Jump to Content
Home
Documentation
Recipes
API Reference
Changelog
Platform
Resources
Sign in
Sign Up
Platform
Resources
Sign in
Sign Up
Home
Documentation
Recipes
API Reference
Changelog
Search
Welcome
What is Bridgecrew?
Prerequisites
Open Source
Get Started
Sign Up
Integrate with Code Repositories
Integrate with GitHub
Integrate with Bitbucket
Integrate with GitLab Self-Managed
Integrate with GitLab
Integrate with GitHub Server
Integrate with Bitbucket Server
Integrate with Azure Repos
Integrate with Cloud Providers
Integrate with AWS
Integrate with Google Cloud Platform
Integrate with Microsoft Azure
Integrate with CI/CD Systems
Terraform Cloud (Sentinel)
Terraform Cloud (Run Tasks)
Github Actions
Jenkins
CircleCI
AWS CodeBuild
Checkov
Bridgecrew CLI
GitHub Code Scanning
GitLab Runner
Azure Pipelines
Kubernetes Clusters
AWS CDK templates
Kubernetes Admission Controller
Terraform Enterprise (Sentinel)
Terraform Enterprise (Run Tasks)
Integrate with IDE
Visual Studio Code
Jetbrains
Integrate with Kubernetes
Integrate with Private Registries
Integrate with Artifactory
Code Analysis
Infrastructure-as-Code
Images
Open Source (SCA)
Secrets
Supply Chain
Code-to-Cloud
Drift Detection
Unmanaged Resource Detection
Unused Resource Detection
Advanced Setup
Plan & Track
Dashboard
Incidents
Projects
Development Pipelines
Resource Explorer
Enforcement
Compliance Reports
Code Repository Badges
Custom Policies
Definition Structure
Visual Editor
Code Editor
Examples (Code-Based)
Fix
IaC Resources
Runtime Resources
Suppress
Create Issue
Manage Tags
Traceability
Manage Tag Rules
Integrations
API Access
SBOM Generation
Organization Management
Notification Systems
Set Up Slack
Set Up Jira
Set Up Splunk
Weekly Email Messages
SSO Systems
OneLogin
Azure AD
ADFS On-Premises
Okta
User Management
Billing
What Happens If My Payment Failed?
How do I delete my account?
AWS Policies
AWS Policy Index
General Policies
Ensure QLDB ledger has deletion protection enabled
Ensure EC2 instances have tags
Ensure EBS volumes are attached to an instance
Ensure AWS EBS volumes are encrypted
Ensure AWS RDS DB cluster encryption is enabled
Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication
Ensure DynamoDB PITR is enabled
Ensure all data stored in the EBS snapshot is securely encrypted
Ensure ECR image scan on push is enabled
Ensure AWS ElastiCache Redis cluster with encryption for data at rest is enabled
Ensure AWS ElastiCache Redis cluster with in-transit encryption is enabled
Ensure data stored in the ElastiCache Replication Group is securely encrypted in-transit
Ensure Instances and Launch configurations use encrypted EBS volumes
Ensure all data stored in SageMaker is securely encrypted at rest
Ensure SNS topic uses a Custom Master Key
Ensure AWS SQS server side encryption is enabled
Ensure AWS EFS with encryption for data at rest is enabled
Ensure Neptune storage is securely encrypted
Ensure all unused Elastic IPs are deleted
Ensure unused network interfaces are deleted
Ensure unused Elastic Load Balancers are deleted
Ensure AWS Kinesis streams are encrypted using SSE
Ensure DAX is securely encrypted at rest
Ensure ECR image tags are immutable
Ensure AWS Redshift cluster is encrypted
Ensure AWS resources that support tags have Tags
Ensure CloudFront distribution has WAF enabled
Ensure DocumentDB is encrypted at rest
Ensure Athena Database is encrypted at rest
Ensure CodeBuild project encryption is not disabled (Artifacts)
Ensure Instance Metadata Service version 1 is not enabled
Ensure MSK cluster encryption at rest and in transit is enabled
Ensure Athena workgroup prevents disabling encryption
Ensure instances with scheduled reboots are rescheduled or manually rebooted
Ensure PGAudit is enabled on RDS Postgres instances
Ensure Glue Data Catalog encryption is enabled
Ensure all data stored in Aurora is securely encrypted at rest
Ensure EFS volumes in ECS task definitions have encryption in transit enabled
Ensure AWS SageMaker notebook instance is configured with data encryption at rest using KMS key
Ensure AWS Glue security configuration encryption is enabled
Ensure Neptune cluster instance is not publicly available
Ensure AWS Load Balancer is using TLS 1.2
Ensure API gateway caching is enabled
Ensure DynamoDB Tables have Auto Scaling enabled
Ensure Amazon ElastiCache Redis clusters have automatic backup turned on
Ensure RDS instances have backup policy
Ensure Amazon EFS has an AWS Backup backup plan
Ensure RDS clusters have an AWS Backup backup plan
