Alibaba Cloud
AWS
Google Cloud
Google Workspace
Kubernetes
Microsoft Azure
Microsoft Entra ID
OktaOverview
The CSF was designed with security and privacy professionals in mind. By taking an abstraction of what is core to and common across most dominant frameworks, the architecture was deliberately chosen to facilitate straightforward understanding and easy consumption. Each control category in the CSF includes control objectives and control specifications, leveraging the primary categories from the ISO/IEC framework, as well as the inclusion of specific categories for an information security management program and risk management practices which collectively help to ensure organizational, regulatory compliance, and system controls are properly specified and implemented. The core structure is then integrated with various authoritative sources, along with the experience and leading practices of the HITRUST Community, to create specific implementation requirements for each control. All requirements are mapped to the related framework, standard, or regulation, and noted as an authoritative source.
Controls
01: Access Control
Control access to information, information assets, and business processes based on business and security requirements.
01.02 Authorized Access to Information Systems
01.04 Network Access Control
01.06 Application and Information Access Control
01.07 Mobile Computing and Teleworking
02: Human Resources Security
Ensure that employees, contractors, and third-party users are suitable for the roles for which they are being considered, to reduce the risk of fraud, theft, or misuse of facilities.
02.01 Prior to Employment
05: Organization of Information Security
Maintain the security of the organization's information and information assets (data centers or offices that process covered information).
05.01 Internal Organization
05.02 External Parties
06: Compliance
Ensure that the design, operation, use, and management of information systems adheres to applicable laws, statutory, regulatory or contractual obligations, and any security requirements.
06.01 Compliance with Legal Requirements
07: Asset Management
Ensure that management requires ownership and defined responsibilities for the protection of information assets.
07.01 Responsibility for Assets
07.02 Information Classification
09: Communications and Operations Management
Ensure that operating procedures are documented, maintained and made available to all users who need them.
09.01 Documented Operating Procedures
09.04 Protection Against Malicious and Mobile Code
09.05 Information Back-Up
09.06 Network Security Management
09.07 Media Handling
09.08 Exchange of Information
09.10 Monitoring
10: Information Systems Acquisition, Development, and Maintenance
Ensure that security is an integral part of information systems.
10.03 Cryptographic controls
10.05 Security In Development and Support Processes
10.06 Technical Vulnerability Management
Procedures and mapped controls
b. User Registration
c. Privilege Management
The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls.
Mapped controls
Eliminate use of the "root" user for administrative and daily tasks
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure RAM policies that allow full '*:*'' administrative privileges are not created
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure no "root" user account access key exists
d. User Password Management
Mapped controls
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM password policy prevents password reuse
Ensure IAM password policy expires passwords within 90 days or less
Ensure RAM password policy requires at least one uppercase letter
Ensure RAM password policy requires at least one lowercase letter
Ensure RAM password policy requires at least one symbol
Ensure RAM password policy requires at least one number
Ensure RAM password policy requires a minimum length of 14 or greater
Ensure RAM password policy prevents password reuse
Ensure RAM password policy expires passwords within 90 days or less
Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Ensure there are no weak password policies
j. User Authentication for External Connections
l. Remote Diagnostic and Configuration Port Protection
Mapped controls
Ensure management ports are restricted from the internet
Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
Ensure firewall rule does not allow all traffic on all ports
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
m. Segregation in Networks
Mapped controls
n. Network Connection Control
o. Network Routing Control
Mapped controls
Ensure firewall rule does not allow all traffic for Oracle DB (port 1521)
Ensure firewall rule does not allow all traffic for MongoDB (port 27017)
Ensure firewall rule does not allow all traffic for MySQL (port 3306)
Ensure firewall rule does not allow all traffic for PostgreSQL DB (port 5432)
Ensure firewall rule does not allow all traffic on port 80
Ensure firewall rule does not allow all traffic on all ports
Ensure the default firewall does not have any default rules besides http and https
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure management ports are restricted from the internet
i. Policy on the Use of Network Services
Mapped controls
Ensure MFA is configured with strong factors
Ensure MFA Delete is enabled on S3 buckets
Ensure MFA is enabled for the "root" account
Ensure administrators have multi-factor authentication enabled
Ensure hardware MFA is enabled for the "root" account (Hardware MFA)
Users Should Have Multi-Factor Authentication (MFA/2SV)
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure there is only one active access key available for any single IAM user
Ensure IAM Role can be assumed only by specific Principals
Ensure IAM Users receive permissions only through Groups
Ensure Managed IAM Policies are used instead of Inline Policies
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure Service Account has no Admin privileges
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure No Custom Subscription Administrator Roles Exist
Ensure that corporate login credentials are used instead of Gmail accounts
v. Information Access Restriction
Mapped controls
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
Ensure Functions are not publicly accessible
Ensure databases are not publicly accessible
Ensure disks are not publicly accessible
Ensure buckets are not publicly accessible
Ensure queues are not publicly accessible
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure KMSKeys are not exposed through publicly accessible VMs
Ensure RDS instances are not publicly reachable
Ensure VMs are not publicly accessible
Ensure encryption keys are not publicly accessible
Ensure the OSS used to store ActionTrail logs is not publicly accessible
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure 'Allow Blob Anonymous Access' is set to 'Disabled'
Ensure used KMSKeys are not exposed through publicly accessible VMs
w. Sensitive System Isolation
y. Teleworking
a. Roles and Responsibilities
Mapped controls
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Eliminate use of the "root" user for administrative and daily tasks
Ensure Service Account has no Admin privileges
Ensure that MySql database instances do not allow root login from any Host
Ensure IAM Users receive permissions only through Groups
Ensure IAM Role can be assumed only by specific Principals
a. Management Commitment to Information Security
k. Addressing Security in Third Party Agreements
d. Data Protection and Privacy of Covered Information
Mapped controls
Ensure Compute Instances have Confidential Computing Enabled
Ensure all S3 buckets employ encryption-at-rest
Ensure databases are encrypted
Ensure databases have deletion protection enabled
Ensure 'Data encryption' is set to 'On' on SQL Databases
Ensure EBS encryption by default is enabled
Ensure data stored in SNS Topics is encrypted
Ensure Kinesis Data Streams use encryption at rest
Ensure RDS instances use encrypted volumes
Ensure SageMaker Notebooks Are Encrypted
Ensure encrypted storage is used for VMs that might host a database
Ensure that 'Unattached disks' are encrypted
Ensure that 'Virtual Machine's disk' are encrypted
Launch Templates with Disk Configuration Should Encrypt the Disks
Ensure Key Vaults are Recoverable
Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Launch Templates Should Not Allow Metadata Response Hop Limit Higher Than 1
EC2 Instances Should Not Allow Metadata Response Hop Limit Higher Than 1
Ensure AMIs Are Private
Ensure that 'TDE' is set to 'Enabled' for applicable database instances
Ensure the Expiration Date is set for Key Vault Secrets
f. Regulation of Cryptographic Controls
Mapped controls
Ensure Storage for Critical Data Is Encrypted with Customer Managed Keys
Ensure SQL server's TDE protector is encrypted with Customer Managed Keys (CMK)
Ensure server-side encryption is set to 'Encrypt with BYOK'
Ensure server-side encryption is set to 'Encrypt with Service Key'
Ensure that 'OS and Data' disks are encrypted with Customer Managed Keys (CMK)
Ensure that 'Unattached disks' are encrypted with Customer Managed Keys (CMK)
