Alibaba Cloud
AWS
Google Cloud
Microsoft Azure
Microsoft Entra ID
OktaOverview
Statement
HIPAA is a federal law. As compared to other Standards that generally offer recommendations, HIPAA is a set of controls and requirements companies MUST meet as covered entities.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards to protect individuals' medical records and other personal health information (PHI) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
In recent years, a very important type of records that are required to be protected under HIPAA regulation is the Electronic protected health information or ePHI, defined in HIPAA as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media, cloud computing included. Although HIPAA has the same confidentiality requirements for all PHI, the ease with which ePHI can be copied and transmitted requires special safeguards to prevent breaches.
Under HIPAA, PHI can generally only be used to furnish medical services and process payments. There are also a few special cases when PHI must be disclosed, such as under a court-ordered warrant. Medical information that has been de-identified — stripped of all identifying information — is no longer subject to the HIPAA Privacy Rule, and can be used for other purposes, such as case studies.
HIPAA is governed by three main rules:
- Privacy Rule: how PHI can be used and disclosed;
- Security Rule: describes standards and safeguards required to protect ePHI at rest and in transit;
- Breach Notification Rule: describes procedures and controls required to notify patients and the proper authorities in case of a PHI/ePHI data breach.
Additional information
Scope
HIPAA covers all these entities: the actual providers that offer treatment, payment, or operations in healthcare, but also all the associates with access to patient information that support them in the discharge of these services. Subcontractors, as well as business partners' associates, must comply with HIPAA.
Purpose
Technical Safeguards play a central role in protecting HIPAA ePHI through access control. Many of these safeguards are security best practices, including:
- Unique accounts for each user;
- Strong passwords and (ideally) multi-factor authentication;
- Providing each user the minimum ePHI access required to do their job;
- Recording all access and changes to ePHI.
Although Technical Safeguards are central to securing ePHI, Physical Safeguards (protecting workstations) and Administrative Safeguards (training and auditing) also play a crucial role. your organization uses a complete HIPAA compliance checklist to protects patient confidentiality everywhere - not just in the cloud.
Scoring Information
A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:
-
Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
-
Not Scored
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Demographics of ePHI
HIPAA regulation states that ePHI includes any of 18 distinct demographics that can be used to identify a patient:
- Name
- Address (including subdivisions smaller than states such as a street address, city, county, or zip code)
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voiceprints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
Penalties for HIPAA Violations
Penalties for HIPAA violations can be issued by the Department of Health and Human Services' Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.
Violation Classifications
- Tier 1: a violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules;
- Tier 2: a violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules);
- Tier 3: a violation suffered as a direct result of "willful neglect" of HIPAA Rules, in cases where an attempt has been made to correct the violation;
- Tier 4: a violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.
Financial Penalties
- Tier 1: minimum fine of $100 per violation up to $50,000;
- Tier 2: minimum fine of $1,000 per violation up to $50,000;
- Tier 3: minimum fine of $10,000 per violation up to $50,000;
- Tier 4: minimum fine of $50,000 per violation.
Criminal Penalties
- Tier 1: reasonable cause or no knowledge of violation – Up to 1 year in jail;
- Tier 2: obtaining PHI under pretenses – Up to 5 years in jail;
- Tier 3: obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail.