Ensure EBS has an AWS Backup backup plan
Ensure KMS has a rotation policy
Ensure DynamoDB tables are encrypted
Ensure ECR repositories are encrypted
Ensure RDS global clusters are encrypted
Ensure Redshift cluster is encrypted by KMS
Ensure S3 buckets are encrypted with KMS by default
Ensure Secret Manager secret is encrypted using KMS
Ensure only encrypted EBS volumes are attached to EC2 instances
Ensure load balancer has deletion protection enabled
Ensure that AWS EMR clusters have Kerberos enabled
Ensure AWS Lambda function is configured for function-level concurrent execution limit
Ensure AWS Lambda function is configured for a DLQ
Ensure AWS Lambda function is configured inside a VPC
Ensure GuardDuty is enabled to specific org/region
Ensure Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager
Ensure that EC2 is EBS optimized
Ensure RDS clusters and instances have deletion protection enabled
Ensure Redshift cluster allow version upgrade by default
Ensure S3 bucket has lock configuration enabled by default
Ensure S3 bucket has cross-region replication enabled
Ensure RDS instances have Multi-AZ enabled
Ensure Route 53 DNS service modifications are detected
Ensure provisioned resources are not manually modified
Ensure DocDB has audit logs enabled
Ensure Redshift uses SSL
Ensure Session Manager data is encrypted in transit
Ensure that RDS database cluster snapshot is encrypted
Ensure that CodeBuild projects are encrypted
Ensure that Secrets Manager secret is encrypted using KMS CMK
Ensure EBS default encryption is enabled
Autoscaling groups should supply tags to launch configurations
Ensure that Workspace user volumes are encrypted
Ensure that Workspace root volumes are encrypted
Ensure that CloudWatch Log Group is encrypted by KMS
Ensure that Athena Workgroup is encrypted
Ensure that Timestream database is encrypted with KMS CMK
Ensure Dynamodb point in time recovery is enabled for global tables
Ensure Backup Vault is encrypted at rest using KMS CMK
Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it
Ensure SQS queue policy is not public by only allowing specific services or principals to access it
Ensure SNS topic policy is not public by only allowing specific services or principals to access it
Ensure EMR Cluster security configuration encryption uses SSE-KMS
Ensure Route53 A Record has an attached resource
Ensure Postgres RDS has Query Logging enabled
Ensure QLDB ledger permissions mode is set to STANDARD
Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK)
Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK)
Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK)
Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK)
Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK)
Ensure Doc DB is encrypted by KMS using a customer managed Key (CMK)
Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK)
Ensure EFS file system is encrypted by KMS using a customer managed Key (CMK)
Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK)
Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)
Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)
Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK)
Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK)
Ensure RedShift Cluster is encrypted by KMS using a customer managed Key
Ensure Glue component has a security configuration associated
Ensure Glue component has a security configuration associated
Ensure Postgres RDS has Query Logging enabled
Ensure Session Manager logs are enabled and encrypted
Ensure MQ Broker minor version updates are enabled
Ensure AWS Codecommit is associated with an approval rule
Ensure AWS Kinesis Firehose Delivery Streams are encrypted with CMK
Ensure AWS FSX openzfs file system is encrypted by AWS' Key Management Service (KMS) using a Customer Managed Key (CMK)
Ensure AWS DLM cross-region events are encrypted with a Customer Managed Key (CMK)
Ensure AWS RDS uses a modern CaCert
Ensure AWS Cloudsearch uses HTTPS
Ensure AWS MQBroker version is up to date
Ensure AWS DB instance gets all minor upgrades automatically
Ensure AWS Key Management Service (KMS) key is enabled
Ensure AWS AMI copying uses a Customer Managed Key (CMK)
Ensure AWS DLM cross-region schedules are encrypted using a Customer Managed Key (CMK)
Ensure AWS Batch Job is not defined as a privileged container
Ensure AWS MemoryDB is encrypted at rest by AWS' Key Management Service KMS using CMKs
Ensure AWS Code Artifact Domain is encrypted by KMS using a Customer Managed Key (CMK)
