Alibaba Cloud
AWS
Google Cloud
Microsoft Azure
Microsoft Entra ID
OktaOverview
Statement
The revised MAS Technology Risk Management Guidelines outline technology risk management principles and best practices for the financial sector. your organization uses the guidelines to support its activities for oversight and management of technology risk.
your organization has a defence-in-depth approach to strengthening cyber resilience, continuously improving its IT processes and controls in order to ensure confidentiality, integrity and availability of data and systems.
Recommendations
7. IT Service Management
7.3 Technology Refresh Management
8. IT Resilience
8.1 System Availability
8.4 System Backup and Recovery
9. Access Control
9.1 User Access Management
9.2 Privileged Access Management
10. Cryptography
10.1 Cryptographic Algorithm and Protocol
10.2 Cryptographic Key Management
11. Data and Infrastructure Security
11.1 Data Security
11.2 Network Security
11.3 System Security
11.4 Virtualisation Security
12 Cyber Security Operations
12.2 Cyber Event Monitoring and Detection
13 Cyber Security Assessment
13.1 Vulnerability Assessment
Procedures and mapped controls
7.3.1 Outdated and unsupported hardware or software
Avoid using outdated and unsupported hardware or software.
Mapped controls
Ensure no databases have outdated engine versions
Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
Ensure that 'Java version' is currently supported (if in use)
Ensure that 'PHP version' is currently supported (if in use)
Ensure that 'Python version' is currently supported (if in use)
8.1.1 System availability
Maintain system availability according to business needs.
8.4.1 System and data backup strategy
Perform regular backups so that systems and data can be recovered if needed.
Mapped controls
Ensure buckets have versioning enabled
Ensure Cloud SQL database instances are configured with automated backups
Ensure that object versioning is enabled on log-buckets
Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Ensure Key Vaults are Recoverable
9.1.1 Principles of 'never alone', 'segregation of duties' and 'least privilege'. Roles and responsibilities
Access rights and system privileges should be granted according to roles and responsibilities.
Mapped controls
Do not setup access keys during initial user setup for all IAM users that have a console password
Eliminate use of the "root" user for administrative and daily tasks
Ensure no "root" user account access key exists
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure IAM Users receive permissions only through Groups
Ensure IAM Role can be assumed only by specific Principals
Ensure Managed IAM Policies are used instead of Inline Policies
Ensure a support role has been created to manage incidents with AWS Support
Ensure that IAM Access analyzer is enabled for all regions
Ensure that AWS Lambda functions do not share the same AWS IAM execution role
Ensure RAM policies are attached only to groups or roles
Ensure RAM policies that allow full '*:*'' administrative privileges are not created
Ensure application assignments are configured through groups
Ensure at least two Okta admins are configured
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure basic/primitive roles are not used
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure No Custom Subscription Administrator Roles Exist
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
9.1.3 Ensure proper accountability for user access through logging
Records of user access and user management activities should be uniquely identified and logged.
Mapped controls
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for usage of "root" account
Ensure log metric filter and alerts exist for Custom Role changes
Ensure that corporate login credentials are used instead of Gmail accounts
9.1.4 Password policy
Enforce strong password controls for users' access to IT systems.
Mapped controls
Ensure IAM password policy expires passwords within 90 days or less
Ensure IAM password policy prevents password reuse
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one uppercase letter
Ensure credentials unused for 45 days or greater are disabled
Ensure access keys are rotated every 90 days or less
Ensure access keys are rotated every 90 days or less
Ensure RAM password policy prevents password reuse
Ensure RAM password policy requires a minimum length of 14 or greater
Ensure RAM password policy requires at least one lowercase letter
Ensure RAM password policy requires at least one number
Ensure RAM password policy requires at least one symbol
Ensure RAM password policy requires at least one uppercase letter
Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Ensure RAM password policy expires passwords within 90 days or less
Ensure there are no weak password policies
9.1.5 Multi-factor authentication
MFA should be implemented for users with access to sensitive system functions.
9.1.6 User access review
Identity dormant and redundant user accounts, as well as inappropriate access rights.
Mapped controls
9.2.1 Privileged system access
Access to privileged accounts should be granted with care and activities of these accounts should be monitored.
Mapped controls
Eliminate use of the "root" user for administrative and daily tasks
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure that IAM Access analyzer is enabled for all regions
Ensure RAM policies that allow full '*:*'' administrative privileges are not created
Ensure No Custom Subscription Administrator Roles Exist
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure a log metric filter and alarm exist for usage of "root" account
9.2.2 Service accounts
Manage and monitor the use of system and service accounts.
10.1.2 Use appropriate cryptographic algorithms
Cryptographic algorithms from well-established international standards should be used.
Mapped controls
Ensure weak TLS Protocols are not used for ELB
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Ensure RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
Ensure Web App is using the latest version of TLS encryption
10.2.2 Protect cryptographic keys
Cryptographic keys should be securely generated and protected from unauthorised disclosure.
Mapped controls
Ensure encryption keys don't have permissive access policies
Ensure encryption keys are not publicly accessible
Ensure KMSKeys are not exposed through publicly accessible VMs
Ensure rotation for customer-created symmetric CMKs is enabled
Ensure that there are only GCP-managed service account keys for each service account
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure Azure Key Vaults are used to store secrets
Ensure SQL server's TDE protector is encrypted with Customer Managed Keys (CMK)
Ensure Key Vaults are Recoverable
10.2.3 Appropriate key lifespan
Determine the appropriate lifespan of each key. The key should be replaced before it expires at the end of its lifespan.
Mapped controls
Ensure encryption keys are rotated
Ensure in-use encryption keys are not scheduled for deletion
Ensure encryption keys are not expiring within the next 14 days
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Ensure Azure Key Vaults are used to store secrets
Ensure Key Vaults are Recoverable
Ensure the Expiration Date is set for Key Vault Secrets
10.2.8 Revoked/expired keys
Ensure revoked or expired keys are not recoverable.
11.1.1 Protect confidential data
Detect and prevent unauthorised access, modification, copying or transmission of confidential data, considering data in motion, at rest and in use.
Mapped controls
Ensure buckets are not publicly accessible
Ensure buckets are not accessible from functions with http trigger unauthenticated
Ensure buckets don't have permissive access policies
Ensure queues are not publicly accessible
Ensure databases have deletion protection enabled
Ensure all S3 buckets employ encryption-at-rest
Ensure EBS encryption by default is enabled
Ensure RDS instances use encrypted volumes
Ensure data stored in SNS Topics is encrypted
Ensure Kinesis Data Streams use encryption at rest
Ensure S3 bucket policy does not grant Allow permission to everyone
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure buckets have versioning enabled
Ensure MFA Delete is enabled on S3 buckets
Ensure S3 bucket ACL grants permissions only to specific AWS accounts
Ensure encrypted storage is used for VMs that might host a database
Ensure that encryption is enabled for RDS Instances
Ensure databases are encrypted
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Ensure that Separation of duties is enforced while assigning KMS related roles to users
Ensure the 'local_infile' database flag for a Cloud SQL MySQL instance is set to 'Off'
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
Ensure Cloud Storage buckets have uniform bucket-level access enabled
Ensure the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Ensure the 'cross db ownership chaining' database flag for Cloud SQL on the SQL Server instance is set to 'Off'
Ensure that IP forwarding is not enabled on Instances
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Ensure App Service Authentication is set up for apps in Azure App Service
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
Ensure Virtual Machines are utilizing Managed Disks
Ensure that 'OS and Data' disks are encrypted with Customer Managed Keys (CMK)
Ensure that 'Unattached disks' are encrypted with Customer Managed Keys (CMK)
Ensure 'Secure transfer required' is set to 'Enabled'
Ensure Storage for Critical Data Is Encrypted with Customer Managed Keys
Ensure 'Data encryption' is set to 'On' on SQL Databases
Ensure Microsoft Entra authentication is Configured for SQL Servers
Ensure 'HTTPS Only' is set to 'On' for App Service
Ensure server-side encryption is set to 'Encrypt with Service Key'
Ensure server-side encryption is set to 'Encrypt with BYOK'
Ensure RDS instances require all incoming connections to use SSL
Ensure that 'TDE' is set to 'Enabled' for applicable database instances
Ensure that 'Unattached disks' are encrypted
Ensure that 'Virtual Machine's disk' are encrypted
Ensure the OSS used to store ActionTrail logs is not publicly accessible
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
11.2.1 Network security devices
Install network security devices such as firewalls.
Mapped controls
Ensure databases have TLS 1.2 or newer enabled
Ensure management ports are restricted from the internet
Ensure databases are not publicly accessible
Ensure disks are not publicly accessible
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
Ensure S3 Bucket Policy is set to deny HTTP requests
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure Application Load Balancer uses HTTPS Listener
Ensure Network Load Balancer uses TLS Listener
Ensure weak TLS Protocols are not used for ELB
Ensure RDS Instances accept traffic only from the Application Servers
Ensure the default security group of every VPC restricts all traffic
Ensure unencrypted LDAP port (389) is not exposed to the internet
Ensure that Elasticsearch database is not exposed to the internet (ports 9200 and/or 9300)
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure Compute instances do not have public IP addresses
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure that MySql database instances do not allow root login from any Host
Ensure Cloud SQL database instances do not have public IPs
Ensure the default firewall does not have any default rules besides http and https
Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
Ensure Kubernetes Cluster is created with Private cluster enabled
Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Ensure Network policy is enabled on Kubernetes Engine Clusters
Ensure firewall rule does not allow all traffic for MongoDB (port 27017)
Ensure firewall rule does not allow all traffic for MySQL (port 3306)
Ensure firewall rule does not allow all traffic for Oracle DB (port 1521)
Ensure firewall rule does not allow all traffic for PostgreSQL DB (port 5432)
Ensure firewall rule does not allow all traffic on all ports
Ensure firewall rule does not allow all traffic on port 80
Ensure that RDS instances are not open to the world
Ensure RDS instances require all incoming connections to use SSL
Ensure 'Secure transfer required' is set to 'Enabled'
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure 'HTTPS Only' is set to 'On' for App Service
Ensure Web App is using the latest version of TLS encryption
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure UDP access from the Internet is evaluated and restricted
Ensure App Engine Applications Enforce HTTPS Connections
11.2.2 Security mechanisms to protect information assets
Deploy effective security mechanisms to protect information assets. Segment the network.
Mapped controls
Ensure EC2 Instances are deployed in a VPC
Ensure RDS instances are not publicly reachable
Ensure VPC flow logging is enabled in all VPCs
Ensure VPC Flow logs is enabled for every subnet in a VPC Network
Ensure legacy networks do not exist for a project
Ensure DNSSEC is enabled for Cloud DNS
Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
Ensure that IP forwarding is not enabled on Instances
Ensure the default network does not exist in a project
11.3.1 Security standards for hardware and software
Use hardware and software configurations that will minimise the exposure to cyber threats.
Mapped controls
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
Ensure Kubernetes Cluster is created with Private cluster enabled
Ensure Kubernetes Clusters are created with limited service account Access scopes for Project access
Ensure Kubernetes Engine uses HTTP load balancing
Ensure Kubernetes web UI / Dashboard is disabled
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Ensure Network policy is enabled on Kubernetes Engine Clusters
Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
Ensure default Service account is not used for Project access in Kubernetes Clusters
Ensure Managed Identities Are Used for App Service
11.3.5 Monitor systems for early detection of suspicious or malicious activities
Monitor systems', including endpoint systems' processes for anomalies and suspicious activities.
11.4.1 Ensure security standards for virtualisation
Ensure security standards are established for all the components of a virtualisation solution.
11.4.3 Protect virtual images and snapshots
Protect virtual images and snapshots against unauthorized access or modifications.
Mapped controls
12.2.1 Monitoring, detection and response
Monitor and analyze cyber events and ensure prompt detection and response to cyber incidents.
Mapped controls
Ensure 'Additional email addresses' is configured with a security contact email
Ensure security alert emails for subscription owners are enabled
Ensure that 'Notify about alerts with the following severity' is set to 'High'
Ensure Network Watchers are 'Enabled' for in-use Azure regions
12.2.2 Collect, process, review and retain system logs
Collect, process, review and retain system logs and protect them against unauthorized access.
Mapped controls
Ensure AWS Config is enabled in all regions
Ensure Access Logs is Enabled for ELB
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure VPC flow logging is enabled in all VPCs
Ensure that Object-level logging for write events is enabled for S3 bucket
Ensure that Object-level logging for read events is enabled for S3 bucket
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for VPC changes
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for unauthorized API calls
Ensure a log metric filter and alarm exist for usage of "root" account
Ensure a log metric filter and alarm exist for AWS Organizations changes
Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
Ensure VPC Flow logs is enabled for every subnet in a VPC Network
Ensure log metric filter and alerts exist for Audit Configuration Changes
Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes
Ensure log metric filter and alerts exist for Custom Role changes
Ensure log metric filter and alerts exist for Project Ownership assignments/changes
Ensure log metric filter and alerts exist for SQL instance configuration changes
Ensure log metric filter and alerts exist for VPC Network Firewall rule changes
Ensure log metric filter and alerts exist for VPC network changes
Ensure log metric filter and alerts exist for VPC network route changes
Ensure Cloud Audit Logging is configured properly across all services and all users from a project
Ensure that logging is enabled for Cloud Storage buckets
Ensure that object versioning is enabled on log-buckets
Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock
Ensure sinks are configured for all Log entries
Ensure the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'On'
Ensure the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'On'
Ensure the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (Disabled)
Ensure Anti-DDoS access and security log service is enabled
Ensure Web Application Firewall access and security log service is enabled
Ensure that ActionTrail is configured to export copies of all Log entries
Ensure that logging is enabled for OSS buckets
Ensure Diagnostic Setting captures appropriate categories
Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
[LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
[LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Ensure 'Auditing' Retention is greater than 90 days for SQL Servers
Ensure 'Auditing' is set to 'On' for SQL Servers
Ensure that Activity Log Alert exists for Create Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Network Security Group
Ensure that Activity Log Alert exists for Create or Update Security Solution
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Delete Network Security Group
Ensure that Activity Log Alert exists for Delete Policy Assignment
Ensure that Activity Log Alert exists for Delete Security Solution
Ensure logging for Azure Key Vault is 'Enabled'
Ensure Cloud DNS Logging Is Enabled for All VPC Networks
Ensure Logging is enabled for HTTP(S) Load Balancers
12.2.4 Behavioural analytics
Use behavioural analytics to enhance the effectiveness of security monitoring.
Mapped controls
Ensure Microsoft Defender for App Services is set to 'On`
Ensure Microsoft Defender for Azure SQL databases is set to 'On'
Ensure Microsoft Defender for Open-Source Relational Databases is set to 'On'
Ensure Microsoft Defender for Storage is set to 'On'
Ensure Microsoft Defender for Azure Cosmos DB is set to 'On'
Ensure Microsoft Defender for Key Vault is set to 'On'
[LEGACY] Ensure Microsoft Defender for DNS Is Set To 'On'
Ensure Microsoft Defender for Resource Manager is set to 'On'
Ensure Microsoft Defender for SQL Servers on machines is set to 'On'
Ensure Microsoft Defender for Servers is set to 'On'
Ensure Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is selected
13.1.1 Vulnerability assessment
Conduct regular vulnerability assessment to identify security vulnerabilities and ensure risk is appropriately addressed.
Query logic
These are the stored checks tied to this framework.
Azure MySQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure MySQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure PostgreSQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure PostgreSQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
DBInstances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
dbInstances
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Cloud SQL Instances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}Azure MariaDB servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{nodePools_SOME:{managementAutoUpgrade_NOT:true}}){...AssetFragment}Azure app services running unsupported Java versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { javaVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}Azure app services running unsupported PHP versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { phpVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}Azure app services running unsupported Python versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { pythonVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}Databases without delete protection Azure
Connectors
Covered asset types
Expected check: eq []
{ databases(where: { deletionPrevention: "disabled" }) {...AssetFragment} } Databases without delete protection Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: {deletionPrevention: "disabled"}) {...AssetFragment} }Databases without delete protection aws and alibaba
Connectors
Covered asset types
Expected check: eq []
{ dbInstances(where: { AND: [ {deletionPrevention: "disabled" } {OR: [{ dbCluster: null }{ dbCluster: { deletionProtection: false }}]}]}) {...AssetFragment} }Automatic node repair is enabled for Kubernetes Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{nodePools_SOME:{managementAutoRepair_NOT:true}}){...AssetFragment}Kubernetes Cluster is created with Alias IP ranges enabled
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{ipAllocationPolicy_SOME:{useIPAliases:false}}){...AssetFragment}Buckets without versioning enabled
Connectors
Covered asset types
Expected check: eq []
{ objectContainers (where: {versioningEnabled: false}) {...AssetFragment} } Cloud SQL database instances are configured with automated backups
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsBackupConfigurationEnabled:false}){...AssetFragment}Object versioning is enabled on log-buckets
Connectors
Covered asset types
Expected check: eq []
GCPLogging3{...AssetFragment}Azure Storage Accounts Without Soft Delete
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ blobServiceDeletePolicyEnabled: false }
{ blobServiceDeletePolicyDays: 0 }
{ containerDeleteRetentionPolicyEnabled: false }
{ containerDeleteRetentionPolicyDays: 0 }
]
}
) {
...AssetFragment
}
}The key vault is recoverable
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where:
{
OR: [
{enableSoftDelete_NOT: true }
{enablePurgeProtection_NOT: true }
] }
) {...AssetFragment}
}Do not setup access keys during initial user setup for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{OR:[{accessKey1Active:true,accessKey1LastUsedDate:null}{accessKey2Active:true,accessKey2LastUsedDate: null }]}}){...AssetFragment}Eliminate use of the "root" user for administrative and daily tasks
Connectors
Covered asset types
Expected check: eq []
AWSIAM1 {...AssetFragment}AWS Root users with access key
Connectors
Covered asset types
Expected check: eq []
{
rootUsers(
where: {
hasIAMUserCredentials: {
OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
}
}
) {
connector {...AssetFragment}
}
}
IAM policies that allow full "*:*" administrative privileges are not attached to IAMRoles
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}}IAM policies that allow full "*:*" administrative privileges are not attached to IAMUsers
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMGroups
Connectors
Covered asset types
Expected check: eq []
iamGroups(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}IAM Users receive permissions only through Groups
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {...AssetFragment}IAM Role can be assumed only by specific Principals
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{hasIAMAssumeRolePolicyStatement_SOME:{hasIAMAssumeRolePolicyPrincipal_SOME:{value:"*"}}}){...AssetFragment}}Managed IAM Policies are used instead of Inline Policies
Connectors
Covered asset types
Expected check: eq []
{AWSIAM8{...AssetFragment}}AWS IAMPolicies with support role
Connectors
Covered asset types
Expected check: eq []
{
AWSIAM16 {...AssetFragment}
}
IAM Access analyzer is enabled for all regions
Connectors
Covered asset types
Expected check: eq []
AWS140IAM20{...AssetFragment}AWS Lambda functions do not share the same AWS IAM execution role
Connectors
Covered asset types
Expected check: eq []
{AWSIAM21{...AssetFragment}}RAM policies are attached only to groups or roles
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { iamPolicies_SOME: { idFromProvider_NOT: null } }) {...AssetFragment}RAM policies that allow full '*:*'' administrative privileges are not created
Connectors
Covered asset types
Expected check: eq []
iamPolicies(where: { policyType: "Custom", iamPolicyStatements_SOME: { effect: "Allow", actions_INCLUDES: "*" } }) {...AssetFragment}
Application assignments are configured through groups
Connectors
Covered asset types
Expected check: eq []
users(where: { applicationsConnection_SOME: {edge: {scope_NOT: "GROUP"}}}) {...AssetFragment}At least two Okta admins are configured
Connectors
Covered asset types
Expected check: eq []
Okta1{...AssetFragment}Separation of duties is enforced while assigning KMS related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
OR: [
{ name: "roles/cloudkms.admin" }
{ name: "roles/owner" }
{ name: "roles/editor" }
]
}
}
{
hasIAMRole_SOME: {
OR: [
{ name: "roles/cloudkms.cryptoKeyEncrypterDecrypter" }
{ name: "roles/cloudkms.cryptoKeyEncrypter" }
{ name: "roles/cloudkms.cryptoKeyDecrypter" }
]
}
}
]
}
) {
...AssetFragment
}
}
Basic/primitive roles are not used
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
hasIAMRole_SOME: {
name_IN: ["roles/viewer", "roles/editor", "roles/owner"]
}
}
) {
...AssetFragment
}
}Separation of duties is enforced while assigning service account related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountAdmin"
}
}
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountUser"
}
}
]
}
) {
...AssetFragment
}
}Azure Custom Subscription Administrator Roles
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
iamRoles(
where: {
type: "CustomRole"
permissions_INCLUDES: "*"
assignableScopes_INCLUDES: $subscriptionResourceId
}
) {
...AssetFragment
}
}Enable role-based access control (RBAC) within Azure Kubernetes Services
Connectors
Covered asset types
Expected check: eq []
{aksClusters(where:{enableRBAC_NOT:true}){...AssetFragment}}Azure IAM Custom roles with lock permission
Connectors
Covered asset types
Expected check: eq []
{
AzureConnectorsWithoutCustomLockRoles{
...AssetFragment
}
}AWS Multi-region cloud trails with logging enabled
Connectors
Covered asset types
Expected check: eq []
{
AWSLogging1 {...AssetFragment}
}
CloudTrail trails are integrated with CloudWatch Logs
Connectors
Covered asset types
Expected check: eq []
AWSLogging4{...AssetFragment}A log metric filter and alarm exist for IAM policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachGroupPolicy[\"]?\\s*\\)\\s*\\s*.*"){...AssetFragment}A log metric filter and alarm exist for usage of "root" account
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\$\\.userIdentity\\.type\\s*=\\s*[\"]?Root[\"]?\\s*\\&\\&\\s*\\s*\\$\\.userIdentity\\.invokedBy\\s*NOT\\s*EXISTS\\s*\\&\\&\\s*\\$\\.eventType\\s*!=\\s*[\"]?AwsServiceEvent\\s*[\"]?\\s*.*"){...AssetFragment}Log metric filter and alerts exist for Custom Role changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging6{...AssetFragment}Corporate login credentials are used instead of Gmail accounts
Connectors
Covered asset types
Expected check: eq []
GCPIAM1{...AssetFragment}IAM password policy expires passwords within 90 days or less
Connectors
Covered asset types
Expected check: eq []
{ iamPasswordPolicies( where: { OR: [{ maxPasswordAge: 0 }, { maxPasswordAge_GT: 90 }] } ) {...AssetFragment} } IAM password policy prevents password reuse (24 times)
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{passwordReusePrevention_LT:24}){...AssetFragment}IAM password policy requires a minimum length of 14 or greater
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{minimumPasswordLength_LT:14}){...AssetFragment}IAM password policy requires at least one lowercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireLowercaseCharacters:false}){...AssetFragment}IAM password policy requires at least one number
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireNumbers:false}){...AssetFragment}IAM password policy requires at least one symbol
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireSymbols:false}){...AssetFragment}IAM password policy requires at least one uppercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireUppercaseCharacters:false}){...AssetFragment}Credentials unused for 45 days or greater are disabled
Connectors
Covered asset types
Expected check: eq []
AWSIAM3(days: 45){...AssetFragment}Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AWSIAM4{...AssetFragment}Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AlibabaIAM6 {...AssetFragment}RAM password policy prevents password reuse
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { passwordReusePrevention_NOT: 24 }) {...AssetFragment}RAM password policy requires a minimum length of 14 or greater
