Alibaba Cloud
AWS
Google Cloud
Microsoft Azure
Microsoft Entra ID
OktaOverview
Statement
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. It was launched on September 7, 2006, to manage PCI security standards and improve account security throughout the transaction process.
The PCI Standards Council (SSC) is responsible for the development of the standards for PCI compliance. It is an independent body created by Visa, MasterCard, American Express, Discover, and JCB.
Scope
Infrastructure, software, people, procedures, and data.
Requirements and Security Assessment Procedures
Procedures and mapped controls
1. Install and maintain a firewall configuration to protect cardholder data
Firewalls are devices that control computer traffic allowed between an entity's networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity's internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity's trusted network.
A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources.
Mapped controls
Ensure management ports are restricted from the internet
Ensure VPC flow logging is enabled in all VPCs
Ensure the default security group of every VPC restricts all traffic
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Ensure Network policy is enabled on Kubernetes Engine Clusters
Ensure Kubernetes Cluster is created with Alias IP ranges enabled
Ensure 'Auditing' is set to 'On' for SQL Servers
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure Network Watchers are 'Enabled' for in-use Azure regions
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information. Ensuring compliance in this area includes keeping a list of all devices and software which require a password (or other security to access).
Mapped controls
Ensure the default security group of every VPC restricts all traffic
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure Kubernetes Clusters are configured with Labels
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
Ensure default Service account is not used for Project access in Kubernetes Clusters
Ensure instances are not configured to use the default service account
3. Protect stored cardholder data
Arguably, this is the most important requirement of the PCI standard. Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Regular maintenance and scanning of primary account numbers (PAN) are needed to ensure no unencrypted data exists.
More information can be found in the Data Management and Data Protection policies.
Mapped controls
Ensure rotation for customer-created symmetric CMKs is enabled
Ensure all S3 buckets employ encryption-at-rest
Ensure EBS encryption by default is enabled
Ensure "Block Project-wide SSH keys" is enabled for VM instances
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Ensure 'Data encryption' is set to 'On' on SQL Databases
Ensure logging for Azure Key Vault is 'Enabled'
Ensure Key Vaults are Recoverable
4. Encrypt transmission of cardholder data across open, public networks
Sensitive information must be encrypted during transmission over networks (in transit) that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
Mapped controls
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
Ensure S3 Bucket Policy is set to deny HTTP requests
Ensure oslogin is enabled for a Project
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure 'Secure transfer required' is set to 'Enabled'
Ensure App Engine Applications Enforce HTTPS Connections
5. Protect all systems against malware and regularly update anti-virus software or programs
Malicious software commonly referred to as "malware"—including viruses, worms, and Trojans—enters the network during many business-approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.
6. Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by the vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software. Refer to the SDLC Policy for more info.
Organizations must limit the potential for exploits by deploying critical patches on time. Patch all systems in the card data environment, including:
- Cloud accounts
- Operating systems
- Firewalls, Routers, Switches
- Application software
- Databases
- POS/POI terminals
7. Restrict access to cardholder data by business need to know
To ensure Protected (critical) data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on the need to know and according to job responsibilities. The roles that do need sensitive data should be well-documented and regularly updated - as required by PCI DSS.
"Need to know" - access rights are granted to only the least amount of data and privileges needed to perform a job.
Mapped controls
Ensure IAM Users receive permissions only through Groups
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure that IAM Access analyzer is enabled for all regions
Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure application assignments are configured through groups
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
8. Identify and authenticate access to system components
Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.
The effectiveness of a password is largely determined by the design and implementation of the authentication system—particularly, how frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage.
Mapped controls
Eliminate use of the "root" user for administrative and daily tasks
Users Should Have Multi-Factor Authentication (MFA/2SV)
Ensure credentials unused for 45 days or greater are disabled
Ensure access keys are rotated every 90 days or less
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM password policy expires passwords within 90 days or less
Ensure no "root" user account access key exists
Ensure MFA is enabled for the "root" account
Ensure hardware MFA is enabled for the "root" account (Hardware MFA)
Maintain current contact details
Ensure security contact information is registered
Ensure security questions are registered in the AWS account
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure there is only one active access key available for any single IAM user
Ensure IAM Users receive permissions only through Groups
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure IAM instance roles are used for AWS resource access from instances
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure that IAM Access analyzer is enabled for all regions
Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for usage of "root" account
Ensure Kubernetes Cluster is created with Client Certificate enabled
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure API keys are not created for a project
Ensure API Keys are restricted to use by only specified hosts and apps
Ensure API Keys are restricted to use only APIs that application needs access to
Ensure API Keys Are Rotated Every 90 Days
Ensure Microsoft Entra authentication is Configured for SQL Servers
Ensure Key Vaults are Recoverable
Ensure the Expiration Date is set for Key Vault Secrets
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
9. Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For Requirement 9, "onsite personnel" refers to full-time and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity's premises. A "visitor" refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. "Media" refers to all paper and electronic media containing cardholder data.
