Alibaba Cloud
AWS
Google Cloud
Google Workspace
Kubernetes
Microsoft Azure
Microsoft Entra ID
OktaOverview
#Statement
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
#Requirements
Procedures and mapped controls
1. Install and Maintain Network Security Controls
Network security controls (NSCs), such as firewalls and other network security technologies, are network policy enforcement points that typically control network traffic between two or more logical or physical network segments (or subnets) based on pre-defined policies or rules.
NSCs examine all network traffic entering (ingress) and leaving (egress) a segment and decide, based on the policies defined, whether the network traffic is allowed to pass or whether it should be rejected. Typically, NSCs are placed between environments with different security needs or levels of trust, however in some environments NSCs control the traffic to individual devices irrespective of trust boundaries. Policy enforcement generally occurs at layer 3 of the OSI model, but data present in higher layers is also frequently used to determine policy decisions.
Mapped controls
Ensure management ports are restricted from the internet
Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure Kubernetes Cluster is created with Alias IP ranges enabled
Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Ensure Network policy is enabled on Kubernetes Engine Clusters
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
Ensure the default security group of every VPC restricts all traffic
Ensure UDP access from the Internet is evaluated and restricted
Ensure VMs are not publicly accessible
Ensure databases are not publicly accessible
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Ensure disks are not publicly accessible
Ensure Cloud SQL database instances do not have public IPs
Ensure Compute instances do not have public IP addresses
2. Apply Secure Configurations to All System Components
Malicious individuals, both external and internal to an entity, often use default passwords and other vendor default settings to compromise systems. These passwords and settings are well known and are easily determined via public information.
Applying secure configurations to system components reduces the means available to an attacker to compromise the system. Changing default passwords, removing unnecessary software, functions, and accounts, and disabling or removing unnecessary services all help to reduce the potential attack surface
Mapped controls
Ensure default Service account is not used for Project access in Kubernetes Clusters
Ensure the Cloud SQL database instances require all incoming connections to use SSL
Ensure instances are not configured to use the default service account
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure the default security group of every VPC restricts all traffic
Ensure Azure Key Vaults are used to store secrets
Make sure secrets are not passed as container environment variables
Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure Cloud SQL Database Instances do not implicitly whitelist all public IP addresses
3. Protect Stored Account Data
Protection methods such as encryption, truncation, masking, and hashing are critical components of account data protection. If an intruder circumvents other security controls and gains access to encrypted account data, the data is unreadable without the proper cryptographic keys and is unusable to that intruder. Other effective methods of protecting stored data should also be considered as potential risk-mitigation opportunities. For example, methods for minimizing risk include not storing account data unless necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies such as e-mail and instant messaging.
If account data is present in non-persistent memory (for example, RAM, volatile memory), encryption of account data is not required. However, proper controls must be in place to ensure that memory maintains a non-persistent state. Data should be removed from volatile memory once the business purpose (for example, the associated transaction) is complete. In the case that data storage becomes persistent, all applicable PCI DSS Requirements will apply including encryption of stored data.
Mapped controls
Ensure EBS encryption by default is enabled
Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Ensure all S3 buckets employ encryption-at-rest
Ensure rotation for customer-created symmetric CMKs is enabled
Ensure 'Data encryption' is set to 'On' on SQL Databases
Ensure KMS encryption keys are rotated within a period of 90 days
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure SQL server's TDE protector is encrypted with Customer Managed Keys (CMK)
Ensure databases are encrypted
Ensure databases have deletion protection enabled
Ensure Storage for Critical Data Is Encrypted with Customer Managed Keys
Ensure encryption keys are not expiring within the next 14 days
Ensure encryption keys are rotated
Ensure in-use encryption keys are not scheduled for deletion
Ensure that 'OS and Data' disks are encrypted with Customer Managed Keys (CMK)
Ensure that 'Unattached disks' are encrypted with Customer Managed Keys (CMK)
Ensure Storage Account Access Keys are Periodically Regenerated
Ensure the Expiration Date is set for Key Vault Secrets
Ensure Cloud SQL database instances are configured with automated backups
Ensure Compute Instances have Confidential Computing Enabled
4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
The use of strong cryptography provides greater assurance in preserving data confidentiality, integrity, and non-repudiation.
To protect against compromise, PAN (Primary Account Number) must be encrypted during transmission over networks that are easily accessed by malicious individuals, including untrusted and public networks. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targeted by malicious individuals aiming to exploit these vulnerabilities to gain privileged access to cardholder data environments (CDE). Any transmissions of cardholder data over an entity's internal network(s) will naturally bring that network into scope for PCI DSS since that network stores, processes, or transmits cardholder data. Any such networks must be evaluated and assessed against applicable PCI DSS requirements.
Mapped controls
Ensure S3 Bucket Policy is set to deny HTTP requests
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure oslogin is enabled for a Project
Ensure 'Secure transfer required' is set to 'Enabled'
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
Ensure databases have TLS 1.2 or newer enabled
Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Ensure Web App is using the latest version of TLS encryption
Ensure 'HTTPS Only' is set to 'On' for App Service
Ensure weak TLS Protocols are not used for ELB
Ensure App Engine Applications Enforce HTTPS Connections
5. Protect All Systems and Networks from Malicious Software
Malicious software (malware) is software or firmware designed to infiltrate or damage a computer system without the owner's knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner's data, applications, or operating system.
Examples include viruses, worms, Trojans, spyware, ransomware, keyloggers, and rootkits, malicious code, scripts, and links.
Malware can enter the network during many business-approved activities, including employee e-mail (for example, via phishing) and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities.
Using anti-malware solutions that address all types of malware helps to protect systems from current and evolving malware threats.
Mapped controls
Ensure 'Endpoint protection' component status is set to 'On'
Ensure Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is selected
Ensure there are no workloads with exploitable vulnerabilities
Ensure Compute instances are launched with Shielded VM enabled
6. Develop and Maintain Secure Systems and Software
Actors with bad intentions can use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor provided security patches, which must be installed by the entities that manage the systems. All system components must have all appropriate software patches to protect against the exploitation and compromise of account data by malicious individuals and malicious software.