Security Standards - Technical Safeguards
Security Standards - Administrative Safeguards
Security Standards - Physical Safeguards
Procedures and mapped controls
164.312(a) - Access Control
A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Mapped controls
Ensure no "root" user account access key exists
Eliminate use of the "root" user for administrative and daily tasks
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure there is only one active access key available for any single IAM user
Ensure IAM Users receive permissions only through Groups
Ensure IAM instance roles are used for AWS resource access from instances
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure that IAM Access analyzer is enabled for all regions
Ensure all S3 buckets employ encryption-at-rest
Ensure S3 Bucket Policy is set to deny HTTP requests
Ensure Application Load Balancer uses HTTPS Listener
Ensure Network Load Balancer uses TLS Listener
Ensure weak TLS Protocols are not used for ELB
Ensure encrypted storage is used for VMs that might host a database
Ensure data stored in SNS Topics is encrypted
Ensure Kinesis Data Streams use encryption at rest
Ensure RDS instances use encrypted volumes
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Ensure API keys are not created for a project
Ensure API Keys are restricted to use by only specified hosts and apps
Ensure API Keys are restricted to use only APIs that application needs access to
Ensure API Keys Are Rotated Every 90 Days
Ensure App Service Authentication is set up for apps in Azure App Service
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure No Custom Subscription Administrator Roles Exist
Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Ensure 'Additional email addresses' is configured with a security contact email
Ensure that 'Notify about alerts with the following severity' is set to 'High'
Ensure security alert emails for subscription owners are enabled
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Ensure Storage for Critical Data Is Encrypted with Customer Managed Keys
Ensure 'Data encryption' is set to 'On' on SQL Databases
Ensure at least two Okta admins are configured
Ensure application assignments are configured through groups
Ensure MFA is configured with strong factors
Ensure there are no weak password policies
Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'On'
Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
164.312(b) - Audit Controls
A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Mapped controls
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail log file validation is enabled
Ensure VPC flow logging is enabled in all VPCs
Ensure that Object-level logging for write events is enabled for S3 bucket
Ensure that Object-level logging for read events is enabled for S3 bucket
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for VPC changes
Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock
Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
Ensure 'Auditing' is set to 'On' for SQL Servers
Ensure 'Auditing' Retention is greater than 90 days for SQL Servers
Ensure Diagnostic Setting captures appropriate categories
Ensure logging for Azure Key Vault is 'Enabled'
Ensure that Activity Log Alert exists for Create or Update Network Security Group
Ensure Network Watchers are 'Enabled' for in-use Azure regions
Ensure ECS clusters use Container Insights
Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud SQL PostgreSQL instance is set to 'on' for centralized logging
Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
Ensure Cloud DNS Logging Is Enabled for All VPC Networks
Ensure Logging is enabled for HTTP(S) Load Balancers
164.312(c) - Integrity
A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
164.312(d) - Person or entity authentication
A covered entity must implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Mapped controls
Users Should Have Multi-Factor Authentication (MFA/2SV)
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM password policy prevents password reuse
Ensure IAM password policy expires passwords within 90 days or less
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure Basic Authentication is disabled on Kubernetes Engine Clusters
Ensure Kubernetes Cluster is created with Client Certificate enabled
Ensure default Service account is not used for Project access in Kubernetes Clusters
Ensure the Expiration Date is set for Key Vault Secrets
Ensure App Service Authentication is set up for apps in Azure App Service
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
164.312(e) - Transmission Security
A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Mapped controls
Ensure management ports are restricted from the internet
Ensure no "root" user account access key exists
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure VPC flow logging is enabled in all VPCs
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for VPC changes
Ensure the default security group of every VPC restricts all traffic
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Ensure Network policy is enabled on Kubernetes Engine Clusters
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure DNSSEC is enabled for Cloud DNS
Ensure RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Ensure RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure Compute instances do not have public IP addresses
Ensure Cloud SQL database instances do not have public IPs
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
Ensure App Service Authentication is set up for apps in Azure App Service
Ensure 'HTTPS Only' is set to 'On' for App Service
Ensure Web App is using the latest version of TLS encryption
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure 'Auditing' is set to 'On' for SQL Servers
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
Ensure Diagnostic Setting captures appropriate categories
Ensure 'Allow Blob Anonymous Access' is set to 'Disabled'
Ensure that Activity Log Alert exists for Create Policy Assignment
Ensure that Activity Log Alert exists for Delete Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Network Security Group
Ensure that Activity Log Alert exists for Delete Network Security Group
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure 'Additional email addresses' is configured with a security contact email
Ensure that 'Notify about alerts with the following severity' is set to 'High'
Ensure security alert emails for subscription owners are enabled
Ensure 'Secure transfer required' is set to 'Enabled'
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Ensure Amazon ECS task definitions include secure networking modes and user definitions
Ensure ECS services don't have public IP addresses assigned to them automatically
Ensure ECS containers run as non-privileged
ECS containers should be limited to read-only access to root filesystems
Ensure App Engine Applications Enforce HTTPS Connections
Security Management Process
A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Security Personnel
A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
Information Access Management
Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the minimum necessary, the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
Mapped controls
Eliminate use of the "root" user for administrative and daily tasks
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Ensure No Custom Subscription Administrator Roles Exist
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Make sure secrets are not passed as container environment variables
ECS containers should be limited to read-only access to root filesystems
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure Instance IP assignment is set to private
Workforce Training and Management
A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
Evaluation
A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
Facility Access and Control
A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
Workstation and Device Security
A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
Query logic
These are the stored checks tied to this framework.