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure Web App is using the latest version of TLS encryption
Ensure RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Ensure RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure weak TLS Protocols are not used for ELB
c. Acceptable Use of Assets
e. Information Labeling and Handling
b. Change Management
Mapped controls
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for VPC changes
Ensure a log metric filter and alarm exist for AWS Organizations changes
Ensure log metric filter and alerts exist for Project Ownership assignments/changes
Ensure log metric filter and alerts exist for Audit Configuration Changes
Ensure log metric filter and alerts exist for Custom Role changes
Ensure log metric filter and alerts exist for VPC Network Firewall rule changes
Ensure log metric filter and alerts exist for VPC network route changes
Ensure log metric filter and alerts exist for VPC network changes
Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes
Ensure log metric filter and alerts exist for SQL instance configuration changes
c. Segregation of Duties
j. Controls Against Malicious Code
l. Back-up
Mapped controls
n. Security of Network Services
Mapped controls
Ensure DNSSEC is enabled for Cloud DNS
Ensure Application Load Balancer uses HTTPS Listener
Ensure Network Load Balancer uses TLS Listener
Ensure firewall rule does not allow all traffic for Oracle DB (port 1521)
Ensure firewall rule does not allow all traffic for MongoDB (port 27017)
Ensure firewall rule does not allow all traffic for MySQL (port 3306)
Ensure firewall rule does not allow all traffic for PostgreSQL DB (port 5432)
Ensure firewall rule does not allow all traffic on port 80
Ensure firewall rule does not allow all traffic on all ports
Ensure legacy networks do not exist for a project
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure EC2 Instances are deployed in a VPC
Ensure unencrypted LDAP port (389) is not exposed to the internet
Ensure that Elasticsearch database is not exposed to the internet (ports 9200 and/or 9300)
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure management ports are restricted from the internet
Ensure the default network does not exist in a project
Ensure the default firewall does not have any default rules besides http and https
Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
Ensure App Engine Applications Enforce HTTPS Connections
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure Cloud SQL database instances do not have public IPs
Ensure Compute instances do not have public IP addresses
Ensure ECS services don't have public IP addresses assigned to them automatically
Ensure S3 Bucket Policy is set to deny HTTP requests
Ensure databases are not publicly accessible
Ensure databases have TLS 1.2 or newer enabled
Ensure disks are not publicly accessible
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure AMIs Are Private
p. Disposal of Media
s. Information Exchange Policies and Procedures
Mapped controls
Ensure 'Secure transfer required' is set to 'Enabled'
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB Database Server
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure Web App is using the latest version of TLS encryption
Ensure weak TLS Protocols are not used for ELB
Ensure Network Load Balancer uses TLS Listener
Ensure databases have TLS 1.2 or newer enabled
aa. Audit Logging
Mapped controls
Ensure Anti-DDoS access and security log service is enabled
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Ensure a log metric filter and alarm exist for AWS Organizations changes
Ensure a log metric filter and alarm exist for unauthorized API calls
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for usage of "root" account
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for VPC changes
Ensure Cloud Audit Logging is configured properly across all services and all users from a project
Ensure log metric filter and alerts exist for Project Ownership assignments/changes
Ensure log metric filter and alerts exist for Audit Configuration Changes
Ensure log metric filter and alerts exist for Custom Role changes
Ensure log metric filter and alerts exist for VPC Network Firewall rule changes
Ensure log metric filter and alerts exist for VPC network route changes
Ensure log metric filter and alerts exist for VPC network changes
Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes
Ensure log metric filter and alerts exist for SQL instance configuration changes
[LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
[LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
Ensure that Activity Log Alert exists for Delete Public IP Address rule
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Create or Update Security Solution
Ensure that Activity Log Alert exists for Create Policy Assignment
Ensure that Activity Log Alert exists for Delete Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Network Security Group
Ensure that Activity Log Alert exists for Delete Network Security Group
Ensure that Activity Log Alert exists for Delete Security Solution
Ensure the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'On'
Ensure the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'On'
ab. Monitoring System Use
Mapped controls
Ensure AWS Config is enabled in all regions
Ensure Access Logs is Enabled for ELB
Ensure Cloud DNS Logging Is Enabled for All VPC Networks
Ensure Logging is enabled for HTTP(S) Load Balancers
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
Ensure VPC Flow logs is enabled for every subnet in a VPC Network
Ensure VPC flow logging is enabled in all VPCs
Ensure Web Application Firewall access and security log service is enabled
Ensure sinks are configured for all Log entries
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Ensure that Object-level logging for read events is enabled for S3 bucket
Ensure that Object-level logging for write events is enabled for S3 bucket
Ensure that logging is enabled for Cloud Storage buckets
Ensure logging for Azure Key Vault is 'Enabled'
Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud SQL PostgreSQL instance is set to 'on' for centralized logging
Ensure that logging is enabled for OSS buckets
Ensure the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (Disabled)
Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
Ensure 'Auditing' is set to 'On' for SQL Servers
ac. Protection of Log Information
Mapped controls
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock
Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Ensure that object versioning is enabled on log-buckets
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure the OSS used to store ActionTrail logs is not publicly accessible
Ensure 'Allow Blob Anonymous Access' is set to 'Disabled'
Ensure 'Auditing' Retention is greater than 90 days for SQL Servers
Ensure that ActionTrail is configured to export copies of all Log entries
ad. Administrator and Operator Logs
ae. Fault Logging
Mapped controls
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
[LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
Ensure the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately
Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
g. Key Management
Mapped controls
Ensure API Keys are restricted to use by only specified hosts and apps
Ensure API Keys are restricted to use only APIs that application needs access to
Ensure "Block Project-wide SSH keys" is enabled for VM instances
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure KMSKeys are not exposed through publicly accessible VMs
Ensure access keys are rotated every 90 days or less
Ensure access keys are rotated every 90 days or less
Ensure encryption keys are not expiring within the next 14 days
Ensure encryption keys are not publicly accessible
Ensure encryption keys are rotated
Ensure in-use encryption keys are not scheduled for deletion
Ensure encryption keys don't have permissive access policies
Ensure Storage Account Access Keys are Periodically Regenerated
Ensure used KMSKeys are not exposed through publicly accessible VMs
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
k. Change Control Procedures
Mapped controls
ECS Fargate services should run on the latest Fargate platform version
Ensure no databases have outdated engine versions
Ensure Web App Uses HTTP 2.0
Ensure that 'Java version' is currently supported (if in use)
Ensure that 'PHP version' is currently supported (if in use)
Ensure that 'Python version' is currently supported (if in use)
Ensure Web App is using the latest version of TLS encryption
m. Control of Technical Vulnerabilities
Mapped controls
Ensure there are no workloads with exploitable vulnerabilities
Ensure Compute instances are launched with Shielded VM enabled
Ensure AWS Inspector is configured for EC2 Instances
Ensure security alert emails for subscription owners are enabled
Ensure 'Additional email addresses' is configured with a security contact email
Ensure that 'Notify about alerts with the following severity' is set to 'High'
Query logic
These are the stored checks tied to this framework.
IAM Users that are inactive for 30 days or more are deactivated
Connectors
Covered asset types
Expected check: eq []
{AWSIAM20{...AssetFragment}}Eliminate use of the "root" user for administrative and daily tasks
Connectors
Covered asset types
Expected check: eq []
AWSIAM1 {...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMRoles
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}}IAM policies that allow full "*:*" administrative privileges are not attached to IAMUsers
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMGroups
Connectors
Covered asset types
Expected check: eq []
iamGroups(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}RAM policies that allow full '*:*'' administrative privileges are not created
Connectors
Covered asset types
Expected check: eq []
iamPolicies(where: { policyType: "Custom", iamPolicyStatements_SOME: { effect: "Allow", actions_INCLUDES: "*" } }) {...AssetFragment}
IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Connectors
Covered asset types
Expected check: eq []
GCP110IAM6{...AssetFragment}Separation of duties is enforced while assigning service account related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountAdmin"
}
}
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountUser"
}
}
]
}
) {
...AssetFragment
}
}Instances are not configured to use the default service account with full access to all Cloud APIs
Connectors
Covered asset types
Expected check: eq []
GCPVM1{...AssetFragment}AWS Root users with access key
Connectors
Covered asset types
Expected check: eq []
{
rootUsers(
where: {
hasIAMUserCredentials: {
OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
}
}
) {
connector {...AssetFragment}
}
}
IAM password policy requires at least one uppercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireUppercaseCharacters:false}){...AssetFragment}IAM password policy requires at least one lowercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireLowercaseCharacters:false}){...AssetFragment}IAM password policy requires at least one symbol
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireSymbols:false}){...AssetFragment}IAM password policy requires at least one number
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireNumbers:false}){...AssetFragment}IAM password policy requires a minimum length of 14 or greater
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{minimumPasswordLength_LT:14}){...AssetFragment}IAM password policy prevents password reuse (24 times)
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{passwordReusePrevention_LT:24}){...AssetFragment}IAM password policy expires passwords within 90 days or less
Connectors
Covered asset types
Expected check: eq []
{ iamPasswordPolicies( where: { OR: [{ maxPasswordAge: 0 }, { maxPasswordAge_GT: 90 }] } ) {...AssetFragment} } RAM password policy requires at least one uppercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireUppercaseCharacters: false}) {...AssetFragment}RAM password policy requires at least one lowercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireLowercaseCharacters: false}) {...AssetFragment}RAM password policy requires at least one symbol
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireSymbols: false}) {...AssetFragment}RAM password policy requires at least one number
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireNumbers: false}) {...AssetFragment}RAM password policy requires a minimum length of 14 or greater
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { minimumPasswordLength_LT: 14}) {...AssetFragment}RAM password policy prevents password reuse
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { passwordReusePrevention_NOT: 24 }) {...AssetFragment}RAM password policy expires passwords within 90 days or less
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { maxPasswordAge_GT: 90 }) {...AssetFragment}RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { maxLoginAttempts_LT: 5 }) {...AssetFragment}There are no weak password policies
Connectors
Covered asset types
Expected check: eq []
passwordPolicies(where: { OR:[{minLength_LT: 14}, {minLowerCase_LT: 1}, {minUpperCase_LT: 1}, {minNumber_LT: 1}, {minSymbol_LT: 1}, {reuseCount_LT: 1}]}) {...AssetFragment}Security Groups with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}Firewalls with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
"Block Project-wide SSH keys" is enabled for VM instances
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"block-project-ssh-keys" value:"false"}}){...AssetFragment}Retrieve AWS Launch Templates without IMDSv2 required
Connectors
Covered asset types
Expected check: eq []
{
launchTemplateVersions(
where: { NOT: { metadataOptionHTTPTokens: "required" } }
) {...AssetFragment}
}
'Enable connecting to serial ports' is not enabled for VM Instance
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"serial-port-enable",value:"true"}}){...AssetFragment}Firewall rule does not allow all traffic on all ports
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 0, destToPort_GTE: 65535, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}No Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Connectors
Covered asset types
Expected check: eq []
networkAcls(where:{rules_SOME:{AND:[{direction:"Inbound"},{action:"Allow"},{OR:[{sources_INCLUDES:"cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]},{OR:[{destFromPort_LTE: 22, destToPort_GTE: 22}, {destFromPort_LTE: 3389, destToPort_GTE: 3389}]}]}}){...AssetFragment}EC2 Instances are deployed in a VPC
Connectors
Covered asset types
Expected check: eq []
{vms(where:{OR:[{vpcID:null},{vpcID:""}]}){...AssetFragment}}Weak TLS Protocols are not used for ELB
Connectors
Covered asset types
Expected check: eq []
{loadBalancers( where: { scheme: "internet-facing", listensOnHTTPListener_SOME: { sslPolicy_IN: ["ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-02"] } } ) {...AssetFragment}}Azure app services allowing old TLS
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { NOT: { minTlsVersion_IN: ["1.2", "1.3"] } } }) {
...AssetFragment
}
}Unencrypted LDAP port (389) is not exposed to the internet
Connectors
Covered asset types
Expected check: eq []
{securityGroups(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 389, destToPort_GTE: 389, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Azure app services allowing plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { httpsOnly: false }) {
...AssetFragment
}
}Firewall rule does not allow all traffic for Oracle DB (port 1521)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 1521, destToPort_GTE: 1521, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic for MongoDB (port 27017)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 27017, destToPort_GTE: 27017, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic for MySQL (port 3306)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 3306, destToPort_GTE: 3306, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic for PostgreSQL DB (port 5432)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 5432, destToPort_GTE: 5432, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic on port 80
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 80, destToPort_GTE: 80, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}The default firewall does not have any default rules besides http and https
Connectors
Covered asset types
Expected check: eq []
{GCPNetworking7{...AssetFragment}}No Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Connectors
Covered asset types
Expected check: eq []
{sqlServers(where:{firewallRules_SOME:{startIpAddress_CONTAINS:"0.0.0.0"}}){...AssetFragment}}MFA is configured with strong factors
Connectors
Covered asset types
Expected check: eq []
oktaPolicies(where: { type: "MFA_ENROLL", OR:[{allowedFactors_INCLUDES: "phone_number"}, {allowedFactors_INCLUDES: "security_question"}, {allowedFactors_INCLUDES: "okta_email"}]}) {...AssetFragment}MFA Delete is enabled on S3 buckets
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{bucketVersioningMFADelete:false}){...AssetFragment}}MFA is enabled for the "root" account
Connectors
Covered asset types
Expected check: eq []
AWSIAM13{...AssetFragment}Alibaba & AWS Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: {
cloudProvider_IN: ["alibaba", "aws"],
OR: [
{
iamPolicies_SOME: {
OR: [{
internalName_CONTAINS: "Administrator"
}, {
internalName_CONTAINS: "FullAccess"
}]
}
},
{
hasIAMGroup_SOME: {
iamPolicies_SOME: {
OR: [{
internalName_CONTAINS: "Administrator"
}, {
internalName_CONTAINS: "FullAccess"
}]
}
}
}
],
mfaSerialNumbers: []
}) {
...AssetFragment
}
}Entra users with privileged Azure assignmnets
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
mfaActive: false
OR: [
{
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
{
groups_SOME: {
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
}
]
}
) {
...AssetFragment
}
}Okta Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
applications_SOME: {
name: "Okta Admin Console"
hasPolicy_SOME: { mfaEnabled: false }
}
OR: [
{ roles_INCLUDES: "Super Administrator" }
{ roles_INCLUDES: "API Access Management Administrator" }
{ roles_INCLUDES: "Application Administrator" }
{ roles_INCLUDES: "Group Membership Administrator" }
{ roles_INCLUDES: "Help Desk Administrator" }
{ roles_INCLUDES: "Mobile Administrator" }
{ roles_INCLUDES: "Organizational Administrator" }
{ roles_INCLUDES: "Read-only Administrator" }
{ roles_INCLUDES: "Report Administrator" }
{ roles_INCLUDES: "Group Administrator" }
]
}
) {
...AssetFragment
}
}
Google Workspace Admins without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { isAdmin: true, NOT: { isEnrolledIn2Sv: true } }) {
...AssetFragment
}
}Google Cloud Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
hasIAMRole_SOME: {
OR: [
{ name_IN: ["roles/owner", "roles/editor"] }
{ name_CONTAINS: "admin" }
]
}
NOT: { user: { isEnrolledIn2Sv: true } }
}
) {
...AssetFragment
}
}Entra admins without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { cloudProvider: "entra", isAdmin: true, mfaActive: false }) {
...AssetFragment
}
}
Hardware MFA is enabled for the "root" account (Hardware MFA)
Connectors
Covered asset types
Expected check: eq []
AWSIAM14{...AssetFragment}Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}Google Cloud IAMUsers Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
...AssetFragment
}
}Entra Users Without MFA With Access to Azure
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}Multi-factor authentication is enabled for all RAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}Entra users without mfa
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false }) {
...AssetFragment
}
}Enable role-based access control (RBAC) within Azure Kubernetes Services
Connectors
Covered asset types
Expected check: eq []
{aksClusters(where:{enableRBAC_NOT:true}){...AssetFragment}}Separation of duties is enforced while assigning KMS related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
OR: [
{ name: "roles/cloudkms.admin" }
{ name: "roles/owner" }
{ name: "roles/editor" }
]
}
}
{
hasIAMRole_SOME: {
OR: [
{ name: "roles/cloudkms.cryptoKeyEncrypterDecrypter" }
{ name: "roles/cloudkms.cryptoKeyEncrypter" }
{ name: "roles/cloudkms.cryptoKeyDecrypter" }
]
}
}
]
}
) {
...AssetFragment
}
}
There is only one active access key available for any single IAM user
Connectors
Covered asset types
Expected check: eq []
AWS130IAM13 {...AssetFragment}IAM Role can be assumed only by specific Principals
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{hasIAMAssumeRolePolicyStatement_SOME:{hasIAMAssumeRolePolicyPrincipal_SOME:{value:"*"}}}){...AssetFragment}}IAM Users receive permissions only through Groups
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {...AssetFragment}Managed IAM Policies are used instead of Inline Policies
Connectors
Covered asset types
Expected check: eq []
{AWSIAM8{...AssetFragment}}Ensure Service Account has no Admin privileges
Connectors
Covered asset types
Expected check: eq []
{
iamServiceAccounts(
where: {
hasIAMRole_SOME: {
OR: [
{ name: "roles/owner" }
{ name: "roles/editor" }
{ name_CONTAINS: "admin" }
]
}
}
) {
...AssetFragment
}
}Azure Custom Subscription Administrator Roles
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
iamRoles(
where: {
type: "CustomRole"
permissions_INCLUDES: "*"
assignableScopes_INCLUDES: $subscriptionResourceId
}
) {
...AssetFragment
}
}Corporate login credentials are used instead of Gmail accounts
Connectors
Covered asset types
Expected check: eq []
GCPIAM1{...AssetFragment}BigQuery datasets are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}Publicly Accessible Functions for AWS
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
OR: [
{
securityRules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
},
{
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
]
}
) {
...AssetFragment
}
}
Publicly Accessible Functions for Azure
Connectors
Covered asset types
Expected check: eq []
{
functions(where: {
bindings_SOME: {
direction: "in",
type: "httpTrigger"
}
}) {
...AssetFragment
}
}Publicly Accessible Functions for Alibaba
Connectors
Covered asset types
Expected check: eq []
{
functions(where: {
triggers_SOME: {
triggerType: "http"
}
}) {
...AssetFragment
}
}Publicly Accessible Functions for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
NOT: {
httpsRequired: true
}
}
) {
...AssetFragment
}
}
Publicly Accessible Google Cloud Cloud SQL Instances
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
) {
...AssetFragment
}
} Publicly Accessible Azure MySQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure MySQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Alibaba ApsaraDB Instances
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { publicAccessBlocked: false whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } ) {...AssetFragment} } Publicly Accessible Azure SQL Databases
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
) {...AssetFragment}
}
Publicly Accessible RDS Clusters
Connectors
Covered asset types
Expected check: eq []
{
dbClusters(
where: {
dbInstances_SOME: {
publicAccessBlocked: false
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
}
) {...AssetFragment}
}
Publicly Accessible Azure MariaDB Servers
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(
where: {
publicAccessBlocked: false
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
) {...AssetFragment}
}Publicly Accessible AWS RDS Instance
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
publicAccessBlocked: false
dbCluster: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Disks for AWS/Alibaba
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
publicIpAddress_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
diskAttachments {
disk {...AssetFragment}
}
}
}
Publicly Accessible Disks for Azure
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: {
publicIp_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
}
) {
diskAttachments {
disk {...AssetFragment}
}
}
}
Publicly Accessible Disks for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
firewalls_SOME: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
diskAttachments {
disk {
...AssetFragment
}
}
}
}Publicly Accessible AWS Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "aws"
publicAccessBlocked: false
OR: [
{
hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
{
granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
}
]
permission_IN: ["READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"]
}
}
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "s3:GetObject" }
{ actions_INCLUDES: "s3:ListObjects" }
{ actions_INCLUDES: "s3:ListObjectsV2" }
{ actions_INCLUDES: "s3:PutObject" }
{ actions_INCLUDES: "s3:PutObjectAcl" }
{ actions_INCLUDES: "s3:CreateMultipartUpload" }
{ actions_INCLUDES: "s3:UploadPart" }
{ actions_INCLUDES: "s3:DeleteObject" }
{ actions_INCLUDES: "s3:DeleteObjects" }
{ actions_INCLUDES: "s3:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "AWS|*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Readable Azure Blob Containers
Connectors
Covered asset types
Expected check: eq []
{
blobContainers(
where: {
cloudProvider: "azure"
publicAccessBlocked: false
publicAccess_IN: ["Blob", "Container"]
}
) {...AssetFragment}
}
Publicly Accessible Google Cloud Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "gcp"
publicAccessBlocked: false
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allUsers" }
{ members_INCLUDES: "allAuthenticatedUsers" }
]
role: {
OR: [
{ permissions_INCLUDES: "storage.objects.get" }
{ permissions_INCLUDES: "storage.objects.list" }
{ permissions_INCLUDES: "storage.objects.create" }
{ permissions_INCLUDES: "storage.objects.delete" }
{ permissions_INCLUDES: "storage.objects.update" }
{ permissions_INCLUDES: "storage.objects.*" }
{ permissions_INCLUDES: "storage.objects.setIamPolicy" }
{
permissions_INCLUDES: "storage.multipartUploads.create"
}
{ permissions_INCLUDES: "storage.multipartUploads.*" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Alibaba Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "alibaba"
publicAccessBlocked: false
OR: [
{ acl_IN: ["public-read", "public-read-write"] }
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "oss:GetObject" }
{ actions_INCLUDES: "oss:PutObject" }
{ actions_INCLUDES: "oss:PutObjectAcl" }
{ actions_INCLUDES: "oss:ListObjects" }
{ actions_INCLUDES: "oss:GetObjectVersion" }
{ actions_INCLUDES: "oss:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly accessible SQS queues
Connectors
Covered asset types
Expected check: eq []
{ sqsQueues(where: { policyDocument: { statements_SOME: { AND: [ { effect: "Allow" }, { OR: [ { principals_INCLUDES: "" }, { principals_INCLUDES: "*" }, { principals_INCLUDES: "AWS|*" }, ] } ] } } }) {...AssetFragment} }Publicly Accessible PubSub Subscriptions
Connectors
Covered asset types
Expected check: eq []