Mapped controls
Ensure that the latest OS Patches for all Virtual Machines are applied
ECS Fargate services should run on the latest Fargate platform version
Ensure no databases have outdated engine versions
Ensure Web App Uses HTTP 2.0
Ensure that 'Java version' is currently supported (if in use)
Ensure that 'PHP version' is currently supported (if in use)
Ensure that 'Python version' is currently supported (if in use)
Ensure Web App is using the latest version of TLS encryption
Ensure weak TLS Protocols are not used for ELB
Ensure Secrets are not stored in Cloud Functions environment variables by using Secret Manager
Ensure Compute Instances have Confidential Computing Enabled
Ensure Instance IP assignment is set to private
Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
7. Restrict Access to System Components and Cardholder Data by Business Need to Know
Unauthorized individuals may gain access to critical data or systems due to ineffective access control rules and definitions. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.
Mapped controls
Ensure IAM Users receive permissions only through Groups
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure Separation of duties is enforced while assigning Service Account related roles to users
Ensure IAM instance roles are used for AWS resource access from instances
Eliminate use of the "root" user for administrative and daily tasks
Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'On'
Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
8. Identify Users and Authenticate Access to System Components
Two fundamental principles of identifying and authenticating users are to 1) establish the identity of an individual or process on a computer system, and 2) prove or verify the user associated with the identity is who the user claims to be.
Mapped controls
Ensure IAM password policy expires passwords within 90 days or less
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure MFA is enabled for the "root" account
Ensure credentials unused for 45 days or greater are disabled
Ensure access keys are rotated every 90 days or less
Ensure hardware MFA is enabled for the "root" account (Hardware MFA)
Users Should Have Multi-Factor Authentication (MFA/2SV)
Ensure no "root" user account access key exists
Ensure Microsoft Entra authentication is Configured for SQL Servers
Ensure there is only one active access key available for any single IAM user
Ensure MFA is configured with strong factors
Ensure administrators have multi-factor authentication enabled
Ensure Managed Identities Are Used for App Service
Ensure Functions are not publicly accessible
Ensure 'Allow Blob Anonymous Access' is set to 'Disabled'
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
Ensure buckets are not publicly accessible
Ensure BigQuery Datasets Are Not Anonymously or Publicly Accessible
9. Restrict Physical Access to Cardholder Data
Any physical access to cardholder data or systems that store, process, or transmit cardholder data provides the opportunity for individuals to access and/or remove systems or hardcopies containing cardholder data; therefore, physical access should be appropriately restricted.
10. Log and Monitor All Access to System Components and Cardholder Data
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs on all system components and in the cardholder data environment (CDE) allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is difficult, if not impossible, without system activity logs.
This requirement applies to user activities, including those by employees, contractors, consultants, and internal and external vendors, and other third parties (for example, those providing support or maintenance services).
These requirements do not apply to user activity of consumers (cardholders)
Mapped controls
Ensure AWS Config is enabled in all regions
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure Network Watchers are 'Enabled' for in-use Azure regions
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
Ensure VPC flow logging is enabled in all VPCs
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Ensure a log metric filter and alarm exist for AWS Organizations changes
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for VPC changes
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for security group changes
Ensure a log metric filter and alarm exist for unauthorized API calls
Ensure a log metric filter and alarm exist for usage of "root" account
Ensure 'Auditing' Retention is greater than 90 days for SQL Servers
Ensure 'Auditing' is set to 'On' for SQL Servers
Ensure that Object-level logging for read events is enabled for S3 bucket
Ensure that Object-level logging for write events is enabled for S3 bucket
Ensure that logging is enabled for Cloud Storage buckets
Ensure Retention Policies on Cloud Storage Buckets used for exporting logs are configured using Bucket Lock
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure that Activity Log Alert exists for Delete Public IP Address rule
Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Ensure logging for Azure Key Vault is 'Enabled'
Ensure that Activity Log Alert exists for Create Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Network Security Group
Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Create or Update Security Solution
Ensure that Activity Log Alert exists for Delete Network Security Group
Ensure that Activity Log Alert exists for Delete Policy Assignment
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Delete Security Solution
Ensure Diagnostic Setting captures appropriate categories
Ensure Microsoft Defender for App Services is set to 'On`
Ensure Microsoft Defender for Azure Cosmos DB is set to 'On'
Ensure Microsoft Defender for Azure SQL databases is set to 'On'
Ensure Microsoft Defender for Containers is set to 'On'
[LEGACY] Ensure Microsoft Defender for DNS Is Set To 'On'
Ensure Microsoft Defender for Key Vault is set to 'On'
Ensure Microsoft Defender for Open-Source Relational Databases is set to 'On'
Ensure Microsoft Defender for Resource Manager is set to 'On'
Ensure Microsoft Defender for SQL Servers on machines is set to 'On'
Ensure Microsoft Defender for Servers is set to 'On'
Ensure Microsoft Defender for Storage is set to 'On'
Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
[LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
[LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
[Deprecated] Ensure Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud SQL PostgreSQL instance is set to 'on' for centralized logging
Ensure Cloud DNS Logging Is Enabled for All VPC Networks
Ensure Logging is enabled for HTTP(S) Load Balancers
11. Test Security of Systems and Networks Regularly
Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and bespoke and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
Mapped controls
Ensure Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is selected
Ensure 'Endpoint protection' component status is set to 'On'
Ensure AWS Config is enabled in all regions
Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
12. Support Information Security with Organizational Policies and Programs
The organization's overall information security policy sets the tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.
Query logic
These are the stored checks tied to this framework.