AWS Root users with access key
Connectors
Covered asset types
Expected check: eq []
{
rootUsers(
where: {
hasIAMUserCredentials: {
OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
}
}
) {
connector {...AssetFragment}
}
}
Eliminate use of the "root" user for administrative and daily tasks
Connectors
Covered asset types
Expected check: eq []
AWSIAM1 {...AssetFragment}Do not setup access keys during initial user setup for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{OR:[{accessKey1Active:true,accessKey1LastUsedDate:null}{accessKey2Active:true,accessKey2LastUsedDate: null }]}}){...AssetFragment}There is only one active access key available for any single IAM user
Connectors
Covered asset types
Expected check: eq []
AWS130IAM13 {...AssetFragment}IAM Users receive permissions only through Groups
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {...AssetFragment}S3 Buckets are configured with 'Block public access (bucket settings)'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { publicAccessBlocked: false }) {...AssetFragment}IAM Access analyzer is enabled for all regions
Connectors
Covered asset types
Expected check: eq []
AWS140IAM20{...AssetFragment}All S3 buckets employ encryption-at-rest
Connectors
Covered asset types
Expected check: eq []
buckets(where: { encrypted: false}) {...AssetFragment}S3 Bucket Policy is set to deny HTTP requests
Connectors
Covered asset types
Expected check: eq []
buckets(where: {OR: [{policyDocument_MATCHES: "^((?!(?i)\"effect\":\"deny\").)*$"},{policyDocument_MATCHES: "^((?!(?i)\"Bool|aws:SecureTransport|false\").)*$"}]}) {...AssetFragment}Application Load Balancer uses HTTPS Listener
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"application",listensOnHTTPListener_NONE:{hasCertificate:true}}){...AssetFragment}}Network Load Balancer uses TLS Listener
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"network",listensOnHTTPListener_NONE:{hasCertificate:true}}){...AssetFragment}}Weak TLS Protocols are not used for ELB
Connectors
Covered asset types
Expected check: eq []
{loadBalancers( where: { scheme: "internet-facing", listensOnHTTPListener_SOME: { sslPolicy_IN: ["ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-02"] } } ) {...AssetFragment}}Encrypted storage is used for VMs that might host a database
Connectors
Covered asset types
Expected check: eq []
{vms(where:{diskAttachments_SOME:{disk:{encrypted:false}},OR:[{name_MATCHES:"(?i).*database.*"},{name_MATCHES:"(?i).*db.*"},{name_MATCHES:"(?i).*mariadb.*"},{name_MATCHES:"(?i).*postgres.*"},{name_MATCHES:"(?i).*oracle.*"},{name_MATCHES:"(?i).*sql.*"}]}){...AssetFragment}}Data stored in SNS Topics is encrypted
Connectors
Covered asset types
Expected check: eq []
{snsTopics(where:{hasSNSTopicAttribute_NONE:{key:"KmsMasterKeyId",OR:[{value_NOT:null},{value_NOT:""}]}}){...AssetFragment}}Kinesis Data Streams use encryption at rest
Connectors
Covered asset types
Expected check: eq []
{kinesisDataStreams(where:{encryptionType:"NONE"}){...AssetFragment}}RDS instances use encrypted volumes
Connectors
Covered asset types
Expected check: eq []
{dbInstances(where:{encrypted:false}){...AssetFragment}}IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Connectors
Covered asset types
Expected check: eq []
GCP110IAM6{...AssetFragment}Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{legacyAbacEnabled_NOT:false}){...AssetFragment}GCP API Keys are restricted based on hosts and apps
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
clientRestrictions: []
}
) {
...AssetFragment
}
}GCP API Keys are restricted based on APIs
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
apiRestrictions: []
}
) {
...AssetFragment
}
}API Keys rotation
Connectors
Covered asset types
Expected check: eq []
{
APIKeysRotation(days: 90) {...AssetFragment}
}Azure App Services without authentication
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { authSettings: { enabled: true } }) {
...AssetFragment
}
}The web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Connectors
Covered asset types
Expected check: eq []
{sites(where:{clientCertEnabled_NOT:true}){...AssetFragment}}Azure Custom Subscription Administrator Roles
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
iamRoles(
where: {
type: "CustomRole"
permissions_INCLUDES: "*"
assignableScopes_INCLUDES: $subscriptionResourceId
}
) {
...AssetFragment
}
}Azure IAM Custom roles with lock permission
Connectors
Covered asset types
Expected check: eq []
{
AzureConnectorsWithoutCustomLockRoles{
...AssetFragment
}
}Azure connectors without security contact additional email addresses
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { email: null } }
{ securityContacts_SOME: { email: "" } }
]
}
) {
...AssetFragment
}
}Azure connectors without notifications for high alerts
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { alertNotifications: false } }
]
}
) {
...AssetFragment
}
}Azure connectors without subscription owner notifications
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { notificationByRoleState: "Off" } }
{
NOT: {
securityContacts_SOME: { notificationRoles_INCLUDES: "Owner" }
}
}
]
}
) {
...AssetFragment
}
}Enable role-based access control (RBAC) within Azure Kubernetes Services
Connectors
Covered asset types
Expected check: eq []
{aksClusters(where:{enableRBAC_NOT:true}){...AssetFragment}}Storage for critical data is encrypted with Customer Managed Key
Connectors
Covered asset types
Expected check: eq []
{storageAccounts(where:{byokEncrypted_NOT:true}){...AssetFragment}}'Data encryption' is set to 'On' on a SQL Database
Connectors
Covered asset types
Expected check: eq []
{sqlDatabases(where: {encrypted: false}){...AssetFragment}}At least two Okta admins are configured
Connectors
Covered asset types
Expected check: eq []
Okta1{...AssetFragment}Application assignments are configured through groups
Connectors
Covered asset types
Expected check: eq []
users(where: { applicationsConnection_SOME: {edge: {scope_NOT: "GROUP"}}}) {...AssetFragment}MFA is configured with strong factors
Connectors
Covered asset types
Expected check: eq []
oktaPolicies(where: { type: "MFA_ENROLL", OR:[{allowedFactors_INCLUDES: "phone_number"}, {allowedFactors_INCLUDES: "security_question"}, {allowedFactors_INCLUDES: "okta_email"}]}) {...AssetFragment}There are no weak password policies
Connectors
Covered asset types
Expected check: eq []
passwordPolicies(where: { OR:[{minLength_LT: 14}, {minLowerCase_LT: 1}, {minUpperCase_LT: 1}, {minNumber_LT: 1}, {minSymbol_LT: 1}, {reuseCount_LT: 1}]}) {...AssetFragment}Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'On'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "mysql"
cloudProvider: "gcp"
OR: [
{ dbFlags_NONE: { name: "skip_show_database" } }
{ dbFlags_SOME: { name: "skip_show_database", value: "off" } }
]
}
) {
...AssetFragment
}}Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "remote access" }}, {dbFlags_SOME: {name: "remote access", value: "on"}}]
}
) {
...AssetFragment
}
}BigQuery datasets are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}AWS Multi-region cloud trails with logging enabled
Connectors
Covered asset types
Expected check: eq []
{
AWSLogging1 {...AssetFragment}
}
CloudTrail log file validation is enabled
Connectors
Covered asset types
Expected check: eq []
trails(where:{logFileValidationEnabled:false}){...AssetFragment}VPC flow logging is enabled in all VPCs
Connectors
Covered asset types
Expected check: eq []
vpcs(where: {OR: [{hasFlowLog: null}, {hasFlowLog_NONE: {flowLogStatus: "ACTIVE"}}]}){...AssetFragment}Object-level logging for write events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "WriteOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}Object-level logging for read events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "ReadOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}A log metric filter and alarm exist for IAM policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachGroupPolicy[\"]?\\s*\\)\\s*\\s*.*"){...AssetFragment}A log metric filter and alarm exist for CloudTrail configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StartLogging[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopLogging[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for S3 bucket policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?s3\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketReplication[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketReplication[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Config configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?config\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopConfigurationRecorder[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutConfigurationRecorder[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for security group changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateSecurityGroup[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteSecurityGroup[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclAssociation[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to network gateways