10. Track and monitor all access to network resources and cardholder data
All activity dealing with cardholder data and primary account numbers (PAN) require a log entry. Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
For more info, please refer to the Systems Audit Policy.
Mapped controls
Ensure no "root" user account access key exists
Ensure MFA is enabled for the "root" account
Ensure CloudTrail is enabled in all regions
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure AWS Config is enabled in all regions
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure VPC flow logging is enabled in all VPCs
Ensure a log metric filter and alarm exist for unauthorized API calls
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for usage of "root" account
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for VPC changes
Ensure that Object-level logging for write events is enabled for S3 bucket
Ensure that Object-level logging for read events is enabled for S3 bucket
Ensure a log metric filter and alarm exist for AWS Organizations changes
Ensure that logging is enabled for Cloud Storage buckets
Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock
Ensure 'Auditing' is set to 'On' for SQL Servers
Ensure 'Auditing' Retention is greater than 90 days for SQL Servers
Ensure Network Watchers are 'Enabled' for in-use Azure regions
Ensure Cloud DNS Logging Is Enabled for All VPC Networks
Ensure Logging is enabled for HTTP(S) Load Balancers
11. Regularly test security systems and processes
Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
Following periodic activities are required:
- Wireless analyzer scan to detect and identify all authorized and unauthorized wireless access points quarterly;
- All external IPs and domains exposed in the CDE are required to be scanned by a PCI Approved Scanning Vendor (ASV) at least quarterly;
- Internal vulnerability scan must be conducted at least quarterly;
- All external IPs and domains must go through exhaustive Application penetration test and Network penetration test at least yearly or after any significant change.
12. Maintain a policy that addresses information security for all personnel
A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For Requirement 12, "personnel" refers to full-time and part-time employees, temporary employees, contractors, and consultants who are "resident" on the entity's site or otherwise have access to the cardholder data environment.
This requirement also requires you to perform:
- An annual, formal risk assessment that identifies critical assets, threats, and vulnerabilities;
- User awareness training;
- Employee background checks;
- Incident management.
your organization uses an asset inventory solution to track equipment, software, and employees that have access to your organization cloud environment and other resources.
Mapped controls
Ensure no "root" user account access key exists
Ensure AWS Config is enabled in all regions
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure 'Additional email addresses' is configured with a security contact email
Ensure that 'Notify about alerts with the following severity' is set to 'High'
Query logic
These are the stored checks tied to this framework.
Security Groups with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}Firewalls with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
VPC flow logging is enabled in all VPCs
Connectors
Covered asset types
Expected check: eq []
vpcs(where: {OR: [{hasFlowLog: null}, {hasFlowLog_NONE: {flowLogStatus: "ACTIVE"}}]}){...AssetFragment}The default security group of every VPC restricts all traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(where: { groupName: "default", NOT: { rules_SOME: null } }) {
...AssetFragment
}
}No Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Connectors
Covered asset types
Expected check: eq []
networkAcls(where:{rules_SOME:{AND:[{direction:"Inbound"},{action:"Allow"},{OR:[{sources_INCLUDES:"cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]},{OR:[{destFromPort_LTE: 22, destToPort_GTE: 22}, {destFromPort_LTE: 3389, destToPort_GTE: 3389}]}]}}){...AssetFragment}'Enable connecting to serial ports' is not enabled for VM Instance
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"serial-port-enable",value:"true"}}){...AssetFragment}Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
networkSettings_SOME: {
authorizedNetworks_SOME: {
OR: [{ cidrValue: "0.0.0.0/0" }, { cidrValue: "::/0" }]
}
}
}
) {
...AssetFragment
}
}Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{masterAuthorizedNetworksConfigEnabled_NOT:true}){...AssetFragment}Network policy is enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{networkPolicyEnabled:false}){...AssetFragment}Kubernetes Cluster is created with Alias IP ranges enabled
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{ipAllocationPolicy_SOME:{useIPAliases:false}}){...AssetFragment}Azure SQL Servers without auditing
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(where: { blobAuditingPolicies_NONE: { state: "Enabled" } }) {
...AssetFragment
}
}No Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Connectors
Covered asset types
Expected check: eq []
{sqlServers(where:{firewallRules_SOME:{startIpAddress_CONTAINS:"0.0.0.0"}}){...AssetFragment}}Azure Connectors without network watchers in all used regions
Connectors
Covered asset types
Expected check: eq []
{
AzureRegionsWithoutNetworkWatcher {
...AssetFragment
}
}Do not setup access keys during initial user setup for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{OR:[{accessKey1Active:true,accessKey1LastUsedDate:null}{accessKey2Active:true,accessKey2LastUsedDate: null }]}}){...AssetFragment}Instances are not configured to use the default service account with full access to all Cloud APIs
Connectors
Covered asset types
Expected check: eq []
GCPVM1{...AssetFragment}Cloud SQL database instances require all incoming connections to use SSL
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsIPConfigurationRequireSsl:false}){...AssetFragment}Kubernetes Clusters are configured with Labels
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{tags:null}){...AssetFragment}Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
Connectors
Covered asset types
Expected check: eq []
{gkeClusters(where: {nodePools_SOME: {nodeConfig_NOT: { imageType_MATCHES: "(?i).*cos.*" }}}) {...AssetFragment}}Default Service account is not used for Project access in Kubernetes Clusters
Connectors
Covered asset types
Expected check: eq []
{gkeClusters(where:{nodePools_SOME:{nodeConfig:{serviceAccount:"default"}}}){...AssetFragment}}Instances are not configured to use the default service account
Connectors
Covered asset types
Expected check: eq []
vms(where: {serviceAccountEmail_CONTAINS: "[email protected]"}) {...AssetFragment}Rotation for customer created CMKs is enabled
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{automaticRotationEnabled:false, managementType:"CustomerManaged"}){...AssetFragment}All S3 buckets employ encryption-at-rest
Connectors
Covered asset types
Expected check: eq []
buckets(where: { encrypted: false}) {...AssetFragment}EBS encryption by default is enabled
Connectors
Covered asset types
Expected check: eq []
{ebsSettings(where: { encryptedByDefault: false }) {...AssetFragment}}"Block Project-wide SSH keys" is enabled for VM instances
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"block-project-ssh-keys" value:"false"}}){...AssetFragment}VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Connectors
Covered asset types
Expected check: eq []
disks(where:{encryptedWithCustomerSuppliedKey: false }){...AssetFragment}'Data encryption' is set to 'On' on a SQL Database
Connectors
Covered asset types
Expected check: eq []
{sqlDatabases(where: {encrypted: false}){...AssetFragment}}Key Vaults without Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where: {
OR: [
{ loggingEnabled: false }
{
diagnosticSettings_SOME: {
resourceType: "Microsoft.KeyVault/vaults"
logs_SOME: {
enabled: false
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
) {
...AssetFragment
}
}The key vault is recoverable
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where:
{
OR: [
{enableSoftDelete_NOT: true }
{enablePurgeProtection_NOT: true }
] }
) {...AssetFragment}
}All the expired SSL/TLS certificates stored in AWS IAM are removed
Connectors
Covered asset types
Expected check: eq []
AWS130IAM19 {...AssetFragment}S3 Bucket Policy is set to deny HTTP requests
Connectors
Covered asset types
Expected check: eq []
buckets(where: {OR: [{policyDocument_MATCHES: "^((?!(?i)\"effect\":\"deny\").)*$"},{policyDocument_MATCHES: "^((?!(?i)\"Bool|aws:SecureTransport|false\").)*$"}]}) {...AssetFragment}Oslogin is enabled for a Project
Connectors
Covered asset types
Expected check: eq []
projects(where:{hasCommonInstanceMetadataItem_SOME:{key:"os-login",value:"false"}}){...AssetFragment}Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{legacyAbacEnabled_NOT:false}){...AssetFragment}No HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: {OR: [
{httpsProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
{sslProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
]}){
...AssetFragment
}
}
Azure storage accounts not enforcing HTTPS
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { supportsHttpsTrafficOnly: true } }) {
...AssetFragment
}
}App Engine Allowing Plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
appEngineServices(
where: {
serviceVersions_NONE: {
urlHandlers_SOME: {
urlRegex_IN: ["/.*", ".*"]
securityLevel_IN: ["SECURE_ALWAYS"]
}
}
}
) {
...AssetFragment
}
}Kubernetes web UI / Dashboard is disabled
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{kubernetesDashboardDisabled:false}){...AssetFragment}IAM Users receive permissions only through Groups
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {...AssetFragment}S3 Buckets are configured with 'Block public access (bucket settings)'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { publicAccessBlocked: false }) {...AssetFragment}IAM Access analyzer is enabled for all regions
Connectors
Covered asset types
Expected check: eq []
AWS140IAM20{...AssetFragment}IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Connectors
Covered asset types
Expected check: eq []
GCP110IAM6{...AssetFragment}Application assignments are configured through groups
Connectors
Covered asset types
Expected check: eq []
users(where: { applicationsConnection_SOME: {edge: {scope_NOT: "GROUP"}}}) {...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMRoles
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}}IAM policies that allow full "*:*" administrative privileges are not attached to IAMUsers
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMGroups
Connectors
Covered asset types
Expected check: eq []
iamGroups(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}Eliminate use of the "root" user for administrative and daily tasks