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { minimumPasswordLength_LT: 14}) {...AssetFragment}RAM password policy requires at least one lowercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireLowercaseCharacters: false}) {...AssetFragment}RAM password policy requires at least one number
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireNumbers: false}) {...AssetFragment}RAM password policy requires at least one symbol
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireSymbols: false}) {...AssetFragment}RAM password policy requires at least one uppercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { requireUppercaseCharacters: false}) {...AssetFragment}RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { maxLoginAttempts_LT: 5 }) {...AssetFragment}RAM password policy expires passwords within 90 days or less
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies( where: { maxPasswordAge_GT: 90 }) {...AssetFragment}There are no weak password policies
Connectors
Covered asset types
Expected check: eq []
passwordPolicies(where: { OR:[{minLength_LT: 14}, {minLowerCase_LT: 1}, {minUpperCase_LT: 1}, {minNumber_LT: 1}, {minSymbol_LT: 1}, {reuseCount_LT: 1}]}) {...AssetFragment}MFA is enabled for the "root" account
Connectors
Covered asset types
Expected check: eq []
AWSIAM13{...AssetFragment}Hardware MFA is enabled for the "root" account (Hardware MFA)
Connectors
Covered asset types
Expected check: eq []
AWSIAM14{...AssetFragment}Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}Google Cloud IAMUsers Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
...AssetFragment
}
}Entra Users Without MFA With Access to Azure
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}Multi-factor authentication is enabled for all RAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}Entra users without mfa
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false }) {
...AssetFragment
}
}MFA is configured with strong factors
Connectors
Covered asset types
Expected check: eq []
oktaPolicies(where: { type: "MFA_ENROLL", OR:[{allowedFactors_INCLUDES: "phone_number"}, {allowedFactors_INCLUDES: "security_question"}, {allowedFactors_INCLUDES: "okta_email"}]}) {...AssetFragment}IAM Users that are inactive for 30 days or more are deactivated
Connectors
Covered asset types
Expected check: eq []
{AWSIAM20{...AssetFragment}}There is only one active access key available for any single IAM user
Connectors
Covered asset types
Expected check: eq []
AWS130IAM13 {...AssetFragment}Oslogin is enabled for a Project
Connectors
Covered asset types
Expected check: eq []
projects(where:{hasCommonInstanceMetadataItem_SOME:{key:"os-login",value:"false"}}){...AssetFragment}Users not logged on for 90 days or longer are disabled for console logon
Connectors
Covered asset types
Expected check: eq []
AlibabaIAM5 {...AssetFragment}There are only GCP-managed service account keys for each service account
Connectors
Covered asset types
Expected check: eq []
{iamServiceAccounts(where:{hasIAMServiceAccountKeys_SOME:{keyType: "USER_MANAGED"}}){...AssetFragment}}Ensure Service Account has no Admin privileges
Connectors
Covered asset types
Expected check: eq []
{
iamServiceAccounts(
where: {
hasIAMRole_SOME: {
OR: [
{ name: "roles/owner" }
{ name: "roles/editor" }
{ name_CONTAINS: "admin" }
]
}
}
) {
...AssetFragment
}
}User-managed/external keys for service accounts are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
GCPIAM5{...AssetFragment}Weak TLS Protocols are not used for ELB
Connectors
Covered asset types
Expected check: eq []
{loadBalancers( where: { scheme: "internet-facing", listensOnHTTPListener_SOME: { sslPolicy_IN: ["ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-02"] } } ) {...AssetFragment}}No HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: {OR: [
{httpsProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
{sslProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
]}){
...AssetFragment
}
}
RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{hasDNSKeySpec_SOME:{keyType:"keySigning",algorithm_MATCHES:"(?i)rsasha1"}}){...AssetFragment}RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{hasDNSKeySpec_SOME:{keyType:"zoneSigning",algorithm_MATCHES:"(?i)rsasha1"}}){...AssetFragment}Azure app services allowing old TLS
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { NOT: { minTlsVersion_IN: ["1.2", "1.3"] } } }) {
...AssetFragment
}
}AWS Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{kmsKeys( where: { OR: [ { AND: {policyDocument_MATCHES: ".*arn:aws:iam::[0-9*]+:root.*", managementType: "CustomerManaged"} } { keyPolicy: { statements_SOME: { effect: "Allow" conditions: [] principals_INCLUDES: "AWS|*" } } } ] } ) {...AssetFragment}}Google Cloud Keys With Permissive Access Policy
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys( where: { OR: [ { policyDocument_MATCHES: ".*domain:.*" } { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ] } ) {...AssetFragment} } Publicly Accessible AWS Keys
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys( where: { keyPolicy: { statements_SOME: { effect: "Allow" conditions: [] principals_INCLUDES: "AWS|*" } } } ) {...AssetFragment} } Publicly Accessible Google Cloud Keys
Connectors
Covered asset types
Expected check: eq []
{kmsKeys( where: { iamBindings_SOME: { OR: [{ members_INCLUDES: "allAuthenticatedUsers"}, { members_INCLUDES: "allUsers" }] } } ) {...AssetFragment}}AWS KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
vms( where: { securityGroups_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } iamRoles_SOME: { iamPolicies_SOME: { iamPolicyStatements_SOME: { effect: "Allow" } } } } ) { iamRoles { iamPolicies { iamPolicyStatements { permissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } } }Google Cloud KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
vms( where: { firewalls_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } } ) { serviceAccount { serviceAccountRoles { hasIAMPermissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } }Alibaba KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{
alibabaKMSKeysExposedThroughVMs {...AssetFragment}
}Azure KMSKeys Exposed Through Vulnerable VMs
Connectors
Covered asset types
Expected check: eq []
{ vms( where: { networkInterfaces_SOME: { securityGroups_SOME: { rules_SOME: { direction: "Inbound" action: "Allow" AND: [ { OR: [ { sources_INCLUDES: "cidr:0.0.0.0/0" } { sources_INCLUDES: "cidr:::/0" } { sources_INCLUDES: "tag:Internet" } { sources: [] } ] } { destFromPort_LTE: 22, destToPort_GTE: 22 } ] } } } } ) { vmRoles { hasIAMPermissions { isOwnedByIAMAssetType { includesKMSKey {...AssetFragment} } } } } }Rotation for customer created CMKs is enabled
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{automaticRotationEnabled:false, managementType:"CustomerManaged"}){...AssetFragment}Cloud KMS cryptokeys are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{OR:[{policyDocument_CONTAINS:"allUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}FunctionApps with secrets that are not keyvault references
Connectors
Covered asset types
Expected check: eq []
{
functionApps(
where: {
applicationConfig: {
settings_SOME: {
type: "AppService"
key_MATCHES: "(.*)(_*?)(key|pass|secret|salt|connectionstring|connection_string)(.*)"
}
}
}
) {...AssetFragment}
}Sites with secrets that are not keyvault references
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: {
applicationConfig: {
settings_SOME: {
type: "AppService"
key_MATCHES: "(.*)(_*?)(key|pass|secret|salt|connectionstring|connection_string)(.*)"
}
}
}
) {...AssetFragment}
}
Azure SQL Servers without TDE protector key encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
OR: [
{ encryptionProtector: null }
{ encryptionProtector: { serverKeyType: "ServiceManaged" } }
]
}
) {
...AssetFragment
}
}Encryption Keys haven't been rotated in more than 90 days for AWS
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotationAWS(days: 90) {...AssetFragment}
}Encryption Keys haven't been rotated in more than 90 days
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotation(days: 90) {...AssetFragment}
}Encryption Keys scheduled for deletion
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys(where: {scheduleForDeletion: true, dataStores_SOME: { identifier_NOT: null }}) {...AssetFragment} }Encryption Keys expiring within the next 14 days
Connectors
Covered asset types
Expected check: eq []
{ EncryptionKeysExpiration(days: 14) {...AssetFragment} }A log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?kms\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableKey[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ScheduleKeyDeletion[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}KMS encryption keys are rotated within a period of 90 days
Connectors
Covered asset types
Expected check: eq []
GCP110IAM10{...AssetFragment}Azure Key Vault secrets without expiration date
Connectors
Covered asset types
Expected check: eq []
{
kmsSecrets(where: { expires: "0000-01-01T00:00:00.000Z" }) {
...AssetFragment
}
}All the expired SSL/TLS certificates stored in AWS IAM are removed
Connectors
Covered asset types
Expected check: eq []
AWS130IAM19 {...AssetFragment}Publicly Accessible AWS Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "aws"
publicAccessBlocked: false
OR: [
{
hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
{
granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
}
]
permission_IN: ["READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"]
}
}
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "s3:GetObject" }
{ actions_INCLUDES: "s3:ListObjects" }
{ actions_INCLUDES: "s3:ListObjectsV2" }
{ actions_INCLUDES: "s3:PutObject" }
{ actions_INCLUDES: "s3:PutObjectAcl" }
{ actions_INCLUDES: "s3:CreateMultipartUpload" }
{ actions_INCLUDES: "s3:UploadPart" }
{ actions_INCLUDES: "s3:DeleteObject" }
{ actions_INCLUDES: "s3:DeleteObjects" }
{ actions_INCLUDES: "s3:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "AWS|*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Readable Azure Blob Containers
Connectors
Covered asset types
Expected check: eq []
{
blobContainers(
where: {
cloudProvider: "azure"
publicAccessBlocked: false
publicAccess_IN: ["Blob", "Container"]
}
) {...AssetFragment}
}
Publicly Accessible Google Cloud Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "gcp"
publicAccessBlocked: false
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allUsers" }
{ members_INCLUDES: "allAuthenticatedUsers" }
]
role: {
OR: [
{ permissions_INCLUDES: "storage.objects.get" }
{ permissions_INCLUDES: "storage.objects.list" }
{ permissions_INCLUDES: "storage.objects.create" }
{ permissions_INCLUDES: "storage.objects.delete" }
{ permissions_INCLUDES: "storage.objects.update" }
{ permissions_INCLUDES: "storage.objects.*" }
{ permissions_INCLUDES: "storage.objects.setIamPolicy" }
{
permissions_INCLUDES: "storage.multipartUploads.create"
}
{ permissions_INCLUDES: "storage.multipartUploads.*" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Alibaba Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "alibaba"
publicAccessBlocked: false
OR: [
{ acl_IN: ["public-read", "public-read-write"] }
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "oss:GetObject" }
{ actions_INCLUDES: "oss:PutObject" }
{ actions_INCLUDES: "oss:PutObjectAcl" }
{ actions_INCLUDES: "oss:ListObjects" }
{ actions_INCLUDES: "oss:GetObjectVersion" }
{ actions_INCLUDES: "oss:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "*"
}
}
}
]
}
) {...AssetFragment}
}
AWS Buckets accessible from functions with http trigger unauthenticated
Connectors
Covered asset types
Expected check: eq []
{
accessibleBucketsFromAWSFunctions {...AssetFragment}
}Google Cloud Buckets accessible from functions with http trigger unauthenticated
Connectors
Covered asset types
Expected check: eq []
{
accessibleBucketsFromGCPFunctions {...AssetFragment}
}Azure Blob Containers accessible from functions with http trigger unauthenticated
Connectors
Covered asset types
Expected check: eq []
{
accessibleBlobContainersFromAzureFunctions {...AssetFragment}
}Alibaba Buckets accessible from functions with http trigger unauthenticated and system policy
Connectors
Covered asset types
Expected check: eq []
{
accessibleBucketsFromAlibabaFunctionsWithSystemPolicy {...AssetFragment}
}Alibaba Buckets accessible from functions with http trigger unauthenticated and custom policy
Connectors
Covered asset types
Expected check: eq []
{
accessibleBucketsFromAlibabaFunctionsWithCustomPolicy {...AssetFragment}
}AWS buckets with permissive access policy
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
OR: [
{ policyDocument_MATCHES: ".*arn:aws:iam::[0-9]+:root.*" }
{
bucketPolicy: {
statements_SOME: { effect: "Allow", principals_INCLUDES: "AWS|*" }
}
}
{ hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
{ granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" }
]
}}]
}
) {...AssetFragment}
}Google Cloud buckets with permissive access policy
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
OR: [
{ iamPolicyDocument_MATCHES: ".*domain:.*" }
{
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allAuthenticatedUsers" }
{ members_INCLUDES: "allUsers" }
]
}
}
]
}
) {...AssetFragment}
}Publicly accessible SQS queues
Connectors
Covered asset types
Expected check: eq []
{ sqsQueues(where: { policyDocument: { statements_SOME: { AND: [ { effect: "Allow" }, { OR: [ { principals_INCLUDES: "" }, { principals_INCLUDES: "*" }, { principals_INCLUDES: "AWS|*" }, ] } ] } } }) {...AssetFragment} }Publicly Accessible PubSub Subscriptions
Connectors
Covered asset types
Expected check: eq []
{ pubSubSubscriptions( where: { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ) {...AssetFragment} } Publicly Accessible PubSub Topics
Connectors
Covered asset types
Expected check: eq []
{ pubSubTopics( where: { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" } { members_INCLUDES: "allUsers" } ] } } ) {...AssetFragment} } All S3 buckets employ encryption-at-rest
Connectors
Covered asset types
Expected check: eq []
buckets(where: { encrypted: false}) {...AssetFragment}EBS encryption by default is enabled
Connectors
Covered asset types
Expected check: eq []
{ebsSettings(where: { encryptedByDefault: false }) {...AssetFragment}}RDS instances use encrypted volumes
Connectors
Covered asset types
Expected check: eq []
{dbInstances(where:{encrypted:false}){...AssetFragment}}Data stored in SNS Topics is encrypted
Connectors
Covered asset types
Expected check: eq []
{snsTopics(where:{hasSNSTopicAttribute_NONE:{key:"KmsMasterKeyId",OR:[{value_NOT:null},{value_NOT:""}]}}){...AssetFragment}}Kinesis Data Streams use encryption at rest
Connectors
Covered asset types
Expected check: eq []
{kinesisDataStreams(where:{encryptionType:"NONE"}){...AssetFragment}}S3 bucket policy does not grant Allow permission to everyone
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{AND:[{policyDocument_CONTAINS:"\"Effect\":\"Allow\""},{policyDocument_CONTAINS:"\"Principal\":\"*\""}]}){...AssetFragment}}A log metric filter and alarm exist for S3 bucket policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?s3\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketReplication[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketReplication[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}S3 Buckets are configured with 'Block public access (bucket settings)'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { publicAccessBlocked: false }) {...AssetFragment}The S3 bucket used to store CloudTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { trails_NOT: null publicAccessBlocked: false OR: [ { hasBucketACLGrant_SOME: { OR: [ { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" } { granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" } ] } } { AND: [ { policyDocument_MATCHES: ".+\"Effect\":\"Allow\".+" } { policyDocument_MATCHES: ".+\"Principal\":\"*\".+" } ] } ] } ) {...AssetFragment}}MFA Delete is enabled on S3 buckets
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{bucketVersioningMFADelete:false}){...AssetFragment}}S3 bucket ACL grants permissions only to specific AWS accounts
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{hasBucketACLGrant_SOME: {granteeType_NOT:"CanonicalUser"}}){...AssetFragment}}Encrypted storage is used for VMs that might host a database
Connectors
Covered asset types
Expected check: eq []
{vms(where:{diskAttachments_SOME:{disk:{encrypted:false}},OR:[{name_MATCHES:"(?i).*database.*"},{name_MATCHES:"(?i).*db.*"},{name_MATCHES:"(?i).*mariadb.*"},{name_MATCHES:"(?i).*postgres.*"},{name_MATCHES:"(?i).*oracle.*"},{name_MATCHES:"(?i).*sql.*"}]}){...AssetFragment}}Encryption is enabled for RDS Instances
Connectors
Covered asset types
Expected check: eq []
{dbInstances(where:{encrypted:false}){...AssetFragment}}Azure MySQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers (where: {encrypted: false}) {...AssetFragment} }Azure MySQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }AWS RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "aws" encrypted: false }) {...AssetFragment} }ApsaraDB RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "alibaba", encrypted: false }) {...AssetFragment} }Google Cloud Cloud SQL with no encryption
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: { encrypted: false }) {...AssetFragment} }Azure MariaDB Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(where: { encrypted: false }) {...AssetFragment}
}Cloud SQL database instances require all incoming connections to use SSL
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsIPConfigurationRequireSsl:false}){...AssetFragment}VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Connectors
Covered asset types
Expected check: eq []
disks(where:{encryptedWithCustomerSuppliedKey: false }){...AssetFragment}The 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "mysql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "local_infile" } } { dbFlags_SOME: { name: "local_infile", value: "on" } } ] } ) { ...AssetFragment }}BigQuery datasets are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}Cloud Storage buckets have uniform bucket-level access enabled
Connectors
Covered asset types
Expected check: eq []
buckets(where:{iamConfigurationUniformBucketLevelAccessEnabled:false}){...AssetFragment}The 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "sqlserver" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "contained database authentication" } } { dbFlags_SOME: { name: "contained database authentication" value: "on" } } ] } ) { ...AssetFragment }}The 'cross db ownership chaining' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "sqlserver" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "cross db ownership chaining" } } { dbFlags_SOME: { name: "cross db ownership chaining", value: "on" } } ] } ) { ...AssetFragment }}IP forwarding is not enabled on Instances
Connectors
Covered asset types
Expected check: eq []
vms(where:{canIPForward:true}){...AssetFragment}'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{sslEnforcement_MATCHES:"(?i)^((?!enabled).)*$"},){...AssetFragment}}'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Connectors
Covered asset types
Expected check: eq []
{mySqlServers(where:{sslEnforcement_MATCHES:"(?i)^((?!enabled).)*$"},){...AssetFragment}}Azure App Services without authentication