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachInternetGateway[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for route table changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRouteTableAssociation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisassociateRouteTable[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for VPC changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ModifyVpcAttribute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RejectVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableVpcClassicLink[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnableVpcClassicLink[\"]?\\s*\\)\\s*.*"){...AssetFragment}Retention policies on log buckets are configured using Bucket Lock
Connectors
Covered asset types
Expected check: eq []
logBuckets(where:{locked:false}){...AssetFragment}Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{loggingService_NOT:"logging.googleapis.com"}){...AssetFragment}Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{monitoringService_NOT:"monitoring.googleapis.com"}){...AssetFragment}Azure SQL Servers without auditing
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(where: { blobAuditingPolicies_NONE: { state: "Enabled" } }) {
...AssetFragment
}
}Azure SQL Servers with audit retention lesser than 90 days
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
blobAuditingPolicies_NONE: {
state: "Enabled"
OR: [{ retentionDays: 0 }, { retentionDays_GT: 90 }]
}
}
) {
...AssetFragment
}
}Diagnostic Setting captures appropriate categories
Connectors
Covered asset types
Expected check: eq []
{subscriptionDiagnosticSettings(where:{logSettings_SOME:{category_IN:["Administrative","Alert","Policy","Security"],enabled:false}},){...AssetFragment}}Key Vaults without Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where: {
OR: [
{ loggingEnabled: false }
{
diagnosticSettings_SOME: {
resourceType: "Microsoft.KeyVault/vaults"
logs_SOME: {
enabled: false
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
) {
...AssetFragment
}
}Activity Log Alert exists for Create or Update Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/write"){...AssetFragment}}Azure Connectors without network watchers in all used regions
Connectors
Covered asset types
Expected check: eq []
{
AzureRegionsWithoutNetworkWatcher {
...AssetFragment
}
}ECS clusters should use Container Insights
Connectors
Covered asset types
Expected check: eq []
{
ecsClusters(where: {hasECSSettings_NONE: {
key: "containerInsights",
value: "enabled"
}}) {...AssetFragment}
}Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_error_verbosity", value: "verbose" }
}
) {
...AssetFragment
}
}Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_NONE: { name: "log_statement" }
}
) {
...AssetFragment
}
}Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_min_error_statement", NOT: {value_IN: ["error", "log", "fatal", "panic"]} }
}
) {
...AssetFragment
}
}Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud Sql Postgresql instance is set to 'on' for centralized logging
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "cloudsql.enable_pgaudit" }}, {dbFlags_SOME: {name: "cloudsql.enable_pgaudit", value: "off"}}]
}
) {
...AssetFragment
}
}Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "3625" }}, {dbFlags_SOME: {name: "3625", value: "off"}}]
}
) {
...AssetFragment
}
}Google Cloud VPCs without DNS logging
Connectors
Covered asset types
Expected check: eq []
{
vpcs(where: { dnsPolicy_NONE: { NOT: { enableLogging_IN: ["true"] } } }) {
...AssetFragment
}
}Google Cloud Load Balancers without logging
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: { backendServices_ALL: { NOT: { logConfigEnabled: true } } }
) {
...AssetFragment
}
}Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}Google Cloud IAMUsers Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
...AssetFragment
}
}Entra Users Without MFA With Access to Azure
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}Multi-factor authentication is enabled for all RAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}Entra users without mfa
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false }) {
...AssetFragment
}
}IAM password policy requires at least one uppercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireUppercaseCharacters:false}){...AssetFragment}IAM password policy requires at least one lowercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireLowercaseCharacters:false}){...AssetFragment}IAM password policy requires at least one symbol
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireSymbols:false}){...AssetFragment}IAM password policy requires at least one number
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireNumbers:false}){...AssetFragment}IAM password policy requires a minimum length of 14 or greater
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{minimumPasswordLength_LT:14}){...AssetFragment}IAM password policy prevents password reuse (24 times)
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{passwordReusePrevention_LT:24}){...AssetFragment}IAM password policy expires passwords within 90 days or less
Connectors
Covered asset types
Expected check: eq []
{ iamPasswordPolicies( where: { OR: [{ maxPasswordAge: 0 }, { maxPasswordAge_GT: 90 }] } ) {...AssetFragment} } A log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?kms\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableKey[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ScheduleKeyDeletion[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}Basic Authentication is disabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
{gkeClusters(where:{OR:[{masterAuthUsername_NOT:"" masterAuthPassword_NOT:""}]}){...AssetFragment}}Kubernetes Cluster is created with Client Certificate enabled
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{masterAuthClientKey:""}){...AssetFragment}Default Service account is not used for Project access in Kubernetes Clusters
Connectors
Covered asset types
Expected check: eq []
{gkeClusters(where:{nodePools_SOME:{nodeConfig:{serviceAccount:"default"}}}){...AssetFragment}}Azure Key Vault secrets without expiration date
Connectors
Covered asset types
Expected check: eq []
{
kmsSecrets(where: { expires: "0000-01-01T00:00:00.000Z" }) {
...AssetFragment
}
}Security Groups with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}Firewalls with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
CloudTrail trails are integrated with CloudWatch Logs
Connectors
Covered asset types
Expected check: eq []
AWSLogging4{...AssetFragment}CloudTrail logs are encrypted at rest
Connectors
Covered asset types
Expected check: eq []
trails(where:{kmsKeyID:""}){...AssetFragment}The default security group of every VPC restricts all traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(where: { groupName: "default", NOT: { rules_SOME: null } }) {
...AssetFragment
}
}No Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Connectors
Covered asset types
Expected check: eq []
networkAcls(where:{rules_SOME:{AND:[{direction:"Inbound"},{action:"Allow"},{OR:[{sources_INCLUDES:"cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]},{OR:[{destFromPort_LTE: 22, destToPort_GTE: 22}, {destFromPort_LTE: 3389, destToPort_GTE: 3389}]}]}}){...AssetFragment}All the expired SSL/TLS certificates stored in AWS IAM are removed
Connectors
Covered asset types
Expected check: eq []
AWS130IAM19 {...AssetFragment}Cloud SQL database instances require all incoming connections to use SSL
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsIPConfigurationRequireSsl:false}){...AssetFragment}Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
networkSettings_SOME: {
authorizedNetworks_SOME: {
OR: [{ cidrValue: "0.0.0.0/0" }, { cidrValue: "::/0" }]
}
}
}
) {
...AssetFragment
}
}Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{masterAuthorizedNetworksConfigEnabled_NOT:true}){...AssetFragment}Network policy is enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{networkPolicyEnabled:false}){...AssetFragment}Cloud KMS cryptokeys are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{OR:[{policyDocument_CONTAINS:"allUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}DNSSEC is enabled for Cloud DNS
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{dnsSecConfigState_NOT:"on"}){...AssetFragment}RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{hasDNSKeySpec_SOME:{keyType:"keySigning",algorithm_MATCHES:"(?i)rsasha1"}}){...AssetFragment}RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{hasDNSKeySpec_SOME:{keyType:"zoneSigning",algorithm_MATCHES:"(?i)rsasha1"}}){...AssetFragment}No HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: {OR: [
{httpsProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
{sslProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
]}){
...AssetFragment
}
}
Compute instances do not have public IP addresses
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
}
) {
...AssetFragment
}
}Cloud SQL database instances do not have public IPs
Connectors
Covered asset types
Expected check: eq []
{cloudSqlInstances(where:{instanceType:"CLOUD_SQL_INSTANCE",backendType:"SECOND_GEN",ipAddresses_SOME:{type:"PRIMARY"}}){...AssetFragment}}Azure app services allowing plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { httpsOnly: false }) {
...AssetFragment
}
}Azure app services allowing old TLS
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { NOT: { minTlsVersion_IN: ["1.2", "1.3"] } } }) {
...AssetFragment
}
}'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{sslEnforcement_MATCHES:"(?i)^((?!enabled).)*$"},){...AssetFragment}}'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Connectors
Covered asset types
Expected check: eq []
{mySqlServers(where:{sslEnforcement_MATCHES:"(?i)^((?!enabled).)*$"},){...AssetFragment}}'Allow access to Azure services' for PostgreSQL Database Server is disabled
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{firewallRules_SOME:,{OR:[{name_MATCHES:"(?i)allowallwindowsazureips"},{name_MATCHES:"(?i)allowallazureips"},{AND:[{startIPAddress:"0.0.0.0"},{endIPAddress:"0.0.0.0"}]}]}}){...AssetFragment}}Ensure 'Allow access to Azure services' for PostgreSQL Database Flexible Server is disabled
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers (where: {
firewallRules_SOME: {
OR: [
{ name_MATCHES: "(?i)allowallwindowsazureips" }
{ name_MATCHES: "(?i)allowallazureips" }
{ AND: [{ startIPAddress: "0.0.0.0" }, { endIPAddress: "0.0.0.0" }] }
]
}
}) {...AssetFragment}
}
Azure Storage Accounts Allowing Blob Public Access
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { allowBlobPublicAccess: true }) {
...AssetFragment
}
}Activity Log Alert exists for Create Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/write"){...AssetFragment}}Activity Log Alert exists for Delete Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/delete"){...AssetFragment}}Activity Log Alert exists for Delete Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/delete"){...AssetFragment}}Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/write"){...AssetFragment}}Activity Log Alert exists for Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/delete"){...AssetFragment}}No Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Connectors
Covered asset types
Expected check: eq []
{sqlServers(where:{firewallRules_SOME:{startIpAddress_CONTAINS:"0.0.0.0"}}){...AssetFragment}}Azure storage accounts not enforcing HTTPS
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { supportsHttpsTrafficOnly: true } }) {
...AssetFragment
}
}Storage accounts with the default action not set to Deny
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { networkRuleSetDefaultAction: "Deny" } }) {
...AssetFragment
}
}Check if Amazon ECS task definitions should have secure networking modes and user definitions
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(
where: {
networkMode: "host", task_NOT: null,
OR:[
{containerSpecs_SOME: { privileged: true }},
{containerSpecs_SOME: { user_CONTAINS: "root" }}
] }
) {...AssetFragment}
}
ECS services should not have public IP addresses assigned to them automatically
Connectors
Covered asset types
Expected check: eq []
{
ecsServices(where: {hasECSServiceNetworkConfigurations_SOME: { assignPublicIP: true}}) {...AssetFragment}
}ECS containers should run as non-privileged
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(where: {AND: [
{
task_NOT: null
},
{
containerSpecs_SOME: {
privileged: true
}
}
]}) {...AssetFragment}
}ECS containers should be limited to read-only access to root filesystems
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(where: {task_NOT: null, containerSpecs_SOME: { readOnlyRootFS: false }}) {...AssetFragment}
}App Engine Allowing Plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
appEngineServices(
where: {
serviceVersions_NONE: {
urlHandlers_SOME: {
urlRegex_IN: ["/.*", ".*"]
securityLevel_IN: ["SECURE_ALWAYS"]
}
}
}
) {
...AssetFragment
}
}Ensure That Compute Instances Have Confidential Computing Enabled
Connectors
Covered asset types
Expected check: eq []
{
vms(where: { cloudProvider: "gcp", NOT:{enableConfidentialCompute: true} }) {
...AssetFragment
}
}
IAM policies that allow full "*:*" administrative privileges are not attached to IAMRoles
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}}IAM policies that allow full "*:*" administrative privileges are not attached to IAMUsers
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMGroups
Connectors
Covered asset types
Expected check: eq []
iamGroups(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}Check if secrets are passed as ENV vars on ECS Task Definitions
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(
where: {
task_NOT: null,
containerSpecs_SOME: {
envEntries_SOME: {
key_IN: [
"AWS_ACCESS_KEY_ID"
"AWS_SECRET_ACCESS_KEY"
"ECS_ENGINE_AUTH_DATA"
]
}
}
}
) {...AssetFragment}
}
Ensure Instance IP assignment is set to private
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
ipAddresses_SOME: { NOT: { type: "PRIVATE" } }
}
) {
...AssetFragment
}
}
