
ISO/IEC 27001:2013 - Information security management systems

Category: Standards and Frameworks

Applies to: Alibaba Cloud, AWS, Google Cloud, Microsoft Azure, Microsoft Entra ID, Okta

Coverage: 286 controls, 248 queries

Asset types: 51 covered

Overview

ISO 27001 is the internationally recognised standard for managing risks to the security of the information you hold. Certification to ISO 27001 allows you to prove to your clients and other stakeholders that you are managing the security of your information. ISO 27001:2013 (the current version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS). The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining and improving your ISMS.

The ISO 27001 standard and an ISMS provide a framework for information security management best practice that helps organisations to:

  • Protect client and employee information
  • Manage risks to information security effectively
  • Achieve compliance with regulations such as the European Union General Data Protection Regulation (EU GDPR)
  • Protect the company's brand image

What is an ISMS?

An ISMS is a holistic approach to securing the confidentiality, integrity and availability (CIA) of corporate information assets. It consists of policies, procedures and other controls involving people, processes and technology.

Informed by regular information security risk assessments, an ISMS is an efficient, risk-based and technology-neutral approach to keeping your information assets secure.

About ISO 27001 Clauses and Controls

The Standard has ten management system clauses. Together with 114 information security controls (also known as safeguards), they support the implementation and maintenance of an ISMS:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context
  5. Leadership
  6. Planning and risk management
  7. Support
  8. Operations
  9. Performance evaluation
  10. Improvement

How do you implement ISO 27001 controls?

Technical controls are primarily implemented in information systems, using software, hardware, and firmware components added to the system. E.g. backup, antivirus software, etc.

Organizational controls are implemented by defining rules to be followed, and expected behavior from users, equipment, software, and systems. E.g. Access Control Policy, BYOD Policy, etc.

Legal controls are implemented by ensuring that rules and expected behaviors follow and enforce the laws, regulations, contracts, and other similar legal instruments that the organization must comply with. E.g. NDA (non-disclosure agreement), SLA (service level agreement), etc.

Physical controls are primarily implemented by using equipment or devices that have a physical interaction with people and objects. E.g. CCTV cameras, alarm systems, locks, etc.

Human resource controls are implemented by providing knowledge, education, skills, or experience to persons to enable them to perform their activities in a secure way. E.g. security awareness training, ISO 27001 internal auditor training, etc.

Control Objectives and Controls

A.5: Information security policies

A.5.1: Management direction for information security

A.6: Organization of information security

A.6.1: Internal organization

A.6.2: Mobile devices and teleworking

A.7: Human resource security

A.7.1: Prior to employment

A.7.2: During employment

A.7.3: Termination and change of employment

A.8: Asset management

A.8.1: Responsibility for assets

A.8.2: Information classification

A.8.3: Media handling

A.9: Access control

A.9.1: Business requirements of access control

A.9.2: User access management

A.9.3: User responsibilities

A.9.4: System and application access control

A.10: Cryptography

A.10.1: Cryptographic controls

A.11: Physical and environmental security

A.11.1: Secure areas

A.11.2: Equipment

A.12: Operations security

A.12.1: Operational procedures and responsibilities

A.12.2: Protection from malware

A.12.3: Backup

A.12.4: Logging and monitoring

A.12.5: Control of operational software

A.12.6: Technical vulnerability management

A.12.7: Information systems audit considerations

A.13: Communications security

A.13.1: Network security management

A.13.2: Information transfer

A.14: System acquisition, development and maintenance

A.14.1: Security requirements of information systems

A.14.2: Security in development and support processes

A.14.3: Test data

A.15: Supplier relationships

A.15.1: Information security in supplier relationships

A.15.2: Supplier service delivery management

A.16: Information security incident management

A.16.1: Management of information security incidents and improvements

A.17: Information security aspects of business continuity management

A.17.1: Information security continuity

A.17.2: Redundancies

A.18: Compliance

A.18.1: Compliance with legal and contractual requirements

A.18.2: Information security reviews

Procedures and mapped controls

A.5.1.1: Policies for information security

Requires defining and implementing information security policies in your organization.

A.5.1.2: Review of the policies for information security

Requires making sure that information security policies are regularly reviewed and updated.

A.6.1.1: Information security roles and responsibilities

Requires defining roles and responsibilities related to information security.

A.6.1.2: Segregation of duties

Requires clearly defining and separating duties or areas of responsibility.

A.6.1.3: Contact with authorities

Requires maintaining contacts with relevant authorities.

A.6.1.4: Contact with special interest groups

Requires maintaining contacts with groups, specialists or other professional associations that are relevant for information security.

A.6.1.5: Information security in project management

Requires that information security is addressed in project management as well.

A.6.2.1: Mobile device policy

Requires a policy regarding the secure use of mobile devices.

A.6.2.2: Teleworking

Requires a policy regarding the protection of information at teleworking sites.

A.7.1.1: Screening

Requires background verification of all candidates for employment.

A.7.1.2: Terms and conditions of employment

Requires that information security responsibilities are clearly specified in employment contracts.

A.7.2.1: Management responsibilities

Requires making sure that information security policies are being followed by employees and contractors.

A.7.2.2: Information security awareness, education and training

Requires making sure that employees and contractors receive adequate security training.

A.7.2.3: Disciplinary process

Requires establishing a disciplinary process to be applied to employees who commit a security breach.

A.7.3.1: Termination or change of employment responsibilities

Requires defining information security responsibilities that remain valid after the termination of employment.

A.8.1.1: Inventory of assets

Requires maintaining an inventory of information, assets related to information and information processing facilities.

Mapped controls

  • Ensure security questions are registered in the AWS account (General guidance)
  • Ensure IAM password policy requires a minimum length of 14 or greater (AWS)
  • Do not setup access keys during initial user setup for all IAM users that have a console password (AWS)
  • Ensure access keys are rotated every 90 days or less (AWS)
  • Ensure IAM Users receive permissions only through Groups (AWS)
  • Ensure a support role has been created to manage incidents with AWS Support (AWS)
  • Ensure that IAM Access analyzer is enabled for all regions (AWS)
  • Ensure AWS Config is enabled in all regions (AWS)
  • Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (AWS)
  • Ensure a log metric filter and alarm exist for IAM policy changes (AWS)
  • Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (AWS)
  • Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (AWS)
  • Ensure a log metric filter and alarm exist for S3 bucket policy changes (AWS)
  • Ensure a log metric filter and alarm exist for AWS Config configuration changes (AWS)
  • Ensure that there are only GCP-managed service account keys for each service account (Google Cloud)
  • Ensure Service Account has no Admin privileges (Google Cloud)
  • Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level (Google Cloud)
  • Ensure user-managed/external keys for service accounts are rotated every 90 days or less (Google Cloud)
  • Ensure Separation of duties is enforced while assigning Service Account related roles to users (Google Cloud)
  • Ensure KMS encryption keys are rotated within a period of 90 days (Google Cloud)
  • Ensure that Separation of duties is enforced while assigning KMS related roles to users (Google Cloud)
  • Ensure API keys are not created for a project (General guidance)
  • Ensure API Keys are restricted to use by only specified hosts and apps (Google Cloud)
  • Ensure API Keys are restricted to use only APIs that application needs access to (Google Cloud)
  • Ensure API Keys Are Rotated Every 90 Days (Google Cloud)
  • Ensure instances are not configured to use the default service account (Google Cloud)
  • Ensure that instances are not configured to use the default service account with full access to all Cloud APIs (Google Cloud)
  • Ensure "Block Project-wide SSH keys" is enabled for VM instances (Google Cloud)
  • Ensure oslogin is enabled for a Project (Google Cloud)
  • Ensure Cloud Asset Inventory Is Enabled (Google Cloud)
  • Ensure access keys are rotated every 90 days or less (Alibaba Cloud)
  • Ensure RAM password policy requires at least one uppercase letter (Alibaba Cloud)
  • Ensure RAM password policy requires at least one lowercase letter (Alibaba Cloud)
  • Ensure RAM password policy requires at least one symbol (Alibaba Cloud)
  • Ensure RAM password policy requires at least one number (Alibaba Cloud)
  • Ensure RAM password policy requires a minimum length of 14 or greater (Alibaba Cloud)
  • Ensure RAM password policy expires passwords within 90 days or less (Alibaba Cloud)
  • Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour (Alibaba Cloud)
  • Ensure RAM policies are attached only to groups or roles (Alibaba Cloud)
  • Ensure log monitoring and alerts are set up for Management Console sign-in without MFA (General guidance)
  • Ensure log monitoring and alerts are set up for Management Console authentication failures (General guidance)
  • Ensure log monitoring and alerts are set up for disabling or deletion of customer created CMKs (General guidance)
  • Ensure log monitoring and alerts are set up for OSS bucket policy changes (General guidance)
  • Ensure that the shared URL signature expires within an hour (General guidance)
  • Ensure role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters (General guidance)
  • Ensure Basic Authentication is not enabled on Kubernetes Engine Clusters (General guidance)
  • Ensure 'Number of days before users are asked to reconfirm their authentication information' is not set to '0' (Microsoft Entra ID)
  • Ensure 'Notify users on password resets?' is set to 'Yes' (Microsoft Entra ID)
  • Ensure 'User consent for applications' is set to 'Do not allow user consent' (Microsoft Entra ID)
  • Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' (Microsoft Entra ID)
  • Ensure 'Users Can Register Applications' Is Set to 'No' (Microsoft Entra ID)
  • Ensure 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' (Microsoft Entra ID)
  • Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' (Microsoft Entra ID)
  • Ensure 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' (Microsoft Entra ID)
  • Ensure 'Restrict user ability to access groups features in My Groups' is Set to 'Yes' (Microsoft Entra ID)
  • Ensure 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' (Microsoft Entra ID)
  • Ensure 'Owners can manage group membership requests in My Groups' is set to 'No' (Microsoft Entra ID)
  • Ensure 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' (Microsoft Entra ID)
  • Ensure Default Network Access Rule for Storage Accounts is Set to Deny (Microsoft Azure)
  • Ensure Only Approved Extensions Are Installed (Manual) (Microsoft Azure)
  • Ensure the Expiration Date is set for Key Vault Secrets (Microsoft Azure)
  • Ensure that Resource Locks are set for mission critical Azure resources (General guidance)
  • Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services (Microsoft Azure)
  • Ensure App Service Authentication is set up for apps in Azure App Service (Microsoft Azure)
  • Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' (Microsoft Azure)

A.8.1.2: Ownership of assets

Requires assigning owners to the assets in the inventory.

A.8.1.3: Acceptable use of assets

Requires defining, documenting and implementing rules on how information and information assets can be used.

Mapped controls

  • Ensure security questions are registered in the AWS account (General guidance)
  • Ensure IAM password policy requires a minimum length of 14 or greater (AWS)
  • Do not setup access keys during initial user setup for all IAM users that have a console password (AWS)
  • Ensure access keys are rotated every 90 days or less (AWS)
  • Ensure IAM Users receive permissions only through Groups (AWS)
  • Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (AWS)
  • Ensure a log metric filter and alarm exist for IAM policy changes (AWS)
  • Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (AWS)
  • Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (AWS)
  • Ensure that there are only GCP-managed service account keys for each service account (Google Cloud)
  • Ensure Service Account has no Admin privileges (Google Cloud)
  • Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level (Google Cloud)
  • Ensure user-managed/external keys for service accounts are rotated every 90 days or less (Google Cloud)
  • Ensure Separation of duties is enforced while assigning Service Account related roles to users (Google Cloud)
  • Ensure KMS encryption keys are rotated within a period of 90 days (Google Cloud)
  • Ensure that Separation of duties is enforced while assigning KMS related roles to users (Google Cloud)
  • Ensure API keys are not created for a project (General guidance)
  • Ensure API Keys are restricted to use by only specified hosts and apps (Google Cloud)
  • Ensure API Keys are restricted to use only APIs that application needs access to (Google Cloud)
  • Ensure API Keys Are Rotated Every 90 Days (Google Cloud)
  • Ensure instances are not configured to use the default service account (Google Cloud)
  • Ensure that instances are not configured to use the default service account with full access to all Cloud APIs (Google Cloud)
  • Ensure "Block Project-wide SSH keys" is enabled for VM instances (Google Cloud)
  • Ensure oslogin is enabled for a Project (Google Cloud)
  • Ensure access keys are rotated every 90 days or less (Alibaba Cloud)
  • Ensure RAM password policy requires at least one uppercase letter (Alibaba Cloud)
  • Ensure RAM password policy requires at least one lowercase letter (Alibaba Cloud)
  • Ensure RAM password policy requires at least one symbol (Alibaba Cloud)
  • Ensure RAM password policy requires at least one number (Alibaba Cloud)
  • Ensure RAM password policy requires a minimum length of 14 or greater (Alibaba Cloud)
  • Ensure RAM password policy expires passwords within 90 days or less (Alibaba Cloud)
  • Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour (Alibaba Cloud)
  • Ensure RAM policies are attached only to groups or roles (Alibaba Cloud)
  • Ensure log monitoring and alerts are set up for Management Console sign-in without MFA (General guidance)
  • Ensure log monitoring and alerts are set up for Management Console authentication failures (General guidance)
  • Ensure log monitoring and alerts are set up for disabling or deletion of customer created CMKs (General guidance)
  • Ensure that the shared URL signature expires within an hour (General guidance)
  • Ensure Basic Authentication is not enabled on Kubernetes Engine Clusters (General guidance)
  • Ensure 'Number of days before users are asked to reconfirm their authentication information' is not set to '0' (Microsoft Entra ID)
  • Ensure 'Notify users on password resets?' is set to 'Yes' (Microsoft Entra ID)
  • Ensure 'User consent for applications' is set to 'Do not allow user consent' (Microsoft Entra ID)
  • Ensure 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' (Microsoft Entra ID)
  • Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' (Microsoft Entra ID)
  • Ensure 'Restrict user ability to access groups features in My Groups' is Set to 'Yes' (Microsoft Entra ID)
  • Ensure 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' (Microsoft Entra ID)
  • Ensure 'Owners can manage group membership requests in My Groups' is set to 'No' (Microsoft Entra ID)
  • Ensure 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' (Microsoft Entra ID)
  • Ensure Default Network Access Rule for Storage Accounts is Set to Deny (Microsoft Azure)
  • Ensure the Expiration Date is set for Key Vault Secrets (Microsoft Azure)
  • Ensure App Service Authentication is set up for apps in Azure App Service (Microsoft Azure)
  • Ensure 'HTTPS Only' is set to 'On' for App Service (Microsoft Azure)
  • Ensure Web App is using the latest version of TLS encryption (Microsoft Azure)

A.8.1.4: Return of assets

Requires making sure that employees and contractors return any assets belonging to the organization once their contracts end.

A.8.2.1: Classification of information

Requires that all information is classified by criteria such as legal requirements or criticality.

A.8.2.2: Labelling of information

Requires defining a procedure for information labelling.

A.8.2.3: Handling of assets

Requires defining procedures for handling assets, taking into consideration information classification.

A.8.3.1: Management of removable media

Requires defining procedures for how to manage removable media, taking into consideration information classification.