{ pubSubSubscriptions( where: { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ) {...AssetFragment} } Publicly Accessible PubSub Topics
Connectors
Covered asset types
Expected check: eq []
{ pubSubTopics( where: { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ) {...AssetFragment} } Cloud KMS cryptokeys are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{OR:[{policyDocument_CONTAINS:"allUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}AWS KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
vms( where: { securityGroups_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } iamRoles_SOME: { iamPolicies_SOME: { iamPolicyStatements_SOME: { effect: "Allow" } } } } ) { iamRoles { iamPolicies { iamPolicyStatements { permissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } } }Google Cloud KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
vms( where: { firewalls_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } } ) { serviceAccount { serviceAccountRoles { hasIAMPermissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } }Alibaba KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
alibabaKMSKeysExposedThroughVMs {...AssetFragment}
}Azure KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{ vms( where: { networkInterfaces_SOME: { securityGroups_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } { sources_INCLUDES: "tag:Internet" } { sources: [] } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } } } ) { vmRoles { hasIAMPermissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } }RDS instances are not publicly reachable
Connectors
Covered asset types
Expected check: eq []
{dbInstances(where:{publicAccessBlocked:false}){...AssetFragment}}Publicly Accessible VMs for AWS/Alibaba
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
publicIpAddress_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}Publicly Accessible VMs for Azure
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: {
publicIp_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
}
) {
...AssetFragment
}
}
Publicly Accessible VMs for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
firewalls_SOME: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}Publicly Accessible AWS Keys
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys( where: { keyPolicy: { statements_SOME: { effect: "Allow" conditions: [] principals_INCLUDES: "AWS|*" } } } ) {...AssetFragment} } Publicly Accessible Google Cloud Keys
Connectors
Covered asset types
Expected check: eq []
{kmsKeys( where: { iamBindings_SOME: { OR: [{ members_INCLUDES: "allAuthenticatedUsers"}, { members_INCLUDES: "allUsers" }] } } ) {...AssetFragment}}The OSS used to store ActionTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets(where: {OR: [ {acl: "public-read"}, {acl: "public-read-write"}], trails_NOT: null}){...AssetFragment}}The S3 bucket used to store CloudTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { trails_NOT: null publicAccessBlocked: false OR: [ { hasBucketACLGrant_SOME: { OR: [ { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" } { granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" } ] } } { AND: [ { policyDocument_MATCHES: ".+\"Effect\":\"Allow\".+" } { policyDocument_MATCHES: ".+\"Principal\":\"*\".+" } ] } ] } ) {...AssetFragment}}Azure Storage Accounts Allowing Blob Public Access
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { allowBlobPublicAccess: true }) {
...AssetFragment
}
}Used AWS KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
]
}
}
iamRoles_SOME: {
iamPolicies_SOME: {
iamPolicyStatements_SOME: {
AND: [
{ effect: "Allow" }
{
permissions_SOME: {
isOwnedByIAMAssetType_SOME: {
includesKMSKey_ALL: {
dataStores_NOT: null
}
}
}
}
]
}
}
}
}
) {
iamRoles {
iamPolicies {
iamPolicyStatements {
permissions {
isOwnedByIAMAssetType {
includesKMSKey {
...AssetFragment
}
}
}
}
}
}
}
}Used Azure KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
iamRoles_SOME: {
hasIAMPermissions_SOME: {
isOwnedByIAMAssetType_SOME: {
includesKMSKey_SOME: { dataStores_NOT: null }
}
}
}
networkInterfaces_SOME: {
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
]
}
}
}
}
) {
vmRoles {
hasIAMPermissions {
isOwnedByIAMAssetType {
includesKMSKey {
...AssetFragment
}
}
}
}
}
}
Alibaba Used KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
alibabaUsedKMSKeysExposedThroughVMs {...AssetFragment}
}Google Cloud Used KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
gcpUsedKMSKeysExposedThroughVMs {
...AssetFragment
}
}
Private Google Access is set on Kubernetes Engine Cluster Subnets
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{subnetworks_SOME:{privateIpGoogleAccess:false}}){...AssetFragment}MySql database instances do not allow root login from any Host
Connectors
Covered asset types
Expected check: eq []
sqlUsers(where:{name:"root"OR:[{host:"%"},{host:"0.0.0.0"},{host:""}]}){...AssetFragment}Azure connectors without security contact additional email addresses
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { email: null } }
{ securityContacts_SOME: { email: "" } }
]
}
) {
...AssetFragment
}
}Azure connectors without subscription owner notifications
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { notificationByRoleState: "Off" } }
{
NOT: {
securityContacts_SOME: { notificationRoles_INCLUDES: "Owner" }
}
}
]
}
) {
...AssetFragment
}
}Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
dbFlags_SOME: { name: "external scripts enabled",value: "on" }
}
) {
...AssetFragment
}
}Ensure That Compute Instances Have Confidential Computing Enabled
Connectors
Covered asset types
Expected check: eq []
{
vms(where: { cloudProvider: "gcp", NOT:{enableConfidentialCompute: true} }) {
...AssetFragment
}
}
All S3 buckets employ encryption-at-rest
Connectors
Covered asset types
Expected check: eq []
buckets(where: { encrypted: false}) {...AssetFragment}Azure MySQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers (where: {encrypted: false}) {...AssetFragment} }Azure MySQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }AWS RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "aws" encrypted: false }) {...AssetFragment} }ApsaraDB RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "alibaba", encrypted: false }) {...AssetFragment} }Google Cloud Cloud SQL with no encryption
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: { encrypted: false }) {...AssetFragment} }Azure MariaDB Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(where: { encrypted: false }) {...AssetFragment}
}Databases without delete protection Azure
Connectors
Covered asset types
Expected check: eq []
{ databases(where: { deletionPrevention: "disabled" }) {...AssetFragment} } Databases without delete protection Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: {deletionPrevention: "disabled"}) {...AssetFragment} }Databases without delete protection aws and alibaba
Connectors
Covered asset types
Expected check: eq []
{ dbInstances(where: { AND: [ {deletionPrevention: "disabled" } {OR: [{ dbCluster: null }{ dbCluster: { deletionProtection: false }}]}]}) {...AssetFragment} }'Data encryption' is set to 'On' on a SQL Database
Connectors
Covered asset types
Expected check: eq []
{sqlDatabases(where: {encrypted: false}){...AssetFragment}}EBS encryption by default is enabled
Connectors
Covered asset types
Expected check: eq []
{ebsSettings(where: { encryptedByDefault: false }) {...AssetFragment}}Data stored in SNS Topics is encrypted
Connectors
Covered asset types
Expected check: eq []
{snsTopics(where:{hasSNSTopicAttribute_NONE:{key:"KmsMasterKeyId",OR:[{value_NOT:null},{value_NOT:""}]}}){...AssetFragment}}Kinesis Data Streams use encryption at rest
Connectors
Covered asset types
Expected check: eq []
{kinesisDataStreams(where:{encryptionType:"NONE"}){...AssetFragment}}RDS instances use encrypted volumes
Connectors
Covered asset types
Expected check: eq []
{dbInstances(where:{encrypted:false}){...AssetFragment}}Get unencrypted SageMaker notebooks
Connectors
Covered asset types
Expected check: eq []
{
sageMakerNoteBooks(
where: {
kmsKey: null
}
) {...AssetFragment}
}
Encrypted storage is used for VMs that might host a database
Connectors
Covered asset types
Expected check: eq []
{vms(where:{diskAttachments_SOME:{disk:{encrypted:false}},OR:[{name_MATCHES:"(?i).*database.*"},{name_MATCHES:"(?i).*db.*"},{name_MATCHES:"(?i).*mariadb.*"},{name_MATCHES:"(?i).*postgres.*"},{name_MATCHES:"(?i).*oracle.*"},{name_MATCHES:"(?i).*sql.*"}]}){...AssetFragment}}'Unattached disks' are encrypted
Connectors
Covered asset types
Expected check: eq []
disks(where: { status_NOT: "In_use", encrypted: false }) {...AssetFragment}'Virtual Machine's disk' are encrypted
Connectors
Covered asset types
Expected check: eq []
vms(where:{diskAttachments_SOME:{disk: {encrypted:false}}}) {...AssetFragment}Retrieve AWS Launch Template Without Encrypted EBS
Connectors
Covered asset types
Expected check: eq []
{
launchTemplateVersions(
