Alibaba Cloud
AWS
Google Cloud
Microsoft AzureOverview
Statement
GDPR is a law. As compared to other Standards that generally offer recommendations, GDPR is a set of controls and requirements companies MUST meet as covered entities.
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
Data protection by design and by default is the main principle that drives GDPR's controls and requirements.
Scope
- All EU organisations that collect, store or otherwise process the personal data of individuals residing in the EU, even if they're not EU citizens.
- Organisations based outside the EU that offer goods or services to EU residents, monitor their behaviour, or process their personal data.
Definitions
The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:
-
Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it's relatively easy to ID someone from it.
-
Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.
-
Data subject — The person whose data is processed. These are your customers or site visitors.
-
Data controller — The person who decides why and how personal data will be processed. If you're an owner or employee in your organization who handles data, this is you.
-
Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud servers like Tresorit or email service providers like ProtonMail.
Personal Data
Personal data is any information relating to an identified or identifiable natural person (the data subject). The Regulation places much stronger controls on the processing of special categories of personal data (previously referred to as sensitive personal data) than the Irish Data Protection Act. The inclusion of genetic and biometric data is new to this category.
- Personal data
- Name
- Address
- Email address
- Photo
- IP address
- Location data
- Online behaviour (cookies)
- Profiling and analytics data
- Special category data
- Racial or ethnic origin
- Political opinions
- Religious and philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Sex life and sexual orientation
Penalties
The GDPR states explicitly that some violations are more severe than others. Depending on several factors such as the gravity and nature, intention, the number of data subjects affected and data category, penalties are:
-
Up to 10,000,000 EUR - The less severe infringements could result in a fine of up to €10 million, or 2% of the firm's worldwide annual revenue from the preceding financial year, whichever amount is higher;
-
Up to 20,000,000 EUR - The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm's worldwide annual revenue from the preceding financial year, whichever amount is higher.
Requirements
Chapter 2, Principles
Article 5: Principles relating to processing of personal data
Chapter 4, Controller and processor
Article 25: Data protection by design and by default
Article 27: Representatives of controllers or processors not established in the Union
Article 28: Processor
Article 30: Records of processing activities
Article 32: Security of processing
Article 33: Notification of a personal data breach to the supervisory authority
Article 37: Designation of the data protection officer
Procedures and mapped controls
(f) Integrity and confidentiality
Mapped controls
Necessary safeguards
Integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
Mapped controls
Ensure Key Vaults are Recoverable
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
Ensure Functions are not publicly accessible
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure VMs are not publicly accessible
Ensure KMSKeys are not exposed through publicly accessible VMs
Ensure RDS instances are not publicly reachable
Ensure buckets are not publicly accessible
Ensure disks are not publicly accessible
Ensure databases are not publicly accessible
Ensure queues are not publicly accessible
Ensure encryption keys are not publicly accessible
Ensure the OSS used to store ActionTrail logs is not publicly accessible
Ensure used KMSKeys are not exposed through publicly accessible VMs
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure 'Allow Blob Anonymous Access' is set to 'Disabled'
(a) Pseudonymisation and encryption of personal data
Mapped controls
Ensure RDS instances use encrypted volumes
Ensure EBS encryption by default is enabled
Ensure databases have deletion protection enabled
Ensure encrypted storage is used for VMs that might host a database
Ensure data stored in SNS Topics is encrypted
Ensure databases are encrypted
Ensure Kinesis Data Streams use encryption at rest
Ensure Compute Instances have Confidential Computing Enabled
Ensure AMIs Are Private
Ensure SageMaker Notebooks Are Encrypted
Ensure that 'Virtual Machine's disk' are encrypted
Launch Templates with Disk Configuration Should Encrypt the Disks
Ensure all S3 buckets employ encryption-at-rest
A representative
The controller or the processor shall designate in writing a representative.
(b) Persons authorised to process the personal data
Mapped controls
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Ensure IAM Role can be assumed only by specific Principals
Ensure IAM Users receive permissions only through Groups
Ensure Service Account has no Admin privileges
Ensure that MySql database instances do not allow root login from any Host
Eliminate use of the "root" user for administrative and daily tasks
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Records of processing activities
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.