A.8.3.2: Disposal of media

Requires defining procedures for how to dispose of removable media.

A.8.3.3: Physical media transfer

Requires defining procedures on how to securely transport media.

A.9.1.1: Access control policy

Requires defining an access control policy that considers the security needs of the organization.

Mapped controls

  • Ensure a support role has been created to manage incidents with AWS Support (AWS)
  • Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' (AWS)
  • Ensure that IAM Access analyzer is enabled for all regions (AWS)
  • Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (AWS)
  • Ensure a log metric filter and alarm exist for S3 bucket policy changes (AWS)
  • Ensure a log metric filter and alarm exist for security group changes (AWS)
  • Ensure a log metric filter and alarm exist for AWS Organizations changes (AWS)
  • Ensure the default security group of every VPC restricts all traffic (AWS)
  • Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level (Google Cloud)
  • Ensure Separation of duties is enforced while assigning Service Account related roles to users (Google Cloud)
  • Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible (Google Cloud)
  • Ensure that Separation of duties is enforced while assigning KMS related roles to users (Google Cloud)
  • Ensure Cloud Storage buckets have uniform bucket-level access enabled (Google Cloud)
  • Ensure the 'cross db ownership chaining' database flag for Cloud SQL on the SQL Server instance is set to 'Off' (Google Cloud)
  • Ensure the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' (Google Cloud)
  • Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses (Google Cloud)
  • Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible (Google Cloud)
  • Ensure log monitoring and alerts are set up for OSS bucket policy changes (General guidance)
  • Ensure routing tables for VPC peering are 'least access' (General guidance)
  • Ensure that RDS instances are not open to the world (Alibaba Cloud)
  • Ensure role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters (General guidance)
  • Ensure 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' (Microsoft Entra ID)
  • Ensure a Custom Role is Assigned Permissions for Administering Resource Locks (Microsoft Azure)
  • Ensure that Resource Locks are set for mission critical Azure resources (General guidance)
  • Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services (Microsoft Azure)
  • Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' (Microsoft Azure)

A.9.1.2: Access to networks and network services

Requires making sure that users have access only to those networks and network services that they are authorized to use.

A.9.2.1: User registration and de-registration

Requires establishing the procedures to assign and to de-assign access rights for users.

Mapped controls

  • Ensure security questions are registered in the AWS account (General guidance)
  • Ensure IAM password policy requires a minimum length of 14 or greater (AWS)
  • Do not setup access keys during initial user setup for all IAM users that have a console password (AWS)
  • Ensure access keys are rotated every 90 days or less (AWS)
  • Ensure IAM Users receive permissions only through Groups (AWS)
  • Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (AWS)
  • Ensure a log metric filter and alarm exist for IAM policy changes (AWS)
  • Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (AWS)
  • Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (AWS)
  • Ensure Managed IAM Policies are used instead of Inline Policies (AWS)
  • Ensure IAM Role can be assumed only by specific Principals (AWS)
  • Ensure that AWS Lambda functions do not share the same AWS IAM execution role (AWS)
  • Ensure that there are only GCP-managed service account keys for each service account (Google Cloud)
  • Ensure Service Account has no Admin privileges (Google Cloud)
  • Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level (Google Cloud)
  • Ensure user-managed/external keys for service accounts are rotated every 90 days or less (Google Cloud)
  • Ensure Separation of duties is enforced while assigning Service Account related roles to users (Google Cloud)
  • Ensure KMS encryption keys are rotated within a period of 90 days (Google Cloud)
  • Ensure that Separation of duties is enforced while assigning KMS related roles to users (Google Cloud)
  • Ensure API keys are not created for a project (General guidance)
  • Ensure API Keys are restricted to use by only specified hosts and apps (Google Cloud)
  • Ensure API Keys are restricted to use only APIs that application needs access to (Google Cloud)
  • Ensure API Keys Are Rotated Every 90 Days (Google Cloud)
  • Ensure instances are not configured to use the default service account (Google Cloud)
  • Ensure that instances are not configured to use the default service account with full access to all Cloud APIs (Google Cloud)
  • Ensure "Block Project-wide SSH keys" is enabled for VM instances (Google Cloud)
  • Ensure oslogin is enabled for a Project (Google Cloud)
  • Ensure access keys are rotated every 90 days or less (Alibaba Cloud)
  • Ensure RAM password policy requires at least one uppercase letter (Alibaba Cloud)
  • Ensure RAM password policy requires at least one lowercase letter (Alibaba Cloud)
  • Ensure RAM password policy requires at least one symbol (Alibaba Cloud)
  • Ensure RAM password policy requires at least one number (Alibaba Cloud)
  • Ensure RAM password policy requires a minimum length of 14 or greater (Alibaba Cloud)
  • Ensure RAM password policy expires passwords within 90 days or less (Alibaba Cloud)
  • Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour (Alibaba Cloud)
  • Ensure RAM policies are attached only to groups or roles (Alibaba Cloud)
  • Ensure log monitoring and alerts are set up for Management Console sign-in without MFA (General guidance)
  • Ensure log monitoring and alerts are set up for Management Console authentication failures (General guidance)
  • Ensure log monitoring and alerts are set up for disabling or deletion of customer created CMKs (General guidance)
  • Ensure that the shared URL signature expires within an hour (General guidance)
  • Ensure Basic Authentication is not enabled on Kubernetes Engine Clusters (General guidance)
  • Ensure 'Number of days before users are asked to reconfirm their authentication information' is not set to '0' (Microsoft Entra ID)
  • Ensure 'Notify users on password resets?' is set to 'Yes' (Microsoft Entra ID)
  • Ensure 'User consent for applications' is set to 'Do not allow user consent' (Microsoft Entra ID)
  • Ensure 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' (Microsoft Entra ID)
  • Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' (Microsoft Entra ID)
  • Ensure 'Restrict user ability to access groups features in My Groups' is Set to 'Yes' (Microsoft Entra ID)
  • Ensure 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' (Microsoft Entra ID)
  • Ensure 'Owners can manage group membership requests in My Groups' is set to 'No' (Microsoft Entra ID)
  • Ensure 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' (Microsoft Entra ID)
  • Ensure Default Network Access Rule for Storage Accounts is Set to Deny (Microsoft Azure)
  • Ensure the Expiration Date is set for Key Vault Secrets (Microsoft Azure)
  • Ensure App Service Authentication is set up for apps in Azure App Service (Microsoft Azure)

A.9.2.2: User access provisioning

Requires defining a formal process for user access provisioning.

A.9.2.3: Management of privileged access rights

Requires restricting and controlling privileged access rights.

A.9.2.4: Management of secret authentication information of users

Requires having a management process for secret authentication information.

A.9.2.5: Review of user access rights

Requires regularly reviewing user access rights.

A.9.2.6: Removal or adjustment of access rights

Requires making sure that access rights of employees and contractors are removed once their contracts end.

Mapped controls

  • Ensure security questions are registered in the AWS account (General guidance)
  • Ensure IAM password policy requires a minimum length of 14 or greater (AWS)
  • Do not setup access keys during initial user setup for all IAM users that have a console password (AWS)
  • Ensure access keys are rotated every 90 days or less (AWS)
  • Ensure IAM Users receive permissions only through Groups (AWS)
  • Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (AWS)
  • Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (AWS)
  • Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (AWS)
  • Ensure that there are only GCP-managed service account keys for each service account (Google Cloud)
  • Ensure Service Account has no Admin privileges (Google Cloud)
  • Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level (Google Cloud)
  • Ensure user-managed/external keys for service accounts are rotated every 90 days or less (Google Cloud)
  • Ensure Separation of duties is enforced while assigning Service Account related roles to users (Google Cloud)
  • Ensure KMS encryption keys are rotated within a period of 90 days (Google Cloud)
  • Ensure that Separation of duties is enforced while assigning KMS related roles to users (Google Cloud)
  • Ensure API keys are not created for a project (General guidance)
  • Ensure API Keys are restricted to use by only specified hosts and apps (Google Cloud)
  • Ensure API Keys are restricted to use only APIs that application needs access to (Google Cloud)
  • Ensure API Keys Are Rotated Every 90 Days (Google Cloud)
  • Ensure instances are not configured to use the default service account (Google Cloud)
  • Ensure that instances are not configured to use the default service account with full access to all Cloud APIs (Google Cloud)
  • Ensure "Block Project-wide SSH keys" is enabled for VM instances (Google Cloud)
  • Ensure oslogin is enabled for a Project (Google Cloud)
  • Ensure access keys are rotated every 90 days or less (Alibaba Cloud)
  • Ensure RAM password policy requires at least one uppercase letter (Alibaba Cloud)
  • Ensure RAM password policy requires at least one lowercase letter (Alibaba Cloud)
  • Ensure RAM password policy requires at least one symbol (Alibaba Cloud)
  • Ensure RAM password policy requires at least one number (Alibaba Cloud)
  • Ensure RAM password policy requires a minimum length of 14 or greater (Alibaba Cloud)
  • Ensure RAM password policy expires passwords within 90 days or less (Alibaba Cloud)
  • Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour (Alibaba Cloud)
  • Ensure RAM policies are attached only to groups or roles (Alibaba Cloud)
  • Ensure log monitoring and alerts are set up for Management Console sign-in without MFA (General guidance)
  • Ensure log monitoring and alerts are set up for Management Console authentication failures (General guidance)
  • Ensure log monitoring and alerts are set up for disabling or deletion of customer created CMKs (General guidance)
  • Ensure that the shared URL signature expires within an hour (General guidance)
  • Ensure Basic Authentication is not enabled on Kubernetes Engine Clusters (General guidance)
  • Ensure 'Number of days before users are asked to reconfirm their authentication information' is not set to '0' (Microsoft Entra ID)
  • Ensure 'Notify users on password resets?' is set to 'Yes' (Microsoft Entra ID)
  • Ensure 'User consent for applications' is set to 'Do not allow user consent' (Microsoft Entra ID)
  • Ensure 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' (Microsoft Entra ID)
  • Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' (Microsoft Entra ID)
  • Ensure 'Restrict user ability to access groups features in My Groups' is Set to 'Yes' (Microsoft Entra ID)
  • Ensure 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' (Microsoft Entra ID)
  • Ensure 'Owners can manage group membership requests in My Groups' is set to 'No' (Microsoft Entra ID)
  • Ensure 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' (Microsoft Entra ID)
  • Ensure Default Network Access Rule for Storage Accounts is Set to Deny (Microsoft Azure)
  • Ensure the Expiration Date is set for Key Vault Secrets (Microsoft Azure)
  • Ensure App Service Authentication is set up for apps in Azure App Service (Microsoft Azure)

A.9.3.1: Use of secret authentication information

Requires making sure users are following the organizational practices for the use of secret authentication information.

A.9.4.1: Information access restriction

Requires making sure access to systems and applications is restricted.

A.9.4.2: Secure log-on procedures

Requires establishing a secure log-on procedure where necessary.

A.9.4.3: Password management system

Requires a password management system that ensures quality passwords.

A.9.4.4: Use of privileged utility programs

Requires controlling the use of certain utility programs.

A.9.4.5: Access control to program source code

Requires restricting access to source code.

A.10.1.1: Policy on the use of cryptographic controls

Requires defining a policy regarding the use of cryptographic controls for information security.

Mapped controls

Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed

AWS

Ensure all S3 buckets employ encryption-at-rest

AWS

Ensure EBS encryption by default is enabled

AWS

Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs

AWS

Ensure data stored in SNS Topics is encrypted

AWS

Ensure Kinesis Data Streams use encryption at rest

AWS

Ensure RDS instances use encrypted volumes

AWS

Ensure databases are encrypted

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Ensure KMS encryption keys are rotated within a period of 90 days

Google Cloud

Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites

Google Cloud

Ensure oslogin is enabled for a Project

Google Cloud

Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)

Google Cloud

Ensure Compute instances are launched with Shielded VM enabled

Google Cloud

Ensure the Cloud SQL database instances require all incoming connections to use SSL

Google Cloud

Ensure log monitoring and alerts are set up for disabling or deletion of customer created CMKs

General guidance

Ensure that 'Unattached disks' are encrypted

Alibaba Cloud

Ensure that 'Virtual Machine's disk' are encrypted

Alibaba Cloud

Ensure server-side encryption is set to 'Encrypt with Service Key'

Alibaba Cloud

Ensure server-side encryption is set to 'Encrypt with BYOK'

Alibaba Cloud

Ensure RDS instances require all incoming connections to use SSL

Alibaba Cloud

Ensure that 'TDE' is set to 'Enabled' for applicable database instances

Alibaba Cloud

Ensure RDS instance TDE protector is encrypted with BYOK (Use your own key)

General guidance

Ensure Basic Authentication is not enabled on Kubernetes Engine Clusters

General guidance

Ensure 'Number of days before users are asked to reconfirm their authentication information' is not set to '0'

Microsoft Entra ID

Ensure 'Notify users on password resets?' is set to 'Yes'

Microsoft Entra ID

Ensure 'User consent for applications' is set to 'Do not allow user consent'

Microsoft Entra ID

Ensure 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'

Microsoft Entra ID

Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'

Microsoft Entra ID

Ensure 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'

Microsoft Entra ID

Ensure 'Restrict user ability to access groups features in My Groups' is Set to 'Yes'

Microsoft Entra ID

Ensure 'Secure transfer required' is set to 'Enabled'

Microsoft Azure

Ensure Storage for Critical Data Is Encrypted with Customer Managed Keys

Microsoft Azure

Ensure 'Data encryption' is set to 'On' on SQL Databases

Microsoft Azure

Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server

Microsoft Azure

Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server

Microsoft Azure

Ensure SQL server's TDE protector is encrypted with Customer Managed Keys (CMK)

Microsoft Azure

Ensure Virtual Machines are utilizing Managed Disks

Microsoft Azure

Ensure that 'OS and Data' disks are encrypted with Customer Managed Keys (CMK)

Microsoft Azure

Ensure that 'Unattached disks' are encrypted with Customer Managed Keys (CMK)

Microsoft Azure

[Legacy] Ensure that VHDs are Encrypted

Microsoft Azure

Ensure Key Vaults are Recoverable

Microsoft Azure

Ensure Web App is using the latest version of TLS encryption

Microsoft Azure

Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

Microsoft Azure

Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'

Microsoft Azure

Ensure Azure Key Vaults are used to store secrets

Microsoft Azure

A.10.1.2: Key management

Requires defining a policy on the use of cryptographic keys.

A.11.1.1: Physical security perimeter

Requires defining security perimeters based on the criticality of information stored or processed.

A.11.1.2: Physical entry controls

Requires establishing entry controls in order to allow access for authorized personnel only.

A.11.1.3: Securing offices, rooms and facilities

Requires taking physical security measures for offices, rooms and facilities.

A.11.1.4: Protecting against external and environmental threats

Requires ensuring physical protection against natural disasters or accidents.

A.11.1.5: Working in secure areas

Requires defining procedures for working in secure areas.

A.11.1.6: Delivery and loading areas

Requires controlling delivery and loading areas, where unauthorized persons might enter, so that they cannot be used to gain unauthorized access to information.