Connectors
Covered asset types
Expected check: eq []
AWSIAM1 {...AssetFragment}Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}Google Cloud IAMUsers Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
...AssetFragment
}
}Entra Users Without MFA With Access to Azure
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}Multi-factor authentication is enabled for all RAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}Entra users without mfa
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false }) {
...AssetFragment
}
}Credentials unused for 45 days or greater are disabled
Connectors
Covered asset types
Expected check: eq []
AWSIAM3(days: 45){...AssetFragment}Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AWSIAM4{...AssetFragment}IAM password policy requires at least one uppercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireUppercaseCharacters:false}){...AssetFragment}IAM password policy requires at least one lowercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireLowercaseCharacters:false}){...AssetFragment}IAM password policy requires at least one symbol
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireSymbols:false}){...AssetFragment}IAM password policy requires at least one number
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireNumbers:false}){...AssetFragment}IAM password policy requires a minimum length of 14 or greater
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{minimumPasswordLength_LT:14}){...AssetFragment}IAM password policy expires passwords within 90 days or less
Connectors
Covered asset types
Expected check: eq []
{ iamPasswordPolicies( where: { OR: [{ maxPasswordAge: 0 }, { maxPasswordAge_GT: 90 }] } ) {...AssetFragment} } AWS Root users with access key
Connectors
Covered asset types
Expected check: eq []
{
rootUsers(
where: {
hasIAMUserCredentials: {
OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
}
}
) {
connector {...AssetFragment}
}
}
MFA is enabled for the "root" account
Connectors
Covered asset types
Expected check: eq []
AWSIAM13{...AssetFragment}Hardware MFA is enabled for the "root" account (Hardware MFA)
Connectors
Covered asset types
Expected check: eq []
AWSIAM14{...AssetFragment}There is only one active access key available for any single IAM user
Connectors
Covered asset types
Expected check: eq []
AWS130IAM13 {...AssetFragment}A log metric filter and alarm exist for Management Console sign-in without MFA
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.additionalEventData\\.MFAUsed\\s*!=\\s*[\"]?Yes[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for usage of "root" account
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\$\\.userIdentity\\.type\\s*=\\s*[\"]?Root[\"]?\\s*\\&\\&\\s*\\s*\\$\\.userIdentity\\.invokedBy\\s*NOT\\s*EXISTS\\s*\\&\\&\\s*\\$\\.eventType\\s*!=\\s*[\"]?AwsServiceEvent\\s*[\"]?\\s*.*"){...AssetFragment}Kubernetes Cluster is created with Client Certificate enabled
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{masterAuthClientKey:""}){...AssetFragment}Separation of duties is enforced while assigning service account related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountAdmin"
}
}
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountUser"
}
}
]
}
) {
...AssetFragment
}
}Cloud KMS cryptokeys are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{OR:[{policyDocument_CONTAINS:"allUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}BigQuery datasets are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}KMS encryption keys are rotated within a period of 90 days
Connectors
Covered asset types
Expected check: eq []
GCP110IAM10{...AssetFragment}GCP API Keys are restricted based on hosts and apps
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
clientRestrictions: []
}
) {
...AssetFragment
}
}GCP API Keys are restricted based on APIs
Connectors
Covered asset types
Expected check: eq []
{
apiKeys(
where: {
apiRestrictions: []
}
) {
...AssetFragment
}
}API Keys rotation
Connectors
Covered asset types
Expected check: eq []
{
APIKeysRotation(days: 90) {...AssetFragment}
}Azure SQL Servers without Entra admin
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
NOT: { entraAdministrator: { administratorType: "ActiveDirectory" } }
}
) {
...AssetFragment
}
}Azure Key Vault secrets without expiration date
Connectors
Covered asset types
Expected check: eq []
{
kmsSecrets(where: { expires: "0000-01-01T00:00:00.000Z" }) {
...AssetFragment
}
}Compute instances do not have public IP addresses
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
}
) {
...AssetFragment
}
}Cloud SQL database instances do not have public IPs
Connectors
Covered asset types
Expected check: eq []
{cloudSqlInstances(where:{instanceType:"CLOUD_SQL_INSTANCE",backendType:"SECOND_GEN",ipAddresses_SOME:{type:"PRIMARY"}}){...AssetFragment}}AWS Multi-region cloud trails with logging enabled
Connectors
Covered asset types
Expected check: eq []
{
AWSLogging1 {...AssetFragment}
}
The S3 bucket used to store CloudTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { trails_NOT: null publicAccessBlocked: false OR: [ { hasBucketACLGrant_SOME: { OR: [ { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" } { granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" } ] } } { AND: [ { policyDocument_MATCHES: ".+\"Effect\":\"Allow\".+" } { policyDocument_MATCHES: ".+\"Principal\":\"*\".+" } ] } ] } ) {...AssetFragment}}CloudTrail trails are integrated with CloudWatch Logs
Connectors
Covered asset types
Expected check: eq []
AWSLogging4{...AssetFragment}AWS Config is enabled in all regions
Connectors
Covered asset types
Expected check: eq []
AWSLogging5{...AssetFragment}S3 bucket access logging is enabled on the CloudTrail S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{trails_NOT: null, loggingEnabled:false}){...AssetFragment}}CloudTrail logs are encrypted at rest
Connectors
Covered asset types
Expected check: eq []
trails(where:{kmsKeyID:""}){...AssetFragment}A log metric filter and alarm exist for unauthorized API calls
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?\\*UnauthorizedOperation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?AccessDenied\\*[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for IAM policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachGroupPolicy[\"]?\\s*\\)\\s*\\s*.*"){...AssetFragment}A log metric filter and alarm exist for CloudTrail configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StartLogging[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopLogging[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Management Console authentication failures
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.errorMessage\\s*=\\s*[\"]?Failed authentication[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?kms\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableKey[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ScheduleKeyDeletion[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for S3 bucket policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?s3\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketReplication[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketReplication[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Config configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?config\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopConfigurationRecorder[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutConfigurationRecorder[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for security group changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateSecurityGroup[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteSecurityGroup[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclAssociation[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to network gateways
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachInternetGateway[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for route table changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRouteTableAssociation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisassociateRouteTable[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for VPC changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ModifyVpcAttribute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RejectVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableVpcClassicLink[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnableVpcClassicLink[\"]?\\s*\\)\\s*.*"){...AssetFragment}Object-level logging for write events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "WriteOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}Object-level logging for read events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "ReadOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}A log metric filter and alarm exist for AWS Organizations changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?organizations\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeclineHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?InviteAccountToOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?LeaveOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?MoveAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RemoveAccountFromOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateOrganizationalUnit[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}Logging is enabled for Cloud Storage buckets
Connectors
Covered asset types
Expected check: eq []
buckets(where:{loggingLogBucket_NOT:""}){...AssetFragment}Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{loggingService_NOT:"logging.googleapis.com"}){...AssetFragment}Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{monitoringService_NOT:"monitoring.googleapis.com"}){...AssetFragment}Retention policies on log buckets are configured using Bucket Lock
Connectors
Covered asset types
Expected check: eq []
logBuckets(where:{locked:false}){...AssetFragment}Azure SQL Servers with audit retention lesser than 90 days
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
blobAuditingPolicies_NONE: {
state: "Enabled"
OR: [{ retentionDays: 0 }, { retentionDays_GT: 90 }]
}
}
) {
...AssetFragment
}
}Google Cloud VPCs without DNS logging
Connectors
Covered asset types
Expected check: eq []
{
vpcs(where: { dnsPolicy_NONE: { NOT: { enableLogging_IN: ["true"] } } }) {
...AssetFragment
}
}Google Cloud Load Balancers without logging
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: { backendServices_ALL: { NOT: { logConfigEnabled: true } } }
) {
...AssetFragment
}
}Azure connectors without security contact additional email addresses
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { email: null } }
{ securityContacts_SOME: { email: "" } }
]
}
) {
...AssetFragment
}
}Azure connectors without notifications for high alerts
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { alertNotifications: false } }
]
}
) {
...AssetFragment
}
}