Ensure AWS API Gateway caching is enabled
Ensure AWS Terraform does not send SSM secrets to untrusted domains over HTTP
Ensure AWS RDS PostgreSQL instances use a non-vulnerable version of log_fdw extension
Ensure AWS RedShift Cluster is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
Ensure AWS AuthType for your Lambda function URLs is defined
Ensure AWS Codecommit branch changes have at least 2 approvals
Ensure AWS CloudFront response header policy enforces Strict Transport Security
Ensure AWS Cloudsearch uses the latest (Transport Layer Security) TLS
Ensure AWS DLM-cross region schedules are encrypted
Ensure AWS Glue component is associated with a security configuration
Ensure AWS API Gateway Domain uses a modern security policy
Ensure AWS AppSync is protected by WAF
Ensure AWS Appsync API Cache is encrypted in transit
Ensure AWS DMS instance receives all minor updates automatically
Ensure AWS replicated backups are encrypted at rest by Key Management Service (KMS) using a Customer Managed Key (CMK)
Ensure AWS SSM Parameter is encrypted
Ensure AWS DAX cluster endpoint uses (Transport Layer Security) TLS
Ensure AWS API deployments enable Create before Destroy
Ensure AWS GuardDuty detector is enabled
Ensure AWS EBS Volume is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
Ensure AWS Cloudfront distribution is enabled
Ensure AWS Image Builder Distribution Configuration is encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK)
Ensure AWS RDS Cluster activity streams are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)
Ensure AWS Elasticsearch domain uses an updated TLS policy
Ensure AWS API GATEWAY enables Create before Destroy
Ensure AWS AMIs are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)
Ensure AWS Kinesis Firehose's delivery stream is encrypted
Ensure AWS all data stored in the Elasticsearch domain is encrypted using a Customer Managed Key (CMK)
Ensure AWS Appsync API Cache is encrypted at rest
Ensure AWS copied AMIs are encrypted
Ensure AWS cluster logging is encrypted using a Customer Managed Key (CMK)
Ensure AWS MQBroker is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
Ensure AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
Ensure AWS DLM cross-region events are encrypted
Ensure AWS Image Recipe EBS Disk are encrypted using a Customer Managed Key (CMK)
Ensure AWS API Gateway method settings enable caching
Ensure AWS MemoryDB data is encrypted in transit
Ensure AWS AMI launch permissions are limited
Ensure AWS AppSync has field-level logs enabled
Ensure AWS MWAA environment has worker logs enabled
Ensure AWS MWAA environment has scheduler logs enabled
Ensure AWS AppSync's logging is enabled
Ensure AWS MWAA environment has webserver logs enabled
Ensure AWS ECS Cluster enables logging of ECS Exec
Ensure AWS CloudTrail logging is enabled
Ensure AWS ACM certificates has logging preference
Ensure AWS MQBroker audit logging is enabled
Ensure AWS CloudTrail defines an SNS Topic
Ensure AWS App Flow flow uses Customer Managed Keys (CMKs)
Ensure AWS App Flow connector profile uses Customer Managed Keys (CMKs)
Ensure AWS HTTP and HTTPS target groups define health check
Ensure AWS RDS DB snapshot uses Customer Managed Keys (CMKs)
Ensure AWS Keyspace Table uses Customer Managed Keys (CMKs)
Ensure AWS Kendra index server side encryption uses Customer Managed Keys (CMKs)
Ensure AWS Config recorder is enabled to record all supported resources
Ensure AWS Config must record all possible resources
Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled
IAM Policies
Ensure using AWS Account root user is avoided
Ensure MFA is enabled for all IAM users with a console password
Ensure credentials unused for 90 days or greater are disabled
Ensure access keys are rotated every 90 days or less
Ensure AWS IAM password policy has an uppercase character
Ensure AWS IAM password policy has a lowercase character
Ensure AWS IAM password policy has a symbol
Ensure AWS IAM password policy has a number
Ensure AWS IAM password policy has a minimum of 14 characters
Ensure AWS IAM password policy does not allow password reuse
Ensure AWS IAM password policy expires in 90 days or less
Ensure no root account access key exists
Ensure MFA is enabled for root account
Ensure hardware MFA for root account is enabled
Ensure security questions are registered in the AWS account
Ensure IAM policies are only attached to Groups and Roles
Ensure detailed billing is enabled
