190 New Policies 🛂

Bridgecrew added 190 new out-of-the-box policies across all supported providers.

| Policy ID | Policy name |
|---|---|
| BC_ALI_GENERAL_10 | Ensure Alibaba Cloud RDS instance is set to perform auto upgrades for minor versions |
| BC_ALI_GENERAL_11 | Ensure Alibaba Cloud RDS instance has log_duration enabled |
| BC_ALI_GENERAL_12 | Ensure Alibaba Cloud launch template data disks are encrypted |
| BC_ALI_GENERAL_13 | Ensure Alibaba Cloud RDS instance has log_disconnections enabled |
| BC_ALI_GENERAL_14 | Ensure Alibaba Cloud RDS log audit is enabled |
| BC_ALI_GENERAL_15 | Ensure Alibaba Cloud MongoDB has transparent data encryption enabled |
| BC_ALI_GENERAL_16 | Ensure Alibaba Cloud RDS instance has log_connections enabled |
| BC_ALI_GENERAL_8 | Ensure Alibaba Cloud KMS key rotation is enabled |
| BC_ALI_GENERAL_9 | Ensure Alibaba Cloud RAM enforces MFA |
| BC_ALI_IAM_10 | Ensure Alibaba Cloud RAM enforces MFA |
| BC_ALI_KUBERNETES_2 | Ensure Alibaba Cloud Kubernetes node pools are set to auto repair |
| BC_ALI_NETWORKING_5 | Ensure Alibaba Cloud ALB ACL restricts public access |
| BC_ALI_NETWORKING_6 | Ensure Alibaba Cloud MongoDB instance uses SSL |
| BC_ALI_NETWORKING_7 | Ensure Alibaba Cloud MongoDB instance is not public |
| BC_ALI_NETWORKING_8 | Ensure Alibaba Cloud MongoDB is deployed inside a VPC |
| BC_ALI_NETWORKING_9 | Ensure Alibaba Cloud cipher policy is secured |
| BC_AWS_GENERAL_113 | Ensure AWS MQ Broker minor version updates are enabled |
| BC_AWS_GENERAL_114 | Ensure AWS CodeCommit is associated with an approval rule |
| BC_AWS_GENERAL_115 | Ensure AWS Kinesis Firehose delivery streams are encrypted with a CMK |
| BC_AWS_GENERAL_116 | Ensure AWS FSx OpenZFS file system is encrypted by AWS Key Management Service (KMS) using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_117 | Ensure AWS DLM cross-region events are encrypted with a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_118 | Ensure AWS RDS uses a modern CA certificate |
| BC_AWS_GENERAL_119 | Ensure AWS CloudSearch uses HTTPS |
| BC_AWS_GENERAL_120 | Ensure AWS MQ Broker version is up to date |
| BC_AWS_GENERAL_121 | Ensure AWS DB instance gets all minor upgrades automatically |
| BC_AWS_GENERAL_122 | Ensure AWS Key Management Service (KMS) key is enabled |
| BC_AWS_GENERAL_123 | Ensure AWS AMI copying uses a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_124 | Ensure AWS DLM cross-region schedules are encrypted using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_125 | Ensure AWS Batch job is not defined as a privileged container |
| BC_AWS_GENERAL_126 | Ensure AWS MemoryDB is encrypted at rest by AWS Key Management Service (KMS) using CMKs |
| BC_AWS_GENERAL_127 | Ensure AWS CodeArtifact domain is encrypted by KMS using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_128 | Ensure AWS API Gateway caching is enabled |
| BC_AWS_GENERAL_129 | Ensure AWS Terraform does not send SSM secrets to untrusted domains over HTTP |
| BC_AWS_GENERAL_130 | Ensure AWS RDS PostgreSQL instances use a non-vulnerable version of the log_fdw extension |
| BC_AWS_GENERAL_131 | Ensure AWS Redshift cluster is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_132 | Ensure AWS AuthType for Lambda function URLs is defined |
| BC_AWS_GENERAL_133 | Ensure AWS CodeCommit branch changes have at least 2 approvals |