Mapped controls
Ensure log metric filter and alerts exist for Project Ownership assignments/changes
Ensure log metric filter and alerts exist for Audit Configuration Changes
Ensure log metric filter and alerts exist for Custom Role changes
Ensure log metric filter and alerts exist for VPC Network Firewall rule changes
Ensure log metric filter and alerts exist for VPC network route changes
Ensure log metric filter and alerts exist for VPC network changes
Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes
Ensure log metric filter and alerts exist for SQL instance configuration changes
Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Create or Update Security Solution
Ensure that Activity Log Alert exists for Delete Network Security Group
Ensure that Activity Log Alert exists for Create Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Network Security Group
Ensure that Activity Log Alert exists for Delete Policy Assignment
Ensure that Activity Log Alert exists for Delete Public IP Address rule
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Delete Security Solution
(b) Confidentiality, integrity, availability and resilience of processing systems and services
Mapped controls
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure Functions are not publicly accessible
Ensure KMSKeys are not exposed through publicly accessible VMs
Ensure RDS instances are not publicly reachable
Ensure VMs are not publicly accessible
Ensure buckets are not publicly accessible
Ensure databases are not publicly accessible
Ensure disks are not publicly accessible
Ensure encryption keys are not publicly accessible
Ensure queues are not publicly accessible
Ensure the OSS used to store ActionTrail logs is not publicly accessible
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure 'Allow Blob Anonymous Access' is set to 'Disabled'
Ensure used KMSKeys are not exposed through publicly accessible VMs
Ensure Anti-DDoS access and security log service is enabled
(c) Restore the availability and access to personal data in a timely manner
Mapped controls
(d) Regularly test, assess and evaluate the effectiveness of technical and organisational measures
Mapped controls
Ensure encryption keys don't have permissive access policies
Ensure in-use encryption keys are not scheduled for deletion
Ensure encryption keys are rotated
Ensure KMSKeys are not exposed through publicly accessible VMs
Ensure encryption keys are not expiring within the next 14 days
Ensure used KMSKeys are not exposed through publicly accessible VMs
Ensure access keys are rotated every 90 days or less
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure "Block Project-wide SSH keys" is enabled for VM instances
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Ensure API Keys are restricted to use by only specified hosts and apps
Ensure API Keys are restricted to use only APIs that application needs access to
Ensure Storage Account Access Keys are Periodically Regenerated
Ensure access keys are rotated every 90 days or less
Communication of data breach
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Designation of the data protection officer
The controller and the processor shall designate a data protection officer.
Query logic
These are the stored checks tied to this framework.
Encrypted storage is used for VMs that might host a database
Connectors
Covered asset types
Expected check: eq []
{vms(where:{diskAttachments_SOME:{disk:{encrypted:false}},OR:[{name_MATCHES:"(?i).*database.*"},{name_MATCHES:"(?i).*db.*"},{name_MATCHES:"(?i).*mariadb.*"},{name_MATCHES:"(?i).*postgres.*"},{name_MATCHES:"(?i).*oracle.*"},{name_MATCHES:"(?i).*sql.*"}]}){...AssetFragment}}'Data encryption' is set to 'On' on a SQL Database
Connectors
Covered asset types
Expected check: eq []
{sqlDatabases(where: {encrypted: false}){...AssetFragment}}CloudTrail logs are encrypted at rest
Connectors
Covered asset types
Expected check: eq []
trails(where:{kmsKeyID:""}){...AssetFragment}Databases without delete protection Azure
Connectors
Covered asset types
Expected check: eq []
{ databases(where: { deletionPrevention: "disabled" }) {...AssetFragment} } Databases without delete protection Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: {deletionPrevention: "disabled"}) {...AssetFragment} }Databases without delete protection aws and alibaba
Connectors
Covered asset types
Expected check: eq []
{ dbInstances(where: { AND: [ {deletionPrevention: "disabled" } {OR: [{ dbCluster: null }{ dbCluster: { deletionProtection: false }}]}]}) {...AssetFragment} }The key vault is recoverable
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where:
{
OR: [
{enableSoftDelete_NOT: true }
{enablePurgeProtection_NOT: true }
] }
) {...AssetFragment}
}BigQuery datasets are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}Publicly Accessible Functions for AWS
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
OR: [
{
securityRules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
},
{
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
]
}
) {
...AssetFragment
}
}
Publicly Accessible Functions for Azure
Connectors
Covered asset types
Expected check: eq []
{
functions(where: {
bindings_SOME: {
direction: "in",
type: "httpTrigger"
}
}) {
...AssetFragment
}
}Publicly Accessible Functions for Alibaba
Connectors
Covered asset types
Expected check: eq []
{
functions(where: {
triggers_SOME: {
triggerType: "http"
}
}) {
...AssetFragment
}
}Publicly Accessible Functions for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
NOT: {
httpsRequired: true
}
}
) {
...AssetFragment
}
}
Cloud KMS cryptokeys are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{OR:[{policyDocument_CONTAINS:"allUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}Publicly Accessible VMs for AWS/Alibaba
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
publicIpAddress_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}Publicly Accessible VMs for Azure
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: {
publicIp_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
}
) {
...AssetFragment
}
}
Publicly Accessible VMs for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
firewalls_SOME: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}AWS KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
vms( where: { securityGroups_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } iamRoles_SOME: { iamPolicies_SOME: { iamPolicyStatements_SOME: { effect: "Allow" } } } } ) { iamRoles { iamPolicies { iamPolicyStatements { permissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } } }Google Cloud KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
vms( where: { firewalls_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } } ) { serviceAccount { serviceAccountRoles { hasIAMPermissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } }Alibaba KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
alibabaKMSKeysExposedThroughVMs {...AssetFragment}
}Azure KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{ vms( where: { networkInterfaces_SOME: { securityGroups_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } { sources_INCLUDES: "tag:Internet" } { sources: [] } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } } } ) { vmRoles { hasIAMPermissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } }RDS instances are not publicly reachable
Connectors
Covered asset types
Expected check: eq []
{dbInstances(where:{publicAccessBlocked:false}){...AssetFragment}}Publicly Accessible AWS Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "aws"
publicAccessBlocked: false
OR: [
{
hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
{
granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
}
]
permission_IN: ["READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"]
}
}
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "s3:GetObject" }
{ actions_INCLUDES: "s3:ListObjects" }
{ actions_INCLUDES: "s3:ListObjectsV2" }
{ actions_INCLUDES: "s3:PutObject" }
{ actions_INCLUDES: "s3:PutObjectAcl" }
{ actions_INCLUDES: "s3:CreateMultipartUpload" }
{ actions_INCLUDES: "s3:UploadPart" }
{ actions_INCLUDES: "s3:DeleteObject" }
{ actions_INCLUDES: "s3:DeleteObjects" }
{ actions_INCLUDES: "s3:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "AWS|*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Readable Azure Blob Containers
Connectors
Covered asset types
Expected check: eq []
{
blobContainers(
where: {
cloudProvider: "azure"
publicAccessBlocked: false
publicAccess_IN: ["Blob", "Container"]
}
) {...AssetFragment}
}
Publicly Accessible Google Cloud Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "gcp"
publicAccessBlocked: false
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allUsers" }
{ members_INCLUDES: "allAuthenticatedUsers" }
]
role: {
OR: [
{ permissions_INCLUDES: "storage.objects.get" }
{ permissions_INCLUDES: "storage.objects.list" }
{ permissions_INCLUDES: "storage.objects.create" }
{ permissions_INCLUDES: "storage.objects.delete" }
{ permissions_INCLUDES: "storage.objects.update" }
{ permissions_INCLUDES: "storage.objects.*" }
{ permissions_INCLUDES: "storage.objects.setIamPolicy" }
{
permissions_INCLUDES: "storage.multipartUploads.create"
}
{ permissions_INCLUDES: "storage.multipartUploads.*" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Alibaba Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "alibaba"
publicAccessBlocked: false
OR: [
{ acl_IN: ["public-read", "public-read-write"] }
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "oss:GetObject" }
{ actions_INCLUDES: "oss:PutObject" }
{ actions_INCLUDES: "oss:PutObjectAcl" }
{ actions_INCLUDES: "oss:ListObjects" }
{ actions_INCLUDES: "oss:GetObjectVersion" }
{ actions_INCLUDES: "oss:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Accessible Disks for AWS/Alibaba
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
