45 New Policies 🛂

Bridgecrew added 45 new out-of-the-box policies spanning multiple resource types and providers (AWS, Azure, GCP, Kubernetes, Docker and Git).

| incident_id | Policy title |
|---|---|
| BC_AWS_IAM_63 | Ensure KMS key policy does not contain a wildcard (*) principal |
| BC_AWS_GENERAL_74 | Ensure DocDB has audit logs enabled |
| BC_AWS_GENERAL_75 | Ensure Redshift uses SSL |
| BC_AWS_IAM_64 | Ensure IAM policies does not allow privilege escalation |
| BC_AWS_GENERAL_76 | Ensure Session Manager data is encrypted in transit |
| BC_AWS_IAM_65 | Ensure RDS database has IAM authentication enabled |
| BC_AWS_GENERAL_77 | Ensure that RDS database cluster snapshot is encrypted |
| BC_AWS_GENERAL_78 | Ensure that CodeBuild projects are encrypted |
| BC_AWS_IAM_66 | Ensure RDS cluster has IAM authentication enabled |
| BC_AWS_GENERAL_79 | Ensure that Secrets Manager secret is encrypted using KMS |
| BC_AWS_GENERAL_81 | Ensure EBS default encryption is enabled |
| BC_AWS_GENERAL_90 | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it |
| BC_AWS_GENERAL_82 | Autoscaling groups should supply tags to launch configurations |
| BC_AWS_GENERAL_91 | Ensure SQS queue policy is not public by only allowing specific services or principals to access it |
| BC_AWS_GENERAL_83 | Ensure that Workspace user volumes are encrypted |
| BC_AWS_GENERAL_84 | Ensure that Workspace root volumes are encrypted |
| BC_AWS_GENERAL_85 | Ensure that CloudWatch Log Group is encrypted by KMS |
| BC_AWS_GENERAL_86 | Ensure that Athena Workgroup is encrypted |
| BC_AWS_GENERAL_87 | Ensure that Timestream database is encrypted with KMS CMK |
| BC_AWS_GENERAL_92 | Ensure SNS topic policy is not public by only allowing specific services or principals to access it |
| BC_AWS_IAM_67 | Ensure an IAM User does not have access to the console |
| BC_GCP_KUBERNETES_26 | Ensure the GKE Release Channel is set |
| BC_AWS_GENERAL_88 | Ensure Dynamodb point in time recovery (backup) is enabled for global tables |
| BC_AWS_GENERAL_89 | Ensure Backup Vault is encrypted at rest using KMS CMK |
| BC_K8S_107 | Minimize wildcard use in Roles and ClusterRoles |
| BC_AWS_NETWORKING_53 | Ensure VPC subnets do not assign public IP by default |
| BC_AWS_NETWORKING_54 | Ensure no default VPC is planned to be provisioned |
| BC_AWS_GENERAL_93 | Ensure QLDB ledger permissions mode is set to STANDARD |
| BC_AWS_GENERAL_94 | Ensure EMR Cluster security configuration encryption is using SSE-KMS |
| BC_AWS_NETWORKING_55 | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled |
| BC_AWS_GENERAL_95 | Route53 A Record has Attached Resource |
| BC_AWS_GENERAL_96 | Postgres RDS has Query Logging enabled |
| BC_AWS_NETWORKING_56 | Ensure Redshift is not deployed outside of a VPC |
| BC_AWS_NETWORKING_57 | Ensure Transfer Server is not exposed publicly |
| BC_AZR_GENERAL_76 | Ensure MSSQL is using the latest version of TLS encryption |
| BC_AWS_NETWORKING_58 | Ensure public facing ALB are protected by WAF |
| BC_AZR_GENERAL_77 | Ensure MySQL is using the latest version of TLS encryption |
| BC_AZR_GENERAL_78 | Ensures that Active Directory is used for authentication for Service Fabric |
| BC_AZR_GENERAL_79 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
| BC_DKR_6 | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) |
| BC_DKR_7 | Ensure the base image uses a non latest version tag |
| BC_DKR_8 | Ensure the last USER is not root |
| BC_AWS_NETWORKING_59 | Ensure public API gateways are protected by WAF |
| BC_AZR_networking_45 | Ensure 'public network access enabled' is set to 'False' for MySQL servers |
| BC_GIT_20 | Ensure Repository is Private |
| BC_AZR_GENERAL_80 | Ensure that Service Fabric uses available three levels of protection available |