Alibaba Cloud
AWS
Google Cloud
Microsoft Azure
Microsoft Entra ID
OktaOverview
Statement
ISO 27001 is the international standard which is recognised globally for managing risks to the security of information you hold. Certification to ISO 27001 allows you to prove to your clients and other stakeholders that you are managing the security of your information. ISO 27001:2012 (the updated version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS). The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving your ISMS.
The ISO 27001:2022 standard provides a framework for information security management best practice that helps organizations to:
- Protect client and employee information
- Manage risks to information security effectively
- Achieve compliance with regulations such as the European Union General Data Protection Regulation (EU GDPR)
- Protect the company's brand
What is an ISMS?
An ISMS is a holistic approach to securing the confidentiality, integrity and availability (CIA) of corporate information assets. It consists of policies, procedures and other controls involving people, processes and technology.
Informed by regular information security risk assessments, an ISMS is an efficient, risk-based and technology-neutral approach to keeping your information assets secure.
How do you implement ISO 27001:2022 controls?
The Standard has 93 controls grouped into four themes. The information security controls (also known as safeguards) support the implementation and maintenance of an ISMS. The four topics are:
- Organizational,
- People,
- Physical
- Technological
Organizational controls are implemented by defining rules to be followed, and expected behavior from users, equipment, software, and systems. E.g. Access Control Policy, BYOD Policy, etc. There are 37 such controls in the standard.
People controls are implemented by providing knowledge, education, skills, or experience to persons to enable them to perform their activities in a secure way. E.g. security awareness training, ISO 27001 internal auditor training, etc. There are 8 controls in this category.
Physical controls are primarily implemented by using equipment or devices that have a physical interaction with people and objects. E.g. CCTV cameras, alarm systems, locks, etc. This category is comprised of 14 controls.
Technological controls are primarily implemented in information systems, using software, hardware, and firmware components added to the system. E.g. backup, antivirus software, etc. There are 34 controls in this category.
Controls
A.5: Organizational controls
A.6: People controls
A.8: Technical controls
Procedures and mapped controls
A.5.2: Information security roles and responsibilities
Requires defining roles and responsibilities related to information security.
A.5.3: Segregation of duties
Requires clearly defining and separating between duties or areas of responsibility.
A.5.9: Inventory of information and other associated assets
Requires maintaining an inventory of information, assets related to information and information processing facilities.
Mapped controls
Ensure IAM password policy requires a minimum length of 14 or greater
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure access keys are rotated every 90 days or less
Ensure IAM Users receive permissions only through Groups
Ensure a support role has been created to manage incidents with AWS Support
Ensure that IAM Access analyzer is enabled for all regions
Ensure AWS Config is enabled in all regions
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Ensure that there are only GCP-managed service account keys for each service account
Ensure Service Account has no Admin privileges
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure instances are not configured to use the default service account
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure "Block Project-wide SSH keys" is enabled for VM instances
Ensure oslogin is enabled for a Project
Ensure Cloud Asset Inventory Is Enabled
Ensure access keys are rotated every 90 days or less
Ensure RAM password policy requires at least one uppercase letter
Ensure RAM password policy requires at least one lowercase letter
Ensure RAM password policy requires at least one symbol
Ensure RAM password policy requires at least one number
Ensure RAM password policy requires a minimum length of 14 or greater
Ensure RAM password policy expires passwords within 90 days or less
Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Ensure RAM policies are attached only to groups or roles
Ensure No Custom Subscription Administrator Roles Exist
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Ensure the Expiration Date is set for Key Vault Secrets
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Ensure App Service Authentication is set up for apps in Azure App Service
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
A.5.10: Acceptable use of information and other associated assets
Requires defining, documenting and implementing rules on how information and information assets can be used.
Mapped controls
Ensure IAM password policy requires a minimum length of 14 or greater
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure access keys are rotated every 90 days or less
Ensure IAM Users receive permissions only through Groups
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure that there are only GCP-managed service account keys for each service account
Ensure Service Account has no Admin privileges
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure instances are not configured to use the default service account
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure "Block Project-wide SSH keys" is enabled for VM instances
Ensure oslogin is enabled for a Project
Ensure access keys are rotated every 90 days or less
Ensure RAM password policy requires at least one uppercase letter
Ensure RAM password policy requires at least one lowercase letter
Ensure RAM password policy requires at least one symbol
Ensure RAM password policy requires at least one number
Ensure RAM password policy requires a minimum length of 14 or greater
Ensure RAM password policy expires passwords within 90 days or less
Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Ensure RAM policies are attached only to groups or roles
Ensure 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
Ensure No Custom Subscription Administrator Roles Exist
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Ensure the Expiration Date is set for Key Vault Secrets
Ensure App Service Authentication is set up for apps in Azure App Service
Ensure 'HTTPS Only' is set to 'On' for App Service
Ensure Web App is using the latest version of TLS encryption
A.5.12: Classification of information
Requires that all information is classified by criteria such as legal requirements or criticality.
Mapped controls
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Ensure Compute instances are launched with Shielded VM enabled
Ensure Compute instances do not have public IP addresses
Ensure the 'local_infile' database flag for a Cloud SQL MySQL instance is set to 'Off'
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure Cloud SQL database instances do not have public IPs
Ensure server-side encryption is set to 'Encrypt with Service Key'
Ensure server-side encryption is set to 'Encrypt with BYOK'
Ensure RDS instances require all incoming connections to use SSL
Ensure that RDS instances are not open to the world
Ensure Virtual Machines are utilizing Managed Disks
Ensure Key Vaults are Recoverable
Ensure Azure Key Vaults are used to store secrets
A.5.13: Labelling of information
Requires defining a procedure for information labelling.
A.5.14: Information transfer
Requires ensuring the protection of information being transfered.
Mapped controls
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
Ensure AMIs Are Private
Ensure RDS Instances accept traffic only from the Application Servers
Ensure EC2 Instances are deployed in a VPC
Ensure RDS instances are not publicly reachable
Ensure S3 bucket policy does not grant Allow permission to everyone
Ensure unencrypted LDAP port (389) is not exposed to the internet
Ensure that Elasticsearch database is not exposed to the internet (ports 9200 and/or 9300)
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Ensure Compute instances are launched with Shielded VM enabled
Ensure Compute instances do not have public IP addresses
Ensure the 'local_infile' database flag for a Cloud SQL MySQL instance is set to 'Off'
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure Cloud SQL database instances do not have public IPs
Ensure firewall rule does not allow all traffic for Oracle DB (port 1521)
Ensure firewall rule does not allow all traffic for MongoDB (port 27017)
Ensure firewall rule does not allow all traffic for MySQL (port 3306)
Ensure firewall rule does not allow all traffic for PostgreSQL DB (port 5432)
Ensure firewall rule does not allow all traffic on port 80
Ensure firewall rule does not allow all traffic on all ports
Ensure server-side encryption is set to 'Encrypt with Service Key'
Ensure server-side encryption is set to 'Encrypt with BYOK'
Ensure RDS instances require all incoming connections to use SSL
Ensure that RDS instances are not open to the world
Ensure Virtual Machines are utilizing Managed Disks
Ensure Key Vaults are Recoverable
Ensure 'HTTPS Only' is set to 'On' for App Service
Ensure Web App is using the latest version of TLS encryption
Ensure Azure Key Vaults are used to store secrets
A.5.15: Access control
Requires defining an access control policy that considers the security needs of the organization.
Mapped controls
Ensure buckets are not publicly accessible
Ensure queues are not publicly accessible
Ensure a support role has been created to manage incidents with AWS Support
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure that IAM Access analyzer is enabled for all regions
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for AWS Organizations changes
Ensure the default security group of every VPC restricts all traffic
Ensure AMIs Are Private
Ensure EC2 Instances are deployed in a VPC
Ensure IAM Users that are inactive for 30 days or more are deactivated
Ensure RDS instances are not publicly reachable
Ensure S3 bucket policy does not grant Allow permission to everyone
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure Cloud Storage buckets have uniform bucket-level access enabled
Ensure the 'cross db ownership chaining' database flag for Cloud SQL on the SQL Server instance is set to 'Off'
Ensure the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
Ensure that RDS instances are not open to the world
Ensure the OSS used to store ActionTrail logs is not publicly accessible
Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure 'Allow Blob Anonymous Access' is set to 'Disabled'
Ensure Amazon ECS task definitions include secure networking modes and user definitions
Ensure ECS services don't have public IP addresses assigned to them automatically
Ensure ECS containers run as non-privileged
ECS containers should be limited to read-only access to root filesystems
Make sure secrets are not passed as container environment variables
Ensure Instance IP assignment is set to private
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
A.5.16: Identity management
Requires establishing the procedures to assign and to de-assign access rights for users.
Mapped controls
Ensure IAM password policy requires a minimum length of 14 or greater
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure access keys are rotated every 90 days or less
Ensure IAM Users receive permissions only through Groups
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure Managed IAM Policies are used instead of Inline Policies
Ensure IAM Role can be assumed only by specific Principals
Ensure that AWS Lambda functions do not share the same AWS IAM execution role
Ensure that there are only GCP-managed service account keys for each service account
Ensure Service Account has no Admin privileges
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure instances are not configured to use the default service account
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure "Block Project-wide SSH keys" is enabled for VM instances
Ensure oslogin is enabled for a Project
Ensure access keys are rotated every 90 days or less
Ensure RAM password policy requires at least one uppercase letter
Ensure RAM password policy requires at least one lowercase letter
Ensure RAM password policy requires at least one symbol
Ensure RAM password policy requires at least one number
Ensure RAM password policy requires a minimum length of 14 or greater
Ensure RAM password policy expires passwords within 90 days or less
Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Ensure RAM policies are attached only to groups or roles
Ensure No Custom Subscription Administrator Roles Exist
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Ensure the Expiration Date is set for Key Vault Secrets
Ensure App Service Authentication is set up for apps in Azure App Service
A.5.17: Authentication information
Requires ensuring quality passwords.
Mapped controls
Ensure MFA is enabled for the "root" account
Ensure hardware MFA is enabled for the "root" account (Hardware MFA)
Ensure IAM password policy prevents password reuse
Ensure there is only one active access key available for any single IAM user
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure RAM policies that allow full '*:*'' administrative privileges are not created
Ensure No Custom Subscription Administrator Roles Exist
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
A.5.18: Access rights
Requires defining a formal process for user access provisioning.
Mapped controls
Ensure Managed IAM Policies are used instead of Inline Policies
Ensure IAM Role can be assumed only by specific Principals
Ensure that AWS Lambda functions do not share the same AWS IAM execution role
Ensure IAM password policy requires a minimum length of 14 or greater
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure access keys are rotated every 90 days or less
Ensure IAM Users receive permissions only through Groups
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure that there are only GCP-managed service account keys for each service account
Ensure Service Account has no Admin privileges
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure instances are not configured to use the default service account
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure "Block Project-wide SSH keys" is enabled for VM instances
Ensure oslogin is enabled for a Project
Ensure access keys are rotated every 90 days or less
Ensure RAM password policy requires at least one uppercase letter
Ensure RAM password policy requires at least one lowercase letter
Ensure RAM password policy requires at least one symbol
Ensure RAM password policy requires at least one number
Ensure RAM password policy requires a minimum length of 14 or greater
Ensure RAM password policy expires passwords within 90 days or less
Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Ensure RAM policies are attached only to groups or roles
Ensure No Custom Subscription Administrator Roles Exist
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Ensure the Expiration Date is set for Key Vault Secrets
Ensure App Service Authentication is set up for apps in Azure App Service
Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'On'
Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
A.5.33: Protection of records
Requires ensuring the protection of records against loss, destruction, and mishandling.
Mapped controls
Ensure data stored in SNS Topics is encrypted
Ensure encrypted storage is used for VMs that might host a database
Ensure Kinesis Data Streams use encryption at rest
Ensure buckets have versioning enabled
Ensure MFA Delete is enabled on S3 buckets
Ensure S3 bucket ACL grants permissions only to specific AWS accounts
Ensure unencrypted LDAP port (389) is not exposed to the internet
Ensure that Elasticsearch database is not exposed to the internet (ports 9200 and/or 9300)
Ensure the default firewall does not have any default rules besides http and https
Ensure firewall rule does not allow all traffic for Oracle DB (port 1521)
Ensure firewall rule does not allow all traffic for MongoDB (port 27017)
Ensure firewall rule does not allow all traffic for MySQL (port 3306)
Ensure firewall rule does not allow all traffic for PostgreSQL DB (port 5432)
Ensure firewall rule does not allow all traffic on port 80
Ensure firewall rule does not allow all traffic on all ports
A.6.7: Remote working
Requires a policy regarding the protection of information at teleworking sites.
A.8.1: User endpoint devices
Requires a policy regarding the secure use of mobile devices.
Mapped controls
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Ensure Compute instances are launched with Shielded VM enabled
Ensure Compute instances do not have public IP addresses
Ensure the 'local_infile' database flag for a Cloud SQL MySQL instance is set to 'Off'
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure Cloud SQL database instances do not have public IPs
Ensure server-side encryption is set to 'Encrypt with Service Key'
Ensure server-side encryption is set to 'Encrypt with BYOK'
Ensure RDS instances require all incoming connections to use SSL
Ensure that RDS instances are not open to the world
Ensure Virtual Machines are utilizing Managed Disks
Ensure Key Vaults are Recoverable
Ensure Azure Key Vaults are used to store secrets
A.8.2: Privileged access rights
Requires restricting and controlling privileged access rights.
Mapped controls
Ensure no "root" user account access key exists
Eliminate use of the "root" user for administrative and daily tasks
Ensure there is only one active access key available for any single IAM user
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure basic/primitive roles are not used
Avoid the use of the 'root' account
Ensure RAM policies that allow full '*:*'' administrative privileges are not created
Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
Ensure No Custom Subscription Administrator Roles Exist
Ensure 'Additional email addresses' is configured with a security contact email
Ensure security alert emails for subscription owners are enabled
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Ensure Amazon ECS task definitions include secure networking modes and user definitions
Ensure ECS task definitions do not share the host's process namespace
A.8.3: Information access restriction
Requires making sure access to systems and applications is restricted.
Mapped controls
Ensure Managed IAM Policies are used instead of Inline Policies
Ensure IAM Role can be assumed only by specific Principals
Ensure that AWS Lambda functions do not share the same AWS IAM execution role
Ensure basic/primitive roles are not used
Make sure secrets are not passed as container environment variables
Ensure ECS services don't have public IP addresses assigned to them automatically
A.8.5: Secure authentication
Requires establishing a secure log-on procedure where necessary.
Mapped controls
Ensure there is only one active access key available for any single IAM user
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure a log metric filter and alarm exist for usage of "root" account
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure RAM policies that allow full '*:*'' administrative privileges are not created
Ensure No Custom Subscription Administrator Roles Exist
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Users Should Have Multi-Factor Authentication (MFA/2SV)
Ensure MFA is configured with strong factors
Ensure there are no weak password policies
A.8.7: Protection against malware
Requires ensuring protection against malware.
Mapped controls
Ensure Microsoft Defender for Servers is set to 'On'
Ensure Microsoft Defender for App Services is set to 'On`
Ensure Microsoft Defender for Azure SQL databases is set to 'On'
Ensure Microsoft Defender for SQL Servers on machines is set to 'On'
Ensure Microsoft Defender for Open-Source Relational Databases is set to 'On'
Ensure Microsoft Defender for Storage is set to 'On'
Ensure Microsoft Defender for Azure Cosmos DB is set to 'On'
Ensure Microsoft Defender for Key Vault is set to 'On'
[LEGACY] Ensure Microsoft Defender for DNS Is Set To 'On'
Ensure Microsoft Defender for Resource Manager is set to 'On'
Ensure 'Endpoint protection' component status is set to 'On'
Ensure Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is selected
Ensure 'HTTPS Only' is set to 'On' for App Service
Ensure Web App is using the latest version of TLS encryption
Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
A.8.8: Management of technical vulnerabilities
Requires addressing the risk posed by technical vulnerabilities in the information systems being used by the organization.
Mapped controls
Ensure AWS Inspector is configured for EC2 Instances
Ensure 'Additional email addresses' is configured with a security contact email
Ensure that 'Notify about alerts with the following severity' is set to 'High'
Ensure security alert emails for subscription owners are enabled
A.8.9: Configuration management
A.8.12: Data leakage prevention
A.8.13: Information backup
Requires defining a backup policy and making sure backups are created.
Mapped controls
A.8.15: Logging
Requires producing and storing logs of information security events.