Ensure AWS account contact details are up-to-date
Ensure security contact information is registered
Ensure IAM instance roles are used for AWS resource access from instances
Ensure an IAM role has been created to manage incidents with AWS Support
Ensure access keys are not created during initial user setup for IAM users with a console password
Ensure IAM policies that allow full administrative privileges are not created
Ensure access keys are rotated every 30 days or less
Ensure access keys are rotated every 45 days or less
Ensure active access keys are used every 90 days or less
Ensure IAM users that are inactive for 30 days or more are deactivated
Ensure unused IAM Users and Roles for 90 days are removed
Ensure user accounts unused for 90 days are removed
Ensure AWS roles with administrative privileges unused for 90 days are removed
Ensure user accounts with administrative privileges unused for 90 days are removed
Ensure empty IAM groups are removed
Ensure unattached policies are removed
Ensure unused policies are detached from users
Ensure unused policies are detached from roles
Ensure unused policies are detached from groups
Ensure IAM policy documents do not allow * (asterisk) as a statement's action
Ensure IAM role allows only specific services or principals to be assumed
Ensure AWS IAM policy does not allow assume role permission across all services
Ensure SQS policy documents do not allow * (asterisk) as a statement's action
Ensure AWS IAM policy does not allow full administrative privileges
Ensure IAM policy documents do not allow * (asterisk) as a statement's action
Ensure excessive permissions are not granted for IAM users
Ensure excessive permissions are not granted for IAM roles
Ensure excessive permissions are not granted for IAM groups
Ensure excessive permissions are not granted for IAM policy
Ensure credentials unused for 180 days or greater are disabled
Ensure IAM policies do not allow credentials exposure for ECR
Ensure IAM policies do not allow data exfiltration
Ensure IAM policies do not allow permissions management / resource exposure without constraint
Ensure IAM policies does not allow write access without constraint
Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Ensure respective logs of Amazon RDS are enabled
Ensure IAM groups include at least one IAM user
Ensure all IAM users are members of at least one IAM group
Ensure IAM configuration modifications are detected
Ensure IAM policies does not allow privilege escalation
Ensure RDS database has IAM authentication enabled
Ensure RDS cluster has IAM authentication enabled
Ensure an IAM User does not have access to the console
Ensure KMS key policy does not contain wildcard (*) principal
Ensure the AWS Execution Role ARN and Task Role ARN are different in ECS Task definitions
Ensure an IAM role is attached to EC2 instance
Ensure S3 Bucket does not allow access to all Authenticated users
Ensure AWS Cloudfront Distribution with S3 have Origin Access set to enabled
Kubernetes Policies
Ensure AWS EKS cluster security group is not overly permissive to all traffic
Ensure AWS EKS cluster endpoint access is publicly disabled
Ensure AWS EKS cluster has secrets encryption enabled
Ensure AWS EKS control plane logging is enabled
Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0
Ensure Kubernetes secrets are encrypted using CMKs managed in AWS KMS
Logging Policies
Ensure AWS CloudTrail is enabled in all regions
Ensure AWS CloudTrail log validation is enabled in all regions
Ensure the S3 bucket used to store CloudTrail logs does not have public access
Ensure CloudTrail and CloudWatch logs are integrated
Ensure AWS config is enabled in all regions
Ensure CloudTrail S3 bucket access logging is enabled
Ensure AWS CloudTrail logs are encrypted using CMKs
Ensure AWS CMK rotation is enabled
Ensure AWS VPC Flow logs are enabled
Ensure Amazon MQ Broker logging is enabled
Ensure container insights are enabled on ECS cluster
Ensure AWS Redshift database has audit logging enabled
Ensure CloudWatch log groups specify retention days
Ensure CloudTrail logging in All Regions is enabled
Ensure API Gateway has X-Ray tracing enabled
Ensure Global Accelerator has Flow logs enabled
Ensure API Gateway has access logging enabled
Ensure Amazon MSK cluster logging is enabled
Ensure AWS DocumentDB logging is enabled
Ensure AWS CloudFront distribution has access logging enabled
Ensure CloudWatch logs are encrypted at rest using KMS CMKs
Ensure AWS ELB (Classic) with access log is enabled
Ensