted: false}){...AssetFragment}}Azure storage accounts not enforcing HTTPS
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { supportsHttpsTrafficOnly: true } }) {
...AssetFragment
}
}S3 Buckets are configured with 'Block public access (bucket settings)'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { publicAccessBlocked: false }) {...AssetFragment}Object versioning is enabled on log-buckets
Connectors
Covered asset types
Expected check: eq []
GCPLogging3{...AssetFragment}Azure Key Vault secrets without expiration date
Connectors
Covered asset types
Expected check: eq []
{
kmsSecrets(where: { expires: "0000-01-01T00:00:00.000Z" }) {
...AssetFragment
}
}The default security group of every VPC restricts all traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(where: { groupName: "default", NOT: { rules_SOME: null } }) {
...AssetFragment
}
}Azure MySQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers (where: {encrypted: false}) {...AssetFragment} }Azure MySQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }AWS RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "aws" encrypted: false }) {...AssetFragment} }ApsaraDB RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "alibaba", encrypted: false }) {...AssetFragment} }Google Cloud Cloud SQL with no encryption
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: { encrypted: false }) {...AssetFragment} }Azure MariaDB Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(where: { encrypted: false }) {...AssetFragment}
}All S3 buckets employ encryption-at-rest
Connectors
Covered asset types
Expected check: eq []
buckets(where: { encrypted: false}) {...AssetFragment}Encrypted storage is used for VMs that might host a database
Connectors
Covered asset types
Expected check: eq []
{vms(where:{diskAttachments_SOME:{disk:{encrypted:false}},OR:[{name_MATCHES:"(?i).*database.*"},{name_MATCHES:"(?i).*db.*"},{name_MATCHES:"(?i).*mariadb.*"},{name_MATCHES:"(?i).*postgres.*"},{name_MATCHES:"(?i).*oracle.*"},{name_MATCHES:"(?i).*sql.*"}]}){...AssetFragment}}Encryption Keys expiring within the next 14 days
Connectors
Covered asset types
Expected check: eq []
{ EncryptionKeysExpiration(days: 14) {...AssetFragment} }Encryption Keys haven't been rotated in more than 90 days for AWS
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotationAWS(days: 90) {...AssetFragment}
}Encryption Keys haven't been rotated in more than 90 days
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotation(days: 90) {...AssetFragment}
}AWS Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{kmsKeys( where: { OR: [ { AND: {policyDocument_MATCHES: ".*arn:aws:iam::[0-9*]+:root.*", managementType: "CustomerManaged"} } { keyPolicy: { statements_SOME: { effect: "Allow" conditions: [] principals_INCLUDES: "AWS|*" } } } ] } ) {...AssetFragment}}Google Cloud Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys( where: { OR: [ { policyDocument_MATCHES: ".*domain:.*" } { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ] } ) {...AssetFragment} } Retrieve AWS VMs without IMDSv2 required
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: { NOT: { metadataOptionHTTPTokens: "required" } }
) {...AssetFragment}
}
AMIs Are Private
Connectors
Covered asset types
Expected check: eq []
{amis(where:{isPublic:true}){...AssetFragment}}"Block Project-wide SSH keys" is enabled for VM instances
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"block-project-ssh-keys" value:"false"}}){...AssetFragment}API Keys rotation
Connectors
Covered asset types
Expected check: eq []
{
APIKeysRotation(days: 90) {...AssetFragment}
}GCP API Keys are restricted based on hosts and apps
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
clientRestrictions: []
}
) {
...AssetFragment
}
}GCP API Keys are restricted based on APIs
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
apiRestrictions: []
}
) {
...AssetFragment
}
}Check if Amazon ECS task definitions should have secure networking modes and user definitions
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(
where: {
networkMode: "host", task_NOT: null,
OR:[
{containerSpecs_SOME: { privileged: true }},
{containerSpecs_SOME: { user_CONTAINS: "root" }}
] }
) {...AssetFragment}
}
Google Cloud Projects Without Asset Inventory
Connectors
Covered asset types
Expected check: eq []
{
projects(
where: { NOT: { enabledServices_INCLUDES: "cloudasset.googleapis.com" } }
) {
...AssetFragment
}
}Cloud Audit Logging is configured properly across all services and all users from a project
Connectors
Covered asset types
Expected check: eq []
GCPLogging1{...AssetFragment}Sinks are configured for all Log entries
Connectors
Covered asset types
Expected check: eq []
GCPLogging2{...AssetFragment}Log metric filter and alerts exist for Project Ownership assignments/changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging4{...AssetFragment}Log metric filter and alerts exist for Audit Configuration Changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging5{...AssetFragment}Log metric filter and alerts exist for Custom Role changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging6{...AssetFragment}Log metric filter and alerts exist for VPC Network Firewall rule changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging7{...AssetFragment}Log metric filter and alerts exist for VPC network route changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging8{...AssetFragment}Log metric filter and alerts exist for VPC network changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging9{...AssetFragment}Log metric filter and alerts exist for Cloud Storage IAM permission changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging10{...AssetFragment}Log metric filter and alerts exist for SQL instance configuration changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging11{...AssetFragment}Retention policies on log buckets are configured using Bucket Lock
Connectors
Covered asset types
Expected check: eq []
logBuckets(where:{locked:false}){...AssetFragment}Google Cloud VPCs without DNS logging
Connectors
Covered asset types
Expected check: eq []
{
vpcs(where: { dnsPolicy_NONE: { NOT: { enableLogging_IN: ["true"] } } }) {
...AssetFragment
}
}Google Cloud Load Balancers without logging
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: { backendServices_ALL: { NOT: { logConfigEnabled: true } } }
) {
...AssetFragment
}
}Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "3625" }}, {dbFlags_SOME: {name: "3625", value: "off"}}]