Mapped controls
Ensure IAM password policy requires a minimum length of 14 or greater
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure access keys are rotated every 90 days or less
Ensure IAM Users receive permissions only through Groups
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure rotation for customer-created symmetric CMKs is enabled
Ensure VPC flow logging is enabled in all VPCs
Ensure that Object-level logging for write events is enabled for S3 bucket
Ensure that Object-level logging for read events is enabled for S3 bucket
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for AWS Organizations changes
Ensure Access Logs is Enabled for ELB
Ensure that there are only GCP-managed service account keys for each service account
Ensure Service Account has no Admin privileges
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure Cloud Audit Logging is configured properly across all services and all users from a project
Ensure sinks are configured for all Log entries
Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock
Ensure log metric filter and alerts exist for Project Ownership assignments/changes
Ensure log metric filter and alerts exist for Audit Configuration Changes
Ensure log metric filter and alerts exist for Custom Role changes
Ensure log metric filter and alerts exist for VPC Network Firewall rule changes
Ensure log metric filter and alerts exist for VPC network route changes
Ensure log metric filter and alerts exist for VPC network changes
Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes
Ensure log metric filter and alerts exist for SQL instance configuration changes
Ensure VPC Flow logs is enabled for every subnet in a VPC Network
Ensure instances are not configured to use the default service account
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure "Block Project-wide SSH keys" is enabled for VM instances
Ensure oslogin is enabled for a Project
Ensure the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'On'
Ensure the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'On'
Ensure the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (Disabled)
Ensure access keys are rotated every 90 days or less
Ensure RAM password policy requires at least one uppercase letter
Ensure RAM password policy requires at least one lowercase letter
Ensure RAM password policy requires at least one symbol
Ensure RAM password policy requires at least one number
Ensure RAM password policy requires a minimum length of 14 or greater
Ensure RAM password policy expires passwords within 90 days or less
Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Ensure RAM policies are attached only to groups or roles
Ensure the OSS used to store ActionTrail logs is not publicly accessible
Ensure that logging is enabled for OSS buckets
Ensure Microsoft Defender for Servers is set to 'On'
Ensure Microsoft Defender for App Services is set to 'On`
Ensure Microsoft Defender for Azure SQL databases is set to 'On'
Ensure Microsoft Defender for SQL Servers on machines is set to 'On'
Ensure Microsoft Defender for Open-Source Relational Databases is set to 'On'
Ensure Microsoft Defender for Storage is set to 'On'
Ensure Microsoft Defender for Azure Cosmos DB is set to 'On'
Ensure Microsoft Defender for Key Vault is set to 'On'
[LEGACY] Ensure Microsoft Defender for DNS Is Set To 'On'
Ensure Microsoft Defender for Resource Manager is set to 'On'
Ensure 'Endpoint protection' component status is set to 'On'
Ensure Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is selected
Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Ensure 'Auditing' is set to 'On' for SQL Servers
Ensure 'Auditing' Retention is greater than 90 days for SQL Servers
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
[LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
[LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Ensure Diagnostic Setting captures appropriate categories
Ensure logging for Azure Key Vault is 'Enabled'
Ensure that Activity Log Alert exists for Create Policy Assignment
Ensure that Activity Log Alert exists for Delete Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Network Security Group
Ensure that Activity Log Alert exists for Delete Network Security Group
Ensure that Activity Log Alert exists for Create or Update Security Solution
Ensure that Activity Log Alert exists for Delete Security Solution
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Ensure the Expiration Date is set for Key Vault Secrets
Ensure App Service Authentication is set up for apps in Azure App Service
Ensure there is only one active access key available for any single IAM user
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure a support role has been created to manage incidents with AWS Support
Ensure that IAM Access analyzer is enabled for all regions
Ensure a log metric filter and alarm exist for unauthorized API calls
Ensure RAM policies that allow full '*:*'' administrative privileges are not created
Ensure Anti-DDoS access and security log service is enabled
Ensure Web Application Firewall access and security log service is enabled
Ensure No Custom Subscription Administrator Roles Exist
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure ECS clusters use Container Insights
Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud SQL PostgreSQL instance is set to 'on' for centralized logging
Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
Ensure Cloud DNS Logging Is Enabled for All VPC Networks
Ensure Logging is enabled for HTTP(S) Load Balancers
A.8.16: Monitoring activities
Mapped controls
A.8.18: Use of privileged utility programs
Requires controlling the use of certain utility programs.
Mapped controls
Ensure there is only one active access key available for any single IAM user
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure instances are not configured to use the default service account
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure RAM policies that allow full '*:*'' administrative privileges are not created
Ensure No Custom Subscription Administrator Roles Exist
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
A.8.20: Networks security
Requires ensuring the protection of networks.
Mapped controls
Ensure databases have TLS 1.2 or newer enabled
Ensure management ports are restricted from the internet
Ensure databases are not publicly accessible
Ensure disks are not publicly accessible
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
Ensure S3 Bucket Policy is set to deny HTTP requests
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure Application Load Balancer uses HTTPS Listener
Ensure Network Load Balancer uses TLS Listener
Ensure weak TLS Protocols are not used for ELB
Ensure VPC Flow logs is enabled for every subnet in a VPC Network
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure oslogin is enabled for a Project
Ensure Compute instances are launched with Shielded VM enabled
Ensure Compute instances do not have public IP addresses
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure Cloud SQL database instances do not have public IPs
Ensure the default firewall does not have any default rules besides http and https
Ensure RDS instances require all incoming connections to use SSL
Ensure that RDS instances are not open to the world
Ensure 'Secure transfer required' is set to 'Enabled'
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure Key Vaults are Recoverable
Ensure the Expiration Date is set for Key Vault Secrets
Ensure App Service Authentication is set up for apps in Azure App Service
Ensure 'HTTPS Only' is set to 'On' for App Service
Ensure Web App is using the latest version of TLS encryption
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure Web App Uses HTTP 2.0
Ensure ECS services don't have public IP addresses assigned to them automatically
Ensure App Engine Applications Enforce HTTPS Connections
A.8.22: Segregation of networks
Requires ensuring proper network segregation.
Mapped controls
Ensure management ports are restricted from the internet
Ensure a support role has been created to manage incidents with AWS Support
Ensure that IAM Access analyzer is enabled for all regions
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure AMIs Are Private
Ensure RDS Instances accept traffic only from the Application Servers
Ensure EC2 Instances are deployed in a VPC
Ensure RDS instances are not publicly reachable
Ensure S3 bucket policy does not grant Allow permission to everyone
Ensure unencrypted LDAP port (389) is not exposed to the internet
Ensure that Elasticsearch database is not exposed to the internet (ports 9200 and/or 9300)
Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
Ensure firewall rule does not allow all traffic for Oracle DB (port 1521)
Ensure firewall rule does not allow all traffic for MongoDB (port 27017)
Ensure firewall rule does not allow all traffic for MySQL (port 3306)
Ensure firewall rule does not allow all traffic for PostgreSQL DB (port 5432)
Ensure firewall rule does not allow all traffic on port 80
Ensure firewall rule does not allow all traffic on all ports
Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
Ensure UDP access from the Internet is evaluated and restricted
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
A.8.24: Use of cryptography
Requires defining a policy regarding the use of cryptographic controls for information security.
Mapped controls
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
Ensure all S3 buckets employ encryption-at-rest
Ensure EBS encryption by default is enabled
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure data stored in SNS Topics is encrypted
Ensure Kinesis Data Streams use encryption at rest
Ensure RDS instances use encrypted volumes
Ensure databases are encrypted
Ensure encryption keys don't have permissive access policies
Ensure encryption keys are not publicly accessible
Ensure KMSKeys are not exposed through publicly accessible VMs
Ensure in-use encryption keys are not scheduled for deletion
Ensure encryption keys are not expiring within the next 14 days
Ensure encryption keys are rotated
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure oslogin is enabled for a Project
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Ensure Compute instances are launched with Shielded VM enabled
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure that 'Unattached disks' are encrypted
Ensure that 'Virtual Machine's disk' are encrypted
Ensure server-side encryption is set to 'Encrypt with Service Key'
Ensure server-side encryption is set to 'Encrypt with BYOK'
Ensure RDS instances require all incoming connections to use SSL
Ensure that 'TDE' is set to 'Enabled' for applicable database instances
Ensure 'Secure transfer required' is set to 'Enabled'
Ensure Storage for Critical Data Is Encrypted with Customer Managed Keys
Ensure 'Data encryption' is set to 'On' on SQL Databases
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Ensure SQL server's TDE protector is encrypted with Customer Managed Keys (CMK)
Ensure Virtual Machines are utilizing Managed Disks
Ensure that 'OS and Data' disks are encrypted with Customer Managed Keys (CMK)
Ensure that 'Unattached disks' are encrypted with Customer Managed Keys (CMK)
Ensure the Expiration Date is set for Key Vault Secrets
Ensure App Service Authentication is set up for apps in Azure App Service
Ensure Web App is using the latest version of TLS encryption
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
Ensure Azure Key Vaults are used to store secrets
Ensure Compute Instances have Confidential Computing Enabled
A.8.27: Secure system architecture and engineering principles
A.8.32: Change management
Requires controlling how changes that affect information security may happen in the organization.
Mapped controls
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for VPC changes
ECS Fargate services should run on the latest Fargate platform version
Query logic
These are the stored checks tied to this framework.