where: { blockDeviceMappings_SOME: { encrypted: "false" } }
) {...AssetFragment}
}
The key vault is recoverable
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where:
{
OR: [
{enableSoftDelete_NOT: true }
{enablePurgeProtection_NOT: true }
] }
) {...AssetFragment}
}Azure Storage Accounts Without Soft Delete
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ blobServiceDeletePolicyEnabled: false }
{ blobServiceDeletePolicyDays: 0 }
{ containerDeleteRetentionPolicyEnabled: false }
{ containerDeleteRetentionPolicyDays: 0 }
]
}
) {
...AssetFragment
}
}AWS Launch Templates with Hop Count Greater than 1
Connectors
Covered asset types
Expected check: eq []
{
launchTemplateVersions(
where: { metadataOptionHTTPPutResponseHopLimit_GT: 1 }
) {...AssetFragment}
}
AWS VM Source Destination Check Disabled and Hop Count Greater Than 1
Connectors
Covered asset types
Expected check: eq []
{
vms (
where: {
networkInterfaces_SOME: {
sourceDestCheck: false
}
metadataOptionHTTPPutResponseHopLimit_GT: 1
}
) {...AssetFragment}
}AMIs Are Private
Connectors
Covered asset types
Expected check: eq []
{amis(where:{isPublic:true}){...AssetFragment}}'TDE' is set to 'Enabled' for applicable database instances
Connectors
Covered asset types
Expected check: eq []
dbInstances(where: { tdeStatus_NOT: "Enabled" }) {...AssetFragment}Azure Key Vault secrets without expiration date
Connectors
Covered asset types
Expected check: eq []
{
kmsSecrets(where: { expires: "0000-01-01T00:00:00.000Z" }) {
...AssetFragment
}
}Storage for critical data is encrypted with Customer Managed Key
Connectors
Covered asset types
Expected check: eq []
{storageAccounts(where:{byokEncrypted_NOT:true}){...AssetFragment}}Azure SQL Servers without TDE protector key encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
OR: [
{ encryptionProtector: null }
{ encryptionProtector: { serverKeyType: "ServiceManaged" } }
]
}
) {
...AssetFragment
}
}Server-side encryption is set to 'Encrypt with BYOK'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:{managementType:"ProviderManaged"}}]}){...AssetFragment}Server-side encryption is set to 'Encrypt with Service Key'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:null}]}){...AssetFragment}'OS and Data' disks are encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{vms(where:{diskAttachments_SOME:{disk:{,encryptionKey:null}}}){...AssetFragment}}'Unattached disks' are encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{disks(where:{diskState_MATCHES:"(?i)unattached",encryptionKey:null}){...AssetFragment}}RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{hasDNSKeySpec_SOME:{keyType:"keySigning",algorithm_MATCHES:"(?i)rsasha1"}}){...AssetFragment}RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{hasDNSKeySpec_SOME:{keyType:"zoneSigning",algorithm_MATCHES:"(?i)rsasha1"}}){...AssetFragment}No HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: {OR: [
{httpsProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
{sslProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
]}){
...AssetFragment
}
}
Kubernetes Clusters are configured with Labels
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{tags:null}){...AssetFragment}A log metric filter and alarm exist for IAM policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachGroupPolicy[\"]?\\s*\\)\\s*\\s*.*"){...AssetFragment}A log metric filter and alarm exist for CloudTrail configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StartLogging[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopLogging[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for S3 bucket policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?s3\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketReplication[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketReplication[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Config configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?config\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopConfigurationRecorder[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutConfigurationRecorder[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for security group changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateSecurityGroup[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteSecurityGroup[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclAssociation[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to network gateways
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachInternetGateway[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for route table changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRouteTableAssociation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisassociateRouteTable[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for VPC changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ModifyVpcAttribute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RejectVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableVpcClassicLink[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnableVpcClassicLink[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Organizations changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?organizations\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeclineHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?InviteAccountToOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?LeaveOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?MoveAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RemoveAccountFromOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateOrganizationalUnit[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}Log metric filter and alerts exist for Project Ownership assignments/changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging4{...AssetFragment}Log metric filter and alerts exist for Audit Configuration Changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging5{...AssetFragment}Log metric filter and alerts exist for Custom Role changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging6{...AssetFragment}Log metric filter and alerts exist for VPC Network Firewall rule changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging7{...AssetFragment}Log metric filter and alerts exist for VPC network route changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging8{...AssetFragment}Log metric filter and alerts exist for VPC network changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging9{...AssetFragment}Log metric filter and alerts exist for Cloud Storage IAM permission changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging10{...AssetFragment}Log metric filter and alerts exist for SQL instance configuration changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging11{...AssetFragment}Ensure there are no Compute with exploitable vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{ComputeWithExploitableVulnerabilities {...AssetFragment}}CloudRun revisions with high severity vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{
cloudRunRevisions(
where: {
image: {
findings_SOME: {
vulnerability: {
exploitAvailable: true
}
}
}
}) {
...AssetFragment
}
}Containers with exploitable high/critical vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{
ContainersWithExploitableVulnerabilities {
...AssetFragment
}
}
GCP VMs with security features disabled
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
OR: [
{ shieldedInstanceConfigEnableVtpm: false }
{ shieldedInstanceConfigEnableSecureBoot: false }
{ shieldedInstanceConfigEnableIntegrityMonitoring: false }
]
}
) {
...AssetFragment
}
}Cloud SQL database instances are configured with automated backups
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsBackupConfigurationEnabled:false}){...AssetFragment}Buckets without versioning enabled
Connectors
Covered asset types
Expected check: eq []
{ objectContainers (where: {versioningEnabled: false}) {...AssetFragment} } DNSSEC is enabled for Cloud DNS
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{dnsSecConfigState_NOT:"on"}){...AssetFragment}Application Load Balancer uses HTTPS Listener
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"application",listensOnHTTPListener_NONE:{hasCertificate:true}}){...AssetFragment}}Network Load Balancer uses TLS Listener
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"network",listensOnHTTPListener_NONE:{hasCertificate:true}}){...AssetFragment}}Legacy networks do not exist for a project
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{IPv4Range_NOT:"" gatewayIPv4_NOT:""}){...AssetFragment}Potential Elasticsearch database exposed to the internet (ports 9200 and/or 9300)
Connectors
Covered asset types
Expected check: eq []
{ securityGroups(where: {vms_NOT: null, rules_SOME: {direction: "Inbound", AND: [{OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}, {OR: [{destFromPort_LTE: 9200, destToPort_GTE: 9200}, {destFromPort_LTE: 9300, destToPort_GTE: 9300}]}]}}) {...AssetFragment}}The default network does not exist in a project