A.11.2.1: Equipment siting and protection

Requires ensuring the safety of equipment.

A.11.2.2: Supporting utilities

Requires ensuring the protection of equipment against power failures or other disruptions.

A.11.2.3: Cabling security

Requires ensuring the protection of cables carrying data.

A.11.2.4: Equipment maintenance

Requires ensuring the correct maintenance of equipment.

A.11.2.5: Removal of assets

Requires ensuring that authorization is needed for removing assets from the organization's premises.

A.11.2.6: Security of equipment and assets off-premises

Requires ensuring security when assets are used off-site.

A.11.2.7: Secure disposal or reuse of equipment

Requires ensuring the removal of any sensitive data or licensed software from storage media before disposal or re-use.

A.11.2.8: Unattended user equipment

Requires ensuring the protection of unattended equipment.

A.11.2.9: Clear desk and clear screen policy

Requires defining policies for what is accepted on the physical desk and on the computer desktop.

A.12.1.1: Documented operating procedures

Requires documenting operating procedures.

A.12.1.2: Change management

Requires controlling how changes that affect information security may happen in the organization.

A.12.1.3: Capacity management

Requires monitoring and forecasting the use of resources, in order to meet performance needs.

A.12.1.4: Separation of development, testing and operational environments

Requires making sure that development, testing and operational environments are separated.

A.12.2.1: Controls against malware

Requires ensuring protection against malware.

A.12.3.1: Information backup

Requires defining a backup policy and making sure backups are created.

A.12.4.1: Event logging

Requires producing and storing logs of information security events.

Mapped controls

Maintain current contact details

General guidance

Ensure security questions are registered in the AWS account

General guidance

Ensure IAM password policy requires a minimum length of 14 or greater

AWS

Do not setup access keys during initial user setup for all IAM users that have a console password

AWS

Ensure access keys are rotated every 90 days or less

AWS

Ensure IAM Users receive permissions only through Groups

AWS

Ensure CloudTrail is enabled in all regions

AWS

Ensure CloudTrail log file validation is enabled

AWS

Ensure CloudTrail trails are integrated with CloudWatch Logs

AWS

Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

AWS

Ensure CloudTrail logs are encrypted at rest using KMS CMKs

AWS

Ensure rotation for customer-created symmetric CMKs is enabled

AWS

Ensure VPC flow logging is enabled in all VPCs

AWS

Ensure that Object-level logging for write events is enabled for S3 bucket

AWS

Ensure that Object-level logging for read events is enabled for S3 bucket

AWS

Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

AWS

Ensure a log metric filter and alarm exist for IAM policy changes

AWS

Ensure a log metric filter and alarm exist for CloudTrail configuration changes

AWS

Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

AWS

Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs

AWS

Ensure a log metric filter and alarm exist for S3 bucket policy changes

AWS

Ensure a log metric filter and alarm exist for security group changes

AWS

Ensure a log metric filter and alarm exist for changes to network gateways

AWS

Ensure a log metric filter and alarm exist for route table changes

AWS

Ensure a log metric filter and alarm exist for AWS Organizations changes

AWS

Ensure Access Logs is Enabled for ELB

AWS

Ensure that there are only GCP-managed service account keys for each service account

Google Cloud

Ensure Service Account has no Admin privileges

Google Cloud

Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level

Google Cloud

Ensure user-managed/external keys for service accounts are rotated every 90 days or less

Google Cloud

Ensure Separation of duties is enforced while assigning Service Account related roles to users

Google Cloud

Ensure KMS encryption keys are rotated within a period of 90 days

Google Cloud

Ensure that Separation of duties is enforced while assigning KMS related roles to users

Google Cloud

Ensure API keys are not created for a project

General guidance

Ensure API Keys are restricted to use by only specified hosts and apps

Google Cloud

Ensure API Keys are restricted to use only APIs that application needs access to

Google Cloud

Ensure API Keys Are Rotated Every 90 Days

Google Cloud

Ensure Cloud Audit Logging is configured properly across all services and all users from a project

Google Cloud

Ensure sinks are configured for all Log entries

Google Cloud

Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock

Google Cloud

Ensure log metric filter and alerts exist for Project Ownership assignments/changes

Google Cloud

Ensure log metric filter and alerts exist for Audit Configuration Changes

Google Cloud

Ensure log metric filter and alerts exist for Custom Role changes

Google Cloud

Ensure log metric filter and alerts exist for VPC Network Firewall rule changes

Google Cloud

Ensure log metric filter and alerts exist for VPC network route changes

Google Cloud

Ensure log metric filter and alerts exist for VPC network changes

Google Cloud

Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes

Google Cloud

Ensure log metric filter and alerts exist for SQL instance configuration changes

Google Cloud

Ensure VPC Flow logs is enabled for every subnet in a VPC Network

Google Cloud

Ensure instances are not configured to use the default service account

Google Cloud

Ensure that instances are not configured to use the default service account with full access to all Cloud APIs

Google Cloud

Ensure "Block Project-wide SSH keys" is enabled for VM instances

Google Cloud

Ensure oslogin is enabled for a Project

Google Cloud

Ensure the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'On'

Google Cloud

Ensure the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'On'

Google Cloud

Ensure the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately

Google Cloud

Ensure the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (Disabled)

Google Cloud

Ensure access keys are rotated every 90 days or less

Alibaba Cloud

Ensure RAM password policy requires at least one uppercase letter

Alibaba Cloud

Ensure RAM password policy requires at least one lowercase letter

Alibaba Cloud

Ensure RAM password policy requires at least one symbol

Alibaba Cloud

Ensure RAM password policy requires at least one number

Alibaba Cloud

Ensure RAM password policy requires a minimum length of 14 or greater

Alibaba Cloud

Ensure RAM password policy expires passwords within 90 days or less

Alibaba Cloud

Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour

Alibaba Cloud

Ensure RAM policies are attached only to groups or roles

Alibaba Cloud

Ensure that ActionTrail is configured to export copies of all Log entries

Alibaba Cloud

Ensure the OSS used to store ActionTrail logs is not publicly accessible

Alibaba Cloud

Ensure audit logs for multiple cloud resources are integrated with Log Service

General guidance

Ensure Log Service is enabled for Container Service for Kubernetes

General guidance

Ensure log monitoring and alerts are set up for Management Console sign-in without MFA

General guidance

Ensure log monitoring and alerts are set up for Management Console authentication failures

General guidance

Ensure log monitoring and alerts are set up for disabling or deletion of customer created CMKs

General guidance

Ensure log monitoring and alerts are set up for OSS bucket policy changes

General guidance

Ensure that Logstore data retention period is set to 365 days or greater

General guidance

Ensure VPC flow logging is enabled in all VPCs

General guidance

Ensure that logging is enabled for OSS buckets

Alibaba Cloud

Ensure that the shared URL signature expires within an hour

General guidance

Ensure that 'Auditing' is set to 'On' for applicable database instances

General guidance

Ensure that 'Auditing' Retention is 'greater than 6 months'

General guidance

Ensure parameter 'log_connections' is set to 'ON' for PostgreSQL Database

General guidance

Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server

General guidance

Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server

General guidance

Ensure Log Service is set to 'Enabled' on Kubernetes Engine Clusters

General guidance

Ensure CloudMonitor is set to Enabled on Kubernetes Engine Clusters

General guidance

Ensure Basic Authentication is not enabled on Kubernetes Engine Clusters

General guidance

Ensure that Asset Fingerprint automatically collects asset fingerprint data

General guidance

Ensure 'Number of days before users are asked to reconfirm their authentication information' is not set to '0'

Microsoft Entra ID

Ensure 'Notify users on password resets?' is set to 'Yes'

Microsoft Entra ID

Ensure 'User consent for applications' is set to 'Do not allow user consent'

Microsoft Entra ID

Ensure 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'

Microsoft Entra ID

Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'

Microsoft Entra ID

Ensure 'Restrict user ability to access groups features in My Groups' is Set to 'Yes'

Microsoft Entra ID

Ensure 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Microsoft Entra ID

Ensure 'Owners can manage group membership requests in My Groups' is set to 'No'

Microsoft Entra ID

Ensure 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'

Microsoft Entra ID

Ensure Microsoft Defender for Servers is set to 'On'

Microsoft Azure

Ensure Microsoft Defender for App Services is set to 'On'

Microsoft Azure

Ensure Microsoft Defender for Azure SQL databases is set to 'On'

Microsoft Azure

Ensure Microsoft Defender for SQL Servers on machines is set to 'On'

Microsoft Azure

Ensure Microsoft Defender for Storage is set to 'On'

Microsoft Azure

Ensure Microsoft Defender for Key Vault is set to 'On'

Microsoft Azure

Ensure 'Endpoint protection' component status is set to 'On'

Microsoft Azure

Ensure Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is selected

Microsoft Azure

Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests

Microsoft Azure

Ensure Default Network Access Rule for Storage Accounts is Set to Deny

Microsoft Azure

Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests

Microsoft Azure

Ensure 'Auditing' is set to 'On' for SQL Servers

Microsoft Azure

Ensure 'Auditing' Retention is greater than 90 days for SQL Servers

Microsoft Azure

Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server

Microsoft Azure

[LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server

Microsoft Azure

[LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server

Microsoft Azure

Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server

Microsoft Azure

Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server

Microsoft Azure

Ensure Diagnostic Setting captures appropriate categories

Microsoft Azure

Ensure logging for Azure Key Vault is 'Enabled'

Microsoft Azure

Ensure that Activity Log Alert exists for Create Policy Assignment

Microsoft Azure

Ensure that Activity Log Alert exists for Delete Policy Assignment

Microsoft Azure

Ensure that Activity Log Alert exists for Create or Update Network Security Group

Microsoft Azure

Ensure that Activity Log Alert exists for Delete Network Security Group

Microsoft Azure

Ensure that Activity Log Alert exists for Create or Update Security Solution

Microsoft Azure

Ensure that Activity Log Alert exists for Delete Security Solution

Microsoft Azure

Ensure the Expiration Date is set for Key Vault Secrets

Microsoft Azure

Ensure App Service Authentication is set up for apps in Azure App Service

Microsoft Azure

Ensure Cloud DNS Logging Is Enabled for All VPC Networks

Google Cloud

Ensure Logging is enabled for HTTP(S) Load Balancers

Google Cloud

A.12.4.2: Protection of log information

Requires making sure that logs are protected, in order to ensure their integrity and to prevent unauthorized log access.

A.12.4.3: Administrator and operator logs

Requires producing and storing logs recording system administrator and system operator activities.

Mapped controls

Ensure there is only one active access key available for any single IAM user

AWS

Ensure IAM policies that allow full "*:*" administrative privileges are not attached

AWS

Ensure a support role has been created to manage incidents with AWS Support

AWS

Ensure that IAM Access analyzer is enabled for all regions

AWS

Ensure CloudTrail log file validation is enabled

AWS

Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

AWS

Ensure CloudTrail logs are encrypted at rest using KMS CMKs

AWS

Ensure rotation for customer-created symmetric CMKs is enabled

AWS

Ensure a log metric filter and alarm exist for unauthorized API calls

AWS

Ensure a log metric filter and alarm exist for CloudTrail configuration changes

AWS

Ensure a log metric filter and alarm exist for S3 bucket policy changes

AWS

Ensure that Separation of duties is enforced while assigning KMS related roles to users

Google Cloud

Ensure Cloud Audit Logging is configured properly across all services and all users from a project

Google Cloud

Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock

Google Cloud

Ensure RAM policies that allow full '*:*' administrative privileges are not created

Alibaba Cloud

Ensure the OSS used to store ActionTrail logs is not publicly accessible

Alibaba Cloud

Ensure Log Service is enabled for Container Service for Kubernetes

General guidance

Ensure virtual network flow log service is enabled

General guidance

Ensure Anti-DDoS access and security log service is enabled

Alibaba Cloud

Ensure Web Application Firewall access and security log service is enabled

Alibaba Cloud

Ensure Cloud Firewall access and security log analysis is enabled

General guidance

Ensure Security Center Network, Host and Security log analysis is enabled

General guidance

Ensure log monitoring and alerts are set up for RAM Role changes

General guidance

Ensure log monitoring and alerts are set up for Cloud Firewall changes

General guidance

Ensure log monitoring and alerts are set up for VPC network route changes

General guidance

Ensure log monitoring and alerts are set up for VPC changes

General guidance

Ensure log monitoring and alerts are set up for OSS permission changes

General guidance

Ensure log monitoring and alerts are set up for RDS instance configuration changes

General guidance

Ensure log monitoring and alerts are set up for unauthorized API calls

General guidance

Ensure log monitoring and alerts are set up for OSS bucket policy changes

General guidance

Ensure log monitoring and alerts are set up for security group changes

General guidance

Ensure that 'Auditing' is set to 'On' for applicable database instances

General guidance

Ensure that 'Auditing' Retention is 'greater than 6 months'

General guidance

Ensure parameter 'log_connections' is set to 'ON' for PostgreSQL Database

General guidance

Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server

General guidance

Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server

General guidance

Ensure role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters

General guidance

Ensure Kubernetes web UI / Dashboard is not enabled

General guidance

Ensure 'Notify all admins when other admins reset their password?' is set to 'Yes'

Microsoft Entra ID

Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'

Microsoft Entra ID

Ensure 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'

Microsoft Entra ID

Ensure that Resource Locks are set for mission critical Azure resources

General guidance

Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services

Microsoft Azure

Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

Microsoft Azure

A.12.4.4: Clock synchronisation

Requires using a single reference time source for all logs.

A.12.5.1: Installation of software on operational systems

Requires defining procedures for installation of software.

A.12.6.1: Management of technical vulnerabilities

Requires addressing the risk posed by technical vulnerabilities in the information systems being used by the organization.

A.12.6.2: Restrictions on software installation

Requires establishing rules regarding the installation of software by users.

A.12.7.1: Information systems audit controls

Requires planning and management of audits.

A.13.1.1: Network controls

Requires ensuring the protection of networks.

Mapped controls

Ensure management ports are restricted from the internet

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Ensure security questions are registered in the AWS account

General guidance

Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed

AWS

Ensure S3 Bucket Policy is set to deny HTTP requests

AWS

Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

AWS

Ensure Application Load Balancer uses HTTPS Listener

AWS

Ensure Network Load Balancer uses TLS Listener

AWS

Ensure weak TLS Protocols are not used for ELB

AWS

Ensure API keys are not created for a project

General guidance

Ensure API Keys are restricted to use by only specified hosts and apps

Google Cloud

Ensure API Keys are restricted to use only APIs that application needs access to

Google Cloud

Ensure API Keys Are Rotated Every 90 Days

Google Cloud

Ensure VPC Flow logs is enabled for every subnet in a VPC Network

Google Cloud

Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites

Google Cloud

Ensure oslogin is enabled for a Project

Google Cloud

Ensure Compute instances are launched with Shielded VM enabled

Google Cloud

Ensure Compute instances do not have public IP addresses

Google Cloud

Ensure App Engine Applications Enforce HTTPS Connections

Google Cloud

Ensure the Cloud SQL database instances require all incoming connections to use SSL

Google Cloud

Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses

Google Cloud

Ensure Cloud SQL database instances do not have public IPs

Google Cloud

Ensure the default firewall does not have any default rules besides http and https

Google Cloud

Ensure log monitoring and alerts are set up for Management Console sign-in without MFA

General guidance

Ensure log monitoring and alerts are set up for Management Console authentication failures

General guidance

Ensure log monitoring and alerts are set up for disabling or deletion of customer created CMKs

General guidance

Ensure log monitoring and alerts are set up for OSS bucket policy changes

General guidance

Ensure the security groups are configured with fine grained rules

General guidance

Ensure that 'Secure transfer required' is set to 'Enabled'

General guidance

Ensure that the shared URL signature expires within an hour

General guidance

Ensure RDS instances require all incoming connections to use SSL

Alibaba Cloud

Ensure that RDS instances are not open to the world

Alibaba Cloud

Ensure role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters

General guidance

Ensure Basic Authentication is not enabled on Kubernetes Engine Clusters

General guidance

Ensure Network policy is enabled on Kubernetes Engine Clusters

General guidance

Ensure ENI multiple IP mode support for Kubernetes Cluster

General guidance

Ensure Kubernetes Cluster is created with 'Private cluster' enabled

General guidance

Ensure 'Number of days before users are asked to reconfirm their authentication information' is not set to '0'

Microsoft Entra ID

Ensure 'Notify users on password resets?' is set to 'Yes'

Microsoft Entra ID

Ensure 'User consent for applications' is set to 'Do not allow user consent'

Microsoft Entra ID

Ensure 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'

Microsoft Entra ID

Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'

Microsoft Entra ID

Ensure 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'

Microsoft Entra ID

Ensure 'Restrict user ability to access groups features in My Groups' is Set to 'Yes'

Microsoft Entra ID

Ensure 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Microsoft Entra ID

Ensure 'Owners can manage group membership requests in My Groups' is set to 'No'

Microsoft Entra ID

Ensure 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'

Microsoft Entra ID

Ensure 'Secure transfer required' is set to 'Enabled'

Microsoft Azure

Ensure Default Network Access Rule for Storage Accounts is Set to Deny

Microsoft Azure

Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled

Microsoft Azure

Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)

Microsoft Azure

[Legacy] Ensure that VHDs are Encrypted

Microsoft Azure

Ensure Key Vaults are Recoverable

Microsoft Azure

Ensure the Expiration Date is set for Key Vault Secrets

Microsoft Azure

Ensure that Resource Locks are set for mission critical Azure resources

General guidance

Ensure App Service Authentication is set up for apps in Azure App Service

Microsoft Azure

Ensure 'HTTPS Only' is set to 'On' for App Service

Microsoft Azure

Ensure Web App is using the latest version of TLS encryption

Microsoft Azure

Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

Microsoft Azure

Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'

Microsoft Azure

A.13.1.2: Security of network services

Requires making sure that security mechanisms, service levels and requirements of network services are included in network services agreements.

A.13.1.3: Segregation in networks

Requires ensuring proper network segregation.

Mapped controls

Ensure management ports are restricted from the internet

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Ensure a support role has been created to manage incidents with AWS Support

AWS

Ensure that IAM Access analyzer is enabled for all regions

AWS

Ensure a log metric filter and alarm exist for S3 bucket policy changes

AWS

Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

AWS

Ensure AMIs Are Private

AWS

Ensure RDS Instances accept traffic only from the Application Servers

AWS

Ensure EC2 Instances are deployed in a VPC

AWS

Ensure RDS instances are not publicly reachable

AWS

Ensure S3 bucket policy does not grant Allow permission to everyone

AWS

Ensure unencrypted LDAP port (389) is not exposed to the internet

AWS

Ensure that Elasticsearch database is not exposed to the internet (ports 9200 and/or 9300)

AWS

Ensure 'Enable connecting to serial ports' is not enabled for VM Instance

Google Cloud

Ensure firewall rule does not allow all traffic for Oracle DB (port 1521)

Google Cloud

Ensure firewall rule does not allow all traffic for MongoDB (port 27017)

Google Cloud

Ensure firewall rule does not allow all traffic for MySQL (port 3306)

Google Cloud

Ensure firewall rule does not allow all traffic for PostgreSQL DB (port 5432)

Google Cloud

Ensure firewall rule does not allow all traffic on port 80

Google Cloud

Ensure firewall rule does not allow all traffic on all ports

Google Cloud

Ensure log monitoring and alerts are set up for OSS bucket policy changes

General guidance

Ensure the security groups are configured with fine grained rules

General guidance

Ensure role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters

General guidance

Ensure Network policy is enabled on Kubernetes Engine Clusters

General guidance

Ensure ENI multiple IP mode support for Kubernetes Cluster

General guidance

Ensure Kubernetes Cluster is created with 'Private cluster' enabled

General guidance

Ensure 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'

Microsoft Entra ID

Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access

Microsoft Azure

Ensure UDP access from the Internet is evaluated and restricted

Microsoft Azure

Ensure that Resource Locks are set for mission critical Azure resources

General guidance

Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

Microsoft Azure

A.13.2.1: Information transfer policies and procedures

Requires ensuring the protection of information being transferred.

A.13.2.2: Agreements on information transfer

Requires ensuring that the secure transfer of business information is addressed in agreements.

A.13.2.3: Electronic messaging

Requires ensuring the protection of information involved in electronic messaging.

Mapped controls

Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed

AWS

Ensure AMIs Are Private

AWS

Ensure RDS Instances accept traffic only from the Application Servers

AWS

Ensure EC2 Instances are deployed in a VPC

AWS

Ensure RDS instances are not publicly reachable

AWS

Ensure S3 bucket policy does not grant Allow permission to everyone

AWS

Ensure unencrypted LDAP port (389) is not exposed to the internet

AWS

Ensure that Elasticsearch database is not exposed to the internet (ports 9200 and/or 9300)

AWS

Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites

Google Cloud

Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)

Google Cloud

Ensure Compute instances are launched with Shielded VM enabled

Google Cloud

Ensure Compute instances do not have public IP addresses

Google Cloud

Ensure the 'local_infile' database flag for a Cloud SQL MySQL instance is set to 'Off'

Google Cloud

Ensure the Cloud SQL database instances require all incoming connections to use SSL

Google Cloud

Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses

Google Cloud

Ensure Cloud SQL database instances do not have public IPs

Google Cloud

Ensure firewall rule does not allow all traffic for Oracle DB (port 1521)

Google Cloud

Ensure firewall rule does not allow all traffic for MongoDB (port 27017)

Google Cloud

Ensure firewall rule does not allow all traffic for MySQL (port 3306)

Google Cloud

Ensure firewall rule does not allow all traffic for PostgreSQL DB (port 5432)

Google Cloud

Ensure firewall rule does not allow all traffic on port 80

Google Cloud

Ensure firewall rule does not allow all traffic on all ports

Google Cloud

Ensure server-side encryption is set to 'Encrypt with Service Key'

Alibaba Cloud

Ensure server-side encryption is set to 'Encrypt with BYOK'

Alibaba Cloud

Ensure RDS instances require all incoming connections to use SSL

Alibaba Cloud

Ensure that RDS instances are not open to the world

Alibaba Cloud

Ensure Virtual Machines are utilizing Managed Disks

Microsoft Azure

[Legacy] Ensure that VHDs are Encrypted

Microsoft Azure

Ensure Key Vaults are Recoverable

Microsoft Azure

Ensure 'HTTPS Only' is set to 'On' for App Service

Microsoft Azure

Ensure Web App is using the latest version of TLS encryption

Microsoft Azure

Ensure Azure Key Vaults are used to store secrets

Microsoft Azure

A.13.2.4: Confidentiality or non-disclosure agreements

Requires defining and regularly reviewing the requirements for confidentiality and the non-disclosure agreements employed by the organization.

A.14.1.1: Information security requirements analysis and specification

Requires including requirements related to information security in the design of new information systems, as well as in updates to existing information systems.

A.14.1.2: Securing application services on public networks

Requires ensuring the protection of information passing over public networks.

A.14.1.3: Protecting application services transactions

Requires ensuring the protection of information involved in application service transactions.

A.14.2.1: Secure development policy

Requires establishing rules for the development of software and systems.

A.14.2.2: System change control procedures

Requires the use of change control procedures for changes to systems within the development lifecycle.

A.14.2.3: Technical review of applications after operating platform changes

Requires testing business critical applications after changes to operating platforms.

A.14.2.4: Restrictions on changes to software packages

Requires controlling changes to software packages.

A.14.2.5: Secure system engineering principles

Requires enforcement of secure system engineering principles.

A.14.2.6: Secure development environment

Requires ensuring the protection of development environments.

A.14.2.7: Outsourced development

Requires ensuring the supervision and monitoring of outsourced development.

A.14.2.8: System security testing

Requires testing for security during development.

A.14.2.9: System acceptance testing

Requires establishing acceptance testing criteria for new information systems or for upgrades to existing information systems.

A.14.3.1: Protection of test data

Requires ensuring secure management of test data.

A.15.1.1: Information security policy for supplier relationships

Requires ensuring secure management of any supplier's access to the organization's assets.

A.15.1.2: Addressing security within supplier agreements

Requires establishing information security requirements with each supplier.

A.15.1.3: Information and communication technology supply chain

Requires that agreements with suppliers address risks associated with information and communications technology services.

A.15.2.1: Monitoring and review of supplier services

Requires that supplier service delivery is monitored and reviewed at regular intervals.

A.15.2.2: Managing changes to supplier services

Requires proper management of changes related to supplier services.

A.16.1.1: Responsibilities and procedures

Requires defining the responsibilities and the procedures to be employed in case of an information security incident.

A.16.1.2: Reporting information security events

Requires establishing a proper way to report information security events.

A.16.1.3: Reporting information security weaknesses

Requires making sure that employees and contractors report any security weakness that they notice in the systems or services being used.

A.16.1.4: Assessment of and decision on information security events

Requires ensuring the assessment of any security event in order to classify it as an information security incident, as the case may be.

A.16.1.5: Response to information security incidents

Requires ensuring responses to security incidents.

A.16.1.6: Learning from information security incidents

Requires making sure that any knowledge gained from analysing information security incidents is used to prevent or properly address future incidents.

A.16.1.7: Collection of evidence

Requires ensuring collection of evidence that can be used in case of security incidents.

A.17.1.1: Planning information security continuity

Requires establishing plans for the continuity of information security in case of crisis or disaster.

A.17.1.2: Implementing information security continuity

Requires defining processes and procedures for the continuity of information security in case of crisis or disaster.

A.17.1.3: Verify, review and evaluate information security continuity

Requires ensuring the review of plans, processes and procedures designed for the continuity of information security in case of crisis or disaster.

A.17.2.1: Availability of information processing facilities

Requires taking redundancy measures, so that information processing facilities are available according to requirements.

A.18.1.1: Identification of applicable legislation and contractual requirements

Requires making sure that applicable legislation is identified and documented.

A.18.1.2: Intellectual property rights

Requires making sure that procedures to ensure compliance with legislation and regulations regarding intellectual property rights and use of proprietary software are implemented.

A.18.1.3: Protection of records

Requires ensuring the protection of records against loss, destruction, and mishandling.

A.18.1.4: Privacy and protection of personally identifiable information

Requires ensuring the protection of PII.

A.18.1.5: Regulation of cryptographic controls

Requires regulating the use of cryptographic controls in accordance with legislation.

A.18.2.1: Independent review of information security

Requires making sure that information security policies and procedures belonging to the organization are independently and regularly reviewed.

A.18.2.2: Compliance with security policies and standards

Requires making sure that information processing in the organization is compliant with relevant security policies and standards.

A.18.2.3: Technical compliance review

Requires making sure that information systems are compliant with the relevant security policies and standards.

Query logic

These are the stored checks tied to this framework.

Eliminate use of the "root" user for administrative and daily tasks

Connectors

AWS

Covered asset types

RootUser

Expected check: eq []

AWSIAM1 {...AssetFragment}
IAM policies that allow full "*:*" administrative privileges are not attached to IAMRoles

Connectors

AWS

Covered asset types

IAMRole

Expected check: eq []

{iamRoles(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}}
IAM policies that allow full "*:*" administrative privileges are not attached to IAMUsers

Connectors

AWS

Covered asset types

IAMUser

Expected check: eq []

iamUsers(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}
IAM policies that allow full "*:*" administrative privileges are not attached to IAMGroups

Connectors

AWS

Covered asset types

IAMGroup

Expected check: eq []

iamGroups(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}
IAM Users receive permissions only through Groups

Connectors

AWS

Covered asset types

IAMUser

Expected check: eq []

iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {...AssetFragment}
All the expired SSL/TLS certificates stored in AWS IAM are removed

Connectors

AWS

Covered asset types

IAMServerCertificate

Expected check: eq []

AWS130IAM19 {...AssetFragment}
No HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites

Connectors

Google Cloud

Covered asset types

LoadBalancer

Expected check: eq []

{
  loadBalancers(
    where: {OR: [
      {httpsProxies_SOME: {OR: [
        {sslPolicy: ""},
        {hasSSLPolicy: {OR: [
          {profile: "COMPATIBLE"},
          {AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
          {AND: [
            {profile: "CUSTOM"}, 
            {OR: [
                  {enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
                  {enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA384"},
                  {enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
                  {enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
                  {enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
                ]
            }
          ]}
        ]}
        }
      ]}},
      {sslProxies_SOME: {OR: [
        {sslPolicy: ""},
        {hasSSLPolicy: {OR: [
          {profile: "COMPATIBLE"},
          {AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
          {AND: [
            {profile: "CUSTOM"}, 
            {OR: [
                  {enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
                  {enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA384"},
                  {enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
                  {enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
                  {enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
                ]
            }
          ]}
        ]}
        }
      ]}},
    ]}){
    ...AssetFragment
  }
}
VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)

Connectors

Google Cloud

Covered asset types

Disk

Expected check: eq []

disks(where:{encryptedWithCustomerSuppliedKey: false }){...AssetFragment}
GCP VMs with security features disabled

Connectors

Google Cloud

Covered asset types

VM

Expected check: eq []

{
  vms(
    where: {
      OR: [
        { shieldedInstanceConfigEnableVtpm: false }
        { shieldedInstanceConfigEnableSecureBoot: false }
        { shieldedInstanceConfigEnableIntegrityMonitoring: false }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Compute instances do not have public IP addresses

Connectors

Google Cloud

Covered asset types

VM

Expected check: eq []

{
  vms(
    where: {
      networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
      NOT: { name_STARTS_WITH: "gke-" }
    }
  ) {
    ...AssetFragment
  }
}
The 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{
  cloudSqlInstances(
    where: {
      engine: "mysql"
      cloudProvider: "gcp"
      OR: [
        { dbFlags_NONE: { name: "local_infile" } }
        { dbFlags_SOME: { name: "local_infile", value: "on" } }
      ]
    }
  ) { ...AssetFragment }
}
Cloud SQL database instances require all incoming connections to use SSL

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

cloudSqlInstances(where:{settingsIPConfigurationRequireSsl:false}){...AssetFragment}
Google Cloud Cloud SQL