Eliminate use of the "root" user for administrative and daily tasks
Connectors
Covered asset types
Expected check: eq []
AWSIAM1 {...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMRoles
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}}IAM policies that allow full "*:*" administrative privileges are not attached to IAMUsers
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMGroups
Connectors
Covered asset types
Expected check: eq []
iamGroups(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}IAM Users receive permissions only through Groups
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {...AssetFragment}IAM password policy requires a minimum length of 14 or greater
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{minimumPasswordLength_LT:14}){...AssetFragment}Do not setup access keys during initial user setup for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{OR:[{accessKey1Active:true,accessKey1LastUsedDate:null}{accessKey2Active:true,accessKey2LastUsedDate: null }]}}){...AssetFragment}Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AWSIAM4{...AssetFragment}AWS IAMPolicies with support role
Connectors
Covered asset types
Expected check: eq []
{
AWSIAM16 {...AssetFragment}
}
IAM Access analyzer is enabled for all regions
Connectors
Covered asset types
Expected check: eq []
AWS140IAM20{...AssetFragment}AWS Config is enabled in all regions
Connectors
Covered asset types
Expected check: eq []
AWSLogging5{...AssetFragment}A log metric filter and alarm exist for Management Console sign-in without MFA
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.additionalEventData\\.MFAUsed\\s*!=\\s*[\"]?Yes[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for IAM policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachGroupPolicy[\"]?\\s*\\)\\s*\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Management Console authentication failures
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.errorMessage\\s*=\\s*[\"]?Failed authentication[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?kms\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableKey[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ScheduleKeyDeletion[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for S3 bucket policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?s3\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketReplication[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketReplication[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Config configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?config\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopConfigurationRecorder[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutConfigurationRecorder[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}There are only GCP-managed service account keys for each service account
Connectors
Covered asset types
Expected check: eq []
{iamServiceAccounts(where:{hasIAMServiceAccountKeys_SOME:{keyType: "USER_MANAGED"}}){...AssetFragment}}Ensure Service Account has no Admin privileges
Connectors
Covered asset types
Expected check: eq []
{
iamServiceAccounts(
where: {
hasIAMRole_SOME: {
OR: [
{ name: "roles/owner" }
{ name: "roles/editor" }
{ name_CONTAINS: "admin" }
]
}
}
) {
...AssetFragment
}
}IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Connectors
Covered asset types
Expected check: eq []
GCP110IAM6{...AssetFragment}User-managed/external keys for service accounts are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
GCPIAM5{...AssetFragment}Separation of duties is enforced while assigning service account related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountAdmin"
}
}
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountUser"
}
}
]
}
) {
...AssetFragment
}
}KMS encryption keys are rotated within a period of 90 days
Connectors
Covered asset types
Expected check: eq []
GCP110IAM10{...AssetFragment}Separation of duties is enforced while assigning KMS related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
OR: [
{ name: "roles/cloudkms.admin" }
{ name: "roles/owner" }
{ name: "roles/editor" }
]
}
}
{
hasIAMRole_SOME: {
OR: [
{ name: "roles/cloudkms.cryptoKeyEncrypterDecrypter" }
{ name: "roles/cloudkms.cryptoKeyEncrypter" }
{ name: "roles/cloudkms.cryptoKeyDecrypter" }
]
}
}
]
}
) {
...AssetFragment
}
}
Instances are not configured to use the default service account
Connectors
Covered asset types
Expected check: eq []
vms(where: {serviceAccountEmail_CONTAINS: "[email protected]"}) {...AssetFragment}Instances are not configured to use the default service account with full access to all Cloud APIs
Connectors
Covered asset types
Expected check: eq []
GCPVM1{...AssetFragment}"Block Project-wide SSH keys" is enabled for VM instances
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"block-project-ssh-keys" value:"false"}}){...AssetFragment}Oslogin is enabled for a Project
Connectors
Covered asset types
Expected check: eq []
projects(where:{hasCommonInstanceMetadataItem_SOME:{key:"os-login",value:"false"}}){...AssetFragment}Google Cloud Projects Without Asset Inventory
Connectors
Covered asset types
Expected check: eq []
{
projects(
where: { NOT: { enabledServices_INCLUDES: "cloudasset.googleapis.com" } }
) {
...AssetFragment
}
}Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AlibabaIAM6 {...AssetFragment}RAM password policy requires at least one uppercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireUppercaseCharacters: false}) {...AssetFragment}RAM password policy requires at least one lowercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireLowercaseCharacters: false}) {...AssetFragment}RAM password policy requires at least one symbol
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireSymbols: false}) {...AssetFragment}RAM password policy requires at least one number
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireNumbers: false}) {...AssetFragment}RAM password policy requires a minimum length of 14 or greater
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { minimumPasswordLength_LT: 14}) {...AssetFragment}RAM password policy expires passwords within 90 days or less
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { maxPasswordAge_GT: 90 }) {...AssetFragment}RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { maxLoginAttempts_LT: 5 }) {...AssetFragment}RAM policies are attached only to groups or roles
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { iamPolicies_SOME: { idFromProvider_NOT: null } }) {...AssetFragment}Azure Custom Subscription Administrator Roles
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
iamRoles(
where: {
type: "CustomRole"
permissions_INCLUDES: "*"
assignableScopes_INCLUDES: $subscriptionResourceId
}
) {
...AssetFragment
}
}Storage accounts with the default action not set to Deny
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { networkRuleSetDefaultAction: "Deny" } }) {
...AssetFragment
}
}Azure Key Vault secrets without expiration date
Connectors
Covered asset types
Expected check: eq []
{
kmsSecrets(where: { expires: "0000-01-01T00:00:00.000Z" }) {
...AssetFragment
}
}Enable role-based access control (RBAC) within Azure Kubernetes Services
Connectors
Covered asset types
Expected check: eq []
{aksClusters(where:{enableRBAC_NOT:true}){...AssetFragment}}Azure App Services without authentication
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { authSettings: { enabled: true } }) {
...AssetFragment
}
}The web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Connectors
Covered asset types
Expected check: eq []
{sites(where:{clientCertEnabled_NOT:true}){...AssetFragment}}Entra with permissive guest user restrictions
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: {
NOT: { guestUserRoleId: "2af84b1e-32c8-42b7-82bc-daa82404023b" }
}
}
) {
...AssetFragment
}
}Azure app services allowing plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { httpsOnly: false }) {
...AssetFragment
}
}Azure app services allowing old TLS
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { NOT: { minTlsVersion_IN: ["1.2", "1.3"] } } }) {
...AssetFragment
}
}All the expired SSL/TLS certificates stored in AWS IAM are removed
Connectors
Covered asset types
Expected check: eq []
AWS130IAM19 {...AssetFragment}No HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: {OR: [
{httpsProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
{sslProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
]}){
...AssetFragment
}
}
VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Connectors
Covered asset types
Expected check: eq []
disks(where:{encryptedWithCustomerSuppliedKey: false }){...AssetFragment}GCP VMs with security features disabled
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
OR: [
{ shieldedInstanceConfigEnableVtpm: false }
{ shieldedInstanceConfigEnableSecureBoot: false }
{ shieldedInstanceConfigEnableIntegrityMonitoring: false }
]
}
) {
...AssetFragment
}
}Compute instances do not have public IP addresses
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
}
) {
...AssetFragment
}
}The 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "mysql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "local_infile" } } { dbFlags_SOME: { name: "local_infile", value: "on" } } ] } ) { ...AssetFragment }}Cloud SQL database instances require all incoming connections to use SSL
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsIPConfigurationRequireSsl:false}){...AssetFragment}Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
networkSettings_SOME: {
authorizedNetworks_SOME: {
OR: [{ cidrValue: "0.0.0.0/0" }, { cidrValue: "::/0" }]
}
}
}
) {
...AssetFragment
}
}Cloud SQL database instances do not have public IPs
Connectors
Covered asset types
Expected check: eq []
{cloudSqlInstances(where:{instanceType:"CLOUD_SQL_INSTANCE",backendType:"SECOND_GEN",ipAddresses_SOME:{type:"PRIMARY"}}){...AssetFragment}}Server-side encryption is set to 'Encrypt with Service Key'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:null}]}){...AssetFragment}Server-side encryption is set to 'Encrypt with BYOK'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:{managementType:"ProviderManaged"}}]}){...AssetFragment}RDS instances require all incoming connections to use SSL
Connectors
Covered asset types
Expected check: eq []
AlibabaRDS2{...AssetFragment}RDS instances are not open to the world
Connectors
Expected check: eq []
dbInstances(where: { netInfo_SOME: { ipAddress: "0.0.0.0" } }) {...AssetFragment}Azure VMs with unmanaged disks
Connectors
Covered asset types
Expected check: eq []
{
vms(where: { diskAttachments_SOME: { NOT: { vhdURI: "" } } }) {
...AssetFragment
}
}The key vault is recoverable
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where:
{
OR: [
{enableSoftDelete_NOT: true }
{enablePurgeProtection_NOT: true }
] }
) {...AssetFragment}