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{name:"default"}){...AssetFragment}'Allow access to Azure services' for PostgreSQL Database Server is disabled
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{firewallRules_SOME:,{OR:[{name_MATCHES:"(?i)allowallwindowsazureips"},{name_MATCHES:"(?i)allowallazureips"},{AND:[{startIPAddress:"0.0.0.0"},{endIPAddress:"0.0.0.0"}]}]}}){...AssetFragment}}Ensure 'Allow access to Azure services' for PostgreSQL Database Flexible Server is disabled
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers (where: {
firewallRules_SOME: {
OR: [
{ name_MATCHES: "(?i)allowallwindowsazureips" }
{ name_MATCHES: "(?i)allowallazureips" }
{ AND: [{ startIPAddress: "0.0.0.0" }, { endIPAddress: "0.0.0.0" }] }
]
}
}) {...AssetFragment}
}
App Engine Allowing Plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
appEngineServices(
where: {
serviceVersions_NONE: {
urlHandlers_SOME: {
urlRegex_IN: ["/.*", ".*"]
securityLevel_IN: ["SECURE_ALWAYS"]
}
}
}
) {
...AssetFragment
}
}Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
networkSettings_SOME: {
authorizedNetworks_SOME: {
OR: [{ cidrValue: "0.0.0.0/0" }, { cidrValue: "::/0" }]
}
}
}
) {
...AssetFragment
}
}Cloud SQL database instances do not have public IPs
Connectors
Covered asset types
Expected check: eq []
{cloudSqlInstances(where:{instanceType:"CLOUD_SQL_INSTANCE",backendType:"SECOND_GEN",ipAddresses_SOME:{type:"PRIMARY"}}){...AssetFragment}}Compute instances do not have public IP addresses
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
}
) {
...AssetFragment
}
}ECS services should not have public IP addresses assigned to them automatically
Connectors
Covered asset types
Expected check: eq []
{
ecsServices(where: {hasECSServiceNetworkConfigurations_SOME: { assignPublicIP: true}}) {...AssetFragment}
}S3 Bucket Policy is set to deny HTTP requests
Connectors
Covered asset types
Expected check: eq []
buckets(where: {OR: [{policyDocument_MATCHES: "^((?!(?i)\"effect\":\"deny\").)*$"},{policyDocument_MATCHES: "^((?!(?i)\"Bool|aws:SecureTransport|false\").)*$"}]}) {...AssetFragment}Publicly Accessible Alibaba ApsaraDB Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { AND: [ { publicAccessBlocked: false } { whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible RDS with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { AND: [ { publicAccessBlocked: false } { securityGroups_SOME: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } { OR: [ { tlsStatus: "" } { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Google Cloud Cloud SQL Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
AND: [
{ publicAccessBlocked: false }
{
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
{
OR: [
{ tlsStatus: "" }
{ tlsStatus: "disabled" }
{ tlsMinimumVersion_LT: 1.2 }
]
}
]
}
) {
...AssetFragment
}
} Publicly Accessible Azure MySQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure MySQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} }Publicly Accessible Azure PostgreSQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure MariaDB Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers (
where: {
AND: [
{ publicAccessBlocked: false }
{
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
{ OR: [{ tlsStatus: "disabled" }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}Publicly Accessible Azure SQL Databases with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
AND: [
{ publicAccessBlocked: false }
{
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
{ OR: [{ tlsStatus: "disabled" }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}Storage accounts with the default action not set to Deny
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { networkRuleSetDefaultAction: "Deny" } }) {
...AssetFragment
}
}All the expired SSL/TLS certificates stored in AWS IAM are removed
Connectors
Covered asset types
Expected check: eq []
AWS130IAM19 {...AssetFragment}Azure storage accounts not enforcing HTTPS
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { supportsHttpsTrafficOnly: true } }) {
...AssetFragment
}
}'Enforce SSL connection' is set to 'ENABLED' for MariaDB Database Server
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(
where: {
OR: [
{ sslEnforcement_MATCHES: "Disabled" }
{ sslEnforcement: null }
]
}
) {
...AssetFragment
}
}'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Connectors
Covered asset types
Expected check: eq []
{mySqlServers(where:{sslEnforcement_MATCHES:"(?i)^((?!enabled).)*$"},){...AssetFragment}}'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{sslEnforcement_MATCHES:"(?i)^((?!enabled).)*$"},){...AssetFragment}}Cloud SQL database instances require all incoming connections to use SSL
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsIPConfigurationRequireSsl:false}){...AssetFragment}Alibaba IAM account summaries with Anti-DDos log service enabled
Connectors
Covered asset types
Expected check: eq []
{
iamAccountSummaries(
where: {
hasIAMAccountSummaryItem_SOME: { key: "antiDDoSHasLogStore", value: 1 }
}
) {
connector {...AssetFragment}
}
}
AWS Multi-region cloud trails with logging enabled
Connectors
Covered asset types
Expected check: eq []
{
AWSLogging1 {...AssetFragment}
}
CloudTrail trails are integrated with CloudWatch Logs
Connectors
Covered asset types
Expected check: eq []
AWSLogging4{...AssetFragment}Storage Accounts without Blob Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isBlobServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}Azure storage accounts without queue service diagnostic settings logging
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isQueueServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}A log metric filter and alarm exist for unauthorized API calls
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?\\*UnauthorizedOperation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?AccessDenied\\*[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for Management Console sign-in without MFA
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.additionalEventData\\.MFAUsed\\s*!=\\s*[\"]?Yes[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for usage of "root" account
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\$\\.userIdentity\\.type\\s*=\\s*[\"]?Root[\"]?\\s*\\&\\&\\s*\\s*\\$\\.userIdentity\\.invokedBy\\s*NOT\\s*EXISTS\\s*\\&\\&\\s*\\$\\.eventType\\s*!=\\s*[\"]?AwsServiceEvent\\s*[\"]?\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Management Console authentication failures
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.errorMessage\\s*=\\s*[\"]?Failed authentication[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?kms\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableKey[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ScheduleKeyDeletion[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}Cloud Audit Logging is configured properly across all services and all users from a project
Connectors
Covered asset types
Expected check: eq []
GCPLogging1{...AssetFragment}Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
configurations_SOME: { name: "log_connections", value_MATCHES: "(?i)off" }
}
) {
...AssetFragment
}
}Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
configurations_SOME: {
name: "log_disconnections"
value_MATCHES: "(?i)off"
}
}
) {
...AssetFragment
}
}Activity Log Alert exists for Create or Update Public IP Address
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.network/publicIPAddresses/write") {
...AssetFragment
}
}Activity Log Alert exists for Delete Public IP Address
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.network/publicIPAddresses/delete") {
...AssetFragment
}
}Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/write"){...AssetFragment}}Activity Log Alert exists for Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/delete"){...AssetFragment}}Activity Log Alert exists for Create or Update Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/write"){...AssetFragment}}Activity Log Alert exists for Create Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/write"){...AssetFragment}}Activity Log Alert exists for Delete Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/delete"){...AssetFragment}}Activity Log Alert exists for Create or Update Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/write"){...AssetFragment}}Activity Log Alert exists for Delete Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/delete"){...AssetFragment}}Activity Log Alert exists for Delete Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/delete"){...AssetFragment}}The 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "log_connections" } } { dbFlags_SOME: { name: "log_connections", value: "off" } } ] } ) { ...AssetFragment }}The 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "log_disconnections" } } { dbFlags_SOME: { name: "log_disconnections", value: "off" } } ] } ) { ...AssetFragment }}AWS Config is enabled in all regions