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { authSettings: { enabled: true } }) {
...AssetFragment
}
}The web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Connectors
Covered asset types
Expected check: eq []
{sites(where:{clientCertEnabled_NOT:true}){...AssetFragment}}Azure App Services allowing plain FTP deployments
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { ftpsState: "AllAllowed" } }) {
...AssetFragment
}
}Azure VMs with unmanaged disks
Connectors
Covered asset types
Expected check: eq []
{
vms(where: { diskAttachments_SOME: { NOT: { vhdURI: "" } } }) {
...AssetFragment
}
}'OS and Data' disks are encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{vms(where:{diskAttachments_SOME:{disk:{,encryptionKey:null}}}){...AssetFragment}}'Unattached disks' are encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{disks(where:{diskState_MATCHES:"(?i)unattached",encryptionKey:null}){...AssetFragment}}Azure storage accounts not enforcing HTTPS
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { supportsHttpsTrafficOnly: true } }) {
...AssetFragment
}
}Storage for critical data is encrypted with Customer Managed Key
Connectors
Covered asset types
Expected check: eq []
{storageAccounts(where:{byokEncrypted_NOT:true}){...AssetFragment}}'Data encryption' is set to 'On' on a SQL Database
Connectors
Covered asset types
Expected check: eq []
{sqlDatabases(where: {encrypted: false}){...AssetFragment}}Azure SQL Servers without Entra admin
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
NOT: { entraAdministrator: { administratorType: "ActiveDirectory" } }
}
) {
...AssetFragment
}
}Azure app services allowing plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { httpsOnly: false }) {
...AssetFragment
}
}Server-side encryption is set to 'Encrypt with Service Key'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:null}]}){...AssetFragment}Server-side encryption is set to 'Encrypt with BYOK'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { OR:[{encryptionKeyIDFromProvider: "" },{encryptionKeyIDFromProvider: null }, {encryptionKey:{managementType:"ProviderManaged"}}]}){...AssetFragment}RDS instances require all incoming connections to use SSL
Connectors
Covered asset types
Expected check: eq []
AlibabaRDS2{...AssetFragment}'TDE' is set to 'Enabled' for applicable database instances
Connectors
Covered asset types
Expected check: eq []
dbInstances(where: { tdeStatus_NOT: "Enabled" }) {...AssetFragment}'Unattached disks' are encrypted
Connectors
Covered asset types
Expected check: eq []
disks(where: { status_NOT: "In_use", encrypted: false }) {...AssetFragment}'Virtual Machine's disk' are encrypted
Connectors
Covered asset types
Expected check: eq []
vms(where:{diskAttachments_SOME:{disk: {encrypted:false}}}) {...AssetFragment}The OSS used to store ActionTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets(where: {OR: [ {acl: "public-read"}, {acl: "public-read-write"}], trails_NOT: null}){...AssetFragment}}Publicly Accessible Alibaba ApsaraDB Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { AND: [ { publicAccessBlocked: false } { whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible RDS with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { AND: [ { publicAccessBlocked: false } { securityGroups_SOME: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } { OR: [ { tlsStatus: "" } { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Google Cloud Cloud SQL Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
AND: [
{ publicAccessBlocked: false }
{
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
{
OR: [
{ tlsStatus: "" }
{ tlsStatus: "disabled" }
{ tlsMinimumVersion_LT: 1.2 }
]
}
]
}
) {
...AssetFragment
}
} Publicly Accessible Azure MySQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure MySQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} }Publicly Accessible Azure PostgreSQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure MariaDB Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers (
where: {
AND: [
{ publicAccessBlocked: false }
{
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
{ OR: [{ tlsStatus: "disabled" }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}Publicly Accessible Azure SQL Databases with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
AND: [
{ publicAccessBlocked: false }
{
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
{ OR: [{ tlsStatus: "disabled" }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}Security Groups with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}Firewalls with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
Publicly Accessible Google Cloud Cloud SQL Instances
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
) {
...AssetFragment
}
} Publicly Accessible Azure MySQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure MySQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Alibaba ApsaraDB Instances
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { publicAccessBlocked: false whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } ) {...AssetFragment} } Publicly Accessible Azure SQL Databases
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
) {...AssetFragment}
}
Publicly Accessible RDS Clusters
Connectors
Covered asset types
Expected check: eq []
{
dbClusters(
where: {
dbInstances_SOME: {
publicAccessBlocked: false
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
}
) {...AssetFragment}
}
Publicly Accessible Azure MariaDB Servers
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(
where: {
publicAccessBlocked: false
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
) {...AssetFragment}
}Publicly Accessible AWS RDS Instance
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
publicAccessBlocked: false
dbCluster: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Disks for AWS/Alibaba
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
publicIpAddress_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
diskAttachments {
disk {...AssetFragment}
}
}
}
Publicly Accessible Disks for Azure
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: {
publicIp_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
}
) {
diskAttachments {
disk {...AssetFragment}
}
}
}
Publicly Accessible Disks for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
firewalls_SOME: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
diskAttachments {
disk {
...AssetFragment
}
}
}
}S3 Bucket Policy is set to deny HTTP requests
Connectors
Covered asset types
Expected check: eq []
buckets(where: {OR: [{policyDocument_MATCHES: "^((?!(?i)\"effect\":\"deny\").)*$"},{policyDocument_MATCHES: "^((?!(?i)\"Bool|aws:SecureTransport|false\").)*$"}]}) {...AssetFragment}No Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Connectors
Covered asset types
Expected check: eq []
networkAcls(where:{rules_SOME:{AND:[{direction:"Inbound"},{action:"Allow"},{OR:[{sources_INCLUDES:"cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]},{OR:[{destFromPort_LTE: 22, destToPort_GTE: 22}, {destFromPort_LTE: 3389, destToPort_GTE: 3389}]}]}}){...AssetFragment}Application Load Balancer uses HTTPS Listener
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"application",listensOnHTTPListener_NONE:{hasCertificate:true}}){...AssetFragment}}Network Load Balancer uses TLS Listener
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"network",listensOnHTTPListener_NONE:{hasCertificate:true}}){...AssetFragment}}RDS Instances accept traffic only from the Application Servers
Connectors
Covered asset types
Expected check: eq []
{ dbInstances(where: {securityGroups_SOME: {rules_SOME: {direction: "Inbound", OR: [{destToPort_NOT_IN: [3306, 5432, 1521, 1433, 27017]}, {OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}]}}}) {...AssetFragment}}The default security group of every VPC restricts all traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(where: { groupName: "default", NOT: { rules_SOME: null } }) {
...AssetFragment
}
}Unencrypted LDAP port (389) is not exposed to the internet
Connectors
Covered asset types
Expected check: eq []
{securityGroups(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 389, destToPort_GTE: 389, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Potential Elasticsearch database exposed to the internet (ports 9200 and/or 9300)
Connectors
Covered asset types
Expected check: eq []
{ securityGroups(where: {vms_NOT: null, rules_SOME: {direction: "Inbound", AND: [{OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}, {OR: [{destFromPort_LTE: 9200, destToPort_GTE: 9200}, {destFromPort_LTE: 9300, destToPort_GTE: 9300}]}]}}) {...AssetFragment}}Compute instances do not have public IP addresses
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
}
) {
...AssetFragment
}
}Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
networkSettings_SOME: {
authorizedNetworks_SOME: {
OR: [{ cidrValue: "0.0.0.0/0" }, { cidrValue: "::/0" }]
}
}
}
) {
...AssetFragment
}
}MySql database instances do not allow root login from any Host
Connectors
Covered asset types
Expected check: eq []
sqlUsers(where:{name:"root"OR:[{host:"%"},{host:"0.0.0.0"},{host:""}]}){...AssetFragment}Cloud SQL database instances do not have public IPs
Connectors
Covered asset types
Expected check: eq []
{cloudSqlInstances(where:{instanceType:"CLOUD_SQL_INSTANCE",backendType:"SECOND_GEN",ipAddresses_SOME:{type:"PRIMARY"}}){...AssetFragment}}The default firewall does not have any default rules besides http and https
Connectors
Covered asset types
Expected check: eq []
{GCPNetworking7{...AssetFragment}}'Enable connecting to serial ports' is not enabled for VM Instance