Security Groups with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}Firewalls with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
'Enable connecting to serial ports' is not enabled for VM Instance
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"serial-port-enable",value:"true"}}){...AssetFragment}No Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Connectors
Covered asset types
Expected check: eq []
{sqlServers(where:{firewallRules_SOME:{startIpAddress_CONTAINS:"0.0.0.0"}}){...AssetFragment}}Kubernetes Cluster is created with Alias IP ranges enabled
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{ipAllocationPolicy_SOME:{useIPAliases:false}}){...AssetFragment}Master authorized networks is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{masterAuthorizedNetworksConfigEnabled_NOT:true}){...AssetFragment}Network policy is enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{networkPolicyEnabled:false}){...AssetFragment}No Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Connectors
Covered asset types
Expected check: eq []
networkAcls(where:{rules_SOME:{AND:[{direction:"Inbound"},{action:"Allow"},{OR:[{sources_INCLUDES:"cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]},{OR:[{destFromPort_LTE: 22, destToPort_GTE: 22}, {destFromPort_LTE: 3389, destToPort_GTE: 3389}]}]}}){...AssetFragment}Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
networkSettings_SOME: {
authorizedNetworks_SOME: {
OR: [{ cidrValue: "0.0.0.0/0" }, { cidrValue: "::/0" }]
}
}
}
) {
...AssetFragment
}
}The default security group of every VPC restricts all traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(where: { groupName: "default", NOT: { rules_SOME: null } }) {
...AssetFragment
}
}Azure NSGs allowing UDP traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
protocol: "UDP"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 53, destToPort_GTE: 53 }
{ destFromPort_LTE: 123, destToPort_GTE: 123 }
{ destFromPort_LTE: 161, destToPort_GTE: 161 }
{ destFromPort_LTE: 389, destToPort_GTE: 389 }
{ destFromPort_LTE: 1900, destToPort_GTE: 1900 }
]
}
]
}
}
) {
...AssetFragment
}
}Publicly Accessible VMs for AWS/Alibaba
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
publicIpAddress_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}Publicly Accessible VMs for Azure
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: {
publicIp_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
}
) {
...AssetFragment
}
}
Publicly Accessible VMs for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
firewalls_SOME: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}Publicly Accessible Google Cloud Cloud SQL Instances
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
) {
...AssetFragment
}
} Publicly Accessible Azure MySQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure MySQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers( where: { publicAccessBlocked: false firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } ) {...AssetFragment} } Publicly Accessible Alibaba ApsaraDB Instances
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { publicAccessBlocked: false whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } ) {...AssetFragment} } Publicly Accessible Azure SQL Databases
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
) {...AssetFragment}
}
Publicly Accessible RDS Clusters
Connectors
Covered asset types
Expected check: eq []
{
dbClusters(
where: {
dbInstances_SOME: {
publicAccessBlocked: false
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
}
) {...AssetFragment}
}
Publicly Accessible Azure MariaDB Servers
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(
where: {
publicAccessBlocked: false
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
) {...AssetFragment}
}Publicly Accessible AWS RDS Instance
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
publicAccessBlocked: false
dbCluster: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
) {...AssetFragment}
}
Storage accounts with the default action not set to Deny
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { networkRuleSetDefaultAction: "Deny" } }) {
...AssetFragment
}
}Publicly Accessible Disks for AWS/Alibaba
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
publicIpAddress_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
diskAttachments {
disk {...AssetFragment}
}
}
}
Publicly Accessible Disks for Azure
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: {
publicIp_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
}
) {
diskAttachments {
disk {...AssetFragment}
}
}
}
Publicly Accessible Disks for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
firewalls_SOME: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
diskAttachments {
disk {
...AssetFragment
}
}
}
}Cloud SQL database instances do not have public IPs
Connectors
Covered asset types
Expected check: eq []
{cloudSqlInstances(where:{instanceType:"CLOUD_SQL_INSTANCE",backendType:"SECOND_GEN",ipAddresses_SOME:{type:"PRIMARY"}}){...AssetFragment}}Compute instances do not have public IP addresses
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
}
) {
...AssetFragment
}
}Default Service account is not used for Project access in Kubernetes Clusters
Connectors
Covered asset types
Expected check: eq []
{gkeClusters(where:{nodePools_SOME:{nodeConfig:{serviceAccount:"default"}}}){...AssetFragment}}Cloud SQL database instances require all incoming connections to use SSL
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsIPConfigurationRequireSsl:false}){...AssetFragment}Instances are not configured to use the default service account
Connectors
Covered asset types
Expected check: eq []
vms(where: {serviceAccountEmail_CONTAINS: "[email protected]"}) {...AssetFragment}Instances are not configured to use the default service account with full access to all Cloud APIs
Connectors
Covered asset types
Expected check: eq []
GCPVM1{...AssetFragment}FunctionApps with secrets that are not keyvault references
Connectors
Covered asset types
Expected check: eq []
{
functionApps(
where: {
applicationConfig: {
settings_SOME: {
type: "AppService"
key_MATCHES: "(.*)(_*?)(key|pass|secret|salt|connectionstring|connection_string)(.*)"
}
}
}
) {...AssetFragment}
}Sites with secrets that are not keyvault references
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: {
applicationConfig: {
settings_SOME: {
type: "AppService"
key_MATCHES: "(.*)(_*?)(key|pass|secret|salt|connectionstring|connection_string)(.*)"
}
}
}
) {...AssetFragment}
}
Check if secrets are passed as ENV vars on ECS Task Definitions
Connectors
Covered asset types
Expected check: eq []
{
ecsTaskDefinitions(
where: {
task_NOT: null,
containerSpecs_SOME: {
envEntries_SOME: {
key_IN: [
"AWS_ACCESS_KEY_ID"
"AWS_SECRET_ACCESS_KEY"
"ECS_ENGINE_AUTH_DATA"
]
}
}
}
) {...AssetFragment}
}
Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "remote access" }}, {dbFlags_SOME: {name: "remote access", value: "on"}}]
}
) {
...AssetFragment
}
}EBS encryption by default is enabled
Connectors
Covered asset types
Expected check: eq []
{ebsSettings(where: { encryptedByDefault: false }) {...AssetFragment}}VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
Connectors
Covered asset types
Expected check: eq []
disks(where:{encryptedWithCustomerSuppliedKey: false }){...AssetFragment}All S3 buckets employ encryption-at-rest
Connectors
Covered asset types
Expected check: eq []
buckets(where: { encrypted: false}) {...AssetFragment}Rotation for customer created CMKs is enabled