Connectors
Covered asset types
Expected check: eq []
AWSLogging5{...AssetFragment}Access Logs is Enabled for ELB
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"application",hasLoadBalancerAttribute_NONE:{key:"access_logs.s3.enabled",value:"true"}}){...AssetFragment}}Google Cloud VPCs without DNS logging
Connectors
Covered asset types
Expected check: eq []
{
vpcs(where: { dnsPolicy_NONE: { NOT: { enableLogging_IN: ["true"] } } }) {
...AssetFragment
}
}Google Cloud Load Balancers without logging
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: { backendServices_ALL: { NOT: { logConfigEnabled: true } } }
) {
...AssetFragment
}
}S3 bucket access logging is enabled on the CloudTrail S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{trails_NOT: null, loggingEnabled:false}){...AssetFragment}}Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{loggingService_NOT:"logging.googleapis.com"}){...AssetFragment}VPC Flow logs is enabled for every subnet in a VPC Network
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{hasSubnetwork_SOME:{enableFlowLogs:false}}){...AssetFragment}VPC flow logging is enabled in all VPCs
Connectors
Covered asset types
Expected check: eq []
vpcs(where: {OR: [{hasFlowLog: null}, {hasFlowLog_NONE: {flowLogStatus: "ACTIVE"}}]}){...AssetFragment}Web Application Firewall access and security log service is enabled
Connectors
Covered asset types
Expected check: eq []
domains(where: { OR: [ {slsLogActive: false}, {wafActive: false} ] }) {...AssetFragment}Sinks are configured for all Log entries
Connectors
Covered asset types
Expected check: eq []
GCPLogging2{...AssetFragment}Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{configurations_NONE:{name:"log_checkpoints",value_MATCHES:"(?i)on"}},){...AssetFragment}}Object-level logging for read events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "ReadOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}Object-level logging for write events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "WriteOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}Logging is enabled for Cloud Storage buckets
Connectors
Covered asset types
Expected check: eq []
buckets(where:{loggingLogBucket_NOT:""}){...AssetFragment}Key Vaults without Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where: {
OR: [
{ loggingEnabled: false }
{
diagnosticSettings_SOME: {
resourceType: "Microsoft.KeyVault/vaults"
logs_SOME: {
enabled: false
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
) {
...AssetFragment
}
}Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud Sql Postgresql instance is set to 'on' for centralized logging
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "cloudsql.enable_pgaudit" }}, {dbFlags_SOME: {name: "cloudsql.enable_pgaudit", value: "off"}}]
}
) {
...AssetFragment
}
}Logging is enabled for OSS buckets
Connectors
Covered asset types
Expected check: eq []
buckets(where:{ loggingEnabled: false }){...AssetFragment}The 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" dbFlags_SOME: { name: "log_min_duration_statement", NOT: { value: "-1" } } } ) { ...AssetFragment }}Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_NONE: { name: "log_statement" }
}
) {
...AssetFragment
}
}Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{monitoringService_NOT:"monitoring.googleapis.com"}){...AssetFragment}Azure SQL Servers without auditing
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(where: { blobAuditingPolicies_NONE: { state: "Enabled" } }) {
...AssetFragment
}
}CloudTrail log file validation is enabled
Connectors
Covered asset types
Expected check: eq []
trails(where:{logFileValidationEnabled:false}){...AssetFragment}CloudTrail logs are encrypted at rest
Connectors
Covered asset types
Expected check: eq []
trails(where:{kmsKeyID:""}){...AssetFragment}Retention policies on log buckets are configured using Bucket Lock
Connectors
Covered asset types
Expected check: eq []
logBuckets(where:{locked:false}){...AssetFragment}Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{configurations_SOME:{name:"log_retention_days", value_MATCHES:"[0-3]"}}){...AssetFragment}}Object versioning is enabled on log-buckets
Connectors
Covered asset types
Expected check: eq []
GCPLogging3{...AssetFragment}Azure SQL Servers with audit retention lesser than 90 days
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
blobAuditingPolicies_NONE: {
state: "Enabled"
OR: [{ retentionDays: 0 }, { retentionDays_GT: 90 }]
}
}
) {
...AssetFragment
}
}Alibaba ActionTrails that export copies of all log entries
Connectors
Covered asset types
Expected check: eq []
{
AlibabaLogging1 {...AssetFragment}
}The 'log_min_messages' database flag for a Cloud SQL PostgreSQL is set
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" dbFlags_SOME: { name: "log_min_messages" NOT: { value_IN: ["error", "log", "fatal", "panic"] } } } ) { ...AssetFragment }}Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_error_verbosity", value: "verbose" }
}
) {
...AssetFragment
}
}Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_min_error_statement", NOT: {value_IN: ["error", "log", "fatal", "panic"]} }
}
) {
...AssetFragment
}
}GCP API Keys are restricted based on hosts and apps
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
clientRestrictions: []
}
) {
...AssetFragment
}
}GCP API Keys are restricted based on APIs
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
apiRestrictions: []
}
) {
...AssetFragment
}
}KMS encryption keys are rotated within a period of 90 days
Connectors
Covered asset types
Expected check: eq []
GCP110IAM10{...AssetFragment}Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AWSIAM4{...AssetFragment}Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AlibabaIAM6 {...AssetFragment}Encryption Keys expiring within the next 14 days
Connectors
Covered asset types
Expected check: eq []
{ EncryptionKeysExpiration(days: 14) {...AssetFragment} }Encryption Keys haven't been rotated in more than 90 days for AWS
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotationAWS(days: 90) {...AssetFragment}
}Encryption Keys haven't been rotated in more than 90 days
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotation(days: 90) {...AssetFragment}
}Encryption Keys scheduled for deletion
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys(where: {scheduleForDeletion: true, dataStores_SOME: { identifier_NOT: null }}) {...AssetFragment} }AWS Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{kmsKeys( where: { OR: [ { AND: {policyDocument_MATCHES: ".*arn:aws:iam::[0-9*]+:root.*", managementType: "CustomerManaged"} } { keyPolicy: { statements_SOME: { effect: "Allow" conditions: [] principals_INCLUDES: "AWS|*" } } } ] } ) {...AssetFragment}}Google Cloud Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys( where: { OR: [ { policyDocument_MATCHES: ".*domain:.*" } { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ] } ) {...AssetFragment} } Storage account access keys are periodically regenerated
Connectors
Covered asset types
Expected check: eq []
{StorageAccountsWithOldKeys{...AssetFragment}}User-managed/external keys for service accounts are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
GCPIAM5{...AssetFragment}ECS Services should use the latest platform version
Connectors
Covered asset types
Expected check: eq []
{
ecsServices(where: {NOT: { platformVersion_IN: ["LATEST", ""] }}) {...AssetFragment}
}Azure MySQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure MySQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure PostgreSQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure PostgreSQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
DBInstances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
dbInstances
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Cloud SQL Instances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}Azure MariaDB servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure App Service apps without HTTP 2.0
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { http20Enabled: false } }) {
...AssetFragment
}
}Azure app services running unsupported Java versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { javaVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}Azure app services running unsupported PHP versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { phpVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}Azure app services running unsupported Python versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { pythonVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}AWS Inspector is configured for EC2 Instances
Connectors
Covered asset types
Expected check: eq []
{vms(where:{inspectorEnabled:false}){...AssetFragment}}Azure connectors without notifications for high alerts
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { alertNotifications: false } }
]
}
) {
...AssetFragment
}
}
