Overview
Statement
The NIS 2 Directive establishes a common cybersecurity baseline for essential and important entities operating in the European Union. This framework translates the Directive's governance, cybersecurity risk-management, and significant-incident reporting expectations into practical cloud, identity, workload, logging, resilience, and vulnerability controls.
This mapping is built around the core operational obligations in Directive (EU) 2022/2555:
- Article 20: governance, management accountability, oversight, and cybersecurity training.
- Article 21: risk-based technical, operational, and organisational cybersecurity risk-management measures.
- Article 22: supply-chain risk considerations for critical ICT services, systems, and products.
- Article 23: significant-incident reporting and communication readiness.
- Article 24: alignment with recognised cybersecurity certification schemes where required or appropriate.
The controls below are not a legal determination of NIS 2 applicability. They provide an operational evidence layer for cloud and identity environments so teams can demonstrate that proportionate measures are implemented, monitored, and continuously improved.
Coverage
References
- Directive (EU) 2022/2555, Articles 20-24: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555
Procedures and mapped controls
Article 20 - Governance and management accountability
Management bodies should approve cybersecurity risk-management measures, oversee implementation, understand risk exposure, and ensure clear security roles, contacts, and escalation paths. These controls provide evidence for administrative ownership, privileged-account resilience, security contactability, and emergency support readiness.
Mapped controls
Maintain current contact details
Ensure security contact information is registered
Ensure a support role has been created to manage incidents with AWS Support
Ensure Essential Contacts is Configured for Organization
Ensure security alert emails for subscription owners are enabled
Ensure at least two Google Workspace Super Admins are configured
Ensure at least two Okta admins are configured
Identity Provider Super Administrators
Article 21(2)(a) - Risk analysis and information system security
Entities should maintain a risk-based information-system security baseline supported by inventory, configuration recording, exposure analysis, and security telemetry. These controls evidence that cloud and identity environments can be assessed, monitored, and governed consistently.
Mapped controls
Ensure that IAM Access analyzer is enabled for all regions
Ensure AWS Config is enabled in all regions
Ensure sinks are configured for all Log entries
Ensure Cloud Audit Logging is configured properly across all services and all users from a project
Ensure a 'Diagnostic Setting' exists for Subscription Activity Logs
Ensure Application Insights are Configured
Ensure Microsoft Defender for Containers is set to 'On'
Article 21(2)(b) - Incident handling
Incident handling requires timely detection, triage, containment, response, and recovery. The mapped controls focus on high-risk administrative changes, suspicious API activity, policy changes, network control changes, and alerting channels that support incident response teams.
Mapped controls
Ensure a log metric filter and alarm exist for unauthorized API calls
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure log metric filter and alerts exist for Custom Role changes
Ensure that 'Notify about alerts with the following severity' is set to 'High'
Ensure that Activity Log Alert exists for Create Policy Assignment
Ensure that Activity Log Alert exists for Delete Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Security Solution
Ensure that Activity Log Alert exists for Delete Security Solution
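As an added example (not part of this framework or its stored checks), the Python below shows what the first control above actually verifies and what the resulting alarm reacts to. It checks a CloudWatch metric filter pattern against the same recognition regex the stored check for unauthorized API calls uses in the query logic further down this page, and evaluates the CIS-recommended pattern against a few CloudTrail records constructed for the example. The pattern evaluator supports only the subset of CloudWatch filter syntax that pattern uses (parenthesised `$.field = "value"` clauses joined by `||`, with `*` wildcards); that restriction is an assumption of the example, not a property of CloudWatch.

```python
import fnmatch
import re

# CIS AWS Foundations Benchmark pattern recommended for the
# "unauthorized API calls" metric filter.
UNAUTHORIZED_API_PATTERN = (
    '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
)

# Regex used by the stored check on this page to recognise a compliant filter
# pattern (GraphQL string escaping removed). Filters that do not match are reported.
UNAUTHORIZED_API_CHECK_RE = re.compile(
    r'.*\s*\(\s*\$\.errorCode\s*=\s*["]?\*UnauthorizedOperation["]?\s*\)\s*\|\|'
    r'\s*\(\s*\$\.errorCode\s*=\s*["]?AccessDenied\*["]?\s*\)\s*.*'
)


def filter_pattern_is_compliant(pattern: str) -> bool:
    """True when a metric filter pattern satisfies the stored check's regex."""
    return UNAUTHORIZED_API_CHECK_RE.fullmatch(pattern) is not None


# One clause of the form ($.some.field = "value"); quotes are optional in filter syntax.
_CLAUSE_RE = re.compile(r'\(\s*\$\.([A-Za-z0-9_.]+)\s*=\s*"?([^"\s)]+)"?\s*\)')


def parse_filter_pattern(pattern: str) -> list[tuple[str, str]]:
    """Parse a '{ (...) || (...) }' pattern into (json_path, wildcard_value) clauses.

    Only the equality / || subset used by the CIS patterns is supported (assumption).
    """
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    clauses = []
    for part in body.split("||"):
        match = _CLAUSE_RE.fullmatch(part.strip())
        if match is None:
            raise ValueError(f"unsupported clause: {part.strip()!r}")
        clauses.append((match.group(1), match.group(2)))
    return clauses


def _lookup(event: dict, json_path: str):
    """Resolve a dotted $.a.b path against a CloudTrail record; None when absent."""
    current = event
    for key in json_path.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def event_matches(pattern: str, event: dict) -> bool:
    """Apply the pattern as CloudWatch would: any matching clause increments the metric."""
    for json_path, wildcard in parse_filter_pattern(pattern):
        value = _lookup(event, json_path)
        if value is not None and fnmatch.fnmatchcase(str(value), wildcard):
            return True
    return False


# Constructed CloudTrail records, trimmed to the fields the pattern needs.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "GetObject", "errorCode": "AccessDenied"},
    {"eventName": "AssumeRole", "errorCode": "AccessDeniedException"},
    {"eventName": "ListBuckets"},  # successful call, no errorCode at all
    {"eventName": "PutMetricData", "errorCode": "ThrottlingException"},
]


def alarming_event_names(events: list[dict], pattern: str = UNAUTHORIZED_API_PATTERN) -> list[str]:
    """Names of the records that would increment the unauthorized-API-calls metric."""
    return [e["eventName"] for e in events if event_matches(pattern, e)]


if __name__ == "__main__":
    print("compliant filter pattern:", filter_pattern_is_compliant(UNAUTHORIZED_API_PATTERN))
    print("would alarm on:", alarming_event_names(SAMPLE_EVENTS))
```

Two points worth noticing when running it: `AccessDeniedException` (the form most AWS APIs return) is caught by the `AccessDenied*` wildcard, and the stored check's regex is order-sensitive, so an otherwise equivalent pattern with the two clauses swapped is reported as non-compliant even though CloudWatch would treat it identically.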
Article 21(2)(c) - Business continuity, backup, disaster recovery, and crisis management
Continuity measures should preserve recoverability of systems, data, cryptographic material, and critical services. These controls support backup coverage, object versioning, soft delete, delete-protection, and protection against accidental or malicious key loss.
Mapped controls
Ensure buckets have versioning enabled
Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Ensure Cloud SQL database instances are configured with automated backups
Ensure databases have deletion protection enabled
Ensure Key Vaults are Recoverable
Ensure the Expiration Date is set for Key Vault Secrets
Ensure in-use encryption keys are not scheduled for deletion
Article 21(2)(d) and Article 22 - Supply chain security
Supply-chain security should cover direct suppliers, service providers, external identities, service identities, registries, and build/runtime dependencies. These controls help identify excessive trust, externally exposed principals, public registries, and unsafe service identity patterns.
Mapped controls
Identities allowing external access
Ensure that IAM Access analyzer is enabled for all regions
Ensure IAM Role can be assumed only by specific Principals
Ensure Service Account has no Admin privileges
Service Identities With Access to Everything
Minimize cluster access to read-only for Amazon ECR
Ensure Artifact Registry repositories are not publicly accessible
Article 21(2)(e) - Secure acquisition, development, maintenance, and vulnerability handling
Secure acquisition and maintenance should reduce exploitable vulnerabilities, unsupported runtimes, mutable artifacts, unsafe metadata services, and insecure secret handling across applications and infrastructure. These controls provide technical evidence for vulnerability management and secure lifecycle practices.
Mapped controls
Ensure there are no workloads with exploitable vulnerabilities
Ensure container images do not contain exploitable vulnerabilities
Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider
Ensure Artifact Registry Docker repositories enforce immutable tags
Ensure AWS Lambda functions use a supported runtime
Ensure Function App runtime version is currently supported
Ensure Google Cloud Functions use a supported runtime
Ensure no databases have outdated engine versions
EC2 Instances Should Only Allow IMDSv2
Launch Templates Should Only Allow IMDSv2
SageMaker Notebooks Should Only Allow IMDSv2
Article 21(2)(f) - Assessing effectiveness of cybersecurity measures
Effectiveness assessment requires evidence that cybersecurity measures are operating and auditable. These controls focus on audit logging, validation, retention, log sinks, security activity visibility, and policy-change monitoring.
Mapped controls
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure VPC flow logging is enabled in all VPCs
Ensure sinks are configured for all Log entries
Ensure that object versioning is enabled on log-buckets
Ensure log metric filter and alerts exist for Project Ownership assignments/changes
Ensure log metric filter and alerts exist for Audit Configuration Changes
Ensure logging for Azure Key Vault is 'Enabled'
Ensure 'Auditing' is set to 'On' for SQL Servers
Ensure 'Auditing' Retention is greater than 90 days for SQL Servers
Ensure Network Security Group Flow Log retention period is 'greater than 90 days'
Article 21(2)(g) - Cyber hygiene and cybersecurity training
Cyber hygiene includes secure authentication, credential rotation, password quality, privileged-account discipline, and baseline hardening. Training and awareness should reinforce these practices and make insecure exceptions visible to accountable owners.
Mapped controls
Users Should Have Multi-Factor Authentication (MFA/2SV)
Ensure administrators have multi-factor authentication enabled
Ensure access keys are rotated every 90 days or less
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM password policy prevents password reuse
Ensure IAM password policy expires passwords within 90 days or less
Identity Provider Users With Old Password
Ensure there are no weak password policies
Ensure a Custom Bad Password List is set to 'Enforce' for your Organization
Article 21(2)(h) - Cryptography and encryption
Cryptography and encryption policies should protect data at rest and in transit, prevent public exposure of keys, require managed key rotation, and preserve control over regulated workloads. These controls map directly to encryption and key-management evidence across cloud services.
Mapped controls
Ensure databases are encrypted
Ensure 'Data encryption' is set to 'On' on SQL Databases
Ensure Storage for Critical Data Is Encrypted with Customer Managed Keys
Ensure SQL server's TDE protector is encrypted with Customer Managed Keys (CMK)
Ensure Artifact Registry repositories use customer-managed encryption keys
Ensure SageMaker Notebooks Are Encrypted
Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS
Ensure encryption keys are rotated
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure encryption keys are not publicly accessible
Article 21(2)(i) - Human resources security, access control, and asset management
Access control and asset management should enforce least privilege, restrict privileged roles, minimise exposed assets, and maintain visibility over cloud resources and identities. These controls cover IAM policy quality, privileged-role constraints, Kubernetes access, public exposure, and object-store access.
Mapped controls
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure IAM Users receive permissions only through Groups
Ensure Managed IAM Policies are used instead of Inline Policies
Ensure IAM Role can be assumed only by specific Principals
Ensure basic/primitive roles are not used
Ensure that the cluster-admin role is only used where required
Minimize access to secrets
Enable Role Based Access Control for Azure Key Vaults
Ensure Fewer Than 5 Users Have Global Administrator Assignment
Ensure No Custom Subscription Administrator Roles Exist
Ensure buckets are not publicly accessible
Ensure VMs are not publicly accessible
Ensure databases are not publicly accessible
Ensure buckets are not publicly readable
Ensure buckets are not publicly writable
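As an added example (mine, not the framework's stored query), the Python below implements the first control in the list above, IAM policies that allow full "*:*" administrative privileges, over IAM policy documents constructed for the example. It also handles the two cases a plain string match on `*` does not cover and that a reviewer has to reason about: a Deny statement carrying `*` on `*` is a restriction rather than a grant, and an Allow statement that uses `NotAction` with `Resource: "*"` grants almost everything without ever containing the `*` action, so it is surfaced separately for review.

```python
import json


def _as_list(value):
    """IAM policy fields may be a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def classify_policy(document: dict) -> str:
    """Classify an IAM policy document.

    'full_admin'       : an Allow statement with Action "*" on Resource "*"
    'review_notaction' : an Allow statement using NotAction on Resource "*", which
                         grants every action except the listed ones and is not
                         caught by the "*" check
    'ok'               : neither
    Deny statements never count: a Deny of * on * removes permissions, it grants none.
    """
    verdict = "ok"
    for statement in _as_list(document.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(statement.get("Resource")):
            continue
        if "*" in _as_list(statement.get("Action")):
            return "full_admin"
        if "NotAction" in statement:
            verdict = "review_notaction"
    return verdict


def audit_policies(policies: dict[str, dict]) -> dict[str, str]:
    """Return {policy_name: verdict}; the control passes when no entry is 'full_admin'."""
    return {name: classify_policy(doc) for name, doc in policies.items()}


def noncompliant_policy_names(policies: dict[str, dict]) -> list[str]:
    """The list the control expects to be empty: policies granting full administrative access."""
    return [name for name, verdict in audit_policies(policies).items() if verdict == "full_admin"]


# Constructed policy documents for the example (names are illustrative).
POLICIES = {
    "AdminLike": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "ReadOnlyBucket": {
        "Version": "2012-10-17",
        # A single statement object instead of a list is valid IAM syntax.
        "Statement": {"Effect": "Allow", "Action": ["s3:GetObject"],
                      "Resource": "arn:aws:s3:::example-bucket/*"},
    },
    "DenyEverything": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
    },
    "AlmostEverything": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"],
                       "Resource": "*"}],
    },
    "WildcardOneService": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    },
}


if __name__ == "__main__":
    print(json.dumps(audit_policies(POLICIES), indent=2))
    print("non-compliant:", noncompliant_policy_names(POLICIES))
```

`WildcardOneService` is deliberately left as `ok`: a service-wide wildcard such as `s3:*` is a least-privilege concern but is not what this control measures, and folding it in would make the evidence for the control unreliable.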
Article 21(2)(j) - Multi-factor authentication and secure communications
Where appropriate, entities should use multi-factor or continuous authentication and secure communications. These controls map to tenant-wide MFA, privileged-user MFA, admin-portal MFA, risky-sign-in MFA, modern TLS, and encrypted ingress.
Mapped controls
Ensure A Multi-factor Authentication Policy Exists for Administrative Groups
Ensure A Multi-factor Authentication Policy Exists for All Users
Ensure Multifactor Authentication is Required to access Microsoft Admin Portals
Ensure Multifactor Authentication is Required for Windows Azure Service Management API
Ensure Multi-factor Authentication is Required for Risky Sign-ins
Ensure 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
Ensure 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
Ensure Web App is using the latest version of TLS encryption
Ensure Function App is using the latest version of TLS encryption
Ensure 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure databases have TLS 1.2 or newer enabled
Ensure weak TLS Protocols are not used for ELB
Encrypt traffic to HTTPS load balancers with TLS certificates
Article 23 - Significant-incident reporting and communication readiness
Significant-incident reporting depends on detection, evidence preservation, internal escalation, and current contact information. These controls support readiness for the Article 23 timeline: the early warning within 24 hours of becoming aware of a significant incident, the incident notification within 72 hours, intermediate reports on request, the final report within one month of the incident notification, and communication with affected service recipients where needed.
Mapped controls
Ensure Essential Contacts is Configured for Organization
Ensure security contact information is registered
Ensure security alert emails for subscription owners are enabled
Ensure 'Additional email addresses' is configured with a security contact email
Ensure a log metric filter and alarm exist for unauthorized API calls
Ensure log metric filter and alerts exist for Custom Role changes
Ensure that 'Notify about alerts with the following severity' is set to 'High'
Ensure a 'Diagnostic Setting' exists for Subscription Activity Logs
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail log file validation is enabled
Ensure sinks are configured for all Log entries
Query logic
These are the stored checks tied to this framework.
AWS IAMPolicies with support role
Connectors
Covered asset types
Expected check: eq []
{
AWSIAM16 {...AssetFragment}
}
Essential Contacts Set
Connectors
Covered asset types
Expected check: eq []
EssentialContactsSetOnConnector{...AssetFragment}
Azure connectors without subscription owner notifications
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { notificationByRoleState: { eq: "Off" } } }
{
NOT: {
securityContacts_SOME: { notificationRoles_INCLUDES: "Owner" }
}
}
]
}
) {
...AssetFragment
}
}
At least two Google Workspace admins are configured
Connectors
Covered asset types
Expected check: eq []
GWTwoAdmins{...AssetFragment}
At least two Okta admins are configured
Connectors
Covered asset types
Expected check: eq []
Okta1{...AssetFragment}
Okta Super Administrator Users
Connectors
Covered asset types
Expected check: eq []
{
users(where: {isSuperAdmin: { eq: true }}) {...AssetFragment}
}
IAM Access analyzer is enabled for all regions
Connectors
Covered asset types
Expected check: eq []
AWS140IAM20{...AssetFragment}
AWS Config is enabled in all regions
Connectors
Covered asset types
Expected check: eq []
AWSLogging5{...AssetFragment}
Sinks are configured for all Log entries
Connectors
Covered asset types
Expected check: eq []
GCPLogging2{...AssetFragment}
Cloud Audit Logging is configured properly across all services and all users from a project
Connectors
Covered asset types
Expected check: eq []
GCPLogging1{...AssetFragment}
Azure subscriptions without diagnostic settings
Connectors
Covered asset types
Expected check: eq []
{
subscriptionDiagnosticSettings(
where: {
OR: [
{ logSettings_SOME: null }
{
logSettings_SOME: {
category_IN: ["Administrative", "Alert", "Policy", "Security"]
enabled: { eq: false }
}
}
]
}
) {
...AssetFragment
}
}
Azure Connectors without Application Insights
Connectors
Covered asset types
Expected check: eq []
{
connectors(where: { cloudProvider: { eq: "azure" }, applicationInsights_SOME: null }) {
...AssetFragment
}
}
Azure subscriptions without Microsoft Defender for Containers
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: { eq: "Containers" }, pricingTier: { eq: "Free" } } }
) {
...AssetFragment
}
}
A log metric filter and alarm exist for unauthorized API calls
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern: ".*\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?\\*UnauthorizedOperation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?AccessDenied\\*[\"]?\\s*\\)\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for IAM policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern: ".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachGroupPolicy[\"]?\\s*\\)\\s*\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for CloudTrail configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern: ".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StartLogging[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopLogging[\"]?\\s*\\)\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for security group changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern: ".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateSecurityGroup[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteSecurityGroup[\"]?\\s*\\)\\s*.*"){...AssetFragment}
A log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern: ".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclAssociation[\"]?\\s*\\)\\s*.*"){...AssetFragment}
Log metric filter and alerts exist for Custom Role changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging6{...AssetFragment}
Azure connectors without notifications for high alerts
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { alertNotifications: { eq: false } } }
]
}
) {
...AssetFragment
}
}
Activity Log Alert exists for Create Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.authorization/policyassignments/write"){...AssetFragment}}
Activity Log Alert exists for Delete Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.authorization/policyassignments/delete"){...AssetFragment}}
Activity Log Alert exists for Create or Update Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.security/securitysolutions/write"){...AssetFragment}}
Activity Log Alert exists for Delete Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.security/securitysolutions/delete"){...AssetFragment}}
Buckets without versioning enabled
Connectors
Covered asset types
Expected check: eq []
{ objectContainers (where: {versioningEnabled: { eq: false }}) {...AssetFragment} }
Azure Storage Accounts Without Soft Delete
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ blobServiceDeletePolicyEnabled: { eq: false } }
{ blobServiceDeletePolicyDays: { eq: 0 } }
{ containerDeleteRetentionPolicyEnabled: { eq: false } }
{ containerDeleteRetentionPolicyDays: { eq: 0 } }
]
}
) {
...AssetFragment
}
}
Cloud SQL database instances are configured with automated backups
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsBackupConfigurationEnabled: { eq: false }}){...AssetFragment}
Databases without delete protection Azure
Connectors
Covered asset types
Expected check: eq []
{ databases(where: { deletionPrevention: { eq: "disabled" } }) {...AssetFragment} }
Databases without delete protection Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: {deletionPrevention: { eq: "disabled" }}) {...AssetFragment} }
Databases without delete protection AWS and Alibaba
Connectors
Covered asset types
Expected check: eq []
{ dbInstances(where: { AND: [ {deletionPrevention: { eq: "disabled" } } {OR: [{ dbCluster: null }{ dbCluster: { deletionProtection: { eq: false } }}]}]}) {...AssetFragment} }
The key vault is recoverable
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where:
{
OR: [
{NOT: { enableSoftDelete: { eq: true } } }
{NOT: { enablePurgeProtection: { eq: true } } }
] }
) {...AssetFragment}
}
Azure Key Vault secrets without expiration date
Connectors
Covered asset types
Expected check: eq []
{
kmsSecrets(where: { expires: { eq: "0000-01-01T00:00:00.000Z" } }) {
...AssetFragment
}
}
Encryption Keys scheduled for deletion
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys(where: {scheduleForDeletion: { eq: true }, dataStores_SOME: {}}) {...AssetFragment} }
AWS Roles allowing external access
Connectors
Covered asset types
Expected check: eq []
{
AWSRolesWithExternalAccess {
...AssetFragment
}
}
Google Cloud Service Accounts allowing external access
Connectors
Covered asset types
Expected check: eq []
{
GCPServiceAccountsWithExternalAccess{
...AssetFragment
}
}
IAM Role can be assumed only by specific Principals
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{hasIAMAssumeRolePolicyStatement_SOME:{hasIAMAssumeRolePolicyPrincipal_SOME:{value: { eq: "*" }}}}){...AssetFragment}}
Ensure Service Account has no Admin privileges
Connectors
Covered asset types
Expected check: eq []
{
iamServiceAccounts(
where: {
hasIAMRole_SOME: {
OR: [
{ name: { eq: "roles/owner" } }
{ name: { eq: "roles/editor" } }
{ name_CONTAINS: "admin" }
]
}
}
) {
...AssetFragment
}
}
AWS/Alibaba roles granting access to everything
Connectors
Covered asset types
Expected check: eq []
{
iamRoles(
where: {
cloudProvider_IN: ["alibaba", "aws"]
iamPolicies_SOME: {
iamPolicyStatements_SOME: {
actions_INCLUDES: "*"
resources_INCLUDES: "*"
}
}
}
) {
...AssetFragment
}
}
Google Cloud Service Accounts with access to everything
Connectors
Covered asset types
Expected check: eq []
{
iamServiceAccounts(
where: { hasIAMRole_SOME: { name_IN: ["roles/owner", "roles/editor"] } }
) {
...AssetFragment
}
}
K8s Service Accounts granting access to everything
Connectors
Covered asset types
Expected check: eq []
{
serviceAccounts(
where: {
OR: [
{
podIdentityAssociations_SOME: {
role: {
iamPolicies_SOME: {
iamPolicyStatements_SOME: {
actions_INCLUDES: "*"
resources_INCLUDES: "*"
}
}
}
}
}
{
annotations_SOME: {
awsRole: {
iamPolicies_SOME: {
iamPolicyStatements_SOME: {
actions_INCLUDES: "*"
resources_INCLUDES: "*"
}
}
}
}
}
]
}
) {
...AssetFragment
}
}
Azure Managed Identities with access to everything
Connectors
Covered asset types
Expected check: eq []
{
managedIdentities(
where: {
servicePrincipals_SOME: { roles_SOME: { permissions_INCLUDES: "*" } }
}
) {
...AssetFragment
}
}
EKSNodeGroup roles with write access to ECR
Connectors
Covered asset types
Expected check: eq []
{
EKSNodeGroupRolesWithWriteAccessToECR {
...AssetFragment
}
}
Publicly accessible Artifact Registry repositories
Connectors
Covered asset types
Expected check: eq []
{ artifactRegistryRepositories(where: { iamBindings_SOME: { OR: [ { members_INCLUDES: "allAuthenticatedUsers" }, { members_INCLUDES: "allUsers" } ] } }) { ...AssetFragment } }
Ensure there are no Compute with exploitable vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{ComputeWithExploitableVulnerabilities {...AssetFragment}}
CloudRun revisions with high severity vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{
cloudRunRevisions(
where: {
image: {
findings_SOME: {
vulnerability: {
exploitAvailable: { eq: true }
}
}
}
}) {
...AssetFragment
}
}
Containers with exploitable high/critical vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{
ContainersWithExploitableVulnerabilities {
...AssetFragment
}
}
GCP container images with exploitable high or critical vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{ ContainerImagesWithExploitableVulnerabilities { ...AssetFragment } }
ECR Repositories without scan on push enabled
Connectors
Covered asset types
Expected check: eq []
{
ECRRepositoriesWithoutAutomaticScanning {
...AssetFragment
}
}
Artifact Registry Docker repositories with mutable tags
Connectors
Covered asset types
Expected check: eq []
{ artifactRegistryRepositories(where: { format: { eq: "DOCKER" }, dockerImmutableTags: { eq: false } }) { ...AssetFragment } }
AWS Lambda functions with deprecated runtimes
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
cloudProvider: { eq: "aws" }
runtime_IN: [
"dotnet6"
"dotnetcore3.1"
"dotnetcore2.1"
"dotnetcore2.0"
"dotnetcore1.0"
"go1.x"
"java8"
"nodejs18.x"
"nodejs16.x"
"nodejs14.x"
"nodejs12.x"
"nodejs10.x"
"nodejs8.10"
"nodejs6.10"
"nodejs4.3"
"nodejs4.3-edge"
"python3.9"
"python3.8"
"python3.7"
"python3.6"
"python2.7"
"ruby2.7"
"ruby2.5"
"provided"
]
}
) {
...AssetFragment
}
}
Azure Function Apps with unsupported runtime
Connectors
Covered asset types
Expected check: eq []
{
functionApps(
where: {
configs_SOME: {
isDeprecated: { eq: true }
OR: [
{ NOT: { nodeVersion: { eq: "" } } }
{ NOT: { pythonVersion: { eq: "" } } }
{ NOT: { javaVersion: { eq: "" } } }
{ NOT: { powerShellVersion: { eq: "" } } }
{ NOT: { netFrameworkVersion: { eq: "" } } }
{ NOT: { linuxFxVersion: { eq: "" } } }
]
}
}
) {
...AssetFragment
}
}
Google Cloud Functions using deprecated or decommissioned runtimes
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
cloudProvider: { eq: "gcp" }
runtime_IN: [
"nodejs18"
"nodejs16"
"nodejs14"
"nodejs12"
"nodejs10"
"nodejs8"
"nodejs6"
"python39"
"python38"
"python37"
"go123"
"go122"
"go121"
"go120"
"go119"
"go118"
"go116"
"go113"
"go111"
"java11"
"ruby32"
"ruby30"
"ruby27"
"ruby26"
"php81"
"php74"
"dotnet6"
"dotnet3"
]
}
) {
...AssetFragment
}
}
Azure MySQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlServers
(
where: {
cyscaleEngineIsOutdated: { eq: true }
}
) {
...AssetFragment
}
}
Azure MySQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: { eq: true }
}
) {
...AssetFragment
}
}
Azure PostgreSQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers
(
where: {
cyscaleEngineIsOutdated: { eq: true }
}
) {
...AssetFragment
}
}
Azure PostgreSQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: { eq: true }
}
) {
...AssetFragment
}
}
DBInstances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
dbInstances
(
where: {
cyscaleEngineIsOutdated: { eq: true }
}
) {
...AssetFragment
}
}
Cloud SQL Instances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances
(
where: {
cyscaleEngineIsOutdated: { eq: true }
}
) {
...AssetFragment
}
}
Azure MariaDB servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers
(
where: {
cyscaleEngineIsOutdated: { eq: true }
}
) {
...AssetFragment
}
}
Retrieve AWS VMs without IMDSv2 required
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: { NOT: { metadataOptionHTTPTokens: { eq: "required" } } }
) {...AssetFragment}
}
Retrieve AWS Launch Templates without IMDSv2 required
Connectors
Covered asset types
Expected check: eq []
{
launchTemplateVersions(
where: { NOT: { metadataOptionHTTPTokens: { eq: "required" } } }
) {...AssetFragment}
}
Retrieve SageMaker notebooks without IMDSv2 required
Connectors
Covered asset types
Expected check: eq []
{
sageMakerNoteBooks(
where: {
NOT: { minimumInstanceMetadataServiceVersion: { eq: "2" } }
}
) {...AssetFragment}
}
AWS Multi-region cloud trails with logging enabled
Connectors
Covered asset types
Expected check: eq []
{
AWSLogging1 {...AssetFragment}
}
CloudTrail log file validation is enabled
Connectors
Covered asset types
Expected check: eq []
trails(where:{logFileValidationEnabled: { eq: false }}){...AssetFragment}
CloudTrail trails are integrated with CloudWatch Logs
Connectors
Covered asset types
Expected check: eq []
AWSLogging4{...AssetFragment}
CloudTrail logs are encrypted at rest
Connectors
Covered asset types
Expected check: eq []
trails(where:{kmsKeyID: { eq: "" }}){...AssetFragment}
VPC flow logging is enabled in all VPCs
Connectors
Covered asset types
Expected check: eq []
vpcs(where: {OR: [{hasFlowLog_NONE: {}}, {hasFlowLog_NONE: {flowLogStatus: { eq: "ACTIVE" }}}]}){...AssetFragment}
Object versioning is enabled on log-buckets
Connectors
Covered asset types
Expected check: eq []
GCPLogging3{...AssetFragment}
Log metric filter and alerts exist for Project Ownership assignments/changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging4{...AssetFragment}
Log metric filter and alerts exist for Audit Configuration Changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging5{...AssetFragment}
Key Vaults without Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where: {
OR: [
{ loggingEnabled: { eq: false } }
{
diagnosticSettings_SOME: {
resourceType: { eq: "Microsoft.KeyVault/vaults" }
logs_SOME: {
enabled: { eq: false }
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
) {
...AssetFragment
}
}
Azure SQL Servers without auditing
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(where: { blobAuditingPolicies_NONE: { state: { eq: "Enabled" } } }) {
...AssetFragment
}
}
Azure SQL Servers with audit retention less than 90 days
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
blobAuditingPolicies_NONE: {
state: { eq: "Enabled" }
OR: [{ retentionDays: { eq: 0 } }, { retentionDays_GT: 90 }]
}
}
) {
...AssetFragment
}
}
Azure NSG Flow Logs with retention shorter than 90 days
Connectors
Covered asset types
Expected check: eq []
{
flowLogs(
where: {
targetResourceID_CONTAINS: "networkSecurityGroups"
retentionPolicyDays_LT: 90
}
) {
...AssetFragment
}
}
Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled: { eq: true },mfaActive: { eq: false }}}){...AssetFragment}
Google Cloud IAMUsers Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: { eq: true } } } }) {
...AssetFragment
}
}
Entra Users Without MFA With Access to Azure
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: { eq: false }, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}
Multi-factor authentication is enabled for all RAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired: { eq: false }}}){...AssetFragment}
Entra users without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: { eq: false } }) {
...AssetFragment
}
}
Alibaba & AWS Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: {
cloudProvider_IN: ["alibaba", "aws"],
OR: [
{
iamPolicies_SOME: {
OR: [{
internalName_CONTAINS: "Administrator"
}, {
internalName_CONTAINS: "FullAccess"
}]
}
},
{
hasIAMGroup_SOME: {
iamPolicies_SOME: {
OR: [{
internalName_CONTAINS: "Administrator"
}, {
internalName_CONTAINS: "FullAccess"
}]
}
}
}
],
mfaSerialNumbers: { eq: [] }
}) {
...AssetFragment
}
}
Entra users with privileged Azure assignments
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
mfaActive: { eq: false }
OR: [
{
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: { eq: true } }
]
}
}
{
groups_SOME: {
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: { eq: true } }
]
}
}
}
]
}
) {
...AssetFragment
}
}Okta Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
applications_SOME: {
name: { eq: "Okta Admin Console" }
hasPolicy_SOME: { mfaEnabled: { eq: false } }
}
OR: [
{ roles_INCLUDES: "Super Administrator" }
{ roles_INCLUDES: "API Access Management Administrator" }
{ roles_INCLUDES: "Application Administrator" }
{ roles_INCLUDES: "Group Membership Administrator" }
{ roles_INCLUDES: "Help Desk Administrator" }
{ roles_INCLUDES: "Mobile Administrator" }
{ roles_INCLUDES: "Organizational Administrator" }
{ roles_INCLUDES: "Read-only Administrator" }
{ roles_INCLUDES: "Report Administrator" }
{ roles_INCLUDES: "Group Administrator" }
]
}
) {
...AssetFragment
}
}
Google Workspace Admins without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { isAdmin: { eq: true }, NOT: { isEnrolledIn2Sv: { eq: true } } }) {
...AssetFragment
}
}
Google Cloud Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
hasIAMRole_SOME: {
OR: [
{ name_IN: ["roles/owner", "roles/editor"] }
{ name_CONTAINS: "admin" }
]
}
NOT: { user: { isEnrolledIn2Sv: { eq: true } } }
}
) {
...AssetFragment
}
}
Entra admins without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { cloudProvider: { eq: "entra" }, isAdmin: { eq: true }, mfaActive: { eq: false } }) {
...AssetFragment
}
}
Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AWSIAM4{...AssetFragment}
IAM password policy requires at least one uppercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireUppercaseCharacters: { eq: false }}){...AssetFragment}
IAM password policy requires at least one lowercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireLowercaseCharacters: { eq: false }}){...AssetFragment}
IAM password policy requires at least one symbol
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireSymbols: { eq: false }}){...AssetFragment}
IAM password policy requires at least one number
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireNumbers: { eq: false }}){...AssetFragment}
IAM password policy requires a minimum length of 14 or greater
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{minimumPasswordLength_LT:14}){...AssetFragment}
IAM password policy prevents password reuse (24 times)
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{passwordReusePrevention_LT:24}){...AssetFragment}
IAM password policy expires passwords within 90 days or less
Connectors
Covered asset types
Expected check: eq []
{
iamPasswordPolicies(
where: { OR: [{ maxPasswordAge: { eq: 0 } }, { maxPasswordAge_GT: 90 }] }
) {...AssetFragment}
}
Okta Users with old password
Connectors
Covered asset types
Expected check: eq []
{
OktaUsersWithOldPassword {...AssetFragment}
}
There are no weak password policies
Connectors
Covered asset types
Expected check: eq []
passwordPolicies(where: { OR:[{minLength_LT: 14}, {minLowerCase_LT: 1}, {minUpperCase_LT: 1}, {minNumber_LT: 1}, {minSymbol_LT: 1}, {reuseCount_LT: 1}]}) {...AssetFragment}
Entra Tenants without custom password policies
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { passwordRuleSettings: { enableBannedPasswordCheck: { eq: false } } }
) {
...AssetFragment
}
}
Azure MySQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers (where: {encrypted: { eq: false }}) {...AssetFragment} }
Azure MySQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers (where: {encrypted: { eq: false }}) {...AssetFragment} }
Azure PostgreSQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers (where: {encrypted: { eq: false }}) {...AssetFragment} }
Azure PostgreSQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers (where: {encrypted: { eq: false }}) {...AssetFragment} }
AWS RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: { eq: "aws" } encrypted: { eq: false } }) {...AssetFragment} }
ApsaraDB RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: { eq: "alibaba" }, encrypted: { eq: false } }) {...AssetFragment} }
Google Cloud Cloud SQL with no encryption
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: { encrypted: { eq: false } }) {...AssetFragment} }
Azure MariaDB Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(where: { encrypted: { eq: false } }) {...AssetFragment}
}
'Data encryption' is set to 'On' on a SQL Database
Connectors
Covered asset types
Expected check: eq []
{sqlDatabases(where: {encrypted: { eq: false }}){...AssetFragment}}
Storage for critical data is encrypted with Customer Managed Key
Connectors
Covered asset types
Expected check: eq []
{storageAccounts(where:{NOT: { byokEncrypted: { eq: true } }}){...AssetFragment}}
Azure SQL Servers without TDE protector key encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
OR: [
{ encryptionProtector: null }
{ encryptionProtector: { serverKeyType: { eq: "ServiceManaged" } } }
]
}
) {
...AssetFragment
}
}
Artifact Registry repositories without customer-managed encryption keys
Connectors
Covered asset types
Expected check: eq []
{ artifactRegistryRepositories(where: { NOT: { encryptionKey: { managementType: { eq: "CustomerManaged" } } } }) { ...AssetFragment } }
Get unencrypted SageMaker notebooks
Connectors
Covered asset types
Expected check: eq []
{
sageMakerNoteBooks(
where: {
kmsKey: null
}
) {...AssetFragment}
}
EKS Clusters without secrets encryption
Connectors
Covered asset types
Expected check: eq []
{
eksClusters(where:{
OR:[{encryptionConfig: null}, {encryptionConfig: {providerKeyARN: { eq: "" }}}]
}) {
...AssetFragment
}
}
Encryption Keys haven't been rotated in more than 90 days for AWS
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotationAWS(days: 90) {...AssetFragment}
}
Encryption Keys haven't been rotated in more than 90 days
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotation(days: 90) {...AssetFragment}
}
KMS encryption keys are rotated within a period of 90 days
Connectors
Covered asset types
Expected check: eq []
GCP110IAM10{...AssetFragment}
Publicly Accessible AWS Keys
Connectors
Covered asset types
Expected check: eq []
{
kmsKeys(
where: {
keyPolicy: {
statements_SOME: {
effect: { eq: "Allow" }
conditions: { eq: [] }
principals_INCLUDES: "AWS|*"
}
}
}
) {...AssetFragment}
}
Publicly Accessible Google Cloud Keys
Connectors
Covered asset types
Expected check: eq []
{
kmsKeys(
where: {
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allAuthenticatedUsers" }
{ members_INCLUDES: "allUsers" }
]
}
}
) {...AssetFragment}
}
IAM policies that allow full "*:*" administrative privileges are not attached to IAMRoles
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect: { eq: "Allow" },actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}}
IAM policies that allow full "*:*" administrative privileges are not attached to IAMUsers
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect: { eq: "Allow" },actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}
IAM policies that allow full "*:*" administrative privileges are not attached to IAMGroups
Connectors
Covered asset types
Expected check: eq []
iamGroups(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect: { eq: "Allow" },actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}
IAM Users receive permissions only through Groups
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { cloudProvider: { eq: "aws" }, iamPolicies_SOME: {} }) {...AssetFragment}
Managed IAM Policies are used instead of Inline Policies
Connectors
Covered asset types
Expected check: eq []
{AWSIAM8{...AssetFragment}}
Basic/primitive roles are not used
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
hasIAMRole_SOME: {
name_IN: ["roles/viewer", "roles/editor", "roles/owner"]
}
}
) {
...AssetFragment
}
}
Kubernetes RoleBindings that use cluster-admin role
Connectors
Covered asset types
Expected check: eq []
{
clusterRoles(where: {internalName: { eq: "cluster-admin" }}) {
roleBindings(where: {subjects_SOME: {NOT: { name: { eq: "" } }}}) {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings that use cluster-admin role
Connectors
Covered asset types
Expected check: eq []
{
clusterRoles(where: {internalName: { eq: "cluster-admin" }}) {
clusterRoleBindings(where: {subjects_SOME: {NOT: { name: { eq: "system:masters" } }}}) {
...AssetFragment
}
}
}
Kubernetes RoleBindings to Roles that have access to secrets
Connectors
Covered asset types
Expected check: eq []
{
roles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{bindings_SOME: {NOT: { idFromProvider: { eq: "" } }}}
]
}
) {
bindings {
...AssetFragment
}
}
}
Kubernetes RoleBindings to ClusterRoles that have access to secrets
Connectors
Covered asset types
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{roleBindings_SOME: {NOT: { idFromProvider: { eq: "" } }}}
]
}
) {
roleBindings {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings to ClusterRoles that have access to secrets
Connectors
Covered asset types
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{clusterRoleBindings_SOME: {NOT: { idFromProvider: { eq: "" } }}}
]
}
) {
clusterRoleBindings {
...AssetFragment
}
}
}
Azure key vaults not using RBAC
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(where: { enableRbacAuthorization: { eq: false } }) {
...AssetFragment
}
}
Entra Tenants with too many global administrators
Connectors
Covered asset types
Expected check: eq []
{
EntraMultipleGlobalAdministrators {
...AssetFragment
}
}
Azure Custom Subscription Administrator Roles
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
iamRoles(
where: {
type: { eq: "CustomRole" }
permissions_INCLUDES: "*"
assignableScopes_INCLUDES: $subscriptionResourceId
}
) {
...AssetFragment
}
}
Publicly Accessible AWS Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: { eq: "aws" }
publicAccessBlocked: { eq: false }
OR: [
{
hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: { eq: "http://acs.amazonaws.com/groups/global/AllUsers" } }
{
granteeURI: { eq: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" }
}
]
permission_IN: ["READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"]
}
}
{
bucketPolicy: {
statements_SOME: {
effect: { eq: "Allow" }
OR: [
{ actions_INCLUDES: "s3:GetObject" }
{ actions_INCLUDES: "s3:ListObjects" }
{ actions_INCLUDES: "s3:ListObjectsV2" }
{ actions_INCLUDES: "s3:PutObject" }
{ actions_INCLUDES: "s3:PutObjectAcl" }
{ actions_INCLUDES: "s3:CreateMultipartUpload" }
{ actions_INCLUDES: "s3:UploadPart" }
{ actions_INCLUDES: "s3:DeleteObject" }
{ actions_INCLUDES: "s3:DeleteObjects" }
{ actions_INCLUDES: "s3:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "AWS|*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Readable Azure Blob Containers
Connectors
Covered asset types
Expected check: eq []
{
blobContainers(
where: {
cloudProvider: { eq: "azure" }
publicAccessBlocked: { eq: false }
publicAccess_IN: ["Blob", "Container"]
}
) {...AssetFragment}
}
Publicly Accessible Google Cloud Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: { eq: "gcp" }
publicAccessBlocked: { eq: false }
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allUsers" }
{ members_INCLUDES: "allAuthenticatedUsers" }
]
role: {
OR: [
{ permissions_INCLUDES: "storage.objects.get" }
{ permissions_INCLUDES: "storage.objects.list" }
{ permissions_INCLUDES: "storage.objects.create" }
{ permissions_INCLUDES: "storage.objects.delete" }
{ permissions_INCLUDES: "storage.objects.update" }
{ permissions_INCLUDES: "storage.objects.*" }
{ permissions_INCLUDES: "storage.objects.setIamPolicy" }
{
permissions_INCLUDES: "storage.multipartUploads.create"
}
{ permissions_INCLUDES: "storage.multipartUploads.*" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Alibaba Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: { eq: "alibaba" }
publicAccessBlocked: { eq: false }
OR: [
{ acl_IN: ["public-read", "public-read-write"] }
{
bucketPolicy: {
statements_SOME: {
effect: { eq: "Allow" }
OR: [
{ actions_INCLUDES: "oss:GetObject" }
{ actions_INCLUDES: "oss:PutObject" }
{ actions_INCLUDES: "oss:PutObjectAcl" }
{ actions_INCLUDES: "oss:ListObjects" }
{ actions_INCLUDES: "oss:GetObjectVersion" }
{ actions_INCLUDES: "oss:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Accessible VMs for AWS/Alibaba
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
NOT: { publicIpAddress: { eq: null } }
securityGroups_SOME: {
rules_SOME: {
direction: { eq: "Inbound" }
action: { eq: "Allow" }
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}
Publicly Accessible VMs for Azure
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: {
NOT: { publicIp: null }
securityGroups_SOME: {
rules_SOME: {
direction: { eq: "Inbound" }
action: { eq: "Allow" }
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: { eq: [] } }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
}
) {
...AssetFragment
}
}
Publicly Accessible VMs for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
firewalls_SOME: {
rules_SOME: {
direction: { eq: "Inbound" }
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}
Publicly Accessible Google Cloud Cloud SQL Instances
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
ipAddresses_SOME: { type: { eq: "PRIMARY" } }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: { eq: "0.0.0.0/0" } }
}
}
) {
...AssetFragment
}
}
Publicly Accessible Azure MySQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{
mySqlServers(
where: {
publicAccessBlocked: { eq: false }
firewallRules_SOME: {
startIPAddress: { eq: "0.0.0.0" }
endIPAddress: { eq: "255.255.255.255" }
}
}
) {...AssetFragment}
}
Publicly Accessible Azure MySQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers(
where: {
publicAccessBlocked: { eq: false }
firewallRules_SOME: {
startIPAddress: { eq: "0.0.0.0" }
endIPAddress: { eq: "255.255.255.255" }
}
}
) {...AssetFragment}
}
Publicly Accessible Azure PostgreSQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
publicAccessBlocked: { eq: false }
firewallRules_SOME: {
startIPAddress: { eq: "0.0.0.0" }
endIPAddress: { eq: "255.255.255.255" }
}
}
) {...AssetFragment}
}
Publicly Accessible Azure PostgreSQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers(
where: {
publicAccessBlocked: { eq: false }
firewallRules_SOME: {
startIPAddress: { eq: "0.0.0.0" }
endIPAddress: { eq: "255.255.255.255" }
}
}
) {...AssetFragment}
}
Publicly Accessible Alibaba ApsaraDB Instances
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
publicAccessBlocked: { eq: false }
whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } }
}
) {...AssetFragment}
}
Publicly Accessible Azure SQL Databases
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
sqlServer: {
firewallRules_SOME: {
startIpAddress: { eq: "0.0.0.0" }
endIpAddress: { eq: "255.255.255.255" }
}
}
}
) {...AssetFragment}
}
Publicly Accessible RDS Clusters
Connectors
Covered asset types
Expected check: eq []
{
dbClusters(
where: {
dbInstances_SOME: {
publicAccessBlocked: { eq: false }
securityGroups_SOME: {
rules_SOME: {
direction: { eq: "Inbound" }
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
}
) {...AssetFragment}
}
Publicly Accessible Azure MariaDB Servers
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(
where: {
publicAccessBlocked: { eq: false }
firewallRules_SOME: {
startIPAddress: { eq: "0.0.0.0" }
endIPAddress: { eq: "255.255.255.255" }
}
}
) {...AssetFragment}
}
Publicly Accessible AWS RDS Instance
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
publicAccessBlocked: { eq: false }
dbCluster: null
securityGroups_SOME: {
rules_SOME: {
direction: { eq: "Inbound" }
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
) {...AssetFragment}
}
Publicly Readable AWS Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: { eq: "aws" }
publicAccessBlocked: { eq: false }
OR: [
{
hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: { eq: "http://acs.amazonaws.com/groups/global/AllUsers" } }
{ granteeURI: { eq: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" } }
]
permission_IN: ["READ", "FULL_CONTROL"]
}
}
{
bucketPolicy: {
statements_SOME: {
effect: { eq: "Allow" }
OR: [
{ actions_INCLUDES: "s3:GetObject" }
{ actions_INCLUDES: "s3:ListObjects" }
{ actions_INCLUDES: "s3:ListObjectsV2" }
{ actions_INCLUDES: "s3:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "AWS|*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Readable Alibaba Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: { eq: "alibaba" }
publicAccessBlocked: { eq: false }
OR: [
{ acl_IN: ["public-read"] }
{
bucketPolicy: {
statements_SOME: {
effect: { eq: "Allow" }
OR: [
{ actions_INCLUDES: "oss:GetObject" }
{ actions_INCLUDES: "oss:ListObjects" }
{ actions_INCLUDES: "oss:GetObjectVersion" }
{ actions_INCLUDES: "oss:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Readable Google Cloud Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: { eq: "gcp" }
publicAccessBlocked: { eq: false }
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allUsers" }
{ members_INCLUDES: "allAuthenticatedUsers" }
]
role: {
OR: [
{ permissions_INCLUDES: "storage.objects.get" }
{ permissions_INCLUDES: "storage.objects.list" }
{ permissions_INCLUDES: "storage.objects.*" }
]
}
}
}
) {...AssetFragment}
}
Publicly Writable AWS Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: { eq: "aws" }
publicAccessBlocked: { eq: false }
OR: [
{
hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: { eq: "http://acs.amazonaws.com/groups/global/AllUsers" } }
{ granteeURI: { eq: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" } }
]
permission_IN: ["WRITE", "WRITE_ACP", "FULL_CONTROL"]
}
}
{
bucketPolicy: {
AND: [
{
statements_SOME: {
effect: { eq: "Allow" }
OR: [
{ actions_INCLUDES: "s3:PutObject" }
{ actions_INCLUDES: "s3:PutObjectAcl" }
{ actions_INCLUDES: "s3:CreateMultipartUpload" }
{ actions_INCLUDES: "s3:UploadPart" }
{ actions_INCLUDES: "s3:DeleteObject" }
{ actions_INCLUDES: "s3:DeleteObjects" }
{ actions_INCLUDES: "s3:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "AWS|*"
}
}
]
}
}
]
}
) {...AssetFragment}
}
Publicly Writable Google Cloud Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: { eq: "gcp" }
publicAccessBlocked: { eq: false }
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allUsers" }
{ members_INCLUDES: "allAuthenticatedUsers" }
]
role: {
OR: [
{ permissions_INCLUDES: "storage.objects.create" }
{ permissions_INCLUDES: "storage.objects.delete" }
{ permissions_INCLUDES: "storage.objects.update" }
{ permissions_INCLUDES: "storage.objects.setIamPolicy" }
{ permissions_INCLUDES: "storage.multipartUploads.create" }
{ permissions_INCLUDES: "storage.objects.*" }
{ permissions_INCLUDES: "storage.multipartUploads.*" }
]
}
}
}
) {...AssetFragment}
}
Publicly Writable Alibaba Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: { eq: "alibaba" }
publicAccessBlocked: { eq: false }
OR: [
{ acl_IN: ["public-read-write"] }
{
bucketPolicy: {
statements_SOME: {
effect: { eq: "Allow" }
OR: [
{ actions_INCLUDES: "oss:PutObject" }
{ actions_INCLUDES: "oss:PutObjectAcl" }
{ actions_INCLUDES: "oss:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "*"
}
}
}
]
}
) {...AssetFragment}
}
Entra Conditional Access Policies - Admin MFA
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
cloudProvider: { eq: "entra" }
conditionalAccessPolicies_NONE: {
conditions: {
NOT: {
excludeUsers: { eq: [] }
OR: [
{ includeUsers: { eq: [] } }
{ includeGroups: { eq: [] } }
{ includeRoles: { eq: [] } }
]
}
includeApplications_INCLUDES: "All"
clientAppTypes_INCLUDES: "all"
}
grantControls: { builtInControls_INCLUDES: "mfa" }
}
}
) {
...AssetFragment
}
}
Entra Conditional Access Policies - MFA For All Users
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
conditionalAccessPolicies_NONE: {
conditions: {
includeUsers_INCLUDES: "All"
NOT: { excludeUsers: { eq: [] } }
includeApplications_INCLUDES: "All"
clientAppTypes_INCLUDES: "all"
}
grantControls: { builtInControls_INCLUDES: "mfa" }
}
}
) {
...AssetFragment
}
}
Entra Conditional Access - MFA for Microsoft Admin Portals
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
conditionalAccessPolicies_NONE: {
conditions: {
includeUsers_INCLUDES: "All"
NOT: {
OR: [
{ excludeUsers: { eq: [] } }
{ excludeGroups: { eq: [] } }
{ excludeRoles: { eq: [] } }
]
}
includeApplications_INCLUDES: "MicrosoftAdminPortals"
clientAppTypes_INCLUDES: "all"
}
grantControls: { builtInControls_INCLUDES: "mfa" }
}
}
) {
...AssetFragment
}
}
Entra Conditional Access - MFA for Windows Azure Service Management API
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
conditionalAccessPolicies_NONE: {
conditions: {
includeUsers_INCLUDES: "All"
NOT: {
OR: [
{ excludeUsers: { eq: [] } }
{ excludeGroups: { eq: [] } }
{ excludeRoles: { eq: [] } }
]
}
includeApplications_INCLUDES: "797f4846-ba00-4fd7-ba43-dac1f8f63013"
clientAppTypes_INCLUDES: "all"
}
grantControls: { builtInControls_INCLUDES: "mfa" }
}
}
) {
...AssetFragment
}
}
Entra Conditional Access - MFA for Risky Sign-Ins
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
conditionalAccessPolicies_NONE: {
conditions: {
includeUsers_INCLUDES: "All"
NOT: { excludeUsers: { eq: [] } }
includeApplications_INCLUDES: "All"
clientAppTypes_INCLUDES: "all"
signInRiskLevels_INCLUDES: "high"
}
grantControls: { builtInControls_INCLUDES: "mfa" }
sessionControls: {
signInFrequencyIsEnabled: { eq: true }
signInFrequencyInterval: { eq: "everytime" }
}
}
}
) {
...AssetFragment
}
}
Azure app services allowing old TLS
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { NOT: { minTlsVersion_IN: ["1.2", "1.3"] } } }) {
...AssetFragment
}
}
Azure Function Apps allowing old TLS
Connectors
Covered asset types
Expected check: eq []
{
functionApps(
where: { configs_SOME: { NOT: { minTlsVersion_IN: ["1.2", "1.3"] } } }
) {
...AssetFragment
}
}
Azure Storage Accounts Without Minimum TLS 1.2
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { minimumTlsVersion_IN: ["TLS1_0", "TLS1_1"] }) {
...AssetFragment
}
}
No HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: {OR: [
{httpsProxies_SOME: {OR: [
{sslPolicy: { eq: "" }},
{hasSSLPolicy: {OR: [
{profile: { eq: "COMPATIBLE" }},
{AND: [{profile: { eq: "MODERN" }}, {NOT: {minTlsVersion: { eq: "TLS_1_2" }}}]},
{AND: [
{profile: { eq: "CUSTOM" }},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA384"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
{sslProxies_SOME: {OR: [
{sslPolicy: { eq: "" }},
{hasSSLPolicy: {OR: [
{profile: { eq: "COMPATIBLE" }},
{AND: [{profile: { eq: "MODERN" }}, {NOT: {minTlsVersion: { eq: "TLS_1_2" }}}]},
{AND: [
{profile: { eq: "CUSTOM" }},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA384"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
]}){
...AssetFragment
}
}
Cloud SQL database instances require all incoming connections to use SSL
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsIPConfigurationRequireSsl: { eq: false }}){...AssetFragment}
Publicly Accessible Alibaba ApsaraDB Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
AND: [
{ publicAccessBlocked: { eq: false } }
{ whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } }
{
OR: [
{ tlsStatus: { eq: "disabled" } }
{ tlsMinimumVersion_LT: 1.2 }
]
}
]
}
) {...AssetFragment}
}
Publicly Accessible RDS with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
AND: [
{ publicAccessBlocked: { eq: false } }
{ securityGroups_SOME: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } }
{
OR: [
{ tlsStatus: { eq: "" } }
{ tlsStatus: { eq: "disabled" } }
{ tlsMinimumVersion_LT: 1.2 }
]
}
]
}
) {...AssetFragment}
}
Publicly Accessible Google Cloud Cloud SQL Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
AND: [
{ publicAccessBlocked: { eq: false } }
{
ipAddresses_SOME: { type: { eq: "PRIMARY" } }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: { eq: "0.0.0.0/0" } }
}
}
{
OR: [
{ tlsStatus: { eq: "" } }
{ tlsStatus: { eq: "disabled" } }
{ tlsMinimumVersion_LT: 1.2 }
]
}
]
}
) {
...AssetFragment
}
}
Publicly Accessible Azure MySQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
mySqlServers(
where: {
AND: [
{ publicAccessBlocked: { eq: false } }
{
firewallRules_SOME: {
startIPAddress: { eq: "0.0.0.0" }
endIPAddress: { eq: "255.255.255.255" }
}
}
{ OR: [{ tlsStatus: { eq: "disabled" } }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}
Publicly Accessible Azure MySQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers(
where: {
AND: [
{ publicAccessBlocked: { eq: false } }
{
firewallRules_SOME: {
startIPAddress: { eq: "0.0.0.0" }
endIPAddress: { eq: "255.255.255.255" }
}
}
{ OR: [{ tlsStatus: { eq: "disabled" } }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}
Publicly Accessible Azure PostgreSQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
AND: [
{ publicAccessBlocked: { eq: false } }
{
firewallRules_SOME: {
startIPAddress: { eq: "0.0.0.0" }
endIPAddress: { eq: "255.255.255.255" }
}
}
{ OR: [{ tlsStatus: { eq: "disabled" } }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}
Publicly Accessible Azure PostgreSQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers(
where: {
AND: [
{ publicAccessBlocked: { eq: false } }
{
firewallRules_SOME: {
startIPAddress: { eq: "0.0.0.0" }
endIPAddress: { eq: "255.255.255.255" }
}
}
{ OR: [{ tlsStatus: { eq: "disabled" } }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}
Publicly Accessible Azure MariaDB Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers (
where: {
AND: [
{ publicAccessBlocked: { eq: false } }
{
firewallRules_SOME: {
startIPAddress: { eq: "0.0.0.0" }
endIPAddress: { eq: "255.255.255.255" }
}
}
{ OR: [{ tlsStatus: { eq: "disabled" } }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}
Publicly Accessible Azure SQL Databases with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
AND: [
{ publicAccessBlocked: { eq: false } }
{
sqlServer: {
firewallRules_SOME: {
startIpAddress: { eq: "0.0.0.0" }
endIpAddress: { eq: "255.255.255.255" }
}
}
}
{ OR: [{ tlsStatus: { eq: "disabled" } }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}
Weak TLS Protocols are not used for ELB
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: {
scheme: { eq: "internet-facing" }
listensOnHTTPListener_SOME: {
sslPolicy_IN: [
"ELBSecurityPolicy-2016-08",
"ELBSecurityPolicy-TLS-1-0-2015-04",
"ELBSecurityPolicy-TLS-1-1-2017-01",
"ELBSecurityPolicy-TLS13-1-0-2021-06",
"ELBSecurityPolicy-TLS13-1-1-2021-06",
"ELBSecurityPolicy-FS-1-1-2019-08",
"ELBSecurityPolicy-FS-2018-06",
"ELBSecurityPolicy-2015-05",
"ELBSecurityPolicy-2015-03",
"ELBSecurityPolicy-2015-02"
]
}
}
) {...AssetFragment}
}
Ingresses without TLS config
Connectors
Covered asset types
Expected check: eq []
{
EKSIngressesWithoutTLSConfig {
...AssetFragment
}
}
Azure connectors without security contact additional email addresses
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { email: null } }
{ securityContacts_SOME: { email: { eq: "" } } }
]
}
) {
...AssetFragment
}
}
Alibaba Cloud
AWS
Google Cloud
Google Workspace
Kubernetes
Microsoft Azure
Okta