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{automaticRotationEnabled:false, managementType:"CustomerManaged"}){...AssetFragment}'Data encryption' is set to 'On' on a SQL Database
Connectors
Covered asset types
Expected check: eq []
{sqlDatabases(where: {encrypted: false}){...AssetFragment}}KMS encryption keys are rotated within a period of 90 days
Connectors
Covered asset types
Expected check: eq []
GCP110IAM10{...AssetFragment}Cloud KMS cryptokeys are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
kmsKeys(where:{OR:[{policyDocument_CONTAINS:"allUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}Azure SQL Servers without TDE protector key encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
OR: [
{ encryptionProtector: null }
{ encryptionProtector: { serverKeyType: "ServiceManaged" } }
]
}
) {
...AssetFragment
}
}Azure MySQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers (where: {encrypted: false}) {...AssetFragment} }Azure MySQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers (where: {encrypted: false}) {...AssetFragment} }Azure PostgreSQL Flexible Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers (where: {encrypted: false}) {...AssetFragment} }AWS RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "aws" encrypted: false }) {...AssetFragment} }ApsaraDB RDS with no encryption
Connectors
Covered asset types
Expected check: eq []
{ dbInstances (where: { cloudProvider: "alibaba", encrypted: false }) {...AssetFragment} }Google Cloud Cloud SQL with no encryption
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: { encrypted: false }) {...AssetFragment} }Azure MariaDB Servers with no encryption
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(where: { encrypted: false }) {...AssetFragment}
}Databases without delete protection Azure
Connectors
Covered asset types
Expected check: eq []
{ databases(where: { deletionPrevention: "disabled" }) {...AssetFragment} } Databases without delete protection Google Cloud Cloud SQL
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances (where: {deletionPrevention: "disabled"}) {...AssetFragment} }Databases without delete protection aws and alibaba
Connectors
Covered asset types
Expected check: eq []
{ dbInstances(where: { AND: [ {deletionPrevention: "disabled" } {OR: [{ dbCluster: null }{ dbCluster: { deletionProtection: false }}]}]}) {...AssetFragment} }Storage for critical data is encrypted with Customer Managed Key
Connectors
Covered asset types
Expected check: eq []
{storageAccounts(where:{byokEncrypted_NOT:true}){...AssetFragment}}Encryption Keys expiring within the next 14 days
Connectors
Covered asset types
Expected check: eq []
{ EncryptionKeysExpiration(days: 14) {...AssetFragment} }Encryption Keys haven't been rotated in more than 90 days for AWS
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotationAWS(days: 90) {...AssetFragment}
}Encryption Keys haven't been rotated in more than 90 days
Connectors
Covered asset types
Expected check: eq []
{
EncryptionKeysRotation(days: 90) {...AssetFragment}
}Encryption Keys scheduled for deletion
Connectors
Covered asset types
Expected check: eq []
{ kmsKeys(where: {scheduleForDeletion: true, dataStores_SOME: { identifier_NOT: null }}) {...AssetFragment} }'OS and Data' disks are encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{vms(where:{diskAttachments_SOME:{disk:{,encryptionKey:null}}}){...AssetFragment}}'Unattached disks' are encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{disks(where:{diskState_MATCHES:"(?i)unattached",encryptionKey:null}){...AssetFragment}}Storage account access keys are periodically regenerated
Connectors
Covered asset types
Expected check: eq []
{StorageAccountsWithOldKeys{...AssetFragment}}Azure Key Vault secrets without expiration date
Connectors
Covered asset types
Expected check: eq []
{
kmsSecrets(where: { expires: "0000-01-01T00:00:00.000Z" }) {
...AssetFragment
}
}Cloud SQL database instances are configured with automated backups
Connectors
Covered asset types
Expected check: eq []
cloudSqlInstances(where:{settingsBackupConfigurationEnabled:false}){...AssetFragment}Ensure That Compute Instances Have Confidential Computing Enabled
Connectors
Covered asset types
Expected check: eq []
{
vms(where: { cloudProvider: "gcp", NOT:{enableConfidentialCompute: true} }) {
...AssetFragment
}
}
S3 Bucket Policy is set to deny HTTP requests
Connectors
Covered asset types
Expected check: eq []
buckets(where: {OR: [{policyDocument_MATCHES: "^((?!(?i)\"effect\":\"deny\").)*$"},{policyDocument_MATCHES: "^((?!(?i)\"Bool|aws:SecureTransport|false\").)*$"}]}) {...AssetFragment}No HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: {OR: [
{httpsProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
{sslProxies_SOME: {OR: [
{sslPolicy: ""},
{hasSSLPolicy: {OR: [
{profile: "COMPATIBLE"},
{AND: [{profile: "MODERN"}, {NOT: {minTlsVersion: "TLS_1_2"}}]},
{AND: [
{profile: "CUSTOM"},
{OR: [
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_GCM_SHA256"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_GCM_SHA38"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_128_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_AES_256_CBC_SHA"},
{enabledFeatures_INCLUDES: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
]
}
]}
]}
}
]}},
]}){
...AssetFragment
}
}
Oslogin is enabled for a Project
Connectors
Covered asset types
Expected check: eq []
projects(where:{hasCommonInstanceMetadataItem_SOME:{key:"os-login",value:"false"}}){...AssetFragment}Azure storage accounts not enforcing HTTPS
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { NOT: { supportsHttpsTrafficOnly: true } }) {
...AssetFragment
}
}All the expired SSL/TLS certificates stored in AWS IAM are removed
Connectors
Covered asset types
Expected check: eq []
AWS130IAM19 {...AssetFragment}Publicly Accessible Alibaba ApsaraDB Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { AND: [ { publicAccessBlocked: false } { whitelist: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible RDS with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ dbInstances( where: { AND: [ { publicAccessBlocked: false } { securityGroups_SOME: { rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" } } } { OR: [ { tlsStatus: "" } { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Google Cloud Cloud SQL Instances with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
AND: [
{ publicAccessBlocked: false }
{
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
{
OR: [
{ tlsStatus: "" }
{ tlsStatus: "disabled" }
{ tlsMinimumVersion_LT: 1.2 }
]
}
]
}
) {
...AssetFragment
}
} Publicly Accessible Azure MySQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ mySqlServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure MySQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ mySqlFlexibleServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure PostgreSQL Single Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} }Publicly Accessible Azure PostgreSQL Flexible Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{ postgreSqlFlexibleServers( where: { AND: [ { publicAccessBlocked: false } { firewallRules_SOME: { startIPAddress: "0.0.0.0" endIPAddress: "255.255.255.255" } } { OR: [ { tlsStatus: "disabled" } { tlsMinimumVersion_LT: 1.2 } ] } ] } ) {...AssetFragment} } Publicly Accessible Azure MariaDB Servers with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers (
where: {
AND: [
{ publicAccessBlocked: false }
{
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
{ OR: [{ tlsStatus: "disabled" }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}Publicly Accessible Azure SQL Databases with no/old TLS