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{
  cloudSqlInstances(
    where: {
      cloudProvider: "gcp"
      networkSettings_SOME: {
        authorizedNetworks_SOME: {
        OR: [{ cidrValue: "0.0.0.0/0" }, { cidrValue: "::/0" }]
      }
      }
    }
  ) {
    ...AssetFragment
  }
}
Cloud SQL database instances do not have public IPs

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{cloudSqlInstances(where:{instanceType:"CLOUD_SQL_INSTANCE",backendType:"SECOND_GEN",ipAddresses_SOME:{type:"PRIMARY"}}){...AssetFragment}}
Server-side encryption is set to 'Encrypt with Service Key'

Connectors

Alibaba Cloud

Covered asset types

Bucket

Expected check: eq []

buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:null}]}){...AssetFragment}
Server-side encryption is set to 'Encrypt with BYOK'

Connectors

Alibaba Cloud

Covered asset types

Bucket

Expected check: eq []

buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:{managementType:"ProviderManaged"}}]}){...AssetFragment}
RDS instances require all incoming connections to use SSL

Connectors

Alibaba Cloud

Covered asset types

DBInstance

Expected check: eq []

AlibabaRDS2{...AssetFragment}
RDS instances are not open to the world

Connectors

Alibaba Cloud

Expected check: eq []

dbInstances(where: { netInfo_SOME: { ipAddress: "0.0.0.0" } }) {...AssetFragment}
Azure VMs with unmanaged disks

Connectors

Microsoft Azure

Covered asset types

VM

Expected check: eq []

{
  vms(where: { diskAttachments_SOME: { NOT: { vhdURI: "" } } }) {
    ...AssetFragment
  }
}
Azure unmanaged disks

Connectors

Microsoft Azure

Covered asset types

Disk

Expected check: eq []

{
  disks(where: { diskAttachments: { NOT: { vhdURI: "" } } }) {
    ...AssetFragment
  }
}
The key vault is recoverable

Connectors

Microsoft Azure

Covered asset types

KMSVault

Expected check: eq []

{
  kmsVaults(
    where: {
      OR: [
        { enableSoftDelete_NOT: true }
        { enablePurgeProtection_NOT: true }
      ]
    }
  ) {...AssetFragment}
}
FunctionApps with secrets that are not keyvault references

Connectors

Microsoft Azure

Covered asset types

FunctionApp

Expected check: eq []

{
  functionApps(
    where: {
      applicationConfig: {
        settings_SOME: {
          type: "AppService"
          key_MATCHES: "(.*)(_*?)(key|pass|secret|salt|connectionstring|connection_string)(.*)"
        }
      }
    }
  ) {...AssetFragment}
}
Sites with secrets that are not keyvault references

Connectors

Microsoft Azure

Covered asset types

Site

Expected check: eq []

{
  sites(
    where: {
      applicationConfig: {
        settings_SOME: {
          type: "AppService"
          key_MATCHES: "(.*)(_*?)(key|pass|secret|salt|connectionstring|connection_string)(.*)"
        }
      }
    }
  ) {...AssetFragment}
}
IAM Users that are inactive for 30 days or more are deactivated

Connectors

AWS

Covered asset types

IAMUser

Expected check: eq []

{AWSIAM20{...AssetFragment}}
IAM password policy requires a minimum length of 14 or greater

Connectors

AWS

Covered asset types

IAMPasswordPolicy

Expected check: eq []

iamPasswordPolicies(where:{minimumPasswordLength_LT:14}){...AssetFragment}
Do not setup access keys during initial user setup for all IAM users that have a console password

Connectors

AWS

Covered asset types

IAMUser

Expected check: eq []

iamUsers(where:{hasIAMUserCredentials:{OR:[{accessKey1Active:true,accessKey1LastUsedDate:null}{accessKey2Active:true,accessKey2LastUsedDate: null }]}}){...AssetFragment}
Access keys are rotated every 90 days or less

Connectors

AWS

Covered asset types

IAMUser

Expected check: eq []

AWSIAM4{...AssetFragment}
AWS IAMPolicies with support role

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

{
  AWSIAM16 {...AssetFragment}
}
IAM Access analyzer is enabled for all regions

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWS140IAM20{...AssetFragment}
AWS Config is enabled in all regions

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSLogging5{...AssetFragment}
A log metric filter and alarm exist for Management Console sign-in without MFA

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.additionalEventData\\.MFAUsed\\s*!=\\s*[\"]?Yes[\"]?\\s*\\)\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for IAM policy changes

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachGroupPolicy[\"]?\\s*\\)\\s*\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for AWS Management Console authentication failures

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.errorMessage\\s*=\\s*[\"]?Failed authentication[\"]?\\s*\\)\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?kms\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableKey[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ScheduleKeyDeletion[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for S3 bucket policy changes

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?s3\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketReplication[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketReplication[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for AWS Config configuration changes

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?config\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopConfigurationRecorder[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutConfigurationRecorder[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}
There are only GCP-managed service account keys for each service account

Connectors

Google Cloud

Covered asset types

IAMServiceAccount

Expected check: eq []

{iamServiceAccounts(where:{hasIAMServiceAccountKeys_SOME:{keyType: "USER_MANAGED"}}){...AssetFragment}}
Ensure Service Account has no Admin privileges

Connectors

Google Cloud

Covered asset types

IAMServiceAccount

Expected check: eq []

{
  iamServiceAccounts(
    where: {
      hasIAMRole_SOME: {
        OR: [
          { name: "roles/owner" }
          { name: "roles/editor" }
          { name_CONTAINS: "admin" }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}
IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level

Connectors

Google Cloud

Covered asset types

IAMServiceAccountIAMUser

Expected check: eq []

GCP110IAM6{...AssetFragment}
User-managed/external keys for service accounts are rotated every 90 days or less

Connectors

Google Cloud

Covered asset types

IAMServiceAccountKey

Expected check: eq []

GCPIAM5{...AssetFragment}
Separation of duties is enforced while assigning service account related roles to users

Connectors

Google Cloud

Covered asset types

IAMUser

Expected check: eq []

{
  iamUsers(
    where: {
      AND: [
        {
          hasIAMRole_SOME: {
            name: "roles/iam.serviceAccountAdmin"
          }
        }
        {
          hasIAMRole_SOME: {
            name: "roles/iam.serviceAccountUser"
          }
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
KMS encryption keys are rotated within a period of 90 days

Connectors

Google Cloud

Covered asset types

KMSKey

Expected check: eq []

GCP110IAM10{...AssetFragment}
Separation of duties is enforced while assigning KMS related roles to users

Connectors

Google Cloud

Covered asset types

IAMUser

Expected check: eq []

{
  iamUsers(
    where: {
      AND: [
        {
          hasIAMRole_SOME: {
            OR: [
              { name: "roles/cloudkms.admin" }
              { name: "roles/owner" }
              { name: "roles/editor" }
            ]
          }
        }
        {
          hasIAMRole_SOME: {
            OR: [
              { name: "roles/cloudkms.cryptoKeyEncrypterDecrypter" }
              { name: "roles/cloudkms.cryptoKeyEncrypter" }
              { name: "roles/cloudkms.cryptoKeyDecrypter" }
            ]
          }
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
GCP API Keys are restricted based on hosts and apps

Connectors

Google Cloud

Covered asset types

APIKey

Expected check: eq []

{
  apiKeys(
    where: {
      clientRestrictions: []
    }
  ) {
    ...AssetFragment
  }
}
GCP API Keys are restricted based on APIs

Connectors

Google Cloud

Covered asset types

APIKey

Expected check: eq []

{
  apiKeys(
    where: {
       apiRestrictions: []
    }
  ) {
    ...AssetFragment
  }
}
API Keys rotation

Connectors

Google Cloud

Covered asset types

APIKey

Expected check: eq []

{
  APIKeysRotation(days: 90) {...AssetFragment}
}
Instances are not configured to use the default service account

Connectors

Google Cloud

Covered asset types

VM

Expected check: eq []

vms(where: {serviceAccountEmail_CONTAINS: "[email protected]"}) {...AssetFragment}
Instances are not configured to use the default service account with full access to all Cloud APIs

Connectors

Google Cloud

Covered asset types

VM

Expected check: eq []

GCPVM1{...AssetFragment}
"Block Project-wide SSH keys" is enabled for VM instances

Connectors

Google Cloud

Covered asset types

VM

Expected check: eq []

vms(where:{hasVMMetadataItem_SOME:{key:"block-project-ssh-keys" value:"false"}}){...AssetFragment}
Oslogin is enabled for a Project

Connectors

Google Cloud

Covered asset types

Project

Expected check: eq []

projects(where:{hasCommonInstanceMetadataItem_SOME:{key:"os-login",value:"false"}}){...AssetFragment}
Google Cloud Projects Without Asset Inventory

Connectors

Google Cloud

Covered asset types

Project

Expected check: eq []

{
  projects(
    where: { NOT: { enabledServices_INCLUDES: "cloudasset.googleapis.com" } }
  ) {
    ...AssetFragment
  }
}
Access keys are rotated every 90 days or less

Connectors

Alibaba Cloud

Covered asset types

IAMUser

Expected check: eq []

AlibabaIAM6 {...AssetFragment}
RAM password policy requires at least one uppercase letter

Connectors

Alibaba Cloud

Covered asset types

IAMPasswordPolicy

Expected check: eq []

iamPasswordPolicies( where: { requireUppercaseCharacters: false}) {...AssetFragment}
RAM password policy requires at least one lowercase letter

Connectors

Alibaba Cloud

Covered asset types

IAMPasswordPolicy

Expected check: eq []

iamPasswordPolicies( where: { requireLowercaseCharacters: false}) {...AssetFragment}
RAM password policy requires at least one symbol

Connectors

Alibaba Cloud

Covered asset types

IAMPasswordPolicy

Expected check: eq []

iamPasswordPolicies( where: { requireSymbols: false}) {...AssetFragment}
RAM password policy requires at least one number

Connectors

Alibaba Cloud

Covered asset types

IAMPasswordPolicy

Expected check: eq []

iamPasswordPolicies( where: { requireNumbers: false}) {...AssetFragment}
RAM password policy requires a minimum length of 14 or greater

Connectors

Alibaba Cloud

Covered asset types

IAMPasswordPolicy

Expected check: eq []

iamPasswordPolicies( where: { minimumPasswordLength_LT: 14}) {...AssetFragment}
RAM password policy expires passwords within 90 days or less

Connectors

Alibaba Cloud

Covered asset types

IAMPasswordPolicy

Expected check: eq []

iamPasswordPolicies( where: { maxPasswordAge_GT: 90 }) {...AssetFragment}
RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour

Connectors

Alibaba Cloud

Covered asset types

IAMPasswordPolicy

Expected check: eq []

iamPasswordPolicies( where: { maxLoginAttempts_LT: 5 }) {...AssetFragment}
RAM policies are attached only to groups or roles

Connectors

Alibaba Cloud

Covered asset types

IAMUser

Expected check: eq []

iamUsers(where: { iamPolicies_SOME: { idFromProvider_NOT: null } }) {...AssetFragment}
All Entra tenants

Connectors

Microsoft Entra ID

Covered asset types

Connector

Expected check: eq []

{
  connectors(where: {cloudProvider: "entra"}) {
    ...AssetFragment
  }
}
Entra tenants that do not block user consent

Connectors

Microsoft Entra ID

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: {
      authorizationPolicy: {
        OR: [
          {
            defaultUserPermissionGrantPoliciesAssigned_INCLUDES: "ManagePermissionGrantsForSelf.microsoft-user-default-low"
          }
          {
            defaultUserPermissionGrantPoliciesAssigned_INCLUDES: "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
          }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}
Entra tenants without consent allowed for verified publishers

Connectors

Microsoft Entra ID

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: {
      authorizationPolicy: {
        NOT: {
          defaultUserPermissionGrantPoliciesAssigned_INCLUDES: "ManagePermissionGrantsForSelf.microsoft-user-default-low"
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Entra Tenants allowing users to register apps

Connectors

Microsoft Entra ID

Covered asset types

Connector

Expected check: eq []

{
  connectors(where: { directoryProperties: { usersCanRegisterApps: true } }) {
    ...AssetFragment
  }
}
Entra with permissive guest user restrictions

Connectors

Microsoft Entra ID

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: {
      authorizationPolicy: {
        NOT: { guestUserRoleId: "2af84b1e-32c8-42b7-82bc-daa82404023b" }
      }
    }
  ) {
    ...AssetFragment
  }
}
Entra with permissive guest invite restrictions

Connectors

Microsoft Entra ID

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: {
      authorizationPolicy: {
        NOT: { allowInvitesFrom: "adminsAndGuestInviters" }
      }
    }
  ) {
    ...AssetFragment
  }
}
Entra tenants allowing users to create security groups

Connectors

Microsoft Entra ID

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: {
      authorizationPolicy: { defaultUserAllowedToCreateSecurityGroups: true }
    }
  ) {
    ...AssetFragment
  }
}
Entra Tenants allowing Microsoft 365 group creation

Connectors

Microsoft Entra ID

Covered asset types

Connector

Expected check: eq []

{
  connectors(where: { groupUnifiedSettings: { enableGroupCreation: true } }) {
    ...AssetFragment
  }
}
Storage accounts with the default action not set to Deny

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(where: { NOT: { networkRuleSetDefaultAction: "Deny" } }) {
    ...AssetFragment
  }
}
Azure VMs with extensions

Connectors

Microsoft Azure

Covered asset types

VM

Expected check: eq []

{
  vms(where: { NOT: { extensions_SOME: null } }) {
    ...AssetFragment
  }
}
Azure Key Vault secrets without expiration date

Connectors

Microsoft Azure

Covered asset types

KMSSecret

Expected check: eq []

{
  kmsSecrets(where: { expires: "0000-01-01T00:00:00.000Z" }) {
    ...AssetFragment
  }
}
Enable role-based access control (RBAC) within Azure Kubernetes Services

Connectors

Microsoft Azure

Covered asset types

Cluster

Expected check: eq []

{aksClusters(where:{enableRBAC_NOT:true}){...AssetFragment}}
Azure App Services without authentication

Connectors

Microsoft Azure

Covered asset types

Site

Expected check: eq []

{
  sites(where: { authSettings: { enabled: true } }) {
    ...AssetFragment
  }
}
The web app has 'Client Certificates (Incoming client certificates)' set to 'On'

Connectors

Microsoft Azure

Covered asset types

Site

Expected check: eq []

{sites(where:{clientCertEnabled_NOT:true}){...AssetFragment}}
Azure app services allowing plain HTTP

Connectors

Microsoft Azure

Covered asset types

Site

Expected check: eq []

{
  sites(where: { httpsOnly: false }) {
    ...AssetFragment
  }
}
Azure app services allowing old TLS

Connectors

Microsoft Azure

Covered asset types

Site

Expected check: eq []

{
  sites(where: { siteConfig: { NOT: { minTlsVersion_IN: ["1.2", "1.3"] } } }) {
    ...AssetFragment
  }
}
Kubernetes Clusters are configured with Labels