| BC_AWS_GENERAL_134 | Ensure AWS CloudFront response header policy enforces Strict Transport Security |
| BC_AWS_GENERAL_135 | Ensure AWS CloudSearch uses the latest Transport Layer Security (TLS) version |
| BC_AWS_GENERAL_136 | Ensure AWS DLM cross-region schedules are encrypted |
| BC_AWS_GENERAL_137 | Ensure AWS Glue component is associated with a security configuration |
| BC_AWS_GENERAL_138 | Ensure AWS API Gateway domain uses a modern security policy |
| BC_AWS_GENERAL_139 | Ensure AWS AppSync is protected by WAF |
| BC_AWS_GENERAL_140 | Ensure AWS AppSync API cache is encrypted in transit |
| BC_AWS_GENERAL_141 | Ensure AWS DMS instance receives all minor updates automatically |
| BC_AWS_GENERAL_142 | Ensure AWS replicated backups are encrypted at rest by Key Management Service (KMS) using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_143 | Ensure AWS SSM Parameter is encrypted |
| BC_AWS_GENERAL_144 | Ensure AWS DAX cluster endpoint uses Transport Layer Security (TLS) |
| BC_AWS_GENERAL_145 | Ensure AWS API deployments enable Create before Destroy |
| BC_AWS_GENERAL_146 | Ensure AWS GuardDuty detector is enabled |
| BC_AWS_GENERAL_147 | Ensure AWS EBS volume is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_148 | Ensure AWS CloudFront distribution is enabled |
| BC_AWS_GENERAL_149 | Ensure AWS Image Builder distribution configuration encrypts the AMI by Key Management Service (KMS) using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_150 | Ensure AWS RDS cluster activity streams are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs) |
| BC_AWS_GENERAL_151 | Ensure AWS Elasticsearch domain uses an updated TLS policy |
| BC_AWS_GENERAL_152 | Ensure AWS API Gateway enables Create before Destroy |
| BC_AWS_GENERAL_153 | Ensure AWS AMIs are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs) |
| BC_AWS_GENERAL_154 | Ensure AWS Kinesis Firehose delivery stream is encrypted |
| BC_AWS_GENERAL_155 | Ensure all data stored in the AWS Elasticsearch domain is encrypted using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_156 | Ensure AWS AppSync API cache is encrypted at rest |
| BC_AWS_GENERAL_157 | Ensure AWS copied AMIs are encrypted |
| BC_AWS_GENERAL_158 | Ensure AWS cluster logging is encrypted using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_159 | Ensure AWS MQ Broker is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_160 | Ensure AWS CodePipeline artifact store is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_161 | Ensure AWS DLM cross-region events are encrypted |
| BC_AWS_GENERAL_162 | Ensure AWS Image Recipe EBS disks are encrypted using a Customer Managed Key (CMK) |
| BC_AWS_GENERAL_163 | Ensure AWS API Gateway method settings enable caching |
| BC_AWS_GENERAL_164 | Ensure AWS MemoryDB data is encrypted in transit |
| BC_AWS_GENERAL_165 | Ensure AWS AMI launch permissions are limited |
| BC_AWS_GENERAL_166 | Ensure AWS AppSync has field-level logs enabled |
| BC_AWS_GENERAL_167 | Ensure AWS MWAA environment has worker logs enabled |
| BC_AWS_GENERAL_168 | Ensure AWS MWAA environment has scheduler logs enabled |
| BC_AWS_GENERAL_169 | Ensure AWS AppSync logging is enabled |
| BC_AWS_GENERAL_170 | Ensure AWS MWAA environment has webserver logs enabled |
| BC_AWS_GENERAL_171 | Ensure AWS ECS cluster enables logging of ECS Exec |
| BC_AWS_GENERAL_172 | Ensure AWS CloudTrail logging is enabled |
| BC_AWS_GENERAL_173 | Ensure AWS ACM certificates have a logging preference set |
| BC_AWS_GENERAL_174 | Ensure AWS MQ Broker audit logging is enabled |
| BC_AWS_GENERAL_175 | Ensure AWS CloudTrail defines an SNS topic |
| BC_AWS_GENERAL_176 | Ensure AWS AppFlow flow uses Customer Managed Keys (CMKs) |
| BC_AWS_GENERAL_177 | Ensure AWS HTTP and HTTPS target groups define a health check |
| BC_AWS_GENERAL_178 | Ensure AWS Kendra index server-side encryption uses Customer Managed Keys (CMKs) |
| BC_AWS_GENERAL_179 | Ensure AWS AppFlow connector profile uses Customer Managed Keys (CMKs) |
| BC_AWS_GENERAL_180 | Ensure AWS RDS DB snapshot uses Customer Managed Keys (CMKs) |
| BC_AWS_GENERAL_181 | Ensure AWS Keyspaces table uses Customer Managed Keys (CMKs) |
| BC_AWS_IAM_68 | Ensure the AWS Execution Role ARN and Task Role ARN are different in ECS task definitions |
| BC_AWS_NETWORKING_67 | Ensure AWS security groups do not allow ingress from 0.0.0.0/0 to port 80 |
| BC_AWS_NETWORKING_68 | Ensure AWS ElastiCache security groups are defined |
| BC_AWS_NETWORKING_69 | Ensure AWS ACM certificate enables Create before Destroy |
| BC_AWS_NETWORKING_70 | Ensure AWS Elasticsearch does not use the default security group |
| BC_AWS_NETWORKING_71 | Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 21 |
| BC_AWS_NETWORKING_72 | Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 3389 |
| BC_AWS_NETWORKING_73 | Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 22 |
| BC_AWS_NETWORKING_74 | Ensure AWS RDS security groups are defined |
| BC_AWS_NETWORKING_75 | Ensure AWS ELB policy uses only secure protocols |
| BC_AWS_NETWORKING_76 | Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 20 |
| BC_AWS_NETWORKING_77 | Ensure AWS NAT Gateways are utilized for the default route |
| BC_AZR_GENERAL_82 | Ensure Azure Cognitive Services enables Customer Managed Keys (CMKs) for encryption |
| BC_AZR_GENERAL_83 | Ensure Azure client certificates are enforced for API Management |
| BC_AZR_GENERAL_84 | Ensure Azure virtual machine does not enable password authentication |
| BC_AZR_GENERAL_85 | Ensure Azure "Secure transfer required" feature is set to Enabled |
| BC_AZR_GENERAL_86 | Ensure Azure data exfiltration protection for Azure Synapse workspace is enabled |
| BC_AZR_GENERAL_87 | Ensure Azure PostgreSQL Flexible Server enables geo-redundant backups |
| BC_AZR_GENERAL_88 | Ensure Azure Machine Learning compute cluster minimum nodes is set to 0 |
| BC_AZR_GENERAL_89 | Ensure Azure Windows VM enables encryption |
| BC_AZR_GENERAL_90 | Ensure Azure built-in logging for Azure Function App is enabled |
| BC_AZR_GENERAL_91 | Ensure Azure SQL Server has default auditing policy configured |
| BC_AZR_GENERAL_92 | Ensure Azure PostgreSQL Database Server has log retention enabled |
| BC_AZR_IAM_3 | Ensure Azure Kubernetes Service (AKS) local admin account is disabled |
| BC_AZR_IAM_4 | Ensure Azure ACR admin account is disabled |
| BC_AZR_IAM_5 | Ensure Azure Cosmos DB has local authentication disabled |
| BC_AZR_IAM_6 | Ensure Azure Machine Learning compute cluster local authentication is disabled |
| BC_AZR_IAM_7 | Ensure Azure ACR disables anonymous image pulling |
| BC_AZR_NETWORKING_49 | Ensure Azure Databricks workspace is not public |
| BC_AZR_NETWORKING_50 | Ensure Azure web app redirects all HTTP traffic to HTTPS in Azure App Service slot |
| BC_AZR_NETWORKING_51 | Ensure Azure App Service slot uses the latest version of TLS encryption |
| BC_AZR_NETWORKING_52 | Ensure Azure PostgreSQL uses the latest version of TLS encryption |
| BC_AZR_NETWORKING_53 | Ensure Azure Machine Learning workspace is not publicly accessible |
| BC_AZR_NETWORKING_54 | Ensure Azure ACR is set to disable public networking |
| BC_AZR_NETWORKING_55 | Ensure Azure Function App uses the latest version of TLS encryption |
| BC_AZR_NETWORKING_56 | Ensure Azure Cognitive Services accounts disable public network access |
| BC_AZR_NETWORKING_57 | Ensure Azure HTTP (port 80) access from the internet is restricted |
| BC_AZR_NETWORKING_58 | Ensure Azure App Service slot has debugging disabled |
| BC_AZR_NETWORKING_59 | Ensure Azure Redis Cache uses the latest version of TLS encryption |
| BC_AZR_NETWORKING_60 | Ensure Azure AKS cluster nodes do not have public IP addresses |
| BC_AZR_NETWORKING_61 | Ensure Azure Spring Cloud API Portal public access is disabled |
| BC_AZR_NETWORKING_62 | Ensure Azure Spring Cloud API Portal is enabled for HTTPS |
| BC_DOCKER_GENERAL_10 | Ensure Docker WORKDIR values are absolute paths |
| BC_DOCKER_GENERAL_9 | Ensure Docker FROM alias is unique for multi-stage builds |
| BC_DOCKER_NETWORKING_1 | Ensure Docker APT is not used |
| BC_GCP_GENERAL_11 | Ensure GCP Memorystore for Redis uses in-transit encryption |
| BC_GCP_GENERAL_12 | Ensure GCP BigQuery tables are not anonymously or publicly accessible |
| BC_GCP_GENERAL_13 | Ensure GCP SQL database uses the latest major version |
| BC_GCP_GENERAL_14 | Ensure GCP Bigtable instances are encrypted with Customer Supplied Encryption Keys (CSEKs) |
| BC_GCP_GENERAL_15 | Ensure GCP Artifact Registry repositories are not anonymously or publicly accessible |
| BC_GCP_GENERAL_16 | Ensure GCP Spanner database is encrypted with Customer Supplied Encryption Keys (CSEKs) |
| BC_GCP_GENERAL_17 | Ensure GCP Container Registry repositories are not anonymously or publicly accessible |
| BC_GCP_GENERAL_18 | Ensure GCP Cloud KMS key rings are not anonymously or publicly accessible |
| BC_GCP_GENERAL_19 | Ensure GCP Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEKs) |
| BC_GCP_GENERAL_20 | Ensure GCP Dataproc clusters are not anonymously or publicly accessible |
| BC_GCP_GENERAL_21 | Ensure GCP Pub/Sub topics are not anonymously or publicly accessible |
| BC_GCP_GENERAL_22 | Ensure GCP Vertex AI datasets use a Customer Managed Key (CMK) |
| BC_GCP_GENERAL_23 | Ensure GCP Vertex AI instances are private |
| BC_GCP_GENERAL_24 | Ensure GCP Memorystore for Redis has AUTH enabled |
| BC_GCP_GENERAL_25 | Ensure GCP Vertex AI Metadata Store uses a Customer Managed Key (CMK) |
| BC_GCP_GENERAL_26 | Ensure GCP Pub/Sub topics are encrypted with Customer Supplied Encryption Keys (CSEKs) |
| BC_GCP_GENERAL_27 | Ensure GCP BigQuery tables are encrypted with Customer Supplied Encryption Keys (CSEKs) |
| BC_GCP_GENERAL_28 | Ensure GCP Dataflow jobs are encrypted with Customer Supplied Encryption Keys (CSEKs) |
| BC_GCP_GENERAL_29 | Ensure GCP Artifact Registry repositories are encrypted with Customer Supplied Encryption Keys (CSEKs) |
| BC_GCP_GENERAL_30 | Ensure GCP Cloud Run services are not anonymously or publicly accessible |