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"serial-port-enable",value:"true"}}){...AssetFragment}Kubernetes Cluster is created with Private cluster enabled
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{privateClusterConfig:null}){...AssetFragment}Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{masterAuthorizedNetworksConfigEnabled_NOT:true}){...AssetFragment}Network policy is enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{networkPolicyEnabled:false}){...AssetFragment}Firewall rule does not allow all traffic for MongoDB (port 27017)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 27017, destToPort_GTE: 27017, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic for MySQL (port 3306)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 3306, destToPort_GTE: 3306, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic for Oracle DB (port 1521)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 1521, destToPort_GTE: 1521, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic for PostgreSQL DB (port 5432)
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 5432, destToPort_GTE: 5432, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic on all ports
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 0, destToPort_GTE: 65535, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}Firewall rule does not allow all traffic on port 80
Connectors
Covered asset types
Expected check: eq []
{firewalls(where: {rules_SOME: {direction: "Inbound", destFromPort_LTE: 80, destToPort_GTE: 80, OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}}) {...AssetFragment}}RDS instances are not open to the world
Connectors
Expected check: eq []
dbInstances(where: { netInfo_SOME: { ipAddress: "0.0.0.0" } }) {...AssetFragment}Storage accounts with the default action not set to Deny
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { networkRuleSetDefaultAction: "Deny" } }) {
...AssetFragment
}
}'Allow access to Azure services' for PostgreSQL Database Server is disabled
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{firewallRules_SOME:,{OR:[{name_MATCHES:"(?i)allowallwindowsazureips"},{name_MATCHES:"(?i)allowallazureips"},{AND:[{startIPAddress:"0.0.0.0"},{endIPAddress:"0.0.0.0"}]}]}}){...AssetFragment}}Ensure 'Allow access to Azure services' for PostgreSQL Database Flexible Server is disabled
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers (where: {
firewallRules_SOME: {
OR: [
{ name_MATCHES: "(?i)allowallwindowsazureips" }
{ name_MATCHES: "(?i)allowallazureips" }
{ AND: [{ startIPAddress: "0.0.0.0" }, { endIPAddress: "0.0.0.0" }] }
]
}
}) {...AssetFragment}
}
No Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Connectors
Covered asset types
Expected check: eq []
{sqlServers(where:{firewallRules_SOME:{startIpAddress_CONTAINS:"0.0.0.0"}}){...AssetFragment}}Azure NSGs allowing UDP traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
protocol: "UDP"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 53, destToPort_GTE: 53 }
{ destFromPort_LTE: 123, destToPort_GTE: 123 }
{ destFromPort_LTE: 161, destToPort_GTE: 161 }
{ destFromPort_LTE: 389, destToPort_GTE: 389 }
{ destFromPort_LTE: 1900, destToPort_GTE: 1900 }
]
}
]
}
}
) {
...AssetFragment
}
}App Engine Allowing Plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
appEngineServices(
where: {
serviceVersions_NONE: {
urlHandlers_SOME: {
urlRegex_IN: ["/.*", ".*"]
securityLevel_IN: ["SECURE_ALWAYS"]
}
}
}
) {
...AssetFragment
}
}EC2 Instances are deployed in a VPC
Connectors
Covered asset types
Expected check: eq []
{vms(where:{OR:[{vpcID:null},{vpcID:""}]}){...AssetFragment}}RDS instances are not publicly reachable
Connectors
Covered asset types
Expected check: eq []
{dbInstances(where:{publicAccessBlocked:false}){...AssetFragment}}VPC flow logging is enabled in all VPCs
Connectors
Covered asset types
Expected check: eq []
vpcs(where: {OR: [{hasFlowLog: null}, {hasFlowLog_NONE: {flowLogStatus: "ACTIVE"}}]}){...AssetFragment}VPC Flow logs is enabled for every subnet in a VPC Network
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{hasSubnetwork_SOME:{enableFlowLogs:false}}){...AssetFragment}Legacy networks do not exist for a project
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{IPv4Range_NOT:"" gatewayIPv4_NOT:""}){...AssetFragment}DNSSEC is enabled for Cloud DNS
Connectors
Covered asset types
Expected check: eq []
managedZones(where:{dnsSecConfigState_NOT:"on"}){...AssetFragment}Private Google Access is set on Kubernetes Engine Cluster Subnets
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{subnetworks_SOME:{privateIpGoogleAccess:false}}){...AssetFragment}The default network does not exist in a project
Connectors
Covered asset types
Expected check: eq []
vpcs(where:{name:"default"}){...AssetFragment}Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
Connectors
Covered asset types
Expected check: eq []
{gkeClusters(where: {nodePools_SOME: {nodeConfig_NOT: { imageType_MATCHES: "(?i).*cos.*" }}}) {...AssetFragment}}Kubernetes Clusters are created with limited service account Access scopes for Project access
Connectors
Covered asset types
Expected check: eq []
{gkeClusters(where: {nodePools_SOME: {nodeConfig: { oauthScopes_INCLUDES:"https://www.googleapis.com/auth/cloud-platform"}}}) {...AssetFragment}}Kubernetes Engine uses HTTP load balancing
Connectors
Covered asset types
Expected check: eq []
{gkeClusters(where:{httpLoadBalancingEnabled:false}){...AssetFragment}}Kubernetes web UI / Dashboard is disabled
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{kubernetesDashboardDisabled:false}){...AssetFragment}Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{legacyAbacEnabled_NOT:false}){...AssetFragment}Default Service account is not used for Project access in Kubernetes Clusters
Connectors
Covered asset types
Expected check: eq []
{gkeClusters(where:{nodePools_SOME:{nodeConfig:{serviceAccount:"default"}}}){...AssetFragment}}Azure App Service apps without managed identity
Connectors
Covered asset types
Expected check: eq true
{
sites(where: { managedIdentities_SOME: null }) {
...AssetFragment
}
}Azure subscriptions with WDATP (endpoint protection) disabled
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { dataExportSettings_SOME: { name: "WDATP", enabled: false } }
) {
...AssetFragment
}
}GCP VMs with security features disabled
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
OR: [
{ shieldedInstanceConfigEnableVtpm: false }
{ shieldedInstanceConfigEnableSecureBoot: false }
{ shieldedInstanceConfigEnableIntegrityMonitoring: false }
]
}
) {
...AssetFragment
}
}AMIs Are Private
Connectors
Covered asset types
Expected check: eq []
{amis(where:{isPublic:true}){...AssetFragment}}Azure connectors without security contact additional email addresses
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { email: null } }
{ securityContacts_SOME: { email: "" } }
]
}
) {
...AssetFragment
}
}Azure connectors without subscription owner notifications
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { notificationByRoleState: "Off" } }
{
NOT: {
securityContacts_SOME: { notificationRoles_INCLUDES: "Owner" }
}
}
]
}
) {
...AssetFragment
}
}Azure connectors without notifications for high alerts
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { alertNotifications: false } }
]
}
) {
...AssetFragment
}
}Azure Connectors without network watchers in all used regions
Connectors
Covered asset types
Expected check: eq []
{
AzureRegionsWithoutNetworkWatcher {
...AssetFragment
}
}AWS Config is enabled in all regions
Connectors
Covered asset types
Expected check: eq []
AWSLogging5{...AssetFragment}Access Logs is Enabled for ELB
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"application",hasLoadBalancerAttribute_NONE:{key:"access_logs.s3.enabled",value:"true"}}){...AssetFragment}}CloudTrail log file validation is enabled
Connectors
Covered asset types
Expected check: eq []
trails(where:{logFileValidationEnabled:false}){...AssetFragment}CloudTrail logs are encrypted at rest
Connectors
Covered asset types
Expected check: eq []
trails(where:{kmsKeyID:""}){...AssetFragment}S3 bucket access logging is enabled on the CloudTrail S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{trails_NOT: null, loggingEnabled:false}){...AssetFragment}}Object-level logging for write events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "WriteOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}Object-level logging for read events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "ReadOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}A log metric filter and alarm exist for AWS Config configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?config\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopConfigurationRecorder[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutConfigurationRecorder[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Management Console authentication failures
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.errorMessage\\s*=\\s*[\"]?Failed authentication[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for CloudTrail configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StartLogging[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopLogging[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for Management Console sign-in without MFA
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.additionalEventData\\.MFAUsed\\s*!=\\s*[\"]?Yes[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for VPC changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ModifyVpcAttribute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RejectVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableVpcClassicLink[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnableVpcClassicLink[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclAssociation[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to network gateways
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachInternetGateway[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for route table changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRouteTableAssociation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisassociateRouteTable[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for security group changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateSecurityGroup[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteSecurityGroup[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for unauthorized API calls
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?\\*UnauthorizedOperation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?AccessDenied\\*[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Organizations changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?organizations\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeclineHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?InviteAccountToOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?LeaveOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?MoveAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RemoveAccountFromOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateOrganizationalUnit[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{loggingService_NOT:"logging.googleapis.com"}){...AssetFragment}Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{monitoringService_NOT:"monitoring.googleapis.com"}){...AssetFragment}Log metric filter and alerts exist for Audit Configuration Changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging5{...AssetFragment}Log metric filter and alerts exist for Cloud Storage IAM permission changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging10{...AssetFragment}Log metric filter and alerts exist for Project Ownership assignments/changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging4{...AssetFragment}Log metric filter and alerts exist for SQL instance configuration changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging11{...AssetFragment}Log metric filter and alerts exist for VPC Network Firewall rule changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging7{...AssetFragment}Log metric filter and alerts exist for VPC network changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging9{...AssetFragment}Log metric filter and alerts exist for VPC network route changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging8{...AssetFragment}Cloud Audit Logging is configured properly across all services and all users from a project
Connectors
Covered asset types
Expected check: eq []
GCPLogging1{...AssetFragment}Logging is enabled for Cloud Storage buckets
Connectors
Covered asset types
Expected check: eq []
buckets(where:{loggingLogBucket_NOT:""}){...AssetFragment}Retention policies on log buckets are configured using Bucket Lock
Connectors
Covered asset types
Expected check: eq []
logBuckets(where:{locked:false}){...AssetFragment}Sinks are configured for all Log entries
Connectors
Covered asset types
Expected check: eq []
GCPLogging2{...AssetFragment}The 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "log_connections" } } { dbFlags_SOME: { name: "log_connections", value: "off" } } ] } ) { ...AssetFragment }}The 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "log_disconnections" } } { dbFlags_SOME: { name: "log_disconnections", value: "off" } } ] } ) { ...AssetFragment }}The 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "postgresql" cloudProvider: "gcp" dbFlags_SOME: { name: "log_min_duration_statement", NOT: { value: "-1" } } } ) { ...AssetFragment }}Alibaba IAM account summaries with Anti-DDos log service enabled
Connectors
Covered asset types
Expected check: eq []
{
iamAccountSummaries(
where: {
hasIAMAccountSummaryItem_SOME: { key: "antiDDoSHasLogStore", value: 1 }
}
) {
connector {...AssetFragment}
}
}
Web Application Firewall access and security log service is enabled
Connectors
Covered asset types
Expected check: eq []
domains(where: { OR: [ {slsLogActive: false}, {wafActive: false} ] }) {...AssetFragment}Alibaba ActionTrails that export copies of all log entries
Connectors
Covered asset types
Expected check: eq []
{
AlibabaLogging1 {...AssetFragment}
}Logging is enabled for OSS buckets
Connectors
Covered asset types
Expected check: eq []
buckets(where:{ loggingEnabled: false }){...AssetFragment}Diagnostic Setting captures appropriate categories
Connectors
Covered asset types
Expected check: eq []
{subscriptionDiagnosticSettings(where:{logSettings_SOME:{category_IN:["Administrative","Alert","Policy","Security"],enabled:false}},){...AssetFragment}}Storage Accounts without Blob Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isBlobServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}Azure storage accounts without queue service diagnostic settings logging
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isQueueServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{configurations_NONE:{name:"connection_throttling", value_MATCHES:"(?i)on"}}){...AssetFragment}}Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{configurations_NONE:{name:"log_checkpoints",value_MATCHES:"(?i)on"}},){...AssetFragment}}Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
configurations_SOME: { name: "log_connections", value_MATCHES: "(?i)off" }
}
) {
...AssetFragment
}
}Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
configurations_SOME: {
name: "log_disconnections"
value_MATCHES: "(?i)off"
}
}
) {
...AssetFragment
}
}Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{configurations_SOME:{name:"log_retention_days", value_MATCHES:"[0-3]"}}){...AssetFragment}}Azure SQL Servers with audit retention lesser than 90 days
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
blobAuditingPolicies_NONE: {
state: "Enabled"
OR: [{ retentionDays: 0 }, { retentionDays_GT: 90 }]
}
}
) {
...AssetFragment
}
}Azure SQL Servers without auditing
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(where: { blobAuditingPolicies_NONE: { state: "Enabled" } }) {
...AssetFragment
}
}Activity Log Alert exists for Create Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/write"){...AssetFragment}}Activity Log Alert exists for Create or Update Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/write"){...AssetFragment}}Activity Log Alert exists for Create or Update Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/write"){...AssetFragment}}Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/write"){...AssetFragment}}Activity Log Alert exists for Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/delete"){...AssetFragment}}Activity Log Alert exists for Delete Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/delete"){...AssetFragment}}Activity Log Alert exists for Delete Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/delete"){...AssetFragment}}Activity Log Alert exists for Delete Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/delete"){...AssetFragment}}Key Vaults without Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where: {
OR: [
{ loggingEnabled: false }
{
diagnosticSettings_SOME: {
resourceType: "Microsoft.KeyVault/vaults"
logs_SOME: {
enabled: false
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
) {
...AssetFragment
}
}Google Cloud VPCs without DNS logging
Connectors
Covered asset types
Expected check: eq []
{
vpcs(where: { dnsPolicy_NONE: { NOT: { enableLogging_IN: ["true"] } } }) {
...AssetFragment
}
}Google Cloud Load Balancers without logging
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: { backendServices_ALL: { NOT: { logConfigEnabled: true } } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for App Services
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "AppServices", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Azure SQL
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "SqlServers", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Open-Source Relational Databases
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
pricing_SOME: {
name: "OpenSourceRelationalDatabases"
pricingTier: "Free"
}
}
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Storage
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "StorageAccounts", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Cosmos DB
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "CosmosDbs", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Key Vault
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "KeyVaults", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for DNS
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Dns", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Resource Manager
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Arm", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for SQL Servers on Machines
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
pricing_SOME: { name: "SqlServerVirtualMachines", pricingTier: "Free" }
}
) {
...AssetFragment
}
}Azure subscriptions without Microsoft Defender for Servers
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "VirtualMachines", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure subscriptions with MCAS disabled
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { dataExportSettings_SOME: { name: "MCAS", enabled: false } }
) {
...AssetFragment
}
}AWS Inspector is configured for EC2 Instances
Connectors
Covered asset types
Expected check: eq []
{vms(where:{inspectorEnabled:false}){...AssetFragment}}