Connectors

Google Cloud

Covered asset types

Cluster

Expected check: eq []

gkeClusters(where:{tags:null}){...AssetFragment}
S3 Buckets are configured with 'Block public access (bucket settings)'

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

buckets(where: { publicAccessBlocked: false }) {...AssetFragment}
The S3 bucket used to store CloudTrail logs is not publicly accessible

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

{
  buckets(
    where: {
      trails_NOT: null
      publicAccessBlocked: false
      OR: [
        {
          hasBucketACLGrant_SOME: {
            OR: [
              { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
              { granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" }
            ]
          }
        }
        {
          AND: [
            { policyDocument_MATCHES: ".+\"Effect\":\"Allow\".+" }
            { policyDocument_MATCHES: ".+\"Principal\":\"*\".+" }
          ]
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
A log metric filter and alarm exist for security group changes

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateSecurityGroup[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteSecurityGroup[\"]?\\s*\\)\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for AWS Organizations changes

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?organizations\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeclineHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?InviteAccountToOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?LeaveOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?MoveAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RemoveAccountFromOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateOrganizationalUnit[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}
The default security group of every VPC restricts all traffic

Connectors

AWS

Covered asset types

SecurityGroup

Expected check: eq []

{
  securityGroups(where: { groupName: "default", NOT: { rules_SOME: null } }) {
    ...AssetFragment
  }
}
Cloud KMS cryptokeys are not anonymously or publicly accessible

Connectors

Google Cloud

Covered asset types

KMSKey

Expected check: eq []

kmsKeys(where:{OR:[{policyDocument_CONTAINS:"allUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}
Cloud Storage buckets have uniform bucket-level access enabled

Connectors

Google Cloud

Covered asset types

Bucket

Expected check: eq []

buckets(where:{iamConfigurationUniformBucketLevelAccessEnabled:false}){...AssetFragment}
The 'cross db ownership chaining' database flag for Cloud SQL on the SQL Server instance is set to 'off'

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{
  cloudSqlInstances(
    where: {
      engine: "sqlserver"
      cloudProvider: "gcp"
      OR: [
        { dbFlags_NONE: { name: "cross db ownership chaining" } }
        { dbFlags_SOME: { name: "cross db ownership chaining", value: "on" } }
      ]
    }
  ) {
    ...AssetFragment
  }
}
The 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{
  cloudSqlInstances(
    where: {
      engine: "sqlserver"
      cloudProvider: "gcp"
      OR: [
        { dbFlags_NONE: { name: "contained database authentication" } }
        { dbFlags_SOME: { name: "contained database authentication", value: "on" } }
      ]
    }
  ) {
    ...AssetFragment
  }
}
BigQuery datasets are not anonymously or publicly accessible

Connectors

Google Cloud

Covered asset types

BigQueryTable

Expected check: eq []

bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}
Azure IAM Custom roles with lock permission

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  AzureConnectorsWithoutCustomLockRoles{
    ...AssetFragment
  }
}
AMIs Are Private

Connectors

AWS

Covered asset types

AMI

Expected check: eq []

{amis(where:{isPublic:true}){...AssetFragment}}
EC2 Instances are deployed in a VPC

Connectors

AWS

Covered asset types

VM

Expected check: eq []

{vms(where:{OR:[{vpcID:null},{vpcID:""}]}){...AssetFragment}}
RDS instances are not publicly reachable

Connectors

AWS

Covered asset types

DBInstance

Expected check: eq []

{dbInstances(where:{publicAccessBlocked:false}){...AssetFragment}}
S3 bucket policy does not grant Allow permission to everyone

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

{buckets(where:{AND:[{policyDocument_CONTAINS:"\"Effect\":\"Allow\""},{policyDocument_CONTAINS:"\"Principal\":\"*\""}]}){...AssetFragment}}
Managed IAM Policies are used instead of Inline Policies

Connectors

AWS

Covered asset types

IAMGroup, IAMRole, IAMUser

Expected check: eq []

{AWSIAM8{...AssetFragment}}
IAM Role can be assumed only by specific Principals

Connectors

AWS

Covered asset types

IAMRole

Expected check: eq []

{iamRoles(where:{hasIAMAssumeRolePolicyStatement_SOME:{hasIAMAssumeRolePolicyPrincipal_SOME:{value:"*"}}}){...AssetFragment}}
AWS Lambda functions do not share the same AWS IAM execution role

Connectors

AWS

Covered asset types

Function

Expected check: eq []

{AWSIAM21{...AssetFragment}}
AWS Root users with access key

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

{
  rootUsers(
    where: {
      hasIAMUserCredentials: {
        OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
      }
    }
  ) {
    connector {...AssetFragment}
  }
}
There is only one active access key available for any single IAM user

Connectors

AWS

Covered asset types

IAMUser

Expected check: eq []

AWS130IAM13 {...AssetFragment}
Basic/primitive roles are not used

Connectors

Google Cloud

Covered asset types

IAMRole

Expected check: eq []

{
  iamUsers(
    where: {
      hasIAMRole_SOME: {
        name_IN: ["roles/viewer", "roles/editor", "roles/owner"]
      }
    }
  ) {
    ...AssetFragment
  }
}
Avoid the use of the 'root' account

Connectors

Alibaba Cloud

Covered asset types

Connector

Expected check: eq []

AlibabaIAM1{...AssetFragment}
RAM policies that allow full '*:*' administrative privileges are not created

Connectors

Alibaba Cloud

Covered asset types

IAMPolicy

Expected check: eq []

iamPolicies(where: { policyType: "Custom", iamPolicyStatements_SOME: { effect: "Allow", actions_INCLUDES: "*" } }) {...AssetFragment}
Azure connectors without security contact additional email addresses

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: {
      OR: [
        { securityContacts_SOME: null }
        { securityContacts_SOME: { email: null } }
        { securityContacts_SOME: { email: "" } }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Azure connectors without notifications for high alerts

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: {
      OR: [
        { securityContacts_SOME: null }
        { securityContacts_SOME: { alertNotifications: false } }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Azure connectors without subscription owner notifications

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: {
      OR: [
        { securityContacts_SOME: null }
        { securityContacts_SOME: { notificationByRoleState: "Off" } }
        {
          NOT: {
            securityContacts_SOME: { notificationRoles_INCLUDES: "Owner" }
          }
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
A log metric filter and alarm exist for usage of "root" account

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\$\\.userIdentity\\.type\\s*=\\s*[\"]?Root[\"]?\\s*\\&\\&\\s*\\s*\\$\\.userIdentity\\.invokedBy\\s*NOT\\s*EXISTS\\s*\\&\\&\\s*\\$\\.eventType\\s*!=\\s*[\"]?AwsServiceEvent\\s*[\"]?\\s*.*"){...AssetFragment}
No Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)

Connectors

Microsoft Azure

Covered asset types

SQLServer

Expected check: eq []

{sqlServers(where:{firewallRules_SOME:{startIpAddress_CONTAINS:"0.0.0.0"}}){...AssetFragment}}
Multi-factor authentication (MFA) is enabled for all IAM users that have a console password

Connectors

AWS

Covered asset types

IAMUser

Expected check: eq []

iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}
Google Cloud IAMUsers Without MFA

Connectors

Google Cloud

Covered asset types

IAMUser

Expected check: eq []

{
  iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
    ...AssetFragment
  }
}
Entra Users Without MFA With Access to Azure

Connectors

Microsoft Azure

Covered asset types

User

Expected check: eq []

{
  users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
    ...AssetFragment
  }
}
Multi-factor authentication is enabled for all RAM users that have a console password

Connectors

Alibaba Cloud

Covered asset types

IAMUser

Expected check: eq []

iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}
Entra users without MFA

Connectors

Microsoft Entra ID

Covered asset types

User

Expected check: eq []

{
  users(where: { mfaActive: false }) {
    ...AssetFragment
  }
}
MFA is configured with strong factors

Connectors

Okta

Covered asset types

Policy

Expected check: eq []

oktaPolicies(where: { type: "MFA_ENROLL", OR:[{allowedFactors_INCLUDES: "phone_number"}, {allowedFactors_INCLUDES: "security_question"}, {allowedFactors_INCLUDES: "okta_email"}]}) {...AssetFragment}
There are no weak password policies

Connectors

Okta

Covered asset types

PasswordPolicy

Expected check: eq []

passwordPolicies(where: { OR:[{minLength_LT: 14}, {minLowerCase_LT: 1}, {minUpperCase_LT: 1}, {minNumber_LT: 1}, {minSymbol_LT: 1}, {reuseCount_LT: 1}]}) {...AssetFragment}
MFA is enabled for the "root" account

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSIAM13{...AssetFragment}
Hardware MFA is enabled for the "root" account (Hardware MFA)

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSIAM14{...AssetFragment}
IAM password policy prevents password reuse (24 times)

Connectors

AWS

Covered asset types

IAMPasswordPolicy

Expected check: eq []

iamPasswordPolicies(where:{passwordReusePrevention_LT:24}){...AssetFragment}
RAM password policy prevents password reuse

Connectors

Alibaba Cloud

Covered asset types

IAMPasswordPolicy

Expected check: eq []

iamPasswordPolicies( where: { passwordReusePrevention_NOT: 24 }) {...AssetFragment}
All S3 buckets employ encryption-at-rest

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

buckets(where: { encrypted: false}) {...AssetFragment}
EBS encryption by default is enabled

Connectors

AWS

Covered asset types

EBSSettings

Expected check: eq []

{ebsSettings(where: { encryptedByDefault: false }) {...AssetFragment}}
Data stored in SNS Topics is encrypted

Connectors

AWS

Covered asset types

SNSTopic

Expected check: eq []

{snsTopics(where:{hasSNSTopicAttribute_NONE:{key:"KmsMasterKeyId",OR:[{value_NOT:null},{value_NOT:""}]}}){...AssetFragment}}
Kinesis Data Streams use encryption at rest

Connectors

AWS

Covered asset types

KinesisDataStream

Expected check: eq []

{kinesisDataStreams(where:{encryptionType:"NONE"}){...AssetFragment}}
RDS instances use encrypted volumes

Connectors

AWS

Covered asset types

DBInstance

Expected check: eq []

{dbInstances(where:{encrypted:false}){...AssetFragment}}
Azure MySQL Servers with no encryption

Connectors

Microsoft Azure

Covered asset types

MySQLServer

Expected check: eq []

{ mySqlServers (where: {encrypted: false}) {...AssetFragment} }
Azure MySQL Flexible Servers with no encryption

Connectors

Microsoft Azure

Covered asset types

MySQLFlexibleServer

Expected check: eq []

{ mySqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }
Azure PostgreSQL Servers with no encryption

Connectors

Microsoft Azure

Covered asset types

PostgreSQLServer

Expected check: eq []

{ postgreSqlServers (where: {encrypted: false}) {...AssetFragment} }
Azure PostgreSQL Flexible Servers with no encryption

Connectors

Microsoft Azure

Covered asset types

PostgreSQLFlexibleServer

Expected check: eq []

{ postgreSqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }
AWS RDS with no encryption

Connectors

AWS

Covered asset types

DBInstance

Expected check: eq []

{ dbInstances (where: { cloudProvider: "aws" encrypted: false }) {...AssetFragment} }
ApsaraDB RDS with no encryption

Connectors

Alibaba Cloud

Covered asset types

DBInstance

Expected check: eq []

{ dbInstances (where: { cloudProvider: "alibaba", encrypted: false }) {...AssetFragment} }
Google Cloud Cloud SQL with no encryption

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{ cloudSqlInstances (where: { encrypted: false }) {...AssetFragment} }
Azure MariaDB Servers with no encryption

Connectors

Microsoft Azure

Covered asset types

MariaDBServer

Expected check: eq []

{
  mariaDbServers(where: { encrypted: false }) {...AssetFragment}
}
'Unattached disks' are encrypted

Connectors

Alibaba Cloud

Covered asset types

Disk

Expected check: eq []

disks(where: { status_NOT: "In_use", encrypted: false }) {...AssetFragment}
'Virtual Machine's disks' are encrypted

Connectors

Alibaba Cloud

Covered asset types

VM

Expected check: eq []

vms(where:{diskAttachments_SOME:{disk: {encrypted:false}}}) {...AssetFragment}
'TDE' is set to 'Enabled' for applicable database instances

Connectors

Alibaba Cloud

Covered asset types

DBInstance

Expected check: eq []

dbInstances(where: { tdeStatus_NOT: "Enabled" }) {...AssetFragment}
Azure storage accounts not enforcing HTTPS

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(where: { NOT: { supportsHttpsTrafficOnly: true } }) {
    ...AssetFragment
  }
}
Storage for critical data is encrypted with Customer Managed Key

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{storageAccounts(where:{byokEncrypted_NOT:true}){...AssetFragment}}
'Data encryption' is set to 'On' on a SQL Database

Connectors

Microsoft Azure

Covered asset types

SQLDatabase

Expected check: eq []

{sqlDatabases(where: {encrypted: false}){...AssetFragment}}
'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server

Connectors

Microsoft Azure

Covered asset types

PostgreSQLServer

Expected check: eq []

{postgreSqlServers(where:{sslEnforcement_MATCHES:"(?i)^((?!enabled).)*$"}){...AssetFragment}}
'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server

Connectors

Microsoft Azure

Covered asset types

MySQLServer

Expected check: eq []

{mySqlServers(where:{sslEnforcement_MATCHES:"(?i)^((?!enabled).)*$"}){...AssetFragment}}
Azure SQL Servers without TDE protector key encrypted with CMK

Connectors

Microsoft Azure

Covered asset types

SQLServer

Expected check: eq []

{
  sqlServers(
    where: {
      OR: [
        { encryptionProtector: null }
        { encryptionProtector: { serverKeyType: "ServiceManaged" } }
      ]
    }
  ) {
    ...AssetFragment
  }
}
'OS and Data' disks are encrypted with CMK

Connectors

Microsoft Azure

Covered asset types

VM

Expected check: eq []

{
  vms(where: { diskAttachments_SOME: { disk: { encryptionKey: null } } }) {
    ...AssetFragment
  }
}
'Unattached disks' are encrypted with CMK

Connectors

Microsoft Azure

Covered asset types

Disk

Expected check: eq []

{disks(where:{diskState_MATCHES:"(?i)unattached",encryptionKey:null}){...AssetFragment}}
Azure App Services allowing plain FTP deployments

Connectors

Microsoft Azure

Covered asset types

Site

Expected check: eq []

{
  sites(where: { siteConfig: { ftpsState: "AllAllowed" } }) {
    ...AssetFragment
  }
}
Encryption Keys haven't been rotated in more than 90 days for AWS

Connectors

AWS

Covered asset types

KMSKey

Expected check: eq []

{
  EncryptionKeysRotationAWS(days: 90) {...AssetFragment}
}
Encryption Keys haven't been rotated in more than 90 days

Connectors

Google Cloud

Covered asset types

KMSKey

Expected check: eq []

{
  EncryptionKeysRotation(days: 90) {...AssetFragment}
}
AWS Keys With Permissive Access Policy

Connectors

AWS

Covered asset types

KMSKey

Expected check: eq []

{
  kmsKeys(
    where: {
      OR: [
        {
          AND: {
            policyDocument_MATCHES: ".*arn:aws:iam::[0-9*]+:root.*"
            managementType: "CustomerManaged"
          }
        }
        {
          keyPolicy: {
            statements_SOME: { effect: "Allow", conditions: [], principals_INCLUDES: "AWS|*" }
          }
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Google Cloud Keys With Permissive Access Policy

Connectors

Google Cloud

Covered asset types

KMSKey

Expected check: eq []

{
  kmsKeys(
    where: {
      OR: [
        { policyDocument_MATCHES: ".*domain:.*" }
        {
          iamBindings_SOME: {
            OR: [
              { members_INCLUDES: "allAuthenticatedUsers" }
              { members_INCLUDES: "allUsers" }
            ]
          }
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Publicly Accessible AWS Keys

Connectors

AWS

Covered asset types

KMSKey

Expected check: eq []

{
  kmsKeys(
    where: {
      keyPolicy: {
        statements_SOME: { effect: "Allow", conditions: [], principals_INCLUDES: "AWS|*" }
      }
    }
  ) {
    ...AssetFragment
  }
}
Publicly Accessible Google Cloud Keys

Connectors

Google Cloud

Covered asset types

KMSKey

Expected check: eq []

{kmsKeys( where: { iamBindings_SOME: { OR: [{ members_INCLUDES: "allAuthenticatedUsers"}, { members_INCLUDES: "allUsers" }] } } ) {...AssetFragment}}
AWS KMSKeys Exposed Through Vulnerable VMs

Connectors

AWS

Covered asset types

KMSKey

Expected check: eq []

vms(
  where: {
    securityGroups_SOME: {
      rules_SOME: {
        direction: "Inbound"
        action: "Allow"
        AND: [
          { OR: [{ sources_INCLUDES: "cidr:0.0.0.0/0" }, { sources_INCLUDES: "cidr:::/0" }] }
          { destFromPort_LTE: 22, destToPort_GTE: 22 }
        ]
      }
    }
    iamRoles_SOME: {
      iamPolicies_SOME: { iamPolicyStatements_SOME: { effect: "Allow" } }
    }
  }
) {
  iamRoles {
    iamPolicies {
      iamPolicyStatements {
        permissions {
          isOwnedByIAMAssetType {
            includesKMSKey { ...AssetFragment }
          }
        }
      }
    }
  }
}
Google Cloud KMSKeys Exposed Through Vulnerable VMs

Connectors

Google Cloud

Covered asset types

KMSKey

Expected check: eq []

vms(
  where: {
    firewalls_SOME: {
      rules_SOME: {
        direction: "Inbound"
        action: "Allow"
        AND: [
          { OR: [{ sources_INCLUDES: "cidr:0.0.0.0/0" }, { sources_INCLUDES: "cidr:::/0" }] }
          { destFromPort_LTE: 22, destToPort_GTE: 22 }
        ]
      }
    }
  }
) {
  serviceAccount {
    serviceAccountRoles {
      hasIAMPermissions {
        isOwnedByIAMAssetType {
          includesKMSKey { ...AssetFragment }
        }
      }
    }
  }
}
Alibaba KMSKeys Exposed Through Vulnerable VMs

Connectors

Alibaba Cloud

Covered asset types

KMSKey

Expected check: eq []

{
  alibabaKMSKeysExposedThroughVMs {...AssetFragment}
}
Azure KMSKeys Exposed Through Vulnerable VMs

Connectors

Microsoft Azure

Covered asset types

KMSKey

Expected check: eq []

{
  vms(
    where: {
      networkInterfaces_SOME: {
        securityGroups_SOME: {
          rules_SOME: {
            direction: "Inbound"
            action: "Allow"
            AND: [
              {
                OR: [
                  { sources_INCLUDES: "cidr:0.0.0.0/0" }
                  { sources_INCLUDES: "cidr:::/0" }
                  { sources_INCLUDES: "tag:Internet" }
                  { sources: [] }
                ]
              }
              { destFromPort_LTE: 22, destToPort_GTE: 22 }
            ]
          }
        }
      }
    }
  ) {
    vmRoles {
      hasIAMPermissions {
        isOwnedByIAMAssetType {
          includesKMSKey { ...AssetFragment }
        }
      }
    }
  }
}
Encryption Keys scheduled for deletion

Connectors

Google Cloud

Covered asset types

KMSKey

Expected check: eq []

{ kmsKeys(where: {scheduleForDeletion: true, dataStores_SOME: { identifier_NOT: null }}) {...AssetFragment} }
Encryption Keys expiring within the next 14 days

Connectors

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

KMSKey

Expected check: eq []

{ EncryptionKeysExpiration(days: 14) {...AssetFragment} }
A log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclAssociation[\"]?\\s*\\)\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for changes to network gateways

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachInternetGateway[\"]?\\s*\\)\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for route table changes

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRouteTableAssociation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisassociateRouteTable[\"]?\\s*\\)\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for VPC changes

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ModifyVpcAttribute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RejectVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableVpcClassicLink[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnableVpcClassicLink[\"]?\\s*\\)\\s*.*"){...AssetFragment}
Azure subscriptions without Microsoft Defender for Servers

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: { pricing_SOME: { name: "VirtualMachines", pricingTier: "Free" } }
  ) {
    ...AssetFragment
  }
}
Azure Subscriptions without Microsoft Defender for App Services

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: { pricing_SOME: { name: "AppServices", pricingTier: "Free" } }
  ) {
    ...AssetFragment
  }
}
Azure Subscriptions without Microsoft Defender for Azure SQL

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: { pricing_SOME: { name: "SqlServers", pricingTier: "Free" } }
  ) {
    ...AssetFragment
  }
}
Azure Subscriptions without Microsoft Defender for SQL Servers on Machines

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: {
      pricing_SOME: { name: "SqlServerVirtualMachines", pricingTier: "Free" }
    }
  ) {
    ...AssetFragment
  }
}
Azure Subscriptions without Microsoft Defender for Storage

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: { pricing_SOME: { name: "StorageAccounts", pricingTier: "Free" } }
  ) {
    ...AssetFragment
  }
}
Azure Subscriptions without Microsoft Defender for Key Vault

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: { pricing_SOME: { name: "KeyVaults", pricingTier: "Free" } }
  ) {
    ...AssetFragment
  }
}
Azure subscriptions with WDATP (endpoint protection) disabled

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: { dataExportSettings_SOME: { name: "WDATP", enabled: false } }
  ) {
    ...AssetFragment
  }
}
Azure subscriptions with MCAS disabled

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(
    where: { dataExportSettings_SOME: { name: "MCAS", enabled: false } }
  ) {
    ...AssetFragment
  }
}
Buckets without versioning enabled

Connectors

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

BlobContainer, Bucket

Expected check: eq []

{ objectContainers (where: {versioningEnabled: false}) {...AssetFragment} } 
Cloud SQL database instances are configured with automated backups

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

cloudSqlInstances(where:{settingsBackupConfigurationEnabled:false}){...AssetFragment}
Azure Storage Accounts Without Soft Delete

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(
    where: {
      OR: [
        { blobServiceDeletePolicyEnabled: false }
        { blobServiceDeletePolicyDays: 0 }
        { containerDeleteRetentionPolicyEnabled: false }
        { containerDeleteRetentionPolicyDays: 0 }
      ]
    }
  ) {
    ...AssetFragment
  }
}
AWS Multi-region cloud trails with logging enabled

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

{
  AWSLogging1 {...AssetFragment}
}
CloudTrail log file validation is enabled

Connectors

AWS

Covered asset types

Trail

Expected check: eq []

trails(where:{logFileValidationEnabled:false}){...AssetFragment}
CloudTrail trails are integrated with CloudWatch Logs

Connectors

AWS

Covered asset types

Trail

Expected check: eq []

AWSLogging4{...AssetFragment}
S3 bucket access logging is enabled on the CloudTrail S3 bucket

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

{buckets(where:{trails_NOT: null, loggingEnabled:false}){...AssetFragment}}
CloudTrail logs are encrypted at rest

Connectors

AWS

Covered asset types

Trail

Expected check: eq []

trails(where:{kmsKeyID:""}){...AssetFragment}
Rotation for customer created CMKs is enabled

Connectors

AWS

Covered asset types

KMSKey

Expected check: eq []

kmsKeys(where:{automaticRotationEnabled:false, managementType:"CustomerManaged"}){...AssetFragment}
VPC flow logging is enabled in all VPCs

Connectors

AWS

Covered asset types

VPC

Expected check: eq []

vpcs(where: {OR: [{hasFlowLog: null}, {hasFlowLog_NONE: {flowLogStatus: "ACTIVE"}}]}){...AssetFragment}
Object-level logging for write events is enabled for S3 bucket

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

{
  buckets(
    where: {
      OR: [
        {
          trailEventSelectorDataResources_ALL: {
            eventSelector: { NOT: { readWriteType_IN: ["All", "WriteOnly"] } }
          }
        }
        { trailEventSelectorDataResources_SOME: null }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Object-level logging for read events is enabled for S3 bucket

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

{
  buckets(
    where: {
      OR: [
        {
          trailEventSelectorDataResources_ALL: {
            eventSelector: { NOT: { readWriteType_IN: ["All", "ReadOnly"] } }
          }
        }
        { trailEventSelectorDataResources_SOME: null }
      ]
    }
  ) {
    ...AssetFragment
  }
}
A log metric filter and alarm exist for CloudTrail configuration changes

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StartLogging[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopLogging[\"]?\\s*\\)\\s*.*"){...AssetFragment}
Access Logs are Enabled for ELB

Connectors

AWS

Covered asset types

LoadBalancer

Expected check: eq []

{loadBalancers(where:{type:"application",hasLoadBalancerAttribute_NONE:{key:"access_logs.s3.enabled",value:"true"}}){...AssetFragment}}
Cloud Audit Logging is configured properly across all services and all users from a project

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging1{...AssetFragment}
Sinks are configured for all Log entries

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging2{...AssetFragment}
Retention policies on log buckets are configured using Bucket Lock

Connectors

Google Cloud

Covered asset types

LogBucket

Expected check: eq []

logBuckets(where:{locked:false}){...AssetFragment}
Log metric filter and alerts exist for Project Ownership assignments/changes

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging4{...AssetFragment}
Log metric filter and alerts exist for Audit Configuration Changes

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging5{...AssetFragment}
Log metric filter and alerts exist for Custom Role changes

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging6{...AssetFragment}
Log metric filter and alerts exist for VPC Network Firewall rule changes

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging7{...AssetFragment}
Log metric filter and alerts exist for VPC network route changes

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging8{...AssetFragment}
Log metric filter and alerts exist for VPC network changes

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging9{...AssetFragment}
Log metric filter and alerts exist for Cloud Storage IAM permission changes

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging10{...AssetFragment}
Log metric filter and alerts exist for SQL instance configuration changes

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging11{...AssetFragment}
VPC Flow Logs are enabled for every subnet in a VPC Network

Connectors

Google Cloud

Covered asset types

VPC

Expected check: eq []

vpcs(where:{hasSubnetwork_SOME:{enableFlowLogs:false}}){...AssetFragment}
The 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "log_connections" } } { dbFlags_SOME: { name: "log_connections", value: "off" } } ] } ) { ...AssetFragment }}
The 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "log_disconnections" } } { dbFlags_SOME: { name: "log_disconnections", value: "off" } } ] } ) { ...AssetFragment }}
The 'log_min_messages' database flag for a Cloud SQL PostgreSQL instance is set

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" dbFlags_SOME: { name: "log_min_messages" NOT: { value_IN: ["error", "log", "fatal", "panic"] } } } ) { ...AssetFragment }}
The 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" dbFlags_SOME: { name: "log_min_duration_statement", NOT: { value: "-1" } } } ) { ...AssetFragment }}
Alibaba ActionTrails that export copies of all log entries

Connectors

Alibaba Cloud

Covered asset types

Connector

Expected check: eq []

{
  AlibabaLogging1 {...AssetFragment}
}
The OSS used to store ActionTrail logs is not publicly accessible

Connectors

Alibaba Cloud

Covered asset types

Bucket

Expected check: eq []

{buckets(where: {OR: [ {acl: "public-read"}, {acl: "public-read-write"}], trails_NOT: null}){...AssetFragment}}
Logging is enabled for OSS buckets

Connectors

Alibaba Cloud

Covered asset types

Bucket

Expected check: eq []

buckets(where:{ loggingEnabled: false }){...AssetFragment}
Azure storage accounts without queue service diagnostic settings logging

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(
    where: {
      OR: [
        { isQueueServicesDiagnosticsSettingsEnabled: false }
        {
          AND: [
            {
              diagnosticSettings_NONE: {
                resourceType: "Microsoft.Storage/storageAccounts/queueServices"
                AND: [
                  { logs_SINGLE: { enabled: true, category: "StorageRead" } }
                  { logs_SINGLE: { enabled: true, category: "StorageWrite" } }
                  { logs_SINGLE: { enabled: true, category: "StorageDelete" } }
                ]
              }
            }
            {
              diagnosticSettings_NONE: {
                resourceType: "Microsoft.Storage/storageAccounts/queueServices"
                logs_SOME: {
                  enabled: true
                  categoryGroup_IN: ["audit", "allLogs"]
                }
              }
            }
          ]
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Storage Accounts without Blob Diagnostic Settings

Connectors

Microsoft Azure

Covered asset types

BlobContainer

Expected check: eq []

{
  storageAccounts(
    where: {
      OR: [
        { isBlobServicesDiagnosticsSettingsEnabled: false }
        {
          AND: [
            {
              diagnosticSettings_NONE: {
                resourceType: "Microsoft.Storage/storageAccounts/blobServices"
                AND: [
                  { logs_SINGLE: { enabled: true, category: "StorageRead" } }
                  { logs_SINGLE: { enabled: true, category: "StorageWrite" } }
                  { logs_SINGLE: { enabled: true, category: "StorageDelete" } }
                ]
              }
            }
            {
              diagnosticSettings_NONE: {
                resourceType: "Microsoft.Storage/storageAccounts/blobServices"
                logs_SOME: {
                  enabled: true
                  categoryGroup_IN: ["audit", "allLogs"]
                }
              }
            }
          ]
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Azure SQL Servers without auditing

Connectors

Microsoft Azure

Covered asset types

SQLServer

Expected check: eq []

{
  sqlServers(where: { blobAuditingPolicies_NONE: { state: "Enabled" } }) {
    ...AssetFragment
  }
}
Azure SQL Servers with audit retention less than 90 days

Connectors

Microsoft Azure

Covered asset types

SQLServer

Expected check: eq []

{
  sqlServers(
    where: {
      blobAuditingPolicies_NONE: {
        state: "Enabled"
        OR: [{ retentionDays: 0 }, { retentionDays_GT: 90 }]
      }
    }
  ) {
    ...AssetFragment
  }
}
Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server

