Severity changes across 111 policies 🛂

To align with the ongoing policy changes in Prisma Cloud, Bridgecrew has changed the severities of the policies listed below.
Note that such a change may affect severity-based features such as Enforcement; review any Enforcement rules keyed to a severity level, since policies that moved above or below that level will now be treated differently.

| BC Policy ID | Policy Title | Old severity | New severity |
|---|---|---|---|
| BC_AWS_IAM_11 | Ensure AWS IAM password policy expires in 90 days or less | HIGH | MEDIUM |
| BC_AWS_IAM_16 | Ensure IAM policies are only attached to Groups and Roles | CRITICAL | LOW |
| BC_AWS_LOGGING_1 | Ensure AWS CloudTrail is enabled in all regions | CRITICAL | LOW |
| BC_AWS_LOGGING_2 | Ensure AWS CloudTrail log validation is enabled in all regions | HIGH | LOW |
| BC_AWS_LOGGING_9 | Ensure AWS VPC Flow Logs are enabled | HIGH | MEDIUM |
| BC_AWS_LOGGING_11 | Ensure container insights are enabled on ECS cluster | MEDIUM | LOW |
| BC_AWS_NETWORKING_1 | Ensure AWS Security Group does not allow all traffic on SSH port 22 | CRITICAL | LOW |
| BC_AWS_NETWORKING_2 | Ensure Security Groups do not allow ingress from to port 3389 | CRITICAL | LOW |
| BC_AWS_NETWORKING_4 | Ensure AWS Default Security Group restricts all traffic | HIGH | LOW |
| BC_AWS_NETWORKING_32 | Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS | MEDIUM | HIGH |
| BC_AWS_KUBERNETES_2 | Ensure AWS EKS cluster endpoint access is publicly disabled | HIGH | MEDIUM |
| BC_AWS_KUBERNETES_4 | Ensure AWS EKS control plane logging is enabled | MEDIUM | LOW |
| BC_AWS_GENERAL_14 | Ensure all data stored in SageMaker is securely encrypted at rest | MEDIUM | HIGH |
| BC_AWS_GENERAL_22 | Ensure AWS Kinesis streams are encrypted using SSE | HIGH | MEDIUM |
| BC_AWS_ELASTICSEARCH_3 | Ensure AWS Elasticsearch domain encryption for data at rest is enabled | HIGH | LOW |
| BC_AWS_S3_14 | Ensure data stored in the S3 bucket is securely encrypted at rest | HIGH | LOW |
| BC_AWS_S3_23 | Ensure S3 bucket does not allow an action with any Principal | CRITICAL | MEDIUM |
| BC_AWS_PUBLIC_2 | Ensure AWS RDS database instance is not publicly accessible | HIGH | MEDIUM |
| BC_GCP_KUBERNETES_1 | Ensure Stackdriver logging on Kubernetes engine clusters is enabled | LOW | MEDIUM |
| BC_GCP_KUBERNETES_2 | Ensure ABAC authorization on Kubernetes engine clusters is disabled | LOW | MEDIUM |
| BC_GCP_KUBERNETES_3 | Ensure GCP Kubernetes engine clusters have stackdriver logging enabled | LOW | MEDIUM |
| BC_GCP_KUBERNETES_4 | Ensure GCP Kubernetes cluster node auto-repair configuration is enabled | LOW | MEDIUM |
| BC_GCP_KUBERNETES_5 | Ensure GCP Kubernetes cluster node auto-upgrade configuration is enabled | LOW | MEDIUM |
| BC_GCP_KUBERNETES_6 | Ensure private cluster is enabled when creating Kubernetes clusters | LOW | MEDIUM |
| BC_GCP_KUBERNETES_7 | Ensure GCP Kubernetes engine clusters have network policy enabled | LOW | MEDIUM |
| BC_GCP_KUBERNETES_11 | Ensure GCP Kubernetes engine clusters have basic authentication disabled | LOW | MEDIUM |
| BC_GCP_KUBERNETES_12 | Ensure master authorized networks are enabled in GKE clusters | LOW | MEDIUM |
| BC_GCP_NETWORKING_7 | Ensure default network does not exist in a project | HIGH | MEDIUM |
| BC_GCP_NETWORKING_10 | Ensure project instance does not override the project setting enabling OSLogin | HIGH | MEDIUM |
| BC_GCP_NETWORKING_12 | Ensure IP forwarding on instances is disabled | HIGH | MEDIUM |
| BC_GCP_GENERAL_1 | Ensure GCP VM disks are encrypted with CSEKs | HIGH | LOW |
| BC_GCP_GENERAL_4 | Ensure GCP KMS encryption key is rotating every 90 days | CRITICAL | MEDIUM |
| BC_GCP_PUBLIC_2 | Ensure compute instances do not have public IPs | HIGH | MEDIUM |
| BC_GCP_IAM_1 | Ensure instances do not use default Compute Engine service account | HIGH | MEDIUM |
| BC_GCP_IAM_2 | Ensure instances do not use default service account with full access to cloud APIs | CRITICAL | MEDIUM |
| BC_GCP_LOGGING_1 | Ensure GCP VPC flow logs for the subnet is set to On | HIGH | MEDIUM |
| BC_AZR_NETWORKING_9 | Ensure MySQL server databases have Enforce SSL connection enabled | HIGH | MEDIUM |
| BC_AZR_NETWORKING_10 | Ensure Azure PostgreSQL database server with SSL connection is enabled | HIGH | MEDIUM |
| BC_AZR_NETWORKING_15 | Ensure Azure Storage Account default network access is set to Deny | CRITICAL | MEDIUM |
| BC_AZR_NETWORKING_16 | Ensure Azure Storage Account Trusted Microsoft Services access is enabled | HIGH | MEDIUM |
| BC_AZR_LOGGING_1 | Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days | HIGH | MEDIUM |
| BC_AZR_LOGGING_4 | Ensure storage logging for queue service has read, write, and delete requests enabled | HIGH | MEDIUM |
| BC_AZR_LOGGING_5 | Ensure activity log retention is set to 365 days or greater | HIGH | MEDIUM |
| BC_AZR_LOGGING_6 | Ensure log profile is configured to capture all activities | CRITICAL | LOW |
| BC_AZR_GENERAL_2 | Ensure Azure App Service Web app authentication is on | HIGH | MEDIUM |
| BC_AZR_GENERAL_5 | Ensure Send email notification for high severity alerts to admins is enabled | LOW | MEDIUM |
| BC_AZR_GENERAL_8 | Ensure MSSQL servers have email service and co-administrators enabled | HIGH | MEDIUM |
| BC_AZR_GENERAL_9 | Ensure standard pricing tier is selected | HIGH | MEDIUM |
| BC_AZR_GENERAL_11 | Ensure Azure Key Vault is recoverable | CRITICAL | MEDIUM |
| BC_AZR_KUBERNETES_1 | Ensure Azure AKS cluster monitoring is enabled | LOW | MEDIUM |
| BC_AZR_KUBERNETES_2 | Ensure Azure AKS enable RBAC is enforced | LOW | HIGH |
| BC_AWS_GENERAL_27 | Ensure CloudFront distribution has WAF enabled | HIGH | MEDIUM |
| BC_AWS_PUBLIC_11 | Ensure AWS MQ is not publicly accessible | HIGH | MEDIUM |
| BC_AWS_GENERAL_31 | Ensure Instance Metadata Service version 1 is not enabled | LOW | MEDIUM |
| BC_AZR_STORAGE_2 | Ensure storage account uses the latest version of TLS encryption | HIGH | MEDIUM |
| BC_GCP_IAM_10 | Ensure roles do not impersonate or manage Service Accounts used at project level | CRITICAL | MEDIUM |
| BC_GCP_SQL_9 | Ensure Cloud SQL SQL server instance database flag cross db ownership chaining is set to Off | LOW | MEDIUM |
| BC_GCP_SQL_10 | Ensure Cloud SQL SQL server instance contained database authentication database flag is set to Off | LOW | MEDIUM |
| BC_GCP_GCS_4 | Ensure bucket does not log to itself | MEDIUM | LOW |
| BC_AWS_GENERAL_62 | Ensure that AWS EMR clusters have Kerberos enabled | LOW | MEDIUM |
| BC_AWS_NETWORKING_38 | Ensure AWS SageMaker notebook instance is configured with direct internet access feature | HIGH | MEDIUM |
| BC_AWS_NETWORKING_43 | Ensure ELB has cross-zone-load-balancing enabled | LOW | MEDIUM |
| BC_AWS_GENERAL_55 | Ensure Redshift cluster is encrypted by KMS | LOW | MEDIUM |
| BC_AZR_GENERAL_46 | Ensure Azure Security Center Defender is set to On for servers | HIGH | MEDIUM |
| BC_AZR_GENERAL_47 | Ensure Azure function app authentication is on | LOW | MEDIUM |
| BC_AZR_NETWORKING_19 | Ensure storage accounts have secure transfer enabled | HIGH | MEDIUM |
| BC_AZR_GENERAL_50 | Ensure Azure Security Center Defender is set to On for app service | HIGH | MEDIUM |
| BC_AZR_GENERAL_52 | Ensure function app uses the latest HTTP version | LOW | MEDIUM |
| BC_AZR_GENERAL_53 | Ensure Azure Security Center Defender is set to On for Azure SQL database servers | HIGH | MEDIUM |
| BC_AZR_NETWORKING_21 | Ensure function apps are only accessible over HTTPS | LOW | MEDIUM |
| BC_AZR_GENERAL_56 | Ensure Azure Defender is set to On for SQL servers on machines | HIGH | MEDIUM |