}FunctionApps with secrets that are not keyvault references
Connectors
Covered asset types
Expected check: eq []
{
functionApps(
where: {
applicationConfig: {
settings_SOME: {
type: "AppService"
key_MATCHES: "(.*)(_*?)(key|pass|secret|salt|connectionstring|connection_string)(.*)"
}
}
}
) {...AssetFragment}
}Sites with secrets that are not keyvault references
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: {
applicationConfig: {
settings_SOME: {
type: "AppService"
key_MATCHES: "(.*)(_*?)(key|pass|secret|salt|connectionstring|connection_string)(.*)"
}
}
}
) {...AssetFragment}
}
Kubernetes Clusters are configured with Labels
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{tags:null}){...AssetFragment}AMIs Are Private
Connectors
Covered asset types
Expected check: eq []
{amis(where:{isPublic:true}){...AssetFragment}}RDS Instances accept traffic only from the Application Servers
Connectors
Covered asset types
Expected check: eq []
{ dbInstances(where: {securityGroups_SOME: {rules_SOME: {direction: "Inbound", OR: [{destToPort_NOT_IN: [3306, 5432, 1521, 1433, 27017]}, {OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}]}}}) {...AssetFragment}}EC2 Instances are deployed in a VPC
Connectors
Covered asset types
Expected check: eq []
{vms(where:{OR:[{vpcID:null},{vpcID:""}]}){...AssetFragment}}RDS instances are not publicly reachable
Connectors
Covered asset types
Expected check: eq []
{dbInstances(where:{publicAccessBlocked:false}){...AssetFragment}}S3 bucket policy does not grant Allow permission to everyone
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{AND:[{policyDocument_CONTAINS:"\"Effect\":\"Allow\""},{policyDocument_CONTAINS:"\"Principal\":\"*\""}]}){...AssetFragment}}Unencrypted LDAP port (389) is not exposed to the internet
Connectors
Covered asset types
Expected check: eq []
{securityGroups(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 389, destToPort_GTE: 389, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Potential Elasticsearch database exposed to the internet (ports 9200 and/or 9300)
Connectors
Covered asset types
Expected check: eq []
{ securityGroups(where: {vms_NOT: null, rules_SOME: {direction: "Inbound", AND: [{OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}, {OR: [{destFromPort_LTE: 9200, destToPort_GTE: 9200}, {destFromPort_LTE: 9300, destToPort_GTE: 9300}]}]}}) {...AssetFragment}}Firewall rule does not allow all traffic for Oracle DB (port 1521)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 1521, destToPort_GTE: 1521, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic for MongoDB (port 27017)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 27017, destToPort_GTE: 27017, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic for MySQL (port 3306)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 3306, destToPort_GTE: 3306, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic for PostgreSQL DB (port 5432)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 5432, destToPort_GTE: 5432, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic on port 80
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 80, destToPort_GTE: 80, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic on all ports
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 0, destToPort_GTE: 65535, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Publicly Accessible AWS Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "aws"
publicAccessBlocked: false
OR: [
{
hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
{
granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
}
]
permission_IN: ["READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"]
}
}
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "s3:GetObject" }
{ actions_INCLUDES: "s3:ListObjects" }
{ actions_INCLUDES: "s3:ListObjectsV2" }
{ actions_INCLUDES: "s3:PutObject" }
{ actions_INCLUDES: "s3:PutObjectAcl" }
{ actions_INCLUDES: "s3:CreateMultipartUpload" }
{ actions_INCLUDES: "s3:UploadPart" }
{ actions_INCLUDES: "s3:DeleteObject" }
{ actions_INCLUDES: "s3:DeleteObjects" }
{ actions_INCLUDES: "s3:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "AWS|*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Readable Azure Blob Containers
Connectors
Covered asset types
Expected check: eq []
{
blobContainers(
where: {
cloudProvider: "azure"
publicAccessBlocked: false
publicAccess_IN: ["Blob", "Container"]
}
) {...AssetFragment}
}
Publicly Accessible Google Cloud Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "gcp"
publicAccessBlocked: false
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allUsers" }
{ members_INCLUDES: "allAuthenticatedUsers" }
]
role: {
OR: [
{ permissions_INCLUDES: "storage.objects.get" }
{ permissions_INCLUDES: "storage.objects.list" }
{ permissions_INCLUDES: "storage.objects.create" }
{ permissions_INCLUDES: "storage.objects.delete" }
{ permissions_INCLUDES: "storage.objects.update" }
{ permissions_INCLUDES: "storage.objects.*" }
{ permissions_INCLUDES: "storage.objects.setIamPolicy" }
{
permissions_INCLUDES: "storage.multipartUploads.create"
}
{ permissions_INCLUDES: "storage.multipartUploads.*" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Alibaba Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "alibaba"
publicAccessBlocked: false
OR: [
{ acl_IN: ["public-read", "public-read-write"] }
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "oss:GetObject" }
{ actions_INCLUDES: "oss:PutObject" }
{ actions_INCLUDES: "oss:PutObjectAcl" }
{ actions_INCLUDES: "oss:ListObjects" }
{ actions_INCLUDES: "oss:GetObjectVersion" }
{ actions_INCLUDES: "oss:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly accessible SQS queues
Connectors
Covered asset types
Expected check: eq []
{ sqsQueues(where: { policyDocument: { statements_SOME: { AND: [ { effect: "Allow" }, { OR: [ { principals_INCLUDES: "" }, { principals_INCLUDES: "*" }, { principals_INCLUDES: "AWS|*" }, ] } ] } } }) {...AssetFragment} }Publicly Accessible PubSub Subscriptions
Connectors
Covered asset types
Expected check: eq []
{ pubSubSubscriptions( where: { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ) {...AssetFragment} } Publicly Accessible PubSub Topics
Connectors
Covered asset types
Expected check: eq []
{ pubSubTopics( where: { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ) {...AssetFragment} } S3 Buckets are configured with 'Block public access (bucket settings)'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { publicAccessBlocked: false }) {...AssetFragment}The S3 bucket used to store CloudTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { trails_NOT: null publicAccessBlocked: false OR: [ { hasBucketACLGrant_SOME: { OR: [ { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" } { granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" } ] } } { AND: [ { policyDocument_MATCHES: ".+\"Effect\":\"Allow\".+" } { policyDocument_MATCHES: ".+\"Principal\":\"*\".+" } ] } ] } ) {...AssetFragment}}A log metric filter and alarm exist for security group changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateSecurityGroup[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteSecurityGroup[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Organizations changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?organizations\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeclineHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?InviteAccountToOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?LeaveOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?MoveAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RemoveAccountFromOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateOrganizationalUnit[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}The default security group of every VPC restricts all traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(where: { groupName: "default", NOT: { rules_SOME: null } }) {
...AssetFragment
}
}IAM Users that are inactive for 30 days or more are deactivated
Connectors
Covered asset types
Expected check: eq []
{AWSIAM20{...AssetFragment}}Cloud KMS cryptokeys are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{OR:[{policyDocument_CONTAINS:"allUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}Cloud Storage buckets have uniform bucket-level access enabled
Connectors
Covered asset types
Expected check: eq []
buckets(where:{iamConfigurationUniformBucketLevelAccessEnabled:false}){...AssetFragment}The 'cross db ownership chaining' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "sqlserver" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "cross db ownership chaining" } } { dbFlags_SOME: { name: "cross db ownership chaining", value: "on" } } ] } ) { ...AssetFragment }}The 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "sqlserver" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "contained database authentication" } } { dbFlags_SOME: { name: "contained database authentication" value: "on" } } ] } ) { ...AssetFragment }}BigQuery datasets are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}The OSS used to store ActionTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets(where: {OR: [ {acl: "public-read"}, {acl: "public-read-write"}], trails_NOT: null}){...AssetFragment}}Azure IAM Custom roles with lock permission
Connectors
Covered asset types
Expected check: eq []
{
AzureConnectorsWithoutCustomLockRoles{
...AssetFragment
}
}Azure Storage Accounts Allowing Blob Public Access
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { allowBlobPublicAccess: true }) {
...AssetFragment
}
}Check if Amazon ECS task definitions should have secure networking modes and user definitions
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(
where: {
networkMode: "host", task_NOT: null,
OR:[
{containerSpecs_SOME: { privileged: true }},
{containerSpecs_SOME: { user_CONTAINS: "root" }}
] }
) {...AssetFragment}
}
ECS services should not have public IP addresses assigned to them automatically
Connectors
Covered asset types
Expected check: eq []
{
ecsServices(where: {hasECSServiceNetworkConfigurations_SOME: { assignPublicIP: true}}) {...AssetFragment}
}ECS containers should run as non-privileged
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(where: {AND: [
{
task_NOT: null
},
{
containerSpecs_SOME: {
privileged: true
}
}
]}) {...AssetFragment}
}ECS containers should be limited to read-only access to root filesystems
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(where: {task_NOT: null, containerSpecs_SOME: { readOnlyRootFS: false }}) {...AssetFragment}
}Check if secrets are passed as ENV vars on ECS Task Definitions
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(
where: {
task_NOT: null,
containerSpecs_SOME: {
envEntries_SOME: {
key_IN: [
"AWS_ACCESS_KEY_ID"
"AWS_SECRET_ACCESS_KEY"
"ECS_ENGINE_AUTH_DATA"
]
}
}
}
) {...AssetFragment}
}
Ensure Instance IP assignment is set to private
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
ipAddresses_SOME: { NOT: { type: "PRIVATE" } }
}
) {
...AssetFragment
}
}Managed IAM Policies are used instead of Inline Policies
Connectors
Covered asset types
Expected check: eq []
{AWSIAM8{...AssetFragment}}IAM Role can be assumed only by specific Principals
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{hasIAMAssumeRolePolicyStatement_SOME:{hasIAMAssumeRolePolicyPrincipal_SOME:{value:"*"}}}){...AssetFragment}}AWS Lambda functions do not share the same AWS IAM execution role
Connectors
Covered asset types
Expected check: eq []
{AWSIAM21{...AssetFragment}}MFA is enabled for the "root" account
Connectors
Covered asset types
Expected check: eq []
AWSIAM13{...AssetFragment}Hardware MFA is enabled for the "root" account (Hardware MFA)
Connectors
Covered asset types
Expected check: eq []
AWSIAM14{...AssetFragment}IAM password policy prevents password reuse (24 times)
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{passwordReusePrevention_LT:24}){...AssetFragment}There is only one active access key available for any single IAM user
Connectors
Covered asset types
Expected check: eq []
AWS130IAM13 {...AssetFragment}RAM policies that allow full '*:*'' administrative privileges are not created
Connectors
Covered asset types
Expected check: eq []
iamPolicies(where: { policyType: "Custom", iamPolicyStatements_SOME: { effect: "Allow", actions_INCLUDES: "*" } }) {...AssetFragment}
Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'On'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "mysql"
cloudProvider: "gcp"
OR: [
{ dbFlags_NONE: { name: "skip_show_database" } }
{ dbFlags_SOME: { name: "skip_show_database", value: "off" } }
]
}
) {
...AssetFragment
}}Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
dbFlags_SOME: { name: "user options" }
}
) {
...AssetFragment
}
}Data stored in SNS Topics is encrypted
Connectors
Covered asset types
Expected check: eq []
{snsTopics(where:{hasSNSTopicAttribute_NONE:{key:"KmsMasterKeyId",OR:[{value_NOT:null},{value_NOT:""}]}}){...AssetFragment}}Encrypted storage is used for VMs that might host a database
Connectors
Covered asset types
Expected check: eq []
{vms(where:{diskAttachments_SOME:{disk:{encrypted:false}},OR:[{name_MATCHES:"(?i).*database.*"},{name_MATCHES:"(?i).*db.*"},{name_MATCHES:"(?i).*mariadb.*"},{name_MATCHES:"(?i).*postgres.*"},{name_MATCHES:"(?i).*oracle.*"},{name_MATCHES:"(?i).*sql.*"}]}){...AssetFragment}}Kinesis Data Streams use encryption at rest
Connectors
Covered asset types
Expected check: eq []
{kinesisDataStreams(where:{encryptionType:"NONE"}){...AssetFragment}}Buckets without versioning enabled
Connectors
Covered asset types
Expected check: eq []
{ objectContainers (where: {versioningEnabled: false}) {...AssetFragment} } MFA Delete is enabled on S3 buckets
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{bucketVersioningMFADelete:false}){...AssetFragment}}S3 bucket ACL grants permissions only to specific AWS accounts
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{hasBucketACLGrant_SOME: {granteeType_NOT:"CanonicalUser"}}){...AssetFragment}}The default firewall does not have any default rules besides http and https
Connectors
Covered asset types
Expected check: eq []
{GCPNetworking7{...AssetFragment}}AWS Root users with access key
Connectors
Covered asset types
Expected check: eq []
{
rootUsers(
where: {
hasIAMUserCredentials: {
OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
}
}
) {
connector {...AssetFragment}
}
}
Basic/primitive roles are not used
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
hasIAMRole_SOME: {
name_IN: ["roles/viewer", "roles/editor", "roles/owner"]
}
}
) {
...AssetFragment
}
}Avoid the use of the 'root' account
Connectors
Covered asset types
Expected check: eq []
AlibabaIAM1{...AssetFragment}Entra with permissive guest invite restrictions
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: {
NOT: { allowInvitesFrom: "adminsAndGuestInviters" }
}
}
) {
...AssetFragment
}
}Azure connectors without security contact additional email addresses
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { email: null } }
{ securityContacts_SOME: { email: "" } }
]
}
) {
...AssetFragment
}
}Azure connectors without subscription owner notifications
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { notificationByRoleState: "Off" } }
{
NOT: {
securityContacts_SOME: { notificationRoles_INCLUDES: "Owner" }
}
}
]
}
) {
...AssetFragment
}
}ECS task definitions should not share the host's process namespace
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(where: {pidMode_MATCHES: "host", task_NOT: null}) {...AssetFragment}
}A log metric filter and alarm exist for usage of "root" account
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\$\\.userIdentity\\.type\\s*=\\s*[\"]?Root[\"]?\\s*\\&\\&\\s*\\s*\\$\\.userIdentity\\.invokedBy\\s*NOT\\s*EXISTS\\s*\\&\\&\\s*\\$\\.eventType\\s*!=\\s*[\"]?AwsServiceEvent\\s*[\"]?\\s*.*"){...AssetFragment}No Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Connectors
Covered asset types
Expected check: eq []
{sqlServers(where:{firewallRules_SOME:{startIpAddress_CONTAINS:"0.0.0.0"}}){...AssetFragment}}Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}Google Cloud IAMUsers Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
...AssetFragment
}
}Entra Users Without MFA With Access to Azure
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}Multi-factor authentication is enabled for all RAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}Entra users without mfa
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false }) {
...AssetFragment
}
}MFA is configured with strong factors
Connectors
Covered asset types
Expected check: eq []
oktaPolicies(where: { type: "MFA_ENROLL", OR:[{allowedFactors_INCLUDES: "phone_number"}, {allowedFactors_INCLUDES: "security_question"}, {allowedFactors_INCLUDES: "okta_email"}]}) {...AssetFragment}There are no weak password policies
Connectors
Covered asset types
Expected check: eq []
passwordPolicies(where: { OR:[{minLength_LT: 14}, {minLowerCase_LT: 1}, {minUpperCase_LT: 1}, {minNumber_LT: 1}, {minSymbol_LT: 1}, {reuseCount_LT: 1}]}) {...AssetFragment}Azure subscriptions without Microsoft Defender for Servers
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "VirtualMachines", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for App Services
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "AppServices", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Azure SQL
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "SqlServers", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for SQL Servers on Machines
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
pricing_SOME: { name: "SqlServerVirtualMachines", pricingTier: "Free" }
}
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Open-Source Relational Databases
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
pricing_SOME: {
name: "OpenSourceRelationalDatabases"
pricingTier: "Free"
}
}
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Storage
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "StorageAccounts", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Cosmos DB
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "CosmosDbs", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Key Vault
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "KeyVaults", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for DNS
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Dns", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Resource Manager
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Arm", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure subscriptions with WDATP (endpoint protection) disabled
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { dataExportSettings_SOME: { name: "WDATP", enabled: false } }
) {
...AssetFragment
}
}Azure subscriptions with MCAS disabled
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { dataExportSettings_SOME: { name: "MCAS", enabled: false } }
) {
...AssetFragment
}
}Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
dbFlags_SOME: { name: "external scripts enabled",value: "on" }
}
) {
...AssetFragment
}
}AWS Inspector is configured for EC2 Instances
Connectors
Covered asset types
Expected check: eq []
{vms(where:{inspectorEnabled:false}){...AssetFragment}}Azure connectors without notifications for high alerts
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { alertNotifications: false } }
]
}
) {
...AssetFragment
}
}Cloud SQL database instances are configured with automated backups
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsBackupConfigurationEnabled:false}){...AssetFragment}Azure Storage Accounts Without Soft Delete
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ blobServiceDeletePolicyEnabled: false }
{ blobServiceDeletePolicyDays: 0 }
{ containerDeleteRetentionPolicyEnabled: false }
{ containerDeleteRetentionPolicyDays: 0 }
]
}
) {
...AssetFragment
}
}AWS Multi-region cloud trails with logging enabled
Connectors
Covered asset types
Expected check: eq []
{
AWSLogging1 {...AssetFragment}
}
CloudTrail log file validation is enabled
Connectors
Covered asset types
Expected check: eq []
trails(where:{logFileValidationEnabled:false}){...AssetFragment}CloudTrail trails are integrated with CloudWatch Logs
Connectors
Covered asset types
Expected check: eq []
AWSLogging4{...AssetFragment}S3 bucket access logging is enabled on the CloudTrail S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{trails_NOT: null, loggingEnabled:false}){...AssetFragment}}CloudTrail logs are encrypted at rest
Connectors
Covered asset types
Expected check: eq []
trails(where:{kmsKeyID:""}){...AssetFragment}Rotation for customer created CMKs is enabled
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{automaticRotationEnabled:false, managementType:"CustomerManaged"}){...AssetFragment}VPC flow logging is enabled in all VPCs
Connectors
Covered asset types
Expected check: eq []
vpcs(where: {OR: [{hasFlowLog: null}, {hasFlowLog_NONE: {flowLogStatus: "ACTIVE"}}]}){...AssetFragment}Object-level logging for write events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "WriteOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}Object-level logging for read events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "ReadOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}A log metric filter and alarm exist for CloudTrail configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StartLogging[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopLogging[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to network gateways
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachInternetGateway[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for route table changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRouteTableAssociation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisassociateRouteTable[\"]?\\s*\\)\\s*.*"){...AssetFragment}Access Logs is Enabled for ELB
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"application",hasLoadBalancerAttribute_NONE:{key:"access_logs.s3.enabled",value:"true"}}){...AssetFragment}}Cloud Audit Logging is configured properly across all services and all users from a project
Connectors
Covered asset types
Expected check: eq []
GCPLogging1{...AssetFragment}Sinks are configured for all Log entries
Connectors
Covered asset types
Expected check: eq []
GCPLogging2{...AssetFragment}Retention policies on log buckets are configured using Bucket Lock
Connectors
Covered asset types
Expected check: eq []
logBuckets(where:{locked:false}){...AssetFragment}Log metric filter and alerts exist for Project Ownership assignments/changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging4{...AssetFragment}Log metric filter and alerts exist for Audit Configuration Changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging5{...AssetFragment}Log metric filter and alerts exist for Custom Role changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging6{...AssetFragment}Log metric filter and alerts exist for VPC Network Firewall rule changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging7{...AssetFragment}Log metric filter and alerts exist for VPC network route changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging8{...AssetFragment}Log metric filter and alerts exist for VPC network changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging9{...AssetFragment}Log metric filter and alerts exist for Cloud Storage IAM permission changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging10{...AssetFragment}Log metric filter and alerts exist for SQL instance configuration changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging11{...AssetFragment}VPC Flow logs is enabled for every subnet in a VPC Network
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{hasSubnetwork_SOME:{enableFlowLogs:false}}){...AssetFragment}The 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "log_connections" } } { dbFlags_SOME: { name: "log_connections", value: "off" } } ] } ) { ...AssetFragment }}The 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "log_disconnections" } } { dbFlags_SOME: { name: "log_disconnections", value: "off" } } ] } ) { ...AssetFragment }}The 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" dbFlags_SOME: { name: "log_min_duration_statement", NOT: { value: "-1" } } } ) { ...AssetFragment }}Logging is enabled for OSS buckets
Connectors
Covered asset types
Expected check: eq []
buckets(where:{ loggingEnabled: false }){...AssetFragment}Azure storage accounts without queue service diagnostic settings logging
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isQueueServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}Storage Accounts without Blob Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isBlobServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}Azure SQL Servers without auditing
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(where: { blobAuditingPolicies_NONE: { state: "Enabled" } }) {
...AssetFragment
}
}Azure SQL Servers with audit retention lesser than 90 days
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
blobAuditingPolicies_NONE: {
state: "Enabled"
OR: [{ retentionDays: 0 }, { retentionDays_GT: 90 }]
}
}
) {
...AssetFragment
}
}Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{configurations_NONE:{name:"log_checkpoints",value_MATCHES:"(?i)on"}},){...AssetFragment}}Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
configurations_SOME: { name: "log_connections", value_MATCHES: "(?i)off" }
}
) {
...AssetFragment
}
}Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
configurations_SOME: {
name: "log_disconnections"
value_MATCHES: "(?i)off"
}
}
) {
...AssetFragment
}
}Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{configurations_NONE:{name:"connection_throttling", value_MATCHES:"(?i)on"}}){...AssetFragment}}Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{configurations_SOME:{name:"log_retention_days", value_MATCHES:"[0-3]"}}){...AssetFragment}}Diagnostic Setting captures appropriate categories
Connectors
Covered asset types
Expected check: eq []
{subscriptionDiagnosticSettings(where:{logSettings_SOME:{category_IN:["Administrative","Alert","Policy","Security"],enabled:false}},){...AssetFragment}}Key Vaults without Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where: {
OR: [
{ loggingEnabled: false }
{
diagnosticSettings_SOME: {
resourceType: "Microsoft.KeyVault/vaults"
logs_SOME: {
enabled: false
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
) {
...AssetFragment
}
}Activity Log Alert exists for Create Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/write"){...AssetFragment}}Activity Log Alert exists for Delete Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/delete"){...AssetFragment}}Activity Log Alert exists for Create or Update Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/write"){...AssetFragment}}Activity Log Alert exists for Delete Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/delete"){...AssetFragment}}Activity Log Alert exists for Create or Update Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/write"){...AssetFragment}}Activity Log Alert exists for Delete Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/delete"){...AssetFragment}}Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/write"){...AssetFragment}}Activity Log Alert exists for Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/delete"){...AssetFragment}}A log metric filter and alarm exist for unauthorized API calls
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?\\*UnauthorizedOperation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?AccessDenied\\*[\"]?\\s*\\)\\s*.*"){...AssetFragment}Alibaba IAM account summaries with Anti-DDos log service enabled
Connectors
Covered asset types
Expected check: eq []
{
iamAccountSummaries(
where: {
hasIAMAccountSummaryItem_SOME: { key: "antiDDoSHasLogStore", value: 1 }
}
) {
connector {...AssetFragment}
}
}
Web Application Firewall access and security log service is enabled
Connectors
Covered asset types
Expected check: eq []
domains(where: { OR: [ {slsLogActive: false}, {wafActive: false} ] }) {...AssetFragment}ECS clusters should use Container Insights
Connectors
Covered asset types
Expected check: eq []
{
ecsClusters(where: {hasECSSettings_NONE: {
key: "containerInsights",
value: "enabled"
}}) {...AssetFragment}
}Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_error_verbosity", value: "verbose" }
}
) {
...AssetFragment
}
}Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_NONE: { name: "log_statement" }
}
) {
...AssetFragment
}
}Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_min_error_statement", NOT: {value_IN: ["error", "log", "fatal", "panic"]} }
}
) {
...AssetFragment
}
}Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud Sql Postgresql instance is set to 'on' for centralized logging
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "cloudsql.enable_pgaudit" }}, {dbFlags_SOME: {name: "cloudsql.enable_pgaudit", value: "off"}}]
}
) {
...AssetFragment
}
}Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "3625" }}, {dbFlags_SOME: {name: "3625", value: "off"}}]
}
) {
...AssetFragment
}
}Google Cloud VPCs without DNS logging
Connectors
Covered asset types
Expected check: eq []
{
vpcs(where: { dnsPolicy_NONE: { NOT: { enableLogging_IN: ["true"] } } }) {
...AssetFragment
}
}Google Cloud Load Balancers without logging
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: { backendServices_ALL: { NOT: { logConfigEnabled: true } } }
) {
...AssetFragment
}
}Publicly Accessible Alibaba ApsaraDB Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { AND: [ { publicAccessBlocked: false } { whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible RDS with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { AND: [ { publicAccessBlocked: false } { securityGroups_SOME: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } { OR: [ { tlsStatus: "" } { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Google Cloud Cloud SQL Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
AND: [
{ publicAccessBlocked: false }
{
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
{
OR: [
{ tlsStatus: "" }
{ tlsStatus: "disabled" }
{ tlsMinimumVersion_LT: 1.2 }
]
}
]
}
) {
...AssetFragment
}
} Publicly Accessible Azure MySQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure MySQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} }Publicly Accessible Azure PostgreSQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure MariaDB Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers (
where: {
AND: [
{ publicAccessBlocked: false }
{
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
{ OR: [{ tlsStatus: "disabled" }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}Publicly Accessible Azure SQL Databases with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
AND: [
{ publicAccessBlocked: false }
{
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
{ OR: [{ tlsStatus: "disabled" }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}Security Groups with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}Firewalls with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
Publicly Accessible Google Cloud Cloud SQL Instances
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
) {
...AssetFragment
}
} Publicly Accessible Azure MySQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure MySQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Alibaba ApsaraDB Instances
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { publicAccessBlocked: false whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } ) {...AssetFragment} } Publicly Accessible Azure SQL Databases
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
) {...AssetFragment}
}
Publicly Accessible RDS Clusters
Connectors
Covered asset types
Expected check: eq []
{
dbClusters(
where: {
dbInstances_SOME: {
publicAccessBlocked: false
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
}
) {...AssetFragment}
}
Publicly Accessible Azure MariaDB Servers
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(
where: {
publicAccessBlocked: false
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
) {...AssetFragment}
}Publicly Accessible AWS RDS Instance
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
publicAccessBlocked: false
dbCluster: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Disks for AWS/Alibaba
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
publicIpAddress_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
diskAttachments {
disk {...AssetFragment}
}
}
}
Publicly Accessible Disks for Azure
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: {
publicIp_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
}
) {
diskAttachments {
disk {...AssetFragment}
}
}
}
Publicly Accessible Disks for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
firewalls_SOME: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
diskAttachments {
disk {
...AssetFragment
}
}
}
}S3 Bucket Policy is set to deny HTTP requests
Connectors
Covered asset types
Expected check: eq []
buckets(where: {OR: [{policyDocument_MATCHES: "^((?!(?i)\"effect\":\"deny\").)*$"},{policyDocument_MATCHES: "^((?!(?i)\"Bool|aws:SecureTransport|false\").)*$"}]}) {...AssetFragment}No Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Connectors
Covered asset types
Expected check: eq []
networkAcls(where:{rules_SOME:{AND:[{direction:"Inbound"},{action:"Allow"},{OR:[{sources_INCLUDES:"cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]},{OR:[{destFromPort_LTE: 22, destToPort_GTE: 22}, {destFromPort_LTE: 3389, destToPort_GTE: 3389}]}]}}){...AssetFragment}Application Load Balancer uses HTTPS Listener
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"application",listensOnHTTPListener_NONE:{hasCertificate:true}}){...AssetFragment}}Network Load Balancer uses TLS Listener
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"network",listensOnHTTPListener_NONE:{hasCertificate:true}}){...AssetFragment}}Weak TLS Protocols are not used for ELB
Connectors
Covered asset types
Expected check: eq []
{loadBalancers( where: { scheme: "internet-facing", listensOnHTTPListener_SOME: { sslPolicy_IN: ["ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-02"] } } ) {...AssetFragment}}Azure storage accounts not enforcing HTTPS
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { supportsHttpsTrafficOnly: true } }) {
...AssetFragment
}
}'Allow access to Azure services' for PostgreSQL Database Server is disabled
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{firewallRules_SOME:,{OR:[{name_MATCHES:"(?i)allowallwindowsazureips"},{name_MATCHES:"(?i)allowallazureips"},{AND:[{startIPAddress:"0.0.0.0"},{endIPAddress:"0.0.0.0"}]}]}}){...AssetFragment}}Ensure 'Allow access to Azure services' for PostgreSQL Database Flexible Server is disabled
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers (where: {
firewallRules_SOME: {
OR: [
{ name_MATCHES: "(?i)allowallwindowsazureips" }
{ name_MATCHES: "(?i)allowallazureips" }
{ AND: [{ startIPAddress: "0.0.0.0" }, { endIPAddress: "0.0.0.0" }] }
]
}
}) {...AssetFragment}
}
Azure App Service apps without HTTP 2.0
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { http20Enabled: false } }) {
...AssetFragment
}
}App Engine Allowing Plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
appEngineServices(
where: {
serviceVersions_NONE: {
urlHandlers_SOME: {
urlRegex_IN: ["/.*", ".*"]
securityLevel_IN: ["SECURE_ALWAYS"]
}
}
}
) {
...AssetFragment
}
}'Enable connecting to serial ports' is not enabled for VM Instance
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"serial-port-enable",value:"true"}}){...AssetFragment}Storage accounts not allowing access from trusted Azure Services
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ AND: [{ networkRuleSetDefaultAction_CONTAINS: "Allow" }] }
{
AND: [
{ networkRuleSetDefaultAction_CONTAINS: "Deny" }
{ NOT: { networkRuleSetBypass_CONTAINS: "AzureServices" } }
]
}
]
}
) {
...AssetFragment
}
}Azure NSGs allowing UDP traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
protocol: "UDP"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 53, destToPort_GTE: 53 }
{ destFromPort_LTE: 123, destToPort_GTE: 123 }
{ destFromPort_LTE: 161, destToPort_GTE: 161 }
{ destFromPort_LTE: 389, destToPort_GTE: 389 }
{ destFromPort_LTE: 1900, destToPort_GTE: 1900 }
]
}
]
}
}
) {
...AssetFragment
}
}All S3 buckets employ encryption-at-rest
Connectors
Covered asset types
Expected check: eq []
buckets(where: { encrypted: false}) {...AssetFragment}EBS encryption by default is enabled
Connectors
Covered asset types
Expected check: eq []
{ebsSettings(where: { encryptedByDefault: false }) {...AssetFragment}}RDS instances use encrypted volumes
Connectors
Covered asset types
Expected check: eq []
{dbInstances(where:{encrypted:false}){...AssetFragment}}Azure MySQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers (where: {encrypted: false}) {...AssetFragment} }Azure MySQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }AWS RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "aws" encrypted: false }) {...AssetFragment} }ApsaraDB RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "alibaba", encrypted: false }) {...AssetFragment} }Google Cloud Cloud SQL with no encryption
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: { encrypted: false }) {...AssetFragment} }Azure MariaDB Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(where: { encrypted: false }) {...AssetFragment}
}AWS Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{kmsKeys( where: { OR: [ { AND: {policyDocument_MATCHES: ".*arn:aws:iam::[0-9*]+:root.*", managementType: "CustomerManaged"} } { keyPolicy: { statements_SOME: { effect: "Allow" conditions: [] principals_INCLUDES: "AWS|*" } } } ] } ) {...AssetFragment}}Google Cloud Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys( where: { OR: [ { policyDocument_MATCHES: ".*domain:.*" } { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ] } ) {...AssetFragment} } Publicly Accessible AWS Keys
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys( where: { keyPolicy: { statements_SOME: { effect: "Allow" conditions: [] principals_INCLUDES: "AWS|*" } } } ) {...AssetFragment} } Publicly Accessible Google Cloud Keys
Connectors
Covered asset types
Expected check: eq []
{kmsKeys( where: { iamBindings_SOME: { OR: [{ members_INCLUDES: "allAuthenticatedUsers"}, { members_INCLUDES: "allUsers" }] } } ) {...AssetFragment}}AWS KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
vms( where: { securityGroups_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } iamRoles_SOME: { iamPolicies_SOME: { iamPolicyStatements_SOME: { effect: "Allow" } } } } ) { iamRoles { iamPolicies { iamPolicyStatements { permissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } } }Google Cloud KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
vms( where: { firewalls_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } } ) { serviceAccount { serviceAccountRoles { hasIAMPermissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } }Alibaba KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
alibabaKMSKeysExposedThroughVMs {...AssetFragment}
}Azure KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{ vms( where: { networkInterfaces_SOME: { securityGroups_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } { sources_INCLUDES: "tag:Internet" } { sources: [] } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } } } ) { vmRoles { hasIAMPermissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } }Encryption Keys scheduled for deletion
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys(where: {scheduleForDeletion: true, dataStores_SOME: { identifier_NOT: null }}) {...AssetFragment} }Encryption Keys expiring within the next 14 days
Connectors
Covered asset types
Expected check: eq []
{ EncryptionKeysExpiration(days: 14) {...AssetFragment} }Encryption Keys haven't been rotated in more than 90 days for AWS
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotationAWS(days: 90) {...AssetFragment}
}Encryption Keys haven't been rotated in more than 90 days
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotation(days: 90) {...AssetFragment}
}'Unattached disks' are encrypted
Connectors
Covered asset types
Expected check: eq []
disks(where: { status_NOT: "In_use", encrypted: false }) {...AssetFragment}'Virtual Machine's disk' are encrypted
Connectors
Covered asset types
Expected check: eq []
vms(where:{diskAttachments_SOME:{disk: {encrypted:false}}}) {...AssetFragment}'TDE' is set to 'Enabled' for applicable database instances
Connectors
Covered asset types
Expected check: eq []
dbInstances(where: { tdeStatus_NOT: "Enabled" }) {...AssetFragment}Storage for critical data is encrypted with Customer Managed Key
Connectors
Covered asset types
Expected check: eq []
{storageAccounts(where:{byokEncrypted_NOT:true}){...AssetFragment}}'Data encryption' is set to 'On' on a SQL Database
Connectors
Covered asset types
Expected check: eq []
{sqlDatabases(where: {encrypted: false}){...AssetFragment}}'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{sslEnforcement_MATCHES:"(?i)^((?!enabled).)*$"},){...AssetFragment}}'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Connectors
Covered asset types
Expected check: eq []
{mySqlServers(where:{sslEnforcement_MATCHES:"(?i)^((?!enabled).)*$"},){...AssetFragment}}Azure SQL Servers without TDE protector key encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
OR: [
{ encryptionProtector: null }
{ encryptionProtector: { serverKeyType: "ServiceManaged" } }
]
}
) {
...AssetFragment
}
}'OS and Data' disks are encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{vms(where:{diskAttachments_SOME:{disk:{,encryptionKey:null}}}){...AssetFragment}}'Unattached disks' are encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{disks(where:{diskState_MATCHES:"(?i)unattached",encryptionKey:null}){...AssetFragment}}Azure App Services allowing plain FTP deployments
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { ftpsState: "AllAllowed" } }) {
...AssetFragment
}
}Ensure That Compute Instances Have Confidential Computing Enabled
Connectors
Covered asset types
Expected check: eq []
{
vms(where: { cloudProvider: "gcp", NOT:{enableConfidentialCompute: true} }) {
...AssetFragment
}
}
Ensure Secrets are not stored in Cloud Functions environment variables by using Secret Manager
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
envVars_SOME: {
key_MATCHES: "(?i).*(api|key|secret|token|password|access|id|auth|app|client|credential|security|private|public|authorization|confidential|encryption|hmac|signature|passphrase|session|authentication|verify|oauth|ssl|tls|jwt|service_account|code|secure|sudo).*"
}
}
) {
...AssetFragment
}
}A log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclAssociation[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for VPC changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ModifyVpcAttribute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RejectVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableVpcClassicLink[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnableVpcClassicLink[\"]?\\s*\\)\\s*.*"){...AssetFragment}ECS Services should use the latest platform version
Connectors
Covered asset types
Expected check: eq []
{
ecsServices(where: {NOT: { platformVersion_IN: ["LATEST", ""] }}) {...AssetFragment}
}
