190 New Policies 🛂
5 months ago by Gilad Mark
Bridgecrew added 190 new out-of-the-box policies across all supported providers.
Policy ID | Policy name |
---|---|
BC_ALI_GENERAL_10 | Ensure Alibaba Cloud RDS instance is set to perform auto upgrades for minor versions |
BC_ALI_GENERAL_11 | Ensure Alibaba Cloud RDS instance has log_duration enabled |
BC_ALI_GENERAL_12 | Ensure Alibaba Cloud launch template data disks are encrypted |
BC_ALI_GENERAL_13 | Ensure Alibaba Cloud RDS instance has log_disconnections enabled |
BC_ALI_GENERAL_14 | Ensure Alibaba Cloud RDS log audit is enabled |
BC_ALI_GENERAL_15 | Ensure Alibaba Cloud MongoDB has transparent data encryption enabled |
BC_ALI_GENERAL_16 | Ensure Alibaba RDS instance has log_connections enabled |
BC_ALI_GENERAL_8 | Ensure Alibaba Cloud KMS Key Rotation is enabled |
BC_ALI_GENERAL_9 | Ensure Alibaba Cloud RAM enforces MFA |
BC_ALI_IAM_10 | Ensure Alibaba Cloud RAM enforces MFA |
BC_ALI_KUBERNETES_2 | Ensure Alibaba Cloud Kubernetes node pools are set to auto repair |
BC_ALI_NETWORKING_5 | Ensure Alibaba Cloud ALB ACL restricts public access |
BC_ALI_NETWORKING_6 | Ensure Alibaba Cloud MongoDB instance uses SSL |
BC_ALI_NETWORKING_7 | Ensure Alibaba Cloud MongoDB instance is not public |
BC_ALI_NETWORKING_8 | Ensure Alibaba Cloud MongoDB is deployed inside a VPC |
BC_ALI_NETWORKING_9 | Ensure Alibaba Cloud Cypher Policy is secured |
BC_AWS_GENERAL_113 | Ensure AWS MQBroker's minor version updates are enabled |
BC_AWS_GENERAL_114 | Ensure AWS CodeCommit is associated with an approval rule |
BC_AWS_GENERAL_115 | Ensure AWS Kinesis Firehose Delivery Streams are encrypted with CMK |
BC_AWS_GENERAL_116 | Ensure AWS FSx OpenZFS file system is encrypted by AWS Key Management Service (KMS) using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_117 | Ensure AWS DLM cross-region events are encrypted with a Customer Managed Key (CMK) |
BC_AWS_GENERAL_118 | Ensure AWS RDS uses a modern CA certificate |
BC_AWS_GENERAL_119 | Ensure AWS CloudSearch uses HTTPS |
BC_AWS_GENERAL_120 | Ensure AWS MQBroker version is up to date |
BC_AWS_GENERAL_121 | Ensure AWS DB instance gets all minor upgrades automatically |
BC_AWS_GENERAL_122 | Ensure AWS Key Management Service (KMS) key is enabled |
BC_AWS_GENERAL_123 | Ensure AWS AMI copying uses a Customer Managed Key (CMK) |
BC_AWS_GENERAL_124 | Ensure AWS DLM cross-region schedules are encrypted using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_125 | Ensure AWS Batch Job is not defined as a privileged container |
BC_AWS_GENERAL_126 | Ensure AWS MemoryDB is encrypted at rest by AWS Key Management Service (KMS) using Customer Managed Keys (CMKs) |
BC_AWS_GENERAL_127 | Ensure AWS CodeArtifact Domain is encrypted by KMS using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_128 | Ensure AWS API Gateway caching is enabled |
BC_AWS_GENERAL_129 | Ensure AWS Terraform does not send SSM secrets to untrusted domains over HTTP |
BC_AWS_GENERAL_130 | Ensure AWS RDS PostgreSQL instances use a non-vulnerable version of log_fdw extension |
BC_AWS_GENERAL_131 | Ensure AWS Redshift Cluster is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_132 | Ensure AWS AuthType for your Lambda function URLs is defined |
BC_AWS_GENERAL_133 | Ensure AWS CodeCommit branch changes have at least 2 approvals |
BC_AWS_GENERAL_134 | Ensure AWS CloudFront response header policy enforces Strict Transport Security |
BC_AWS_GENERAL_135 | Ensure AWS CloudSearch uses the latest Transport Layer Security (TLS) version |
BC_AWS_GENERAL_136 | Ensure AWS DLM-cross region schedules are encrypted |
BC_AWS_GENERAL_137 | Ensure AWS Glue component is associated with a security configuration |
BC_AWS_GENERAL_138 | Ensure AWS API Gateway Domain uses a modern security policy |
BC_AWS_GENERAL_139 | Ensure AWS AppSync is protected by WAF |
BC_AWS_GENERAL_140 | Ensure AWS AppSync API Cache is encrypted in transit |
BC_AWS_GENERAL_141 | Ensure AWS DMS instance receives all minor updates automatically |
BC_AWS_GENERAL_142 | Ensure AWS replicated backups are encrypted at rest by Key Management Service (KMS) using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_143 | Ensure AWS SSM Parameter is encrypted |
BC_AWS_GENERAL_144 | Ensure AWS DAX cluster endpoint uses Transport Layer Security (TLS) |
BC_AWS_GENERAL_145 | Ensure AWS API deployments enable Create before Destroy |
BC_AWS_GENERAL_146 | Ensure AWS GuardDuty detector is enabled |
BC_AWS_GENERAL_147 | Ensure AWS EBS Volume is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_148 | Ensure AWS CloudFront distribution is enabled |
BC_AWS_GENERAL_149 | Ensure AWS Image Builder Distribution Configuration is encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_150 | Ensure AWS RDS Cluster activity streams are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs) |
BC_AWS_GENERAL_151 | Ensure AWS Elasticsearch domain uses an updated TLS policy |
BC_AWS_GENERAL_152 | Ensure AWS API Gateway enables Create before Destroy |
BC_AWS_GENERAL_153 | Ensure AWS AMIs are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs) |
BC_AWS_GENERAL_154 | Ensure AWS Kinesis Firehose's delivery stream is encrypted |
BC_AWS_GENERAL_155 | Ensure all data stored in the AWS Elasticsearch domain is encrypted using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_156 | Ensure AWS AppSync API Cache is encrypted at rest |
BC_AWS_GENERAL_157 | Ensure AWS copied AMIs are encrypted |
BC_AWS_GENERAL_158 | Ensure AWS cluster logging is encrypted using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_159 | Ensure AWS MQBroker is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_160 | Ensure AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_161 | Ensure AWS DLM cross-region events are encrypted |
BC_AWS_GENERAL_162 | Ensure AWS Image Recipe EBS Disks are encrypted using a Customer Managed Key (CMK) |
BC_AWS_GENERAL_163 | Ensure AWS API Gateway method settings enable caching |
BC_AWS_GENERAL_164 | Ensure AWS MemoryDB data is encrypted in transit |
BC_AWS_GENERAL_165 | Ensure AWS AMI launch permissions are limited |
BC_AWS_GENERAL_166 | Ensure AWS AppSync has field-level logs enabled |
BC_AWS_GENERAL_167 | Ensure AWS MWAA environment has worker logs enabled |
BC_AWS_GENERAL_168 | Ensure AWS MWAA environment has scheduler logs enabled |
BC_AWS_GENERAL_169 | Ensure AWS AppSync's logging is enabled |
BC_AWS_GENERAL_170 | Ensure AWS MWAA environment has webserver logs enabled |
BC_AWS_GENERAL_171 | Ensure AWS ECS Cluster enables logging of ECS Exec |
BC_AWS_GENERAL_172 | Ensure AWS CloudTrail logging is enabled |
BC_AWS_GENERAL_173 | Ensure AWS ACM certificates have a logging preference |
BC_AWS_GENERAL_174 | Ensure AWS MQBroker audit logging is enabled |
BC_AWS_GENERAL_175 | Ensure AWS CloudTrail defines an SNS Topic |
BC_AWS_GENERAL_176 | Ensure AWS App Flow flow uses Customer Managed Keys (CMKs) |
BC_AWS_GENERAL_177 | Ensure AWS HTTP and HTTPS target groups define health check |
BC_AWS_GENERAL_178 | Ensure AWS Kendra index server side encryption uses Customer Managed Keys (CMKs) |
BC_AWS_GENERAL_179 | Ensure AWS App Flow connector profile uses Customer Managed Keys (CMKs) |
BC_AWS_GENERAL_180 | Ensure AWS RDS DB snapshot uses Customer Managed Keys (CMKs) |
BC_AWS_GENERAL_181 | Ensure AWS Keyspace Table uses Customer Managed Keys (CMKs) |
BC_AWS_IAM_68 | Ensure the AWS Execution Role ARN and Task Role ARN are different in ECS Task definitions |
BC_AWS_NETWORKING_67 | Ensure AWS security groups do not allow ingress from 0.0.0.0/0 to port 80 |
BC_AWS_NETWORKING_68 | Ensure AWS ElastiCache security groups are defined |
BC_AWS_NETWORKING_69 | Ensure AWS ACM certificate enables Create before Destroy |
BC_AWS_NETWORKING_70 | Ensure AWS Elasticsearch does not use the default security group |
BC_AWS_NETWORKING_71 | Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 21 |
BC_AWS_NETWORKING_72 | Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 3389 |
BC_AWS_NETWORKING_73 | Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 22 |
BC_AWS_NETWORKING_74 | Ensure AWS RDS security groups are defined |
BC_AWS_NETWORKING_75 | Ensure AWS ELB Policy uses only secure protocols |
BC_AWS_NETWORKING_76 | Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 20 |
BC_AWS_NETWORKING_77 | Ensure AWS NAT Gateways are utilized for the default route |
BC_AZR_GENERAL_82 | Ensure Azure Cognitive Services enables Customer Managed Keys (CMKs) for encryption |
BC_AZR_GENERAL_83 | Ensure Azure Client Certificates are enforced for API management |
BC_AZR_GENERAL_84 | Ensure Azure Virtual machine does not enable password authentication |
BC_AZR_GENERAL_85 | Ensure Azure "Secure transfer required" feature is set to Enabled |
BC_AZR_GENERAL_86 | Ensure Azure data exfiltration protection for Azure Synapse workspace is enabled |
BC_AZR_GENERAL_87 | Ensure Azure PostgreSQL Flexible Server enables geo-redundant backups |
BC_AZR_GENERAL_88 | Ensure Azure Machine Learning Compute Cluster Minimum Nodes is set to 0 |
BC_AZR_GENERAL_89 | Ensure Azure Windows VM enables encryption |
BC_AZR_GENERAL_90 | Ensure Azure built-in logging for Azure function app is enabled |
BC_AZR_GENERAL_91 | Ensure Azure SQL Server has default auditing policy configured |
BC_AZR_GENERAL_92 | Ensure Azure PostgreSQL Database Server has log retention enabled |
BC_AZR_IAM_3 | Ensure Azure Kubernetes Service (AKS) local admin account is disabled |
BC_AZR_IAM_4 | Ensure Azure ACR admin account is disabled |
BC_AZR_IAM_5 | Ensure Azure CosmosDB has Local Authentication disabled |
BC_AZR_IAM_6 | Ensure Azure Machine Learning Compute Cluster Local Authentication is disabled |
BC_AZR_IAM_7 | Ensure Azure ACR disables anonymous image pulling |
BC_AZR_NETWORKING_49 | Ensure Azure Databricks workspace is not public |
BC_AZR_NETWORKING_50 | Ensure Azure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot |
BC_AZR_NETWORKING_51 | Ensure Azure App's service slot uses the latest version of TLS encryption |
BC_AZR_NETWORKING_52 | Ensure Azure PostgreSQL uses the latest version of TLS encryption |
BC_AZR_NETWORKING_53 | Ensure Azure Machine Learning Workspace is not publicly accessible |
BC_AZR_NETWORKING_54 | Ensure Azure ACR is set to disable public networking |
BC_AZR_NETWORKING_55 | Ensure Azure Function app uses the latest version of TLS encryption |
BC_AZR_NETWORKING_56 | Ensure Azure Cognitive Services accounts disable public network access |
BC_AZR_NETWORKING_57 | Ensure Azure HTTP (port 80) access from the internet is restricted |
BC_AZR_NETWORKING_58 | Ensure Azure App service slot has debugging disabled |
BC_AZR_NETWORKING_59 | Ensure Azure Redis Cache uses the latest version of TLS encryption |
BC_AZR_NETWORKING_60 | Ensure Azure AKS cluster nodes do not have public IP addresses |
BC_AZR_NETWORKING_61 | Ensure Azure Spring Cloud API Portal Public Access is disabled |
BC_AZR_NETWORKING_62 | Ensure Azure Spring Cloud API Portal is enabled for HTTPS |
BC_DOCKER_GENERAL_10 | Ensure Docker WORKDIR values are absolute paths |
BC_DOCKER_GENERAL_9 | Ensure Docker FROM alias is unique for multistage builds |
BC_DOCKER_NETWORKING_1 | Ensure Docker APT is not used |
BC_GCP_GENERAL_11 | Ensure GCP Memorystore for Redis uses in-transit encryption |
BC_GCP_GENERAL_12 | Ensure GCP BigQuery Tables are not anonymously or publicly accessible |
BC_GCP_GENERAL_13 | Ensure GCP SQL database uses the latest major version |
BC_GCP_GENERAL_14 | Ensure GCP Bigtable Instances are encrypted with Customer Supplied Encryption Keys (CSEKs) |
BC_GCP_GENERAL_15 | Ensure GCP Artifact Registry repositories are not anonymously or publicly accessible |
BC_GCP_GENERAL_16 | Ensure GCP Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEKs) |
BC_GCP_GENERAL_17 | Ensure GCP Container Registry repositories are not anonymously or publicly accessible |
BC_GCP_GENERAL_18 | Ensure GCP Cloud KMS Key Rings are not anonymously or publicly accessible |
BC_GCP_GENERAL_19 | Ensure GCP Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEKs) |
BC_GCP_GENERAL_20 | Ensure GCP Dataproc clusters are not anonymously or publicly accessible |
BC_GCP_GENERAL_21 | Ensure GCP Pub/Sub Topics are not anonymously or publicly accessible |
BC_GCP_GENERAL_22 | Ensure GCP Vertex AI datasets use a Customer Managed Key (CMK) |
BC_GCP_GENERAL_23 | Ensure GCP Vertex AI instances are private |
BC_GCP_GENERAL_24 | Ensure GCP Memorystore for Redis has AUTH enabled |
BC_GCP_GENERAL_25 | Ensure GCP Vertex AI Metadata Store uses a Customer Managed Key (CMK) |
BC_GCP_GENERAL_26 | Ensure GCP Pub/Sub Topics are encrypted with Customer Supplied Encryption Keys (CSEKs) |
BC_GCP_GENERAL_27 | Ensure GCP BigQuery Tables are encrypted with Customer Supplied Encryption Keys (CSEKs) |
BC_GCP_GENERAL_28 | Ensure GCP Dataflow jobs are encrypted with Customer Supplied Encryption Keys (CSEKs) |
BC_GCP_GENERAL_29 | Ensure GCP Artifact Registry repositories are encrypted with Customer Supplied Encryption Keys (CSEKs) |
BC_GCP_GENERAL_30 | Ensure GCP Cloud Run services are not anonymously or publicly accessible |
BC_GCP_GENERAL_31 | Ensure GCP subnet has Private Google Access enabled |
BC_GCP_GENERAL_32 | Ensure GCP BigQuery Tables are encrypted with Customer Supplied Encryption Keys (CSEKs) |
BC_GCP_GENERAL_33 | Ensure GCP Dataflow jobs are private |
BC_GCP_GENERAL_34 | Ensure GCP KMS keys are protected from deletion |
BC_GCP_GENERAL_35 | Ensure GCP Data Fusion instances are private |
BC_GCP_GENERAL_36 | Ensure GCP Cloud Build workers are private |
BC_GCP_GENERAL_37 | Ensure GCP Dataproc Clusters do not have public IPs |
BC_GCP_GENERAL_38 | Ensure GCP Data Fusion has Stackdriver monitoring enabled |
BC_GCP_GENERAL_39 | Ensure GCP Cloud storage has versioning enabled |
BC_GCP_GENERAL_40 | Ensure GCP Data Fusion has Stackdriver logging enabled |
BC_GCP_NETWORKING_15 | Ensure GCP compute firewall ingress does not allow unrestricted MySQL access |
BC_GCP_NETWORKING_16 | Ensure GCP Private Google Access is enabled for IPv6 |
BC_GCP_NETWORKING_17 | Ensure GCP compute firewall ingress does not allow unrestricted HTTP port 80 access |
BC_GCP_NETWORKING_18 | Ensure GCP compute firewall ingress does not allow FTP port (20) access |
BC_GCP_NETWORKING_19 | Ensure GCP compute firewall ingress does not allow unrestricted FTP access |
BC_OCI_NETWORKING_3 | Ensure OCI security list does not allow ingress from 0.0.0.0/0 to port 3389 |
BC_OCI_NETWORKING_4 | Ensure OCI security group rules do not allow ingress from 0.0.0.0/0 to port 22 |
BC_OCI_NETWORKING_5 | Ensure OCI security list does not allow ingress from 0.0.0.0/0 to port 22 |
BC_OCI_NETWORKING_6 | Ensure OCI security group has stateless ingress security rules |
BC_OPENSTACK_NETWORKING_3 | Ensure OpenStack firewall rule has destination IP configured |
BC_OPENSTACK_SECRETS_2 | Ensure OpenStack instance does not use basic credentials |
BC_ORG_GITHUB_4 | Ensure GitHub organization webhooks use HTTPS |
BC_REPO_BITBUCKET_1 | Ensure BitBucket pull requests require at least 2 approvals |
BC_REPO_GITHUB_3 | Ensure GitHub repository webhooks use HTTPS |
BC_REPO_GITHUB_4 | Ensure GitHub branch protection rules require linear history |
BC_REPO_GITHUB_5 | Ensure the GitHub repository has at least 2 admins set |
BC_REPO_GITHUB_6 | Ensure GitHub branch protection rules are enforced on administrators |
BC_REPO_GITHUB_ACTION_5 | Ensure GitHub Actions artifact build has a cosign sign execution in the pipeline |
BC_REPO_GITHUB_ACTION_6 | Ensure GitHub Actions artifact build has SBOM attestation in pipeline |
BC_REPO_GITHUB_ACTION_7 | Ensure GitHub Actions workflows do not contain workflow_dispatch input parameters |
BC_REPO_GITHUB_TF_1 | Ensure GitHub repository webhook uses a secure SSL |
BC_REPO_GITHUB_TF_2 | Ensure GitHub repository is private |
BC_REPO_GITHUB_TF_3 | Ensure GitHub repository has vulnerability alerts enabled |
BC_REPO_GITHUB_TF_4 | Ensure GitHub repository has GPG signatures for all commits |
BC_REPO_GITHUB_TF_5 | Ensure GitHub pull requests have at least 2 approvals |
BC_REPO_GITHUB_TF_6 | Ensure GitHub Actions secrets are encrypted |
BC_REPO_GITLAB_TF_1 | Ensure GitLab branch protection rules do not allow force pushes |
BC_REPO_GITLAB_TF_2 | Ensure GitLab project merge has at least 2 approvals |
BC_REPO_GITLAB_TF_3 | Ensure GitLab project prevents secrets |
BC_REPO_GITLAB_TF_4 | Ensure GitLab project commits are signed |