| BC_AZR_GENERAL_61 | Ensure Azure Security Center Defender is set to On for storage | HIGH | MEDIUM |
| BC_AZR_GENERAL_64 | Ensure Azure Security Center Defender set to On for Key Vault | HIGH | MEDIUM |
| BC_AZR_GENERAL_40 | Ensure key vault enables purge protection | LOW | MEDIUM |
| BC_AZR_NETWORKING_35 | Ensure Azure virtual machine NIC has IP forwarding disabled | LOW | MEDIUM |
| BC_AZR_NETWORKING_38 | Ensure Azure front door has WAF enabled | LOW | MEDIUM |
| BC_AZR_LOGGING_12 | Ensure the storage container storing activity logs is not publicly accessible | LOW | MEDIUM |
| BC_AZR_GENERAL_69 | Ensure SQL servers enable data security policy | LOW | MEDIUM |
| BC_GCP_KUBERNETES_18 | Enable VPC flow logs and intranode visibility | LOW | MEDIUM |
| BC_GCP_KUBERNETES_19 | Ensure GCP Kubernetes Engine Clusters are configured with private nodes feature | LOW | MEDIUM |
| BC_GCP_KUBERNETES_21 | Ensure use of binary authorization | LOW | MEDIUM |
| BC_GCP_KUBERNETES_22 | Ensure GCP Kubernetes Engine Clusters have legacy compute engine metadata endpoints disabled | LOW | MEDIUM |
| BC_GCP_KUBERNETES_17 | Ensure secure boot for shielded GKE nodes is enabled | LOW | MEDIUM |
| BC_GCP_KUBERNETES_24 | Ensure shielded GKE nodes are enabled | LOW | MEDIUM |
| BC_GCP_KUBERNETES_25 | Ensure integrity monitoring for shielded GKE nodes is enabled | LOW | MEDIUM |
| BC_GCP_KUBERNETES_16 | Ensure Kubernetes engine cluster nodes do not have default service account for project access | LOW | MEDIUM |
| BC_GCP_NETWORKING_13 | Ensure GCP project is not configured with legacy network | LOW | MEDIUM |
| BC_GCP_LOGGING_4 | Ensure GCP log bucket retention policy is configured using bucket lock | LOW | MEDIUM |
| BC_GCP_LOGGING_5 | Ensure GCP project audit logging is configured properly across all services and all users in a project | LOW | MEDIUM |
| BC_AZR_NETWORKING_46 | Ensure Front Door WAF prevents message lookup in Log4j2 | CRITICAL | MEDIUM |
| BC_AZR_NETWORKING_47 | Ensure Application Gateway WAF prevents message lookup in Log4j2 | CRITICAL | MEDIUM |
| BC_GCP_NETWORKING_14 | Ensure Cloud Armor prevents message lookup in Log4j2 | CRITICAL | MEDIUM |
| BC_AWS_NETWORKING_63 | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | LOW | MEDIUM |
| BC_OCI_Storage_1 | Ensure OCI Block Storage Block Volume has backup enabled | LOW | HIGH |
| BC_OCI_STORAGE_2 | Ensure OCI Block Storage Block Volumes are encrypted with a Customer Managed Key (CMK) | LOW | HIGH |
| BC_OCI_COMPUTE_1 | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | LOW | HIGH |
| BC_OCI_COMPUTE_2 | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | LOW | HIGH |
| BC_OCI_LOGGING_1 | Ensure OCI Compute Instance has monitoring enabled | LOW | HIGH |
| BC_OCI_STORAGE_3 | Ensure OCI Object Storage bucket can emit object events | LOW | HIGH |
| BC_OCI_STORAGE_4 | Ensure OCI Object Storage has versioning enabled | LOW | HIGH |
| BC_OCI_STORAGE_5 | Ensure OCI Object Storage is encrypted with Customer Managed Key | LOW | HIGH |
| BC_OCI_STORAGE_6 | Ensure OCI Object Storage is not Public | LOW | HIGH |
| BC_OCI_IAM_1 | Ensure OCI IAM password policy contains lowercase characters | LOW | HIGH |
| BC_OCI_IAM_2 | Ensure OCI IAM password policy contains numeric characters | LOW | HIGH |
| BC_OCI_IAM_3 | Ensure OCI IAM password policy contains symbols | LOW | HIGH |
| BC_OCI_IAM_4 | Ensure OCI IAM password policy contains uppercase characters | LOW | HIGH |
| BC_OCI_STORAGE_7 | Ensure OCI File System is Encrypted with a customer Managed Key | LOW | HIGH |
| BC_OCI_NETWORKING_1 | Ensure VCN has an inbound security list | LOW | HIGH |
| BC_OCI_NETWORKING_2 | Ensure VCN inbound security lists are stateless | LOW | HIGH |
| BC_OCI_IAM_5 | Ensure OCI IAM password policy has a minimum length of 14 characters | LOW | HIGH |