| BC_GCP_GENERAL_31 | Ensure GCP subnet has Private Google Access enabled |
| BC_GCP_GENERAL_32 | Ensure GCP BigQuery tables are encrypted with Customer Supplied Encryption Keys (CSEKs) |
| BC_GCP_GENERAL_33 | Ensure GCP Dataflow jobs are private |
| BC_GCP_GENERAL_34 | Ensure GCP KMS keys are protected from deletion |
| BC_GCP_GENERAL_35 | Ensure GCP Data Fusion instances are private |
| BC_GCP_GENERAL_36 | Ensure GCP Cloud Build workers are private |
| BC_GCP_GENERAL_37 | Ensure GCP Dataproc clusters do not have public IPs |
| BC_GCP_GENERAL_38 | Ensure GCP Data Fusion has Stackdriver monitoring enabled |
| BC_GCP_GENERAL_39 | Ensure GCP Cloud Storage has versioning enabled |
| BC_GCP_GENERAL_40 | Ensure GCP Data Fusion has Stackdriver logging enabled |
| BC_GCP_NETWORKING_15 | Ensure GCP compute firewall ingress does not allow unrestricted MySQL access |
| BC_GCP_NETWORKING_16 | Ensure GCP Private Google Access is enabled for IPv6 |
| BC_GCP_NETWORKING_17 | Ensure GCP compute firewall ingress does not allow unrestricted HTTP port 80 access |
| BC_GCP_NETWORKING_18 | Ensure GCP compute firewall ingress does not allow FTP (port 20) access |
| BC_GCP_NETWORKING_19 | Ensure GCP compute firewall ingress does not allow unrestricted FTP access |
| BC_OCI_NETWORKING_3 | Ensure OCI security list does not allow ingress from 0.0.0.0/0 to port 3389 |
| BC_OCI_NETWORKING_4 | Ensure OCI security group rules do not allow ingress from 0.0.0.0/0 to port 22 |
| BC_OCI_NETWORKING_5 | Ensure OCI security list does not allow ingress from 0.0.0.0/0 to port 22 |
| BC_OCI_NETWORKING_6 | Ensure OCI security group has stateless ingress security rules |
| BC_OPENSTACK_NETWORKING_3 | Ensure OpenStack firewall rule has destination IP configured |
| BC_OPENSTACK_SECRETS_2 | Ensure OpenStack instance does not use basic credentials |
| BC_ORG_GITHUB_4 | Ensure GitHub organization webhooks use HTTPS |
| BC_REPO_BITBUCKET_1 | Ensure Bitbucket pull requests require at least 2 approvals |
| BC_REPO_GITHUB_3 | Ensure GitHub repository webhooks use HTTPS |
| BC_REPO_GITHUB_4 | Ensure GitHub branch protection rules require linear history |
| BC_REPO_GITHUB_5 | Ensure the GitHub repository has at least 2 admins set |
| BC_REPO_GITHUB_6 | Ensure GitHub branch protection rules are enforced on administrators |
| BC_REPO_GITHUB_ACTION_5 | Ensure GitHub Actions artifact build has a cosign sign execution in the pipeline |
| BC_REPO_GITHUB_ACTION_6 | Ensure GitHub Actions artifact build has SBOM attestation in the pipeline |
| BC_REPO_GITHUB_ACTION_7 | Ensure GitHub Actions workflows do not contain workflow_dispatch input parameters |
| BC_REPO_GITHUB_TF_1 | Ensure GitHub repository webhook uses secure SSL |
| BC_REPO_GITHUB_TF_2 | Ensure GitHub repository is private |
| BC_REPO_GITHUB_TF_3 | Ensure GitHub repository has vulnerability alerts enabled |
| BC_REPO_GITHUB_TF_4 | Ensure GitHub repository requires GPG signatures for all commits |
| BC_REPO_GITHUB_TF_5 | Ensure GitHub pull requests have at least 2 approvals |
| BC_REPO_GITHUB_TF_6 | Ensure GitHub Actions secrets are encrypted |
| BC_REPO_GITLAB_TF_1 | Ensure GitLab branch protection rules do not allow force pushes |
| BC_REPO_GITLAB_TF_2 | Ensure GitLab project merge has at least 2 approvals |
| BC_REPO_GITLAB_TF_3 | Ensure GitLab project prevents secrets |
| BC_REPO_GITLAB_TF_4 | Ensure GitLab project commits are signed |