publicIpAddress_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
diskAttachments {
disk {...AssetFragment}
}
}
}
Publicly Accessible Disks for Azure
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: {
publicIp_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
}
) {
diskAttachments {
disk {...AssetFragment}
}
}
}
Publicly Accessible Disks for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
firewalls_SOME: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
diskAttachments {
disk {
...AssetFragment
}
}
}
}Publicly Accessible Google Cloud Cloud SQL Instances
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
) {
...AssetFragment
}
} Publicly Accessible Azure MySQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure MySQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Alibaba ApsaraDB Instances
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { publicAccessBlocked: false whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } ) {...AssetFragment} } Publicly Accessible Azure SQL Databases
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
) {...AssetFragment}
}
Publicly Accessible RDS Clusters
Connectors
Covered asset types
Expected check: eq []
{
dbClusters(
where: {
dbInstances_SOME: {
publicAccessBlocked: false
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
}
) {...AssetFragment}
}
Publicly Accessible Azure MariaDB Servers
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(
where: {
publicAccessBlocked: false
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
) {...AssetFragment}
}Publicly Accessible AWS RDS Instance
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
publicAccessBlocked: false
dbCluster: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
) {...AssetFragment}
}
Publicly accessible SQS queues
Connectors
Covered asset types
Expected check: eq []
{ sqsQueues(where: { policyDocument: { statements_SOME: { AND: [ { effect: "Allow" }, { OR: [ { principals_INCLUDES: "" }, { principals_INCLUDES: "*" }, { principals_INCLUDES: "AWS|*" }, ] } ] } } }) {...AssetFragment} }Publicly Accessible PubSub Subscriptions
Connectors
Covered asset types
Expected check: eq []
{ pubSubSubscriptions( where: { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ) {...AssetFragment} } Publicly Accessible PubSub Topics
Connectors
Covered asset types
Expected check: eq []
{ pubSubTopics( where: { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ) {...AssetFragment} } Publicly Accessible AWS Keys
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys( where: { keyPolicy: { statements_SOME: { effect: "Allow" conditions: [] principals_INCLUDES: "AWS|*" } } } ) {...AssetFragment} } Publicly Accessible Google Cloud Keys
Connectors
Covered asset types
Expected check: eq []
{kmsKeys( where: { iamBindings_SOME: { OR: [{ members_INCLUDES: "allAuthenticatedUsers"}, { members_INCLUDES: "allUsers" }] } } ) {...AssetFragment}}The OSS used to store ActionTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets(where: {OR: [ {acl: "public-read"}, {acl: "public-read-write"}], trails_NOT: null}){...AssetFragment}}Used AWS KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
]
}
}
iamRoles_SOME: {
iamPolicies_SOME: {
iamPolicyStatements_SOME: {
AND: [
{ effect: "Allow" }
{
permissions_SOME: {
isOwnedByIAMAssetType_SOME: {
includesKMSKey_ALL: {
dataStores_NOT: null
}
}
}
}
]
}
}
}
}
) {
iamRoles {
iamPolicies {
iamPolicyStatements {
permissions {
isOwnedByIAMAssetType {
includesKMSKey {
...AssetFragment
}
}
}
}
}
}
}
}Used Azure KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
iamRoles_SOME: {
hasIAMPermissions_SOME: {
isOwnedByIAMAssetType_SOME: {
includesKMSKey_SOME: { dataStores_NOT: null }
}
}
}
networkInterfaces_SOME: {
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
]
}
}
}
}
) {
vmRoles {
hasIAMPermissions {
isOwnedByIAMAssetType {
includesKMSKey {
...AssetFragment
}
}
}
}
}
}
Alibaba Used KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
alibabaUsedKMSKeysExposedThroughVMs {...AssetFragment}
}Google Cloud Used KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
gcpUsedKMSKeysExposedThroughVMs {
...AssetFragment
}
}
The S3 bucket used to store CloudTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { trails_NOT: null publicAccessBlocked: false OR: [ { hasBucketACLGrant_SOME: { OR: [ { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" } { granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" } ] } } { AND: [ { policyDocument_MATCHES: ".+\"Effect\":\"Allow\".+" } { policyDocument_MATCHES: ".+\"Principal\":\"*\".+" } ] } ] } ) {...AssetFragment}}Azure Storage Accounts Allowing Blob Public Access
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { allowBlobPublicAccess: true }) {
...AssetFragment
}
}RDS instances use encrypted volumes
Connectors
Covered asset types
Expected check: eq []
{dbInstances(where:{encrypted:false}){...AssetFragment}}EBS encryption by default is enabled
Connectors
Covered asset types
Expected check: eq []
{ebsSettings(where: { encryptedByDefault: false }) {...AssetFragment}}Data stored in SNS Topics is encrypted
Connectors
Covered asset types
Expected check: eq []
{snsTopics(where:{hasSNSTopicAttribute_NONE:{key:"KmsMasterKeyId",OR:[{value_NOT:null},{value_NOT:""}]}}){...AssetFragment}}Azure MySQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers (where: {encrypted: false}) {...AssetFragment} }Azure MySQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }AWS RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "aws" encrypted: false }) {...AssetFragment} }ApsaraDB RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "alibaba", encrypted: false }) {...AssetFragment} }Google Cloud Cloud SQL with no encryption
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: { encrypted: false }) {...AssetFragment} }Azure MariaDB Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(where: { encrypted: false }) {...AssetFragment}
}Kinesis Data Streams use encryption at rest
Connectors
Covered asset types
Expected check: eq []
{kinesisDataStreams(where:{encryptionType:"NONE"}){...AssetFragment}}Ensure That Compute Instances Have Confidential Computing Enabled
Connectors
Covered asset types
Expected check: eq []
{
vms(where: { cloudProvider: "gcp", NOT:{enableConfidentialCompute: true} }) {
...AssetFragment
}
}
AMIs Are Private
Connectors
Covered asset types
Expected check: eq []
{amis(where:{isPublic:true}){...AssetFragment}}Get unencrypted SageMaker notebooks
Connectors
Covered asset types
Expected check: eq []
{
sageMakerNoteBooks(
where: {
kmsKey: null
}
) {...AssetFragment}
}
'Virtual Machine's disk' are encrypted
Connectors
Covered asset types
Expected check: eq []
vms(where:{diskAttachments_SOME:{disk: {encrypted:false}}}) {...AssetFragment}Retrieve AWS Launch Template Without Encrypted EBS
Connectors
Covered asset types
Expected check: eq []
{
launchTemplateVersions(
where: { blockDeviceMappings_SOME: { encrypted: "false" } }
) {...AssetFragment}
}
All S3 buckets employ encryption-at-rest
Connectors
Covered asset types
Expected check: eq []
buckets(where: { encrypted: false}) {...AssetFragment}Essential Contacts Set
Connectors
Covered asset types
Expected check: eq []
EssentialContactsSetOnConnector{...AssetFragment}Azure connectors without security contact additional email addresses
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { email: null } }
{ securityContacts_SOME: { email: "" } }
]
}
) {
...AssetFragment
}
}Azure connectors without subscription owner notifications
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { notificationByRoleState: "Off" } }
{
NOT: {
securityContacts_SOME: { notificationRoles_INCLUDES: "Owner" }
}
}
]
}
) {
...AssetFragment
}
}Enable role-based access control (RBAC) within Azure Kubernetes Services
Connectors
Covered asset types
Expected check: eq []
{aksClusters(where:{enableRBAC_NOT:true}){...AssetFragment}}IAM Role can be assumed only by specific Principals
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{hasIAMAssumeRolePolicyStatement_SOME:{hasIAMAssumeRolePolicyPrincipal_SOME:{value:"*"}}}){...AssetFragment}}IAM Users receive permissions only through Groups
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {...AssetFragment}Ensure Service Account has no Admin privileges
Connectors
Covered asset types
Expected check: eq []
{
iamServiceAccounts(
where: {
hasIAMRole_SOME: {
OR: [
{ name: "roles/owner" }
{ name: "roles/editor" }
{ name_CONTAINS: "admin" }
]
}
}
) {
...AssetFragment
}
}MySql database instances do not allow root login from any Host
Connectors
Covered asset types
Expected check: eq []
sqlUsers(where:{name:"root"OR:[{host:"%"},{host:"0.0.0.0"},{host:""}]}){...AssetFragment}Eliminate use of the "root" user for administrative and daily tasks
Connectors
Covered asset types
Expected check: eq []
AWSIAM1 {...AssetFragment}Separation of duties is enforced while assigning service account related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountAdmin"
}
}
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountUser"
}
}
]
}
) {
...AssetFragment
}
}Instances are not configured to use the default service account with full access to all Cloud APIs
Connectors
Covered asset types
Expected check: eq []
GCPVM1{...AssetFragment}Log metric filter and alerts exist for Project Ownership assignments/changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging4{...AssetFragment}Log metric filter and alerts exist for Audit Configuration Changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging5{...AssetFragment}Log metric filter and alerts exist for Custom Role changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging6{...AssetFragment}Log metric filter and alerts exist for VPC Network Firewall rule changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging7{...AssetFragment}Log metric filter and alerts exist for VPC network route changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging8{...AssetFragment}Log metric filter and alerts exist for VPC network changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging9{...AssetFragment}Log metric filter and alerts exist for Cloud Storage IAM permission changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging10{...AssetFragment}Log metric filter and alerts exist for SQL instance configuration changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging11{...AssetFragment}Activity Log Alert exists for Create or Update Public IP Address
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.network/publicIPAddresses/write") {
...AssetFragment
}
}Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/write"){...AssetFragment}}Activity Log Alert exists for Create or Update Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/write"){...AssetFragment}}Activity Log Alert exists for Delete Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/delete"){...AssetFragment}}Activity Log Alert exists for Create Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/write"){...AssetFragment}}Activity Log Alert exists for Create or Update Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/write"){...AssetFragment}}Activity Log Alert exists for Delete Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/delete"){...AssetFragment}}Activity Log Alert exists for Delete Public IP Address
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.network/publicIPAddresses/delete") {
...AssetFragment
}
}Activity Log Alert exists for Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/delete"){...AssetFragment}}Activity Log Alert exists for Delete Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/delete"){...AssetFragment}}Alibaba IAM account summaries with Anti-DDos log service enabled
Connectors
Covered asset types
Expected check: eq []
{
iamAccountSummaries(
where: {
hasIAMAccountSummaryItem_SOME: { key: "antiDDoSHasLogStore", value: 1 }
}
) {
connector {...AssetFragment}
}
}
Cloud SQL database instances are configured with automated backups
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsBackupConfigurationEnabled:false}){...AssetFragment}Azure Storage Accounts Without Soft Delete
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ blobServiceDeletePolicyEnabled: false }
{ blobServiceDeletePolicyDays: 0 }
{ containerDeleteRetentionPolicyEnabled: false }
{ containerDeleteRetentionPolicyDays: 0 }
]
}
) {
...AssetFragment
}
}Buckets without versioning enabled
Connectors
Covered asset types
Expected check: eq []
{ objectContainers (where: {versioningEnabled: false}) {...AssetFragment} } AWS Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{kmsKeys( where: { OR: [ { AND: {policyDocument_MATCHES: ".*arn:aws:iam::[0-9*]+:root.*", managementType: "CustomerManaged"} } { keyPolicy: { statements_SOME: { effect: "Allow" conditions: [] principals_INCLUDES: "AWS|*" } } } ] } ) {...AssetFragment}}Google Cloud Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys( where: { OR: [ { policyDocument_MATCHES: ".*domain:.*" } { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ] } ) {...AssetFragment} } Encryption Keys scheduled for deletion
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys(where: {scheduleForDeletion: true, dataStores_SOME: { identifier_NOT: null }}) {...AssetFragment} }Encryption Keys haven't been rotated in more than 90 days for AWS
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotationAWS(days: 90) {...AssetFragment}
}Encryption Keys haven't been rotated in more than 90 days
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotation(days: 90) {...AssetFragment}
}Encryption Keys expiring within the next 14 days
Connectors
Covered asset types
Expected check: eq []
{ EncryptionKeysExpiration(days: 14) {...AssetFragment} }Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AWSIAM4{...AssetFragment}KMS encryption keys are rotated within a period of 90 days
Connectors
Covered asset types
Expected check: eq []
GCP110IAM10{...AssetFragment}"Block Project-wide SSH keys" is enabled for VM instances
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"block-project-ssh-keys" value:"false"}}){...AssetFragment}User-managed/external keys for service accounts are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
GCPIAM5{...AssetFragment}GCP API Keys are restricted based on hosts and apps
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
clientRestrictions: []
}
) {
...AssetFragment
}
}GCP API Keys are restricted based on APIs
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
apiRestrictions: []
}
) {
...AssetFragment
}
}Storage account access keys are periodically regenerated
Connectors
Covered asset types
Expected check: eq []
{StorageAccountsWithOldKeys{...AssetFragment}}Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AlibabaIAM6 {...AssetFragment}Azure connectors without notifications for high alerts
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { alertNotifications: false } }
]
}
) {
...AssetFragment
}
}