Connectors

Microsoft Azure

Covered asset types

PostgreSQLServer

Expected check: eq []

{postgreSqlServers(where:{configurations_NONE:{name:"log_checkpoints",value_MATCHES:"(?i)on"}}){...AssetFragment}}
Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server

Connectors

Microsoft Azure

Covered asset types

PostgreSQLServer

Expected check: eq []

{
  postgreSqlServers(
    where: {
      configurations_SOME: { name: "log_connections", value_MATCHES: "(?i)off" }
    }
  ) {
    ...AssetFragment
  }
}
Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server

Connectors

Microsoft Azure

Covered asset types

PostgreSQLServer

Expected check: eq []

{
  postgreSqlServers(
    where: {
      configurations_SOME: {
        name: "log_disconnections"
        value_MATCHES: "(?i)off"
      }
    }
  ) {
    ...AssetFragment
  }
}
Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server

Connectors

Microsoft Azure

Covered asset types

PostgreSQLServer

Expected check: eq []

{postgreSqlServers(where:{configurations_NONE:{name:"connection_throttling", value_MATCHES:"(?i)on"}}){...AssetFragment}}
Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server

Connectors

Microsoft Azure

Covered asset types

PostgreSQLServer

Expected check: eq []

{postgreSqlServers(where:{configurations_SOME:{name:"log_retention_days", value_MATCHES:"[0-3]"}}){...AssetFragment}}
Diagnostic Setting captures appropriate categories

Connectors

Microsoft Azure

Covered asset types

SubscriptionDiagnosticSettings

Expected check: eq []

{subscriptionDiagnosticSettings(where:{logSettings_SOME:{category_IN:["Administrative","Alert","Policy","Security"],enabled:false}}){...AssetFragment}}
Key Vaults without Diagnostic Settings

Connectors

Microsoft Azure

Covered asset types

KMSVault

Expected check: eq []

{
  kmsVaults(
    where: {
      OR: [
        { loggingEnabled: false }
        {
          diagnosticSettings_SOME: {
            resourceType: "Microsoft.KeyVault/vaults"
            logs_SOME: {
              enabled: false
              categoryGroup_IN: ["audit", "allLogs"]
            }
          }
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Activity Log Alert exists for Create Policy Assignment

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

query ($subscriptionResourceId: String!) {
  AzureActivityLogAlertsForAction(
    subscriptionResourceId: $subscriptionResourceId
    equals:"microsoft.authorization/policyassignments/write"){...AssetFragment}}
Activity Log Alert exists for Delete Policy Assignment

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

query ($subscriptionResourceId: String!) {
  AzureActivityLogAlertsForAction(
    subscriptionResourceId: $subscriptionResourceId
    equals:"microsoft.authorization/policyassignments/delete"){...AssetFragment}}
Activity Log Alert exists for Create or Update Network Security Group

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

query ($subscriptionResourceId: String!) {
  AzureActivityLogAlertsForAction(
    subscriptionResourceId: $subscriptionResourceId
    equals:"microsoft.network/networksecuritygroups/write"){...AssetFragment}}
Activity Log Alert exists for Delete Network Security Group

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

query ($subscriptionResourceId: String!) {
  AzureActivityLogAlertsForAction(
    subscriptionResourceId: $subscriptionResourceId
    equals:"microsoft.network/networksecuritygroups/delete"){...AssetFragment}}
Activity Log Alert exists for Create or Update Security Solution

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

query ($subscriptionResourceId: String!) {
  AzureActivityLogAlertsForAction(
    subscriptionResourceId: $subscriptionResourceId
    equals:"microsoft.security/securitysolutions/write"){...AssetFragment}}
Activity Log Alert exists for Delete Security Solution

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

query ($subscriptionResourceId: String!) {
  AzureActivityLogAlertsForAction(
    subscriptionResourceId: $subscriptionResourceId
    equals:"microsoft.security/securitysolutions/delete"){...AssetFragment}}
Google Cloud VPCs without DNS logging

Connectors

Google Cloud

Covered asset types

VPC

Expected check: eq []

{
  vpcs(where: { dnsPolicy_NONE: { NOT: { enableLogging_IN: ["true"] } } }) {
    ...AssetFragment
  }
}
Google Cloud Load Balancers without logging

Connectors

Google Cloud

Covered asset types

LoadBalancer

Expected check: eq []

{
  loadBalancers(
    where: { backendServices_ALL: { NOT: { logConfigEnabled: true } } }
  ) {
    ...AssetFragment
  }
}
A log metric filter and alarm exist for unauthorized API calls

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?\\*UnauthorizedOperation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?AccessDenied\\*[\"]?\\s*\\)\\s*.*"){...AssetFragment}
Alibaba IAM account summaries with Anti-DDoS log service enabled

Connectors

Alibaba Cloud

Covered asset types

Connector

Expected check: eq []

{
  iamAccountSummaries(
    where: {
      hasIAMAccountSummaryItem_SOME: { key: "antiDDoSHasLogStore", value: 1 }
    }
  ) {
    connector {...AssetFragment}
  }
}
Web Application Firewall access and security log service is enabled

Connectors

Alibaba Cloud

Covered asset types

Domain

Expected check: eq []

domains(where: { OR: [ {slsLogActive: false}, {wafActive: false} ] }) {...AssetFragment}
AWS Inspector is configured for EC2 Instances

Connectors

AWS

Covered asset types

VM

Expected check: eq []

{vms(where:{inspectorEnabled:false}){...AssetFragment}}
Security Groups with management ports not restricted from the internet

Connectors

Alibaba Cloud, AWS, Microsoft Azure

Covered asset types

SecurityGroup

Expected check: eq []

{
  securityGroups(
    where: {
      rules_SOME: {
        direction: "Inbound"
        action: "Allow"
        AND: [
          {
            OR: [
              { sources_INCLUDES: "cidr:0.0.0.0/0" }
              { sources_INCLUDES: "cidr:::/0" }
              { sources_INCLUDES: "tag:Internet" }
              { sources: [] }
            ]
          }
          { 
            OR: [
                { destFromPort_LTE: 22, destToPort_GTE: 22 }
                { destFromPort_LTE: 3389, destToPort_GTE: 3389 }
              ]
          }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}
Firewalls with management ports not restricted from the internet

Connectors

Google Cloud

Covered asset types

Firewall

Expected check: eq []

{
  firewalls(
    where: {
      rules_SOME: {
        direction: "Inbound"
        AND: [
          {
            OR: [
              { sources_INCLUDES: "cidr:0.0.0.0/0" }
              { sources_INCLUDES: "cidr:::/0" }
              { sources: [] }
            ]
          }
          {
            OR: [
              { destFromPort_LTE: 22, destToPort_GTE: 22 }
              { destFromPort_LTE: 3389, destToPort_GTE: 3389 }
            ]
          }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}
S3 Bucket Policy is set to deny HTTP requests

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

buckets(where: {OR: [{policyDocument_MATCHES: "^((?!(?i)\"effect\":\"deny\").)*$"},{policyDocument_MATCHES: "^((?!(?i)\"Bool|aws:SecureTransport|false\").)*$"}]}) {...AssetFragment}
No Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

Connectors

AWS

Covered asset types

NetworkACL

Expected check: eq []

networkAcls(where:{rules_SOME:{AND:[{direction:"Inbound"},{action:"Allow"},{OR:[{sources_INCLUDES:"cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]},{OR:[{destFromPort_LTE: 22, destToPort_GTE: 22}, {destFromPort_LTE: 3389, destToPort_GTE: 3389}]}]}}){...AssetFragment}
Application Load Balancer uses HTTPS Listener

Connectors

AWS

Covered asset types

LoadBalancer

Expected check: eq []

{loadBalancers(where:{type:"application",listensOnHTTPListener_NONE:{hasCertificate:true}}){...AssetFragment}}
Network Load Balancer uses TLS Listener

Connectors

AWS

Covered asset types

LoadBalancer

Expected check: eq []

{loadBalancers(where:{type:"network",listensOnHTTPListener_NONE:{hasCertificate:true}}){...AssetFragment}}
Weak TLS Protocols are not used for ELB

Connectors

AWS

Covered asset types

LoadBalancer

Expected check: eq []

{loadBalancers( where: { scheme: "internet-facing", listensOnHTTPListener_SOME: { sslPolicy_IN: ["ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-02"] } } ) {...AssetFragment}}
App Engine Allowing Plain HTTP

Connectors

Google Cloud

Covered asset types

AppEngineService

Expected check: eq []

{
  appEngineServices(
    where: {
      serviceVersions_NONE: {
        urlHandlers_SOME: {
          urlRegex_IN: ["/.*", ".*"]
          securityLevel_IN: ["SECURE_ALWAYS"]
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
The default firewall does not have any default rules besides HTTP and HTTPS

Connectors

Google Cloud

Covered asset types

Firewall

Expected check: eq []

{GCPNetworking7{...AssetFragment}}
'Allow access to Azure services' for PostgreSQL Database Server is disabled

Connectors

Microsoft Azure

Covered asset types

PostgreSQLServer

Expected check: eq []

{
  postgreSqlServers(
    where: {
      firewallRules_SOME: {
        OR: [
          { name_MATCHES: "(?i)allowallwindowsazureips" }
          { name_MATCHES: "(?i)allowallazureips" }
          { AND: [{ startIPAddress: "0.0.0.0" }, { endIPAddress: "0.0.0.0" }] }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}
Ensure 'Allow access to Azure services' for PostgreSQL Database Flexible Server is disabled

Connectors

Microsoft Azure

Covered asset types

PostgreSQLFlexibleServer

Expected check: eq []

{
  postgreSqlFlexibleServers (where: {
      firewallRules_SOME: {
        OR: [
          { name_MATCHES: "(?i)allowallwindowsazureips" }
          { name_MATCHES: "(?i)allowallazureips" }
          { AND: [{ startIPAddress: "0.0.0.0" }, { endIPAddress: "0.0.0.0" }] }
        ]
      }
    }) {...AssetFragment}
}
RDS Instances accept traffic only from the Application Servers

Connectors

AWS

Covered asset types

DBInstance

Expected check: eq []

{
  dbInstances(
    where: {
      securityGroups_SOME: {
        rules_SOME: {
          direction: "Inbound"
          OR: [
            { destToPort_NOT_IN: [3306, 5432, 1521, 1433, 27017] }
            { OR: [{ sources_INCLUDES: "cidr:0.0.0.0/0" }, { sources_INCLUDES: "cidr:::/0" }] }
          ]
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Unencrypted LDAP port (389) is not exposed to the internet

Connectors

AWS

Covered asset types

SecurityGroup

Expected check: eq []

{securityGroups(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 389, destToPort_GTE: 389, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}
Potential Elasticsearch database exposed to the internet (ports 9200 and/or 9300)

Connectors

AWS

Covered asset types

SecurityGroup

Expected check: eq []

{
  securityGroups(
    where: {
      vms_NOT: null
      rules_SOME: {
        direction: "Inbound"
        AND: [
          { OR: [{ sources_INCLUDES: "cidr:0.0.0.0/0" }, { sources_INCLUDES: "cidr:::/0" }] }
          {
            OR: [
              { destFromPort_LTE: 9200, destToPort_GTE: 9200 }
              { destFromPort_LTE: 9300, destToPort_GTE: 9300 }
            ]
          }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}
'Enable connecting to serial ports' is not enabled for VM Instance

Connectors

Google Cloud

Covered asset types

VM

Expected check: eq []

vms(where:{hasVMMetadataItem_SOME:{key:"serial-port-enable",value:"true"}}){...AssetFragment}
Firewall rule does not allow all traffic for Oracle DB (port 1521)

Connectors

Google Cloud

Covered asset types

Firewall

Expected check: eq []

{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 1521, destToPort_GTE: 1521, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}
Firewall rule does not allow all traffic for MongoDB (port 27017)

Connectors

Google Cloud

Covered asset types

Firewall

Expected check: eq []

{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 27017, destToPort_GTE: 27017, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}
Firewall rule does not allow all traffic for MySQL (port 3306)

Connectors

Google Cloud

Covered asset types

Firewall

Expected check: eq []

{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 3306, destToPort_GTE: 3306, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}
Firewall rule does not allow all traffic for PostgreSQL DB (port 5432)

Connectors

Google Cloud

Covered asset types

Firewall

Expected check: eq []

{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 5432, destToPort_GTE: 5432, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}
Firewall rule does not allow all traffic on port 80

Connectors

Google Cloud

Covered asset types

Firewall

Expected check: eq []

{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 80, destToPort_GTE: 80, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}
Firewall rule does not allow all traffic on all ports

Connectors

Google Cloud

Covered asset types

Firewall

Expected check: eq []

{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 0, destToPort_GTE: 65535, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}
Storage accounts not allowing access from trusted Azure Services

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(
    where: {
      OR: [
        { AND: [{ networkRuleSetDefaultAction_CONTAINS: "Allow" }] }
        {
          AND: [
            { networkRuleSetDefaultAction_CONTAINS: "Deny" }
            { NOT: { networkRuleSetBypass_CONTAINS: "AzureServices" } }
          ]
        }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Azure NSGs allowing UDP traffic

Connectors

Microsoft Azure

Covered asset types

SecurityGroup

Expected check: eq []

{
  securityGroups(
    where: {
      rules_SOME: {
        direction: "Inbound"
        action: "Allow"
        protocol: "UDP"
        AND: [
          {
            OR: [
              { sources_INCLUDES: "cidr:0.0.0.0/0" }
              { sources_INCLUDES: "cidr:::/0" }
              { sources_INCLUDES: "tag:Internet" }
              { sources: [] }
            ]
          }
          {
            OR: [
              { destFromPort_LTE: 53, destToPort_GTE: 53 }
              { destFromPort_LTE: 123, destToPort_GTE: 123 }
              { destFromPort_LTE: 161, destToPort_GTE: 161 }
              { destFromPort_LTE: 389, destToPort_GTE: 389 }
              { destFromPort_LTE: 1900, destToPort_GTE: 1900 }
            ]
          }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}
MFA Delete is enabled on S3 buckets

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

{buckets(where:{bucketVersioningMFADelete:false}){...AssetFragment}}
S3 bucket ACL grants permissions only to specific AWS accounts

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

{buckets(where:{hasBucketACLGrant_SOME: {granteeType_NOT:"CanonicalUser"}}){...AssetFragment}}
Kubernetes Engine uses HTTP load balancing

Connectors

Google Cloud

Covered asset types

Cluster

Expected check: eq []

{gkeClusters(where:{httpLoadBalancingEnabled:false}){...AssetFragment}}
Encrypted storage is used for VMs that might host a database

Connectors

AWS

Covered asset types

VM

Expected check: eq []

{vms(where:{diskAttachments_SOME:{disk:{encrypted:false}},OR:[{name_MATCHES:"(?i).*database.*"},{name_MATCHES:"(?i).*db.*"},{name_MATCHES:"(?i).*mariadb.*"},{name_MATCHES:"(?i).*postgres.*"},{name_MATCHES:"(?i).*oracle.*"},{name_MATCHES:"(?i).*sql.*"}]}){...AssetFragment}}
© 2026 Cyscale Limited
