added
OCI and OpenStack support as part of 53 new policies 🛂
5 months ago by Gilad Mark
Bridgecrew added 53 new out-of-the-box policies across multiple resource types and providers.
New additions also include supporting Oracle Cloud Infrastructure (OCI) Terraform resources and OpenStack secrets and Terraform resources.
| Policy Id | Policy title |
|---|---|
| BC_AWS_LOGGING_30 | Ensure API Gateway V2 has Access Logging enabled |
| BC_AWS_NETWORKING_61 | Ensure API Gateway caching is enabled |
| BC_AWS_NETWORKING_62 | Ensure that Load Balancer has deletion protection enabled |
| BC_AWS_STORAGE_1 | Ensure QLDB ledger has deletion protection enabled |
| BC_AWS_SERVERLESS_5 | Ensure encryption settings for Lambda environmental variable is set properly |
| BC_AWS_NETWORKING_63 | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 |
| BC_AZR_STORAGE_4 | Ensure Storage Accounts adhere to the naming rules |
| BC_AZR_STORAGE_5 | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes |
| BC_OCI_SECRETS_1 | Ensure no hard coded OCI private key in provider |
| BC_OCI_Storage_1 | Ensure OCI Block Storage Block Volume has backup enabled |
| BC_OCI_Storage_2 | Ensure OCI Block Storage Block Volumes are encrypted with a Customer Managed Key (CMK) |
| BC_OCI_COMPUTE_1 | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled |
| BC_OCI_COMPUTE_2 | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled |
| BC_OCI_LOGGING_1 | Ensure OCI Compute Instance has monitoring enabled |
| BC_OCI_STORAGE_3 | Ensure OCI Object Storage bucket can emit object events |
| BC_OCI_STORAGE_4 | Ensure OCI Object Storage has versioning enabled |
| BC_OCI_STORAGE_5 | Ensure OCI Object Storage is encrypted with Customer Managed Key |
| BC_OCI_STORAGE_6 | Ensure OCI Object Storage is not Public |
| BC_OCI_IAM_1 | Ensure OCI IAM password policy contains lowercase characters |
| BC_OCI_IAM_2 | Ensure OCI IAM password policy contains numeric characters |
| BC_OCI_IAM_3 | Ensure OCI IAM password policy contains symbols |
| BC_OCI_IAM_4 | Ensure OCI IAM password policy contains uppercase characters |
| BC_OCI_STORAGE_7 | Ensure OCI File System is Encrypted with a customer Managed Key |
| BC_OCI_NETWORKING_1 | Ensure VCN has an inbound security list |
| BC_OCI_NETWORKING_2 | Ensure VCN inbound security lists are stateless |
| BC_OCI_IAM_5 | Ensure OCI IAM password policy has a minimum length of 14 characters |
| BC_AWS_NETWORKING_64 | Ensure WAF has associated rules |
| BC_AWS_LOGGING_31 | Ensure Logging is enabled for WAF Web Access Control Lists |
| BC_AWS_GENERAL_97 | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_98 | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_99 | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_100 | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_101 | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_102 | Ensure Doc DB is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_103 | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_104 | Ensure EFS file system is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_105 | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_106 | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_107 | Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_108 | Ensure RedShift Cluster is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_109 | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_110 | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_GENERAL_111 | Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK) |
| BC_AWS_LOGGING_32 | Ensure Postgres RDS has Query Logging enabled |
| BC_AWS_LOGGING_33 | Ensure WAF2 has a Logging Configuration |
| BC_AWS_NETWORKING_65 | Ensure CloudFront distribution has a strict security headers policy attached |
| BC_1 | Ensure no hard coded API token exist in the provider |
| BC_K8S_108 | Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 |
| BC_K8S_109 | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 |
| BC_K8S_110 | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 |
| BC_OPENSTACK_SECRETS_1 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) |
| BC_OPENSTACK_NETWORKING_1 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) |
| BC_OPENSTACK_NETWORKING_2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) |