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
AND: [
{ publicAccessBlocked: false }
{
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
{ OR: [{ tlsStatus: "disabled" }, { tlsMinimumVersion_LT: 1.2 }] }
]
}
) {...AssetFragment}
}The web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Connectors
Covered asset types
Expected check: eq []
{sites(where:{clientCertEnabled_NOT:true}){...AssetFragment}}Azure app services allowing old TLS
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { NOT: { minTlsVersion_IN: ["1.2", "1.3"] } } }) {
...AssetFragment
}
}Azure app services allowing plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { httpsOnly: false }) {
...AssetFragment
}
}Weak TLS Protocols are not used for ELB
Connectors
Covered asset types
Expected check: eq []
{loadBalancers( where: { scheme: "internet-facing", listensOnHTTPListener_SOME: { sslPolicy_IN: ["ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01", "ELBSecurityPolicy-TLS13-1-0-2021-06", "ELBSecurityPolicy-TLS13-1-1-2021-06", "ELBSecurityPolicy-FS-1-1-2019-08", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-02"] } } ) {...AssetFragment}}App Engine Allowing Plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
appEngineServices(
where: {
serviceVersions_NONE: {
urlHandlers_SOME: {
urlRegex_IN: ["/.*", ".*"]
securityLevel_IN: ["SECURE_ALWAYS"]
}
}
}
) {
...AssetFragment
}
}Azure subscriptions with WDATP (endpoint protection) disabled
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { dataExportSettings_SOME: { name: "WDATP", enabled: false } }
) {
...AssetFragment
}
}Azure subscriptions with MCAS disabled
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { dataExportSettings_SOME: { name: "MCAS", enabled: false } }
) {
...AssetFragment
}
}Ensure there are no Compute with exploitable vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{ComputeWithExploitableVulnerabilities {...AssetFragment}}CloudRun revisions with high severity vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{
cloudRunRevisions(
where: {
image: {
findings_SOME: {
vulnerability: {
exploitAvailable: true
}
}
}
}) {
...AssetFragment
}
}Containers with exploitable high/critical vulnerabilities
Connectors
Covered asset types
Expected check: eq []
{
ContainersWithExploitableVulnerabilities {
...AssetFragment
}
}
GCP VMs with security features disabled
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
OR: [
{ shieldedInstanceConfigEnableVtpm: false }
{ shieldedInstanceConfigEnableSecureBoot: false }
{ shieldedInstanceConfigEnableIntegrityMonitoring: false }
]
}
) {
...AssetFragment
}
}ECS Services should use the latest platform version
Connectors
Covered asset types
Expected check: eq []
{
ecsServices(where: {NOT: { platformVersion_IN: ["LATEST", ""] }}) {...AssetFragment}
}Azure MySQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure MySQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure PostgreSQL servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure PostgreSQL Flexible servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
DBInstances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
dbInstances
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Cloud SQL Instances with outdated engines
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}Azure MariaDB servers with outdated engine
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers
(
where: {
cyscaleEngineIsOutdated: true
}
) {
...AssetFragment
}
}
Azure App Service apps without HTTP 2.0
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { http20Enabled: false } }) {
...AssetFragment
}
}Azure app services running unsupported Java versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { javaVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}Azure app services running unsupported PHP versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { phpVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}Azure app services running unsupported Python versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { pythonVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}Ensure Secrets are not stored in Cloud Functions environment variables by using Secret Manager
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
envVars_SOME: {
key_MATCHES: "(?i).*(api|key|secret|token|password|access|id|auth|app|client|credential|security|private|public|authorization|confidential|encryption|hmac|signature|passphrase|session|authentication|verify|oauth|ssl|tls|jwt|service_account|code|secure|sudo).*"
}
}
) {
...AssetFragment
}
}Ensure Instance IP assignment is set to private
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
ipAddresses_SOME: { NOT: { type: "PRIVATE" } }
}
) {
...AssetFragment
}
}Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
dbFlags_SOME: { name: "external scripts enabled",value: "on" }
}
) {
...AssetFragment
}
}IAM Users receive permissions only through Groups
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {...AssetFragment}IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Connectors
Covered asset types
Expected check: eq []
GCP110IAM6{...AssetFragment}S3 Buckets are configured with 'Block public access (bucket settings)'
Connectors
Covered asset types
Expected check: eq []
buckets(where: { publicAccessBlocked: false }) {...AssetFragment}Separation of duties is enforced while assigning service account related roles to users
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
AND: [
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountAdmin"
}
}
{
hasIAMRole_SOME: {
name: "roles/iam.serviceAccountUser"
}
}
]
}
) {
...AssetFragment
}
}Eliminate use of the "root" user for administrative and daily tasks
Connectors
Covered asset types
Expected check: eq []
AWSIAM1 {...AssetFragment}Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'On'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "mysql"
cloudProvider: "gcp"
OR: [
{ dbFlags_NONE: { name: "skip_show_database" } }
{ dbFlags_SOME: { name: "skip_show_database", value: "off" } }
]
}
) {
...AssetFragment
}}Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
dbFlags_SOME: { name: "user options" }
}
) {
...AssetFragment
}
}IAM password policy expires passwords within 90 days or less
Connectors
Covered asset types
Expected check: eq []
{ iamPasswordPolicies( where: { OR: [{ maxPasswordAge: 0 }, { maxPasswordAge_GT: 90 }] } ) {...AssetFragment} } IAM password policy requires a minimum length of 14 or greater
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{minimumPasswordLength_LT:14}){...AssetFragment}IAM password policy requires at least one lowercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireLowercaseCharacters:false}){...AssetFragment}IAM password policy requires at least one number
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireNumbers:false}){...AssetFragment}IAM password policy requires at least one symbol
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireSymbols:false}){...AssetFragment}IAM password policy requires at least one uppercase letter
Connectors
Covered asset types
Expected check: eq []
iamPasswordPolicies(where:{requireUppercaseCharacters:false}){...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMRoles
Connectors
Covered asset types
Expected check: eq []
{iamRoles(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}}IAM policies that allow full "*:*" administrative privileges are not attached to IAMUsers
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}IAM policies that allow full "*:*" administrative privileges are not attached to IAMGroups
Connectors
Covered asset types
Expected check: eq []
iamGroups(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}MFA is enabled for the "root" account
Connectors
Covered asset types
Expected check: eq []
AWSIAM13{...AssetFragment}Credentials unused for 45 days or greater are disabled
Connectors
Covered asset types
Expected check: eq []
AWSIAM3(days: 45){...AssetFragment}Access keys are rotated every 90 days or less
Connectors
Covered asset types
Expected check: eq []
AWSIAM4{...AssetFragment}Hardware MFA is enabled for the "root" account (Hardware MFA)
Connectors
Covered asset types
Expected check: eq []
AWSIAM14{...AssetFragment}Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}Google Cloud IAMUsers Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
...AssetFragment
}
}Entra Users Without MFA With Access to Azure
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}Multi-factor authentication is enabled for all RAM users that have a console password
Connectors
Covered asset types
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}Entra users without mfa
Connectors
Covered asset types
Expected check: eq []
{
users(where: { mfaActive: false }) {
...AssetFragment
}
}AWS Root users with access key
Connectors
Covered asset types
Expected check: eq []
{
rootUsers(
where: {
hasIAMUserCredentials: {
OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
}
}
) {
connector {...AssetFragment}
}
}
Azure SQL Servers without Entra admin
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
NOT: { entraAdministrator: { administratorType: "ActiveDirectory" } }
}
) {
...AssetFragment
}
}There is only one active access key available for any single IAM user
Connectors
Covered asset types
Expected check: eq []
AWS130IAM13 {...AssetFragment}MFA is configured with strong factors
Connectors
Covered asset types
Expected check: eq []
oktaPolicies(where: { type: "MFA_ENROLL", OR:[{allowedFactors_INCLUDES: "phone_number"}, {allowedFactors_INCLUDES: "security_question"}, {allowedFactors_INCLUDES: "okta_email"}]}) {...AssetFragment}Alibaba & AWS Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(where: {
cloudProvider_IN: ["alibaba", "aws"],
OR: [
{
iamPolicies_SOME: {
OR: [{
internalName_CONTAINS: "Administrator"
}, {
internalName_CONTAINS: "FullAccess"
}]
}
},
{
hasIAMGroup_SOME: {
iamPolicies_SOME: {
OR: [{
internalName_CONTAINS: "Administrator"
}, {
internalName_CONTAINS: "FullAccess"
}]
}
}
}
],
mfaSerialNumbers: []
}) {
...AssetFragment
}
}Entra users with privileged Azure assignmnets
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
mfaActive: false
OR: [
{
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
{
groups_SOME: {
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
}
]
}
) {
...AssetFragment
}
}Okta Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(
where: {
applications_SOME: {
name: "Okta Admin Console"
hasPolicy_SOME: { mfaEnabled: false }
}
OR: [
{ roles_INCLUDES: "Super Administrator" }
{ roles_INCLUDES: "API Access Management Administrator" }
{ roles_INCLUDES: "Application Administrator" }
{ roles_INCLUDES: "Group Membership Administrator" }
{ roles_INCLUDES: "Help Desk Administrator" }
{ roles_INCLUDES: "Mobile Administrator" }
{ roles_INCLUDES: "Organizational Administrator" }
{ roles_INCLUDES: "Read-only Administrator" }
{ roles_INCLUDES: "Report Administrator" }
{ roles_INCLUDES: "Group Administrator" }
]
}
) {
...AssetFragment
}
}
Google Workspace Admins without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { isAdmin: true, NOT: { isEnrolledIn2Sv: true } }) {
...AssetFragment
}
}Google Cloud Admins Without MFA
Connectors
Covered asset types
Expected check: eq []
{
iamUsers(
where: {
hasIAMRole_SOME: {
OR: [
{ name_IN: ["roles/owner", "roles/editor"] }
{ name_CONTAINS: "admin" }
]
}
NOT: { user: { isEnrolledIn2Sv: true } }
}
) {
...AssetFragment
}
}Entra admins without MFA
Connectors
Covered asset types
Expected check: eq []
{
users(where: { cloudProvider: "entra", isAdmin: true, mfaActive: false }) {
...AssetFragment
}
}
Azure App Service apps without managed identity
Connectors
Covered asset types
Expected check: eq true
{
sites(where: { managedIdentities_SOME: null }) {
...AssetFragment
}
}Publicly Accessible Functions for AWS
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
OR: [
{
securityRules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
},
{
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
]
}
) {
...AssetFragment
}
}
Publicly Accessible Functions for Azure
Connectors
Covered asset types
Expected check: eq []
{
functions(where: {
bindings_SOME: {
direction: "in",
type: "httpTrigger"
}
}) {
...AssetFragment
}
}Publicly Accessible Functions for Alibaba
Connectors
Covered asset types
Expected check: eq []
{
functions(where: {
triggers_SOME: {
triggerType: "http"
}
}) {
...AssetFragment
}
}Publicly Accessible Functions for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
functions(
where: {
NOT: {
httpsRequired: true
}
}
) {
...AssetFragment
}
}
Azure Storage Accounts Allowing Blob Public Access
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(where: { allowBlobPublicAccess: true }) {
...AssetFragment
}
}BigQuery datasets are not anonymously or publicly accessible
Connectors
Covered asset types
Expected check: eq []
bigQueryTables(where:{OR:[{policyDocument_CONTAINS:"AllUsers"},{policyDocument_CONTAINS:"allAuthenticatedUsers"}]}){...AssetFragment}Publicly Accessible AWS Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "aws"
publicAccessBlocked: false
OR: [
{
hasBucketACLGrant_SOME: {
OR: [
{ granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
{
granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
}
]
permission_IN: ["READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"]
}
}
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "s3:GetObject" }
{ actions_INCLUDES: "s3:ListObjects" }
{ actions_INCLUDES: "s3:ListObjectsV2" }
{ actions_INCLUDES: "s3:PutObject" }
{ actions_INCLUDES: "s3:PutObjectAcl" }
{ actions_INCLUDES: "s3:CreateMultipartUpload" }
{ actions_INCLUDES: "s3:UploadPart" }
{ actions_INCLUDES: "s3:DeleteObject" }
{ actions_INCLUDES: "s3:DeleteObjects" }
{ actions_INCLUDES: "s3:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "AWS|*"
}
}
}
]
}
) {...AssetFragment}
}
Publicly Readable Azure Blob Containers
Connectors
Covered asset types
Expected check: eq []
{
blobContainers(
where: {
cloudProvider: "azure"
publicAccessBlocked: false
publicAccess_IN: ["Blob", "Container"]
}
) {...AssetFragment}
}
Publicly Accessible Google Cloud Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "gcp"
publicAccessBlocked: false
iamBindings_SOME: {
OR: [
{ members_INCLUDES: "allUsers" }
{ members_INCLUDES: "allAuthenticatedUsers" }
]
role: {
OR: [
{ permissions_INCLUDES: "storage.objects.get" }
{ permissions_INCLUDES: "storage.objects.list" }
{ permissions_INCLUDES: "storage.objects.create" }
{ permissions_INCLUDES: "storage.objects.delete" }
{ permissions_INCLUDES: "storage.objects.update" }
{ permissions_INCLUDES: "storage.objects.*" }
{ permissions_INCLUDES: "storage.objects.setIamPolicy" }
{
permissions_INCLUDES: "storage.multipartUploads.create"
}
{ permissions_INCLUDES: "storage.multipartUploads.*" }
]
}
}
}
) {...AssetFragment}
}
Publicly Accessible Alibaba Buckets
Connectors
Covered asset types
Expected check: eq []
{
buckets(
where: {
cloudProvider: "alibaba"
publicAccessBlocked: false
OR: [
{ acl_IN: ["public-read", "public-read-write"] }
{
bucketPolicy: {
statements_SOME: {
effect: "Allow"
OR: [
{ actions_INCLUDES: "oss:GetObject" }
{ actions_INCLUDES: "oss:PutObject" }
{ actions_INCLUDES: "oss:PutObjectAcl" }
{ actions_INCLUDES: "oss:ListObjects" }
{ actions_INCLUDES: "oss:GetObjectVersion" }
{ actions_INCLUDES: "oss:*" }
{ actions_INCLUDES: "*" }
]
principals_INCLUDES: "*"
}
}
}
]
}
) {...AssetFragment}
}
AWS Config is enabled in all regions
Connectors
Covered asset types
Expected check: eq []
AWSLogging5{...AssetFragment}AWS Multi-region cloud trails with logging enabled
Connectors
Covered asset types
Expected check: eq []
{
AWSLogging1 {...AssetFragment}
}
CloudTrail logs are encrypted at rest
Connectors
Covered asset types
Expected check: eq []
trails(where:{kmsKeyID:""}){...AssetFragment}CloudTrail trails are integrated with CloudWatch Logs
Connectors
Covered asset types
Expected check: eq []
AWSLogging4{...AssetFragment}Azure Connectors without network watchers in all used regions
Connectors
Covered asset types
Expected check: eq []
{
AzureRegionsWithoutNetworkWatcher {
...AssetFragment
}
}S3 bucket access logging is enabled on the CloudTrail S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets(where:{trails_NOT: null, loggingEnabled:false}){...AssetFragment}}Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{loggingService_NOT:"logging.googleapis.com"}){...AssetFragment}Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
Connectors
Covered asset types
Expected check: eq []
gkeClusters(where:{monitoringService_NOT:"monitoring.googleapis.com"}){...AssetFragment}VPC flow logging is enabled in all VPCs
Connectors
Covered asset types
Expected check: eq []
vpcs(where: {OR: [{hasFlowLog: null}, {hasFlowLog_NONE: {flowLogStatus: "ACTIVE"}}]}){...AssetFragment}A log metric filter and alarm exist for AWS Config configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?config\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopConfigurationRecorder[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutDeliveryChannel[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutConfigurationRecorder[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Management Console authentication failures
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.errorMessage\\s*=\\s*[\"]?Failed authentication[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for AWS Organizations changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?organizations\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeclineHandshake[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteOrganizationalUnit[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnablePolicyType[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?InviteAccountToOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?LeaveOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?MoveAccount[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RemoveAccountFromOrganization[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateOrganizationalUnit[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for CloudTrail configuration changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?UpdateTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteTrail[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StartLogging[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?StopLogging[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for IAM policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreatePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeletePolicyVersion[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachRolePolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachUserPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachGroupPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachGroupPolicy[\"]?\\s*\\)\\s*\\s*.*"){...AssetFragment}A log metric filter and alarm exist for Management Console sign-in without MFA
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ConsoleLogin[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\$\\.additionalEventData\\.MFAUsed\\s*!=\\s*[\"]?Yes[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for S3 bucket policy changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?s3\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?PutBucketReplication[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketPolicy[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketCors[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketLifecycle[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteBucketReplication[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for VPC changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ModifyVpcAttribute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AcceptVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RejectVpcPeeringConnection[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachClassicLinkVpc[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableVpcClassicLink[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?EnableVpcClassicLink[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to network gateways
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteCustomerGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AttachInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteInternetGateway[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DetachInternetGateway[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclAssociation[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventSource\\s*=\\s*[\"]?kms\\.amazonaws\\.com[\"]?\\s*\\)\\s*\\&\\&\\s*\\(\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisableKey[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ScheduleKeyDeletion[\"]?\\s*\\)\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for route table changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceRouteTableAssociation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRouteTable[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteRoute[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DisassociateRouteTable[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for security group changes
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?AuthorizeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupIngress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?RevokeSecurityGroupEgress[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateSecurityGroup[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteSecurityGroup[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for unauthorized API calls
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?\\*UnauthorizedOperation[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.errorCode\\s*=\\s*[\"]?AccessDenied\\*[\"]?\\s*\\)\\s*.*"){...AssetFragment}A log metric filter and alarm exist for usage of "root" account
Connectors
Covered asset types
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\$\\.userIdentity\\.type\\s*=\\s*[\"]?Root[\"]?\\s*\\&\\&\\s*\\s*\\$\\.userIdentity\\.invokedBy\\s*NOT\\s*EXISTS\\s*\\&\\&\\s*\\$\\.eventType\\s*!=\\s*[\"]?AwsServiceEvent\\s*[\"]?\\s*.*"){...AssetFragment}Azure SQL Servers with audit retention lesser than 90 days
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(
where: {
blobAuditingPolicies_NONE: {
state: "Enabled"
OR: [{ retentionDays: 0 }, { retentionDays_GT: 90 }]
}
}
) {
...AssetFragment
}
}Azure SQL Servers without auditing
Connectors
Covered asset types
Expected check: eq []
{
sqlServers(where: { blobAuditingPolicies_NONE: { state: "Enabled" } }) {
...AssetFragment
}
}Object-level logging for read events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "ReadOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}Object-level logging for write events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { OR: [ { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "WriteOnly"] } } } } { trailEventSelectorDataResources_SOME: null } ] } ) {...AssetFragment}}Logging is enabled for Cloud Storage buckets
Connectors
Covered asset types
Expected check: eq []
buckets(where:{loggingLogBucket_NOT:""}){...AssetFragment}Retention policies on log buckets are configured using Bucket Lock
Connectors
Covered asset types
Expected check: eq []
logBuckets(where:{locked:false}){...AssetFragment}The S3 bucket used to store CloudTrail logs is not publicly accessible
Connectors
Covered asset types
Expected check: eq []
{buckets( where: { trails_NOT: null publicAccessBlocked: false OR: [ { hasBucketACLGrant_SOME: { OR: [ { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" } { granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" } ] } } { AND: [ { policyDocument_MATCHES: ".+\"Effect\":\"Allow\".+" } { policyDocument_MATCHES: ".+\"Principal\":\"*\".+" } ] } ] } ) {...AssetFragment}}Activity Log Alert exists for Delete Public IP Address
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.network/publicIPAddresses/delete") {
...AssetFragment
}
}Storage Accounts without Blob Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isBlobServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}Azure storage accounts without queue service diagnostic settings logging
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isQueueServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}Key Vaults without Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where: {
OR: [
{ loggingEnabled: false }
{
diagnosticSettings_SOME: {
resourceType: "Microsoft.KeyVault/vaults"
logs_SOME: {
enabled: false
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
) {
...AssetFragment
}
}Activity Log Alert exists for Create Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/write"){...AssetFragment}}Activity Log Alert exists for Create or Update Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/write"){...AssetFragment}}Activity Log Alert exists for Create or Update Public IP Address
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.network/publicIPAddresses/write") {
...AssetFragment
}
}Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/write"){...AssetFragment}}Activity Log Alert exists for Create or Update Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/write"){...AssetFragment}}Activity Log Alert exists for Delete Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.network/networksecuritygroups/delete"){...AssetFragment}}Activity Log Alert exists for Delete Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.authorization/policyassignments/delete"){...AssetFragment}}Activity Log Alert exists for Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.sql/servers/firewallrules/delete"){...AssetFragment}}Activity Log Alert exists for Delete Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals:"microsoft.security/securitysolutions/delete"){...AssetFragment}}Diagnostic Setting captures appropriate categories
Connectors
Covered asset types
Expected check: eq []
{subscriptionDiagnosticSettings(where:{logSettings_SOME:{category_IN:["Administrative","Alert","Policy","Security"],enabled:false}},){...AssetFragment}}Azure Subscriptions without Microsoft Defender for App Services
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "AppServices", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Cosmos DB
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "CosmosDbs", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Azure SQL
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "SqlServers", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure subscriptions without Microsoft Defender for Containers
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Containers", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for DNS
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Dns", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Key Vault
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "KeyVaults", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Open-Source Relational Databases
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
pricing_SOME: {
name: "OpenSourceRelationalDatabases"
pricingTier: "Free"
}
}
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Resource Manager
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Arm", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for SQL Servers on Machines
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
pricing_SOME: { name: "SqlServerVirtualMachines", pricingTier: "Free" }
}
) {
...AssetFragment
}
}Azure subscriptions without Microsoft Defender for Servers
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "VirtualMachines", pricingTier: "Free" } }
) {
...AssetFragment
}
}Azure Subscriptions without Microsoft Defender for Storage
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "StorageAccounts", pricingTier: "Free" } }
) {
...AssetFragment
}
}Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{configurations_NONE:{name:"connection_throttling", value_MATCHES:"(?i)on"}}){...AssetFragment}}Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{configurations_NONE:{name:"log_checkpoints",value_MATCHES:"(?i)on"}},){...AssetFragment}}Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
configurations_SOME: { name: "log_connections", value_MATCHES: "(?i)off" }
}
) {
...AssetFragment
}
}Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{postgreSqlServers(where:{configurations_SOME:{name:"log_retention_days", value_MATCHES:"[0-3]"}}){...AssetFragment}}Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
configurations_SOME: {
name: "log_disconnections"
value_MATCHES: "(?i)off"
}
}
) {
...AssetFragment
}
}Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_error_verbosity", value: "verbose" }
}
) {
...AssetFragment
}
}Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_NONE: { name: "log_statement" }
}
) {
...AssetFragment
}
}Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
dbFlags_SOME: { name: "log_min_error_statement", NOT: {value_IN: ["error", "log", "fatal", "panic"]} }
}
) {
...AssetFragment
}
}Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud Sql Postgresql instance is set to 'on' for centralized logging
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "cloudsql.enable_pgaudit" }}, {dbFlags_SOME: {name: "cloudsql.enable_pgaudit", value: "off"}}]
}
) {
...AssetFragment
}
}Google Cloud VPCs without DNS logging
Connectors
Covered asset types
Expected check: eq []
{
vpcs(where: { dnsPolicy_NONE: { NOT: { enableLogging_IN: ["true"] } } }) {
...AssetFragment
}
}Google Cloud Load Balancers without logging
Connectors
Covered asset types
Expected check: eq []
{
loadBalancers(
where: { backendServices_ALL: { NOT: { logConfigEnabled: true } } }
) {
...AssetFragment
}
}Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "3625" }}, {dbFlags_SOME: {name: "3625", value: "off"}}]
}
) {
...AssetFragment
}
}Azure connectors without security contact additional email addresses
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { email: null } }
{ securityContacts_SOME: { email: "" } }
]
}
) {
...AssetFragment
}
}Azure connectors without notifications for high alerts
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { alertNotifications: false } }
]
}
) {
...AssetFragment
}
}