}
) {
...AssetFragment
}
}Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud Sql Postgresql instance is set to 'on' for centralized logging
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "cloudsql.enable_pgaudit" }}, {dbFlags_SOME: {name: "cloudsql.enable_pgaudit", value: "off"}}]
}
) {
...AssetFragment
}
}Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_error_verbosity", value: "verbose" }
}
) {
...AssetFragment
}
}Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_min_error_statement", NOT: {value_IN: ["error", "log", "fatal", "panic"]} }
}
) {
...AssetFragment
}
}Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_NONE: { name: "log_statement" }
}
) {
...AssetFragment
}
}Diagnostic Setting captures appropriate categories
Connectors
Covered asset types
Expected check: eq []
{subscriptionDiagnosticSettings(where:{logSettings_SOME:{category_IN:["Administrative","Alert","Policy","Security"],enabled:false}},){...AssetFragment}}Key Vaults without Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where: {
OR: [
{ loggingEnabled: false }
{
diagnosticSettings_SOME: {
resourceType: "Microsoft.KeyVault/vaults"
logs_SOME: {
enabled: false
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
) {
...AssetFragment
}
}Activity Log Alert exists for Create Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/write"){...AssetFragment}}Activity Log Alert exists for Delete Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/delete"){...AssetFragment}}Activity Log Alert exists for Create or Update Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/write"){...AssetFragment}}Activity Log Alert exists for Delete Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/delete"){...AssetFragment}}Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/write"){...AssetFragment}}Activity Log Alert exists for Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/delete"){...AssetFragment}}Activity Log Alert exists for Create or Update Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/write"){...AssetFragment}}Activity Log Alert exists for Delete Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/delete"){...AssetFragment}}Azure Connectors without network watchers in all used regions
Connectors
Covered asset types
Expected check: eq []
{
AzureRegionsWithoutNetworkWatcher {
...AssetFragment
}
}Storage Accounts without Blob Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isBlobServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}Azure storage accounts without queue service diagnostic settings logging
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isQueueServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}AWS Multi-region cloud trails with logging enabled
Connectors
Covered asset types
Expected check: eq []
{
AWSLogging1 {...AssetFragment}
}
CloudTrail log file validation is enabled
Connectors
Covered asset types
Expected check: eq []
trails(where:{logFileValidationEnabled:false}){...AssetFragment}The S3 bucket used to store CloudTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { trails_NOT: null publicAccessBlocked: false OR: [ { hasBucketACLGrant_SOME: { OR: [ { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" } { granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" } ] } } { AND: [ { policyDocument_MATCHES: ".+\"Effect\":\"Allow\".+" } { policyDocument_MATCHES: ".+\"Principal\":\"*\".+" } ] } ] } ) {...AssetFragment}}CloudTrail trails are integrated with CloudWatch Logs
Connectors
Covered asset types
Expected check: eq []
AWSLogging4{...AssetFragment}S3 bucket access logging is enabled on the CloudTrail S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{trails_NOT: null, loggingEnabled:false}){...AssetFragment}}Rotation for customer created CMKs is enabled
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{automaticRotationEnabled:false, managementType:"CustomerManaged"}){...AssetFragment}VPC flow logging is enabled in all VPCs
Connectors
Covered asset types
Expected check: eq []
vpcs(where: {OR: [{hasFlowLog: null}, {hasFlowLog_NONE: {flowLogStatus: "ACTIVE"}}]}){...AssetFragment}Object-level logging for write events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "WriteOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}Object-level logging for read events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "ReadOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}Alibaba IAM account summaries with Anti-DDos log service enabled
Connectors
Covered asset types
Expected check: eq []
{
iamAccountSummaries(
where: {
hasIAMAccountSummaryItem_SOME: { key: "antiDDoSHasLogStore", value: 1 }
}
) {
connector {...AssetFragment}
}
}
Web Application Firewall access and security log service is enabled
Connectors
Covered asset types
Expected check: eq []
domains(where: { OR: [ {slsLogActive: false}, {wafActive: false} ] }) {...AssetFragment}Alibaba ActionTrails that export copies of all log entries
Connectors
Covered asset types
Expected check: eq []
{
AlibabaLogging1 {...AssetFragment}
}The OSS used to store ActionTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets(where: {OR: [ {acl: "public-read"}, {acl: "public-read-write"}], trails_NOT: null}){...AssetFragment}}Access Logs is Enabled for ELB
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"application",hasLoadBalancerAttribute_NONE:{key:"access_logs.s3.enabled",value:"true"}}){...AssetFragment}}Azure connectors without security contact additional email addresses
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { email: null } }
{ securityContacts_SOME: { email: "" } }
]
}
) {
...AssetFragment
}
}Azure connectors without subscription owner notifications
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { notificationByRoleState: "Off" } }
{
NOT: {
securityContacts_SOME: { notificationRoles_INCLUDES: "Owner" }
}
}
]
}
) {
...AssetFragment
}
}AWS IAMPolicies with support role
Connectors
Covered asset types
Expected check: eq []
{
AWSIAM16 {...AssetFragment}
}
Cloud SQL database instances are configured with automated backups
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsBackupConfigurationEnabled:false}){...AssetFragment}Buckets without versioning enabled
Connectors
Covered asset types
Expected check: eq []
{ objectContainers (where: {versioningEnabled: false}) {...AssetFragment} } IAM Access analyzer is enabled for all regions
Connectors
Covered asset types
Expected check: eq []
AWS140IAM20{...AssetFragment}
