240 New Policies 🛂
almost 3 years ago by Gilad Mark
Bridgecrew added 240 new out-of-the-box policies across all supported providers, including Dockerfiles.
This release increases Bridgecrew's coverage of the current CIS and other benchmarks for IaC templates.
As part of this release, we added 50 context-aware policies. Rather than inspecting a single resource in isolation, these policies check the IaC state for connections between resources with specific attributes. Examples include "Ensure that only encrypted EBS volumes are attached to EC2 instances", "Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible", "Ensure that IAM groups include at least one IAM user" and many more.
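To make the difference between an attribute check and a context-aware check concrete, here is a small toy evaluator written for this page. It is an added illustration, not Bridgecrew's or Checkov's code, and the resource records, names and the edge model (attachments and group memberships as directed edges) are constructed assumptions. It runs two of the checks named above over the same resource graph: an EC2 instance fails only when a volume that is actually attached to it is unencrypted (an unattached unencrypted volume is not this instance's finding), and an IAM group fails when no membership connects a user to it.

```python
"""Toy model of a context-aware IaC policy check.

Added illustration of the idea described above, not Bridgecrew's or Checkov's
implementation. The resource records are constructed, Terraform-style samples
with made-up names; the edge model is a deliberate simplification.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample plan: each record is one Terraform resource reduced to the
# attributes the checks below need. References use Terraform addresses ("type.name").
SAMPLE_RESOURCES = [
    {"type": "aws_instance", "name": "web", "attrs": {}},
    {"type": "aws_instance", "name": "db", "attrs": {}},
    # Inline block device: the attribute lives on the instance, no connection needed.
    {"type": "aws_instance", "name": "batch",
     "attrs": {"ebs_block_device": [{"device_name": "/dev/sdf", "encrypted": False}]}},
    {"type": "aws_ebs_volume", "name": "web_data", "attrs": {"encrypted": False}},
    {"type": "aws_ebs_volume", "name": "db_data", "attrs": {"encrypted": True}},
    {"type": "aws_ebs_volume", "name": "orphan", "attrs": {"encrypted": False}},  # attached to nothing
    {"type": "aws_volume_attachment", "name": "web_att",
     "attrs": {"instance_id": "aws_instance.web", "volume_id": "aws_ebs_volume.web_data"}},
    {"type": "aws_volume_attachment", "name": "db_att",
     "attrs": {"instance_id": "aws_instance.db", "volume_id": "aws_ebs_volume.db_data"}},
    {"type": "aws_iam_group", "name": "admins", "attrs": {}},
    {"type": "aws_iam_group", "name": "unused", "attrs": {}},
    {"type": "aws_iam_user", "name": "alice", "attrs": {}},
    {"type": "aws_iam_group_membership", "name": "admins_members",
     "attrs": {"group": "aws_iam_group.admins", "users": ["aws_iam_user.alice"]}},
]

Graph = Tuple[Dict[str, dict], Dict[str, List[str]]]


def address(res: dict) -> str:
    return f"{res['type']}.{res['name']}"


def build_graph(resources: List[dict]) -> Graph:
    """Index resources by address and record the directed edges implied by references."""
    nodes = {address(r): r for r in resources}
    edges: Dict[str, List[str]] = defaultdict(list)
    for r in resources:
        a = r["attrs"]
        if r["type"] == "aws_volume_attachment":
            # instance -> volume, so an instance can be asked which volumes sit on it
            edges[a["instance_id"]].append(a["volume_id"])
        elif r["type"] == "aws_iam_group_membership":
            # group -> user for every listed member
            for user in a.get("users", []):
                edges[a["group"]].append(user)
    return nodes, edges


def check_encrypted_ebs_attached(graph: Graph) -> Dict[str, str]:
    """Context-aware: an EC2 instance fails if any volume *attached to it* is unencrypted.

    A missing `encrypted` attribute is treated as unencrypted (conservative: the
    provider default is false unless account-level default encryption is on).
    An unencrypted volume attached to no instance does not produce a finding here.
    """
    nodes, edges = graph
    results: Dict[str, str] = {}
    for addr, res in nodes.items():
        if res["type"] != "aws_instance":
            continue
        bad = [v for v in edges.get(addr, [])
               if nodes.get(v, {}).get("type") == "aws_ebs_volume"
               and nodes[v]["attrs"].get("encrypted") is not True]
        # Inline block devices count too; this part is a plain attribute check.
        bad += [d["device_name"] for d in res["attrs"].get("ebs_block_device", [])
                if d.get("encrypted") is not True]
        results[addr] = "FAILED" if bad else "PASSED"
    return results


def check_group_has_user(graph: Graph) -> Dict[str, str]:
    """Context-aware: an IAM group fails unless at least one membership links a user to it."""
    nodes, edges = graph
    return {
        addr: "PASSED" if any(nodes.get(u, {}).get("type") == "aws_iam_user"
                              for u in edges.get(addr, [])) else "FAILED"
        for addr, res in nodes.items() if res["type"] == "aws_iam_group"
    }


if __name__ == "__main__":
    g = build_graph(SAMPLE_RESOURCES)
    for check in (check_encrypted_ebs_attached, check_group_has_user):
        for addr, verdict in sorted(check(g).items()):
            print(f"{check.__name__}: {addr}: {verdict}")
```

The point of the graph step is that the policy verdict is attached to the instance (or group), not to the volume (or user) whose attribute or absence caused it, which is what lets a scanner report the resource an engineer would actually fix.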
List of new policies
BC ID | Policy Name |
---|---|
BC_AWS_GENERAL_44 | Ensure that Auto Scaling is enabled on your DynamoDB tables |
BC_AWS_GENERAL_45 | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on |
BC_AWS_GENERAL_46 | Ensure that RDS Instances Have Backup Policy |
BC_AWS_GENERAL_47 | Ensure that Redshift clusters have a backup plan in AWS Backup |
BC_AWS_GENERAL_48 | Ensure that Elastic File System (Amazon EFS) file systems are added to the backup plans of AWS Backup |
BC_AWS_GENERAL_49 | Ensure that RDS clusters have a backup plan in AWS Backup |
BC_AWS_GENERAL_50 | Ensure that EBS volumes are added to the backup plans of AWS Backup |
BC_AWS_GENERAL_51 | Ensure KMS keys have a rotation policy |
BC_AWS_GENERAL_52 | Ensure that DynamoDB Tables are encrypted |
BC_AWS_GENERAL_53 | Ensure that ECR repositories are encrypted |
BC_AWS_GENERAL_54 | Ensure that RDS global clusters are encrypted |
BC_AWS_GENERAL_55 | Ensure that Redshift cluster is encrypted by KMS |
BC_AWS_GENERAL_56 | Ensure that S3 buckets are encrypted with KMS by default |
BC_AWS_GENERAL_6 | Ensure that point in time recovery is enabled for Amazon DynamoDB tables |
BC_AWS_GENERAL_60 | Ensure that only encrypted EBS volumes are attached to EC2 instances |
BC_AWS_GENERAL_61 | Ensure that Load Balancer has deletion protection enabled |
BC_AWS_GENERAL_62 | Ensure that EMR clusters have Kerberos Enabled |
BC_AWS_GENERAL_63 | Ensure that AWS Lambda function is configured for function-level concurrent execution limit |
BC_AWS_GENERAL_64 | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) |
BC_AWS_GENERAL_65 | Ensure that AWS Lambda function is configured inside a VPC |
BC_AWS_GENERAL_66 | Ensure GuardDuty is enabled for the specific org/region |
BC_AWS_GENERAL_67 | Ensure that Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager |
BC_AWS_GENERAL_68 | Ensure that EC2 is EBS optimized |
BC_AWS_GENERAL_69 | Ensure that RDS clusters and Instances have deletion protection enabled |
BC_AWS_GENERAL_70 | Ensure that Redshift clusters allow version upgrade by default |
BC_AWS_GENERAL_71 | Ensure that S3 bucket has lock configuration enabled by default |
BC_AWS_GENERAL_72 | Ensure that S3 bucket has cross-region replication enabled |
BC_AWS_IAM_54 | Ensure IAM policies do not allow credentials exposure |
BC_AWS_IAM_55 | Ensure IAM policies do not allow data exfiltration |
BC_AWS_IAM_56 | Ensure IAM policies do not allow permissions management / resource exposure without constraint |
BC_AWS_IAM_57 | Ensure IAM policies do not allow write access without constraint |
BC_AWS_IAM_59 | Ensure that Amazon RDS clusters and instances have AWS Identity and Access Management (IAM) authentication enabled |
BC_AWS_IAM_60 | Ensure that the relevant logs of Amazon Relational Database Service (Amazon RDS) are enabled |
BC_AWS_IAM_61 | Ensure that IAM groups include at least one IAM user |
BC_AWS_IAM_62 | Ensure that all IAM users are members of at least one IAM group |
BC_AWS_KUBERNETES_6 | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS |
BC_AWS_LOGGING_25 | Ensure that CloudFormation stacks are sending event notifications to an SNS topic |
BC_AWS_LOGGING_26 | Ensure that detailed monitoring is enabled for EC2 instances |
BC_AWS_LOGGING_27 | Ensure CloudTrail trails are integrated with CloudWatch Logs |
BC_AWS_LOGGING_28 | Ensure that enhanced monitoring is enabled for Amazon RDS instances |
BC_AWS_LOGGING_29 | Ensure API Gateway stages have a logging level defined as appropriate |
BC_AWS_LOGGING_5 | Ensure AWS Config is enabled in all regions |
BC_AWS_LOGGING_9 | Ensure VPC flow logging is enabled in all VPCs |
BC_AWS_NETWORKING_38 | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance |
BC_AWS_NETWORKING_39 | Ensure that VPC Endpoint Service is configured for Manual Acceptance |
BC_AWS_NETWORKING_4 | Ensure the default security group of every VPC restricts all traffic |
BC_AWS_NETWORKING_40 | Ensure that Amazon EMR clusters' security groups are not open to the world |
BC_AWS_NETWORKING_41 | Ensure that ALB drops HTTP headers |
BC_AWS_NETWORKING_42 | Ensure that Elasticsearch is configured inside a VPC |
BC_AWS_NETWORKING_43 | Ensure that ELB has cross-zone load balancing enabled |
BC_AWS_NETWORKING_44 | Ensure that Amazon Redshift clusters are not publicly accessible |
BC_AWS_NETWORKING_46 | Ensure that Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks |
BC_AWS_NETWORKING_47 | Ensure that EC2 instances belong to a VPC |
BC_AWS_NETWORKING_48 | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances |
BC_AWS_NETWORKING_49 | Ensure that ALB redirects HTTP requests to HTTPS |
BC_AWS_NETWORKING_50 | Ensure that all NACL are attached to subnets |
BC_AWS_NETWORKING_51 | Ensure that Security Groups are attached to EC2 instances or elastic network interfaces (ENIs) |
BC_AWS_NETWORKING_52 | S3 Bucket Should Have Public Access Blocks |
BC_AZR_GENERAL_15 | Ensure FTP deployments are disabled |
BC_AZR_GENERAL_16 | Ensure that PostgreSQL server enables geo-redundant backups |
BC_AZR_GENERAL_17 | Ensure that key vault key is backed by HSM |
BC_AZR_GENERAL_18 | Ensure that MariaDB server enables geo-redundant backups |
BC_AZR_GENERAL_19 | Ensure that MySQL server enables geo-redundant backups |
BC_AZR_GENERAL_20 | Ensure that virtual machines are backed up using Azure Backup |
BC_AZR_GENERAL_21 | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest |
BC_AZR_GENERAL_22 | Ensure that Data Lake Store accounts enable encryption |
BC_AZR_GENERAL_24 | Ensure that PostgreSQL server enables infrastructure encryption |
BC_AZR_GENERAL_25 | Ensure that Automation account variables are encrypted |
BC_AZR_GENERAL_26 | Ensure that Azure Data Explorer uses disk encryption |
BC_AZR_GENERAL_27 | Ensure that Azure Data Explorer uses double encryption |
BC_AZR_GENERAL_28 | Ensure that Azure Batch account uses key vault to encrypt data |
BC_AZR_GENERAL_29 | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption |
BC_AZR_GENERAL_30 | Ensure that MySQL Server Enables Infrastructure Encryption |
BC_AZR_GENERAL_31 | Ensure that Virtual machine scale sets have encryption at host enabled |
BC_AZR_GENERAL_32 | Ensure storage for critical data is encrypted with a Customer Managed Key |
BC_AZR_GENERAL_33 | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key |
BC_AZR_GENERAL_34 | Ensure that Unattached disks are encrypted |
BC_AZR_GENERAL_35 | Ensure that Azure data factories are encrypted with a customer-managed key |
BC_AZR_GENERAL_36 | Ensure that MySQL server enables customer-managed key for encryption |
BC_AZR_GENERAL_37 | Ensure that PostgreSQL server enables customer-managed key for encryption |
BC_AZR_GENERAL_38 | Ensure that Storage Accounts use customer-managed key for encryption |
BC_AZR_GENERAL_39 | Ensure that Azure Data Factory uses Git repository for source control |
BC_AZR_GENERAL_40 | Ensure that key vault enables purge protection |
BC_AZR_GENERAL_41 | Ensure that key vault enables soft delete |
BC_AZR_GENERAL_42 | Ensure that key vault secrets have "content_type" set |
BC_AZR_GENERAL_44 | Ensure that MySQL server enables threat detection policy |
BC_AZR_GENERAL_45 | Ensure that PostgreSQL server enables threat detection policy |
BC_AZR_GENERAL_46 | Ensure that Azure Defender is set to On for Servers |
BC_AZR_GENERAL_47 | Ensure that function apps enable authentication |
BC_AZR_GENERAL_48 | Ensure that CORS does not allow every resource to access app services |
BC_AZR_GENERAL_49 | Ensure that 'Security contact emails' is set |
BC_AZR_GENERAL_51 | Ensure that CORS does not allow every resource to access function apps |
BC_AZR_GENERAL_52 | Ensure that 'HTTP Version' is the latest if used to run the function app |
BC_AZR_GENERAL_53 | Ensure that Azure Defender is set to On for Azure SQL database servers |
BC_AZR_GENERAL_54 | Ensure that Managed identity provider is enabled for app services |
BC_AZR_GENERAL_55 | Ensure that remote debugging is not enabled for app services |
BC_AZR_GENERAL_56 | Ensure that Azure Defender is set to On for SQL servers on machines |
BC_AZR_GENERAL_57 | Ensure that 'Net Framework' version is the latest, if used as a part of the web app |
BC_AZR_GENERAL_58 | Ensure that 'PHP version' is the latest, if used to run the web app |
BC_AZR_GENERAL_59 | Ensure that 'Python version' is the latest, if used to run the web app |
BC_AZR_GENERAL_60 | Ensure that 'Java version' is the latest, if used to run the web app |
BC_AZR_GENERAL_61 | Ensure that Azure Defender is set to On for Storage |
BC_AZR_GENERAL_62 | Ensure that Azure Defender is set to On for Kubernetes |
BC_AZR_GENERAL_63 | Ensure that Azure Defender is set to On for Container Registries |
BC_AZR_GENERAL_64 | Ensure that Azure Defender is set to On for Key Vault |
BC_AZR_GENERAL_65 | Ensure that app services use Azure Files |
BC_AZR_GENERAL_66 | Ensure that Virtual Machines use managed disks |
BC_AZR_GENERAL_67 | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets |
BC_AZR_GENERAL_68 | Ensure that Microsoft Antimalware is configured to update automatically for Virtual Machines |
BC_AZR_GENERAL_69 | Ensure that SQL servers enable a data security policy |
BC_AZR_GENERAL_70 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
BC_AZR_GENERAL_71 | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
BC_AZR_GENERAL_72 | Ensure that VA setting Send scan reports to is configured for a SQL server |
BC_AZR_GENERAL_73 | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server |
BC_AZR_GENERAL_74 | Ensure that Azure Active Directory Admin is configured |
BC_AZR_GENERAL_75 | Ensure Virtual Machines are utilizing Managed Disks |
BC_AZR_KUBERNETES_6 | Ensure that AKS enables private clusters |
BC_AZR_KUBERNETES_7 | Ensure that AKS uses Azure Policies Add-on |
BC_AZR_KUBERNETES_8 | Ensure that AKS uses disk encryption set |
BC_AZR_LOGGING_10 | Ensure that App service enables failed request tracing |
BC_AZR_LOGGING_11 | Ensure Storage logging is enabled for Blob service for read requests |
BC_AZR_LOGGING_12 | Ensure the storage container storing the activity logs is not publicly accessible |
BC_AZR_LOGGING_7 | Ensure Storage logging is enabled for Table service for read requests |
BC_AZR_LOGGING_8 | Ensure that App service enables HTTP logging |
BC_AZR_LOGGING_9 | Ensure that App service enables detailed error messages |
BC_AZR_NETWORKING_18 | Ensure that Storage accounts disallow public access |
BC_AZR_NETWORKING_19 | Ensure that storage account enables secure transfer |
BC_AZR_NETWORKING_20 | Ensure that PostgreSQL server disables public network access |
BC_AZR_NETWORKING_21 | Ensure that Function apps are only accessible over HTTPS |
BC_AZR_NETWORKING_22 | Ensure that UDP Services are restricted from the Internet |
BC_AZR_NETWORKING_23 | Ensure that Azure Cache for Redis disables public network access |
BC_AZR_NETWORKING_24 | Ensure that only SSL connections are enabled for Azure Cache for Redis |
BC_AZR_NETWORKING_25 | Ensure that Azure Container group is deployed into a virtual network |
BC_AZR_NETWORKING_26 | Ensure Cosmos DB accounts have restricted access |
BC_AZR_NETWORKING_27 | Ensure that Azure Synapse workspaces have no IP firewall rules attached |
BC_AZR_NETWORKING_28 | Ensure that Azure Cosmos DB disables public network access |
BC_AZR_NETWORKING_29 | Ensure that Azure Data factory public network access is disabled |
BC_AZR_NETWORKING_30 | Ensure that Azure Event Grid Domain public network access is disabled |
BC_AZR_NETWORKING_31 | Ensure that API management services use virtual networks |
BC_AZR_NETWORKING_32 | Ensure that Azure IoT Hub disables public network access |
BC_AZR_NETWORKING_33 | Ensure that key vault allows firewall rules settings |
BC_AZR_NETWORKING_34 | Ensure that SQL server disables public network access |
BC_AZR_NETWORKING_35 | Ensure that Network Interfaces disable IP forwarding |
BC_AZR_NETWORKING_36 | Ensure that Network Interfaces don't use public IPs |
BC_AZR_NETWORKING_37 | Ensure that Application Gateway enables WAF |
BC_AZR_NETWORKING_38 | Ensure that Azure Front Door enables WAF |
BC_AZR_NETWORKING_39 | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes |
BC_AZR_NETWORKING_40 | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes |
BC_AZR_NETWORKING_41 | Ensure that Azure Cognitive Search disables public network access |
BC_AZR_NETWORKING_42 | Ensure that Azure File Sync disables public network access |
BC_AZR_NETWORKING_43 | Ensure that Azure Synapse workspaces enable managed virtual networks |
BC_AZR_NETWORKING_44 | Ensure that MySQL server disables public network access |
BC_DKR_1 | Ensure port 22 is not exposed |
BC_DKR_2 | Ensure that HEALTHCHECK instructions have been added to container images |
BC_DKR_3 | Ensure that a user for the container has been created |
BC_DKR_4 | Ensure update instructions are not used alone in the Dockerfile |
BC_DKR_5 | Ensure that COPY is used instead of ADD in Dockerfiles |
BC_GCP_GENERAL_8 | Ensure that there are only GCP-managed service account keys for each service account |
BC_GCP_GENERAL_9 | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
BC_GCP_IAM_11 | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges |
BC_GCP_KUBERNETES_16 | Ensure GKE clusters are not running using the Compute Engine default service account |
BC_GCP_KUBERNETES_17 | Ensure Secure Boot for Shielded GKE Nodes is Enabled |
BC_GCP_KUBERNETES_18 | Enable VPC Flow Logs and Intranode Visibility |
BC_GCP_KUBERNETES_19 | Ensure clusters are created with Private Nodes |
BC_GCP_KUBERNETES_20 | Manage Kubernetes RBAC users with Google Groups for GKE |
BC_GCP_KUBERNETES_21 | Ensure use of Binary Authorization |
BC_GCP_KUBERNETES_22 | Ensure legacy Compute Engine instance metadata APIs are Disabled |
BC_GCP_KUBERNETES_23 | Ensure the GKE Metadata Server is Enabled |
BC_GCP_KUBERNETES_24 | Ensure Shielded GKE Nodes are Enabled |
BC_GCP_KUBERNETES_25 | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled |
BC_GCP_LOGGING_4 | Ensure that retention policies on log buckets are configured using Bucket Lock |
BC_GCP_LOGGING_5 | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
BC_GCP_NETWORKING_13 | Ensure legacy networks do not exist for a project |
BC_K8S_100 | Ensure that the --protect-kernel-defaults argument is set to true |
BC_K8S_101 | Ensure that the --make-iptables-util-chains argument is set to true |
BC_K8S_102 | Ensure that the --hostname-override argument is not set |
BC_K8S_103 | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture |
BC_K8S_104 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate for Kubelet |
BC_K8S_105 | Ensure that the --rotate-certificates argument is not set to false |
BC_K8S_106 | Ensure that the RotateKubeletServerCertificate argument is set to true for kubelet |
BC_K8S_46 | Ensure that the --anonymous-auth argument is set to false |
BC_K8S_47 | Ensure that the --basic-auth-file argument is not set |
BC_K8S_48 | Ensure that the --token-auth-file parameter is not set |
BC_K8S_49 | Ensure that the --kubelet-https argument is set to true |
BC_K8S_50 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate |
BC_K8S_51 | Ensure that the --kubelet-certificate-authority argument is set as appropriate |
BC_K8S_52 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
BC_K8S_53 | Ensure that the --authorization-mode argument includes Node |
BC_K8S_54 | Ensure that the --authorization-mode argument includes RBAC |
BC_K8S_55 | Ensure that the admission control plugin EventRateLimit is set |
BC_K8S_56 | Ensure that the admission control plugin AlwaysAdmit is not set |
BC_K8S_57 | Ensure that the admission control plugin AlwaysPullImages is set |
BC_K8S_58 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used |
BC_K8S_59 | Ensure that the admission control plugin ServiceAccount is set |
BC_K8S_60 | Ensure that the admission control plugin NamespaceLifecycle is set |
BC_K8S_61 | Ensure that the admission control plugin PodSecurityPolicy is set |
BC_K8S_62 | Ensure that the admission control plugin NodeRestriction is set |
BC_K8S_63 | Ensure that the --insecure-bind-address argument is not set |
BC_K8S_64 | Ensure that the --insecure-port argument is set to 0 |
BC_K8S_65 | Ensure that the --secure-port argument is not set to 0 |
BC_K8S_66 | Ensure that the --profiling argument is set to false |
BC_K8S_67 | Ensure that the --audit-log-path argument is set |
BC_K8S_68 | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate |
BC_K8S_69 | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate |
BC_K8S_70 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
BC_K8S_71 | Ensure that the --request-timeout argument is set as appropriate |
BC_K8S_72 | Ensure that the --service-account-lookup argument is set to true |
BC_K8S_73 | Ensure that the --service-account-key-file argument is set as appropriate |
BC_K8S_74 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate |
BC_K8S_75 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate for API servers |
BC_K8S_76 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers |
BC_K8S_77 | Ensure that the --etcd-cafile argument is set as appropriate |
BC_K8S_78 | Ensure that encryption providers are appropriately configured |
BC_K8S_79 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers |
BC_K8S_80 | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate for controller managers |
BC_K8S_81 | Ensure that the --profiling argument is set to false for controller managers |
BC_K8S_82 | Ensure that the --use-service-account-credentials argument is set to true for controller managers |
BC_K8S_83 | Ensure that the --service-account-private-key-file argument is set as appropriate for controller managers |
BC_K8S_84 | Ensure that the --root-ca-file argument is set as appropriate for controller managers |
BC_K8S_85 | Ensure that the RotateKubeletServerCertificate argument is set to true |
BC_K8S_86 | Ensure that the --bind-address argument is set to 127.0.0.1 for controller managers |
BC_K8S_87 | Ensure that the --profiling argument is set to false for scheduler |
BC_K8S_88 | Ensure that the --bind-address argument is set to 127.0.0.1 |
BC_K8S_89 | Ensure that the --cert-file and --key-file arguments are set as appropriate |
BC_K8S_90 | Ensure that the --client-cert-auth argument is set to true |
BC_K8S_91 | Ensure that the --auto-tls argument is not set to true |
BC_K8S_92 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate |
BC_K8S_93 | Ensure that the --peer-client-cert-auth argument is set to true |
BC_K8S_94 | Ensure that the --peer-auto-tls argument is not set to true |
BC_K8S_95 | Ensure that the --anonymous-auth argument is set to false |
BC_K8S_96 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
BC_K8S_97 | Ensure that the --client-ca-file argument is set as appropriate for kubelet |
BC_K8S_98 | Ensure that the --read-only-port argument is set to 0 |
BC_K8S_99 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |