240 New Policies 🛂

Bridgecrew added 240 new out-of-the-box policies across all supported providers, including Dockerfiles.

This release increases Bridgecrew's coverage of up-to-date CIS and other benchmarks for IaC templates.

As part of this release, we added 50 context-aware policies. Rather than inspecting a single resource's attributes in isolation, these policies inspect the IaC state for connections between resources that have specific attributes. Examples include "Ensure that only encrypted EBS volumes are attached to EC2 instances", "Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible", "Ensure that IAM groups include at least one IAM user", and many more.
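To make the distinction between an attribute check and a context-aware check concrete, here is an added illustration (not Bridgecrew's or Checkov's code) that evaluates two of the policies named above, BC_AWS_GENERAL_60 (only encrypted EBS volumes attached to EC2 instances) and BC_AWS_IAM_61 (IAM groups include at least one user), over a constructed, simplified resource model. The `Resource`/`ResourceGraph` classes, the reference-detection rule (any string of the form `type.name.attr` that names another resource) and the sample resources are assumptions made for this example; real HCL parsing is out of scope.

```python
"""Context-aware IaC checks: evaluate a resource together with the resources
connected to it. Added example, not Bridgecrew's or Checkov's implementation.
The resource model below is a constructed stand-in for parsed Terraform."""
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class Resource:
    rtype: str            # e.g. "aws_instance"
    name: str             # e.g. "web"
    attrs: dict = field(default_factory=dict)

    @property
    def address(self) -> str:
        return f"{self.rtype}.{self.name}"


def _values(obj) -> Iterable:
    """Yield every leaf value in a nested dict/list attribute block."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _values(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _values(v)
    else:
        yield obj


class ResourceGraph:
    """Resources plus the edges implied by attribute references such as
    'aws_ebs_volume.db_data.id'. Edges are stored in both directions so a
    policy can walk from an instance to its attachment and on to the volume."""

    def __init__(self, resources):
        self.by_address = {r.address: r for r in resources}
        self.edges = set()
        for r in resources:
            for v in _values(r.attrs):
                if not isinstance(v, str):
                    continue
                parts = v.split(".")
                target = ".".join(parts[:2])
                # Assumption for this example: a reference is "type.name.attr"
                # whose "type.name" prefix is a known resource address.
                if len(parts) >= 3 and target in self.by_address:
                    self.edges.add((r.address, target))
                    self.edges.add((target, r.address))

    def of_type(self, rtype):
        return [r for r in self.by_address.values() if r.rtype == rtype]

    def neighbours(self, address, rtype):
        """Directly connected resources of the given type."""
        return [self.by_address[b] for (a, b) in sorted(self.edges)
                if a == address and self.by_address[b].rtype == rtype]


def check_encrypted_ebs_attached(graph: ResourceGraph) -> dict:
    """BC_AWS_GENERAL_60-style check, reported per EC2 instance: every EBS volume
    reached via an aws_volume_attachment must have encrypted = true. A missing
    'encrypted' attribute is treated as unencrypted (Terraform's default)."""
    results = {}
    for inst in graph.of_type("aws_instance"):
        bad = [vol.address
               for att in graph.neighbours(inst.address, "aws_volume_attachment")
               for vol in graph.neighbours(att.address, "aws_ebs_volume")
               if vol.attrs.get("encrypted") is not True]
        results[inst.address] = "FAILED" if bad else "PASSED"
    return results


def check_iam_group_has_user(graph: ResourceGraph) -> dict:
    """BC_AWS_IAM_61-style check, reported per IAM group: at least one
    aws_iam_group_membership connected to the group must list a user."""
    results = {}
    for grp in graph.of_type("aws_iam_group"):
        memberships = graph.neighbours(grp.address, "aws_iam_group_membership")
        has_user = any(m.attrs.get("users") for m in memberships)
        results[grp.address] = "PASSED" if has_user else "FAILED"
    return results


# Constructed sample state: one compliant and one non-compliant case per policy.
SAMPLE = [
    Resource("aws_instance", "web", {"ami": "ami-PLACEHOLDER", "instance_type": "t3.micro"}),
    Resource("aws_instance", "db", {"ami": "ami-PLACEHOLDER", "instance_type": "t3.micro"}),
    Resource("aws_ebs_volume", "web_data", {"size": 20, "encrypted": True}),
    Resource("aws_ebs_volume", "db_data", {"size": 100}),        # encrypted not set
    Resource("aws_volume_attachment", "web_att", {"device_name": "/dev/sdf",
             "volume_id": "aws_ebs_volume.web_data.id", "instance_id": "aws_instance.web.id"}),
    Resource("aws_volume_attachment", "db_att", {"device_name": "/dev/sdf",
             "volume_id": "aws_ebs_volume.db_data.id", "instance_id": "aws_instance.db.id"}),
    Resource("aws_iam_user", "alice", {}),
    Resource("aws_iam_group", "admins", {}),
    Resource("aws_iam_group", "empty", {}),
    Resource("aws_iam_group_membership", "admins_members",
             {"group": "aws_iam_group.admins.name", "users": ["aws_iam_user.alice.name"]}),
]


def run_all(resources) -> dict:
    graph = ResourceGraph(resources)
    return {"BC_AWS_GENERAL_60": check_encrypted_ebs_attached(graph),
            "BC_AWS_IAM_61": check_iam_group_has_user(graph)}


if __name__ == "__main__":
    for policy, outcome in run_all(SAMPLE).items():
        for address, status in outcome.items():
            print(f"{policy}\t{address}\t{status}")
```

The point of walking the graph is where the finding lands: a plain attribute check on `aws_ebs_volume` would flag `db_data` whether or not it is attached to anything, whereas the context-aware check reports `aws_instance.db` as the failing resource and ignores encrypted-but-unattached or unattached-and-unencrypted volumes, which is what the policy title actually promises.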


List of new policies

| BC ID | Policy Name |
|---|---|
| BC_AWS_GENERAL_44 | Ensure that Auto Scaling is enabled on your DynamoDB tables |
| BC_AWS_GENERAL_45 | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on |
| BC_AWS_GENERAL_46 | Ensure that RDS instances have a backup policy |
| BC_AWS_GENERAL_47 | Ensure that Redshift clusters have a backup plan in AWS Backup |
| BC_AWS_GENERAL_48 | Ensure that Elastic File System (Amazon EFS) file systems are added to the backup plans of AWS Backup |
| BC_AWS_GENERAL_49 | Ensure that RDS clusters have a backup plan in AWS Backup |
| BC_AWS_GENERAL_50 | Ensure that EBS volumes are added to the backup plans of AWS Backup |
| BC_AWS_GENERAL_51 | Ensure KMS keys have a rotation policy |
| BC_AWS_GENERAL_52 | Ensure that DynamoDB tables are encrypted |
| BC_AWS_GENERAL_53 | Ensure that ECR repositories are encrypted |
| BC_AWS_GENERAL_54 | Ensure that RDS global clusters are encrypted |
| BC_AWS_GENERAL_55 | Ensure that Redshift cluster is encrypted by KMS |
| BC_AWS_GENERAL_56 | Ensure that S3 buckets are encrypted with KMS by default |
| BC_AWS_GENERAL_6 | Ensure that point-in-time recovery is enabled for Amazon DynamoDB tables |
| BC_AWS_GENERAL_60 | Ensure that only encrypted EBS volumes are attached to EC2 instances |
| BC_AWS_GENERAL_61 | Ensure that Load Balancer has deletion protection enabled |
| BC_AWS_GENERAL_62 | Ensure that EMR clusters have Kerberos enabled |
| BC_AWS_GENERAL_63 | Ensure that AWS Lambda function is configured for function-level concurrent execution limit |
| BC_AWS_GENERAL_64 | Ensure that AWS Lambda function is configured for a Dead Letter Queue (DLQ) |
| BC_AWS_GENERAL_65 | Ensure that AWS Lambda function is configured inside a VPC |
| BC_AWS_GENERAL_66 | Ensure GuardDuty is enabled for the specific org/region |
| BC_AWS_GENERAL_67 | Ensure that Elastic Load Balancer(s) use SSL certificates provided by AWS Certificate Manager |
| BC_AWS_GENERAL_68 | Ensure that EC2 is EBS optimized |
| BC_AWS_GENERAL_69 | Ensure that RDS clusters and instances have deletion protection enabled |
| BC_AWS_GENERAL_70 | Ensure that Redshift cluster allows version upgrade by default |
| BC_AWS_GENERAL_71 | Ensure that S3 bucket has lock configuration enabled by default |
| BC_AWS_GENERAL_72 | Ensure that S3 bucket has cross-region replication enabled |
| BC_AWS_IAM_54 | Ensure IAM policies do not allow credentials exposure |
| BC_AWS_IAM_55 | Ensure IAM policies do not allow data exfiltration |
| BC_AWS_IAM_56 | Ensure IAM policies do not allow permissions management / resource exposure without constraint |
| BC_AWS_IAM_57 | Ensure IAM policies do not allow write access without constraint |
| BC_AWS_IAM_59 | Ensure that Amazon RDS clusters and instances have AWS Identity and Access Management (IAM) authentication enabled |
| BC_AWS_IAM_60 | Ensure that the respective logs of Amazon Relational Database Service (Amazon RDS) are enabled |
| BC_AWS_IAM_61 | Ensure that IAM groups include at least one IAM user |
| BC_AWS_IAM_62 | Ensure that all IAM users are members of at least one IAM group |
| BC_AWS_KUBERNETES_6 | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS |
| BC_AWS_LOGGING_25 | Ensure that CloudFormation stacks are sending event notifications to an SNS topic |
| BC_AWS_LOGGING_26 | Ensure that detailed monitoring is enabled for EC2 instances |
| BC_AWS_LOGGING_27 | Ensure CloudTrail trails are integrated with CloudWatch Logs |
| BC_AWS_LOGGING_28 | Ensure that enhanced monitoring is enabled for Amazon RDS instances |
| BC_AWS_LOGGING_29 | Ensure API Gateway stages have a logging level defined as appropriate |
| BC_AWS_LOGGING_5 | Ensure AWS Config is enabled in all regions |
| BC_AWS_LOGGING_9 | Ensure VPC flow logging is enabled in all VPCs |
| BC_AWS_NETWORKING_38 | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance |
| BC_AWS_NETWORKING_39 | Ensure that VPC Endpoint Service is configured for Manual Acceptance |
| BC_AWS_NETWORKING_4 | Ensure the default security group of every VPC restricts all traffic |
| BC_AWS_NETWORKING_40 | Ensure that Amazon EMR clusters' security groups are not open to the world |
| BC_AWS_NETWORKING_41 | Ensure that ALB drops HTTP headers |
| BC_AWS_NETWORKING_42 | Ensure that Elasticsearch is configured inside a VPC |
| BC_AWS_NETWORKING_43 | Ensure that ELB has cross-zone load balancing enabled |
| BC_AWS_NETWORKING_44 | Ensure that Amazon Redshift clusters are not publicly accessible |
| BC_AWS_NETWORKING_46 | Ensure that Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks |
| BC_AWS_NETWORKING_47 | Ensure that EC2 instances belong to a VPC |
| BC_AWS_NETWORKING_48 | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances |
| BC_AWS_NETWORKING_49 | Ensure that ALB redirects HTTP requests into HTTPS ones |
| BC_AWS_NETWORKING_50 | Ensure that all NACLs are attached to subnets |
| BC_AWS_NETWORKING_51 | Ensure that Security Groups are attached to EC2 instances or elastic network interfaces (ENIs) |
| BC_AWS_NETWORKING_52 | S3 Bucket Should Have Public Access Blocks |
| BC_AZR_GENERAL_15 | Ensure FTP deployments are disabled |
| BC_AZR_GENERAL_16 | Ensure that PostgreSQL server enables geo-redundant backups |
| BC_AZR_GENERAL_17 | Ensure that key vault key is backed by HSM |
| BC_AZR_GENERAL_18 | Ensure that MariaDB server enables geo-redundant backups |
| BC_AZR_GENERAL_19 | Ensure that MySQL server enables geo-redundant backups |
| BC_AZR_GENERAL_20 | Ensure that virtual machines are backed up using Azure Backup |
| BC_AZR_GENERAL_21 | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest |
| BC_AZR_GENERAL_22 | Ensure that Data Lake Store accounts enable encryption |
| BC_AZR_GENERAL_24 | Ensure that PostgreSQL server enables infrastructure encryption |
| BC_AZR_GENERAL_25 | Ensure that Automation account variables are encrypted |
| BC_AZR_GENERAL_26 | Ensure that Azure Data Explorer uses disk encryption |
| BC_AZR_GENERAL_27 | Ensure that Azure Data Explorer uses double encryption |
| BC_AZR_GENERAL_28 | Ensure that Azure Batch account uses key vault to encrypt data |
| BC_AZR_GENERAL_29 | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption |
| BC_AZR_GENERAL_30 | Ensure that MySQL server enables infrastructure encryption |
| BC_AZR_GENERAL_31 | Ensure that Virtual Machine Scale Sets have encryption at host enabled |
| BC_AZR_GENERAL_32 | Ensure storage for critical data is encrypted with a Customer Managed Key |
| BC_AZR_GENERAL_33 | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key |
| BC_AZR_GENERAL_34 | Ensure that unattached disks are encrypted |
| BC_AZR_GENERAL_35 | Ensure that Azure data factories are encrypted with a customer-managed key |
| BC_AZR_GENERAL_36 | Ensure that MySQL server enables customer-managed key for encryption |
| BC_AZR_GENERAL_37 | Ensure that PostgreSQL server enables customer-managed key for encryption |
| BC_AZR_GENERAL_38 | Ensure that Storage Accounts use customer-managed key for encryption |
| BC_AZR_GENERAL_39 | Ensure that Azure Data Factory uses Git repository for source control |
| BC_AZR_GENERAL_40 | Ensure that key vault enables purge protection |
| BC_AZR_GENERAL_41 | Ensure that key vault enables soft delete |
| BC_AZR_GENERAL_42 | Ensure that key vault secrets have "content_type" set |
| BC_AZR_GENERAL_44 | Ensure that MySQL server enables Threat detection policy |
| BC_AZR_GENERAL_45 | Ensure that PostgreSQL server enables Threat detection policy |
| BC_AZR_GENERAL_46 | Ensure that Azure Defender is set to On for Servers |
| BC_AZR_GENERAL_47 | Ensure that function apps enable Authentication |
| BC_AZR_GENERAL_48 | Ensure that CORS disallows every resource to access app services |
| BC_AZR_GENERAL_49 | Ensure that 'Security contact emails' is set |
| BC_AZR_GENERAL_51 | Ensure that CORS disallows every resource to access function apps |
| BC_AZR_GENERAL_52 | Ensure that 'HTTP Version' is the latest if used to run the function app |
| BC_AZR_GENERAL_53 | Ensure that Azure Defender is set to On for Azure SQL database servers |
| BC_AZR_GENERAL_54 | Ensure that Managed identity provider is enabled for app services |
| BC_AZR_GENERAL_55 | Ensure that remote debugging is not enabled for app services |
| BC_AZR_GENERAL_56 | Ensure that Azure Defender is set to On for SQL servers on machines |
| BC_AZR_GENERAL_57 | Ensure that 'Net Framework' version is the latest, if used as a part of the web app |
| BC_AZR_GENERAL_58 | Ensure that 'PHP version' is the latest, if used to run the web app |
| BC_AZR_GENERAL_59 | Ensure that 'Python version' is the latest, if used to run the web app |
| BC_AZR_GENERAL_60 | Ensure that 'Java version' is the latest, if used to run the web app |
| BC_AZR_GENERAL_61 | Ensure that Azure Defender is set to On for Storage |
| BC_AZR_GENERAL_62 | Ensure that Azure Defender is set to On for Kubernetes |
| BC_AZR_GENERAL_63 | Ensure that Azure Defender is set to On for Container Registries |
| BC_AZR_GENERAL_64 | Ensure that Azure Defender is set to On for Key Vault |
| BC_AZR_GENERAL_65 | Ensure that app services use Azure Files |
| BC_AZR_GENERAL_66 | Ensure that Virtual Machines use managed disks |
| BC_AZR_GENERAL_67 | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets |
| BC_AZR_GENERAL_68 | Ensure that Microsoft Antimalware is configured to automatically update for Virtual Machines |
| BC_AZR_GENERAL_69 | Ensure that SQL servers enable data security policy |
| BC_AZR_GENERAL_70 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
| BC_AZR_GENERAL_71 | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
| BC_AZR_GENERAL_72 | Ensure that VA setting Send scan reports to is configured for a SQL server |
| BC_AZR_GENERAL_73 | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server |
| BC_AZR_GENERAL_74 | Ensure that Azure Active Directory Admin is configured |
| BC_AZR_GENERAL_75 | Ensure Virtual Machines are utilizing Managed Disks |
| BC_AZR_KUBERNETES_6 | Ensure that AKS enables private clusters |
| BC_AZR_KUBERNETES_7 | Ensure that AKS uses Azure Policies Add-on |
| BC_AZR_KUBERNETES_8 | Ensure that AKS uses disk encryption set |
| BC_AZR_LOGGING_10 | Ensure that App service enables failed request tracing |
| BC_AZR_LOGGING_11 | Ensure Storage logging is enabled for Blob service for read requests |
| BC_AZR_LOGGING_12 | Ensure the storage container storing the activity logs is not publicly accessible |
| BC_AZR_LOGGING_7 | Ensure Storage logging is enabled for Table service for read requests |
| BC_AZR_LOGGING_8 | Ensure that App service enables HTTP logging |
| BC_AZR_LOGGING_9 | Ensure that App service enables detailed error messages |
| BC_AZR_NETWORKING_18 | Ensure that Storage accounts disallow public access |
| BC_AZR_NETWORKING_19 | Ensure that storage account enables secure transfer |
| BC_AZR_NETWORKING_20 | Ensure that PostgreSQL server disables public network access |
| BC_AZR_NETWORKING_21 | Ensure that Function apps are only accessible over HTTPS |
| BC_AZR_NETWORKING_22 | Ensure that UDP Services are restricted from the Internet |
| BC_AZR_NETWORKING_23 | Ensure that Azure Cache for Redis disables public network access |
| BC_AZR_NETWORKING_24 | Ensure that only SSL is enabled for Cache for Redis |
| BC_AZR_NETWORKING_25 | Ensure that Azure Container group is deployed into virtual network |
| BC_AZR_NETWORKING_26 | Ensure Cosmos DB accounts have restricted access |
| BC_AZR_NETWORKING_27 | Ensure that Azure Synapse workspaces have no IP firewall rules attached |
| BC_AZR_NETWORKING_28 | Ensure that Azure Cosmos DB disables public network access |
| BC_AZR_NETWORKING_29 | Ensure that Azure Data factory public network access is disabled |
| BC_AZR_NETWORKING_30 | Ensure that Azure Event Grid Domain public network access is disabled |
| BC_AZR_NETWORKING_31 | Ensure that API management services use virtual networks |
| BC_AZR_NETWORKING_32 | Ensure that Azure IoT Hub disables public network access |
| BC_AZR_NETWORKING_33 | Ensure that key vault allows firewall rules settings |
| BC_AZR_NETWORKING_34 | Ensure that SQL server disables public network access |
| BC_AZR_NETWORKING_35 | Ensure that Network Interfaces disable IP forwarding |
| BC_AZR_NETWORKING_36 | Ensure that Network Interfaces don't use public IPs |
| BC_AZR_NETWORKING_37 | Ensure that Application Gateway enables WAF |
| BC_AZR_NETWORKING_38 | Ensure that Azure Front Door enables WAF |
| BC_AZR_NETWORKING_39 | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes |
| BC_AZR_NETWORKING_40 | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes |
| BC_AZR_NETWORKING_41 | Ensure that Azure Cognitive Search disables public network access |
| BC_AZR_NETWORKING_42 | Ensure that Azure File Sync disables public network access |
| BC_AZR_NETWORKING_43 | Ensure that Azure Synapse workspaces enable managed virtual networks |
| BC_AZR_NETWORKING_44 | Ensure that MySQL server disables public network access |
| BC_DKR_1 | Ensure port 22 is not exposed |
| BC_DKR_2 | Ensure that HEALTHCHECK instructions have been added to container images |
| BC_DKR_3 | Ensure that a user for the container has been created |
| BC_DKR_4 | Ensure update instructions are not used alone in the Dockerfile |
| BC_DKR_5 | Ensure that COPY is used instead of ADD in Dockerfiles |
| BC_GCP_GENERAL_8 | Ensure that there are only GCP-managed service account keys for each service account |
| BC_GCP_GENERAL_9 | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
| BC_GCP_IAM_11 | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges |
| BC_GCP_KUBERNETES_16 | Ensure GKE clusters are not running using the Compute Engine default service account |
| BC_GCP_KUBERNETES_17 | Ensure Secure Boot for Shielded GKE Nodes is Enabled |
| BC_GCP_KUBERNETES_18 | Enable VPC Flow Logs and Intranode Visibility |
| BC_GCP_KUBERNETES_19 | Ensure clusters are created with Private Nodes |
| BC_GCP_KUBERNETES_20 | Manage Kubernetes RBAC users with Google Groups for GKE |
| BC_GCP_KUBERNETES_21 | Ensure use of Binary Authorization |
| BC_GCP_KUBERNETES_22 | Ensure legacy Compute Engine instance metadata APIs are Disabled |
| BC_GCP_KUBERNETES_23 | Ensure the GKE Metadata Server is Enabled |
| BC_GCP_KUBERNETES_24 | Ensure Shielded GKE Nodes are Enabled |
| BC_GCP_KUBERNETES_25 | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled |
| BC_GCP_LOGGING_4 | Ensure that retention policies on log buckets are configured using Bucket Lock |
| BC_GCP_LOGGING_5 | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
| BC_GCP_NETWORKING_13 | Ensure legacy networks do not exist for a project |
| BC_K8S_100 | Ensure that the --protect-kernel-defaults argument is set to true |
| BC_K8S_101 | Ensure that the --make-iptables-util-chains argument is set to true |
| BC_K8S_102 | Ensure that the --hostname-override argument is not set |
| BC_K8S_103 | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture |
| BC_K8S_104 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate for Kubelet |
| BC_K8S_105 | Ensure that the --rotate-certificates argument is not set to false |
| BC_K8S_106 | Ensure that the RotateKubeletServerCertificate argument is set to true for kubelet |
| BC_K8S_46 | Ensure that the --anonymous-auth argument is set to false |
| BC_K8S_47 | Ensure that the --basic-auth-file argument is not set |
| BC_K8S_48 | Ensure that the --token-auth-file parameter is not set |
| BC_K8S_49 | Ensure that the --kubelet-https argument is set to true |
| BC_K8S_50 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate |
| BC_K8S_51 | Ensure that the --kubelet-certificate-authority argument is set as appropriate |
| BC_K8S_52 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| BC_K8S_53 | Ensure that the --authorization-mode argument includes Node |
| BC_K8S_54 | Ensure that the --authorization-mode argument includes RBAC |
| BC_K8S_55 | Ensure that the admission control plugin EventRateLimit is set |
| BC_K8S_56 | Ensure that the admission control plugin AlwaysAdmit is not set |
| BC_K8S_57 | Ensure that the admission control plugin AlwaysPullImages is set |
| BC_K8S_58 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used |
| BC_K8S_59 | Ensure that the admission control plugin ServiceAccount is set |
| BC_K8S_60 | Ensure that the admission control plugin NamespaceLifecycle is set |
| BC_K8S_61 | Ensure that the admission control plugin PodSecurityPolicy is set |
| BC_K8S_62 | Ensure that the admission control plugin NodeRestriction is set |
| BC_K8S_63 | Ensure that the --insecure-bind-address argument is not set |
| BC_K8S_64 | Ensure that the --insecure-port argument is set to 0 |
| BC_K8S_65 | Ensure that the --secure-port argument is not set to 0 |
| BC_K8S_66 | Ensure that the --profiling argument is set to false |
| BC_K8S_67 | Ensure that the --audit-log-path argument is set |
| BC_K8S_68 | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate |
| BC_K8S_69 | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate |
| BC_K8S_70 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
| BC_K8S_71 | Ensure that the --request-timeout argument is set as appropriate |
| BC_K8S_72 | Ensure that the --service-account-lookup argument is set to true |
| BC_K8S_73 | Ensure that the --service-account-key-file argument is set as appropriate |
| BC_K8S_74 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate |
| BC_K8S_75 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate for API servers |
| BC_K8S_76 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers |
| BC_K8S_77 | Ensure that the --etcd-cafile argument is set as appropriate |
| BC_K8S_78 | Ensure that encryption providers are appropriately configured |
| BC_K8S_79 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers |
| BC_K8S_80 | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate for controller managers |
| BC_K8S_81 | Ensure that the --profiling argument is set to false for controller managers |
| BC_K8S_82 | Ensure that the --use-service-account-credentials argument is set to true for controller managers |
| BC_K8S_83 | Ensure that the --service-account-private-key-file argument is set as appropriate for controller managers |
| BC_K8S_84 | Ensure that the --root-ca-file argument is set as appropriate for controller managers |
| BC_K8S_85 | Ensure that the RotateKubeletServerCertificate argument is set to true |
| BC_K8S_86 | Ensure that the --bind-address argument is set to 127.0.0.1 for controller managers |
| BC_K8S_87 | Ensure that the --profiling argument is set to false for scheduler |
| BC_K8S_88 | Ensure that the --bind-address argument is set to 127.0.0.1 |
| BC_K8S_89 | Ensure that the --cert-file and --key-file arguments are set as appropriate |
| BC_K8S_90 | Ensure that the --client-cert-auth argument is set to true |
| BC_K8S_91 | Ensure that the --auto-tls argument is not set to true |
| BC_K8S_92 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate |
| BC_K8S_93 | Ensure that the --peer-client-cert-auth argument is set to true |
| BC_K8S_94 | Ensure that the --peer-auto-tls argument is not set to true |
| BC_K8S_95 | Ensure that the --anonymous-auth argument is set to false |
| BC_K8S_96 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| BC_K8S_97 | Ensure that the --client-ca-file argument is set as appropriate for kubelet |
| BC_K8S_98 | Ensure that the --read-only-port argument is set to 0 |
| BC_K8S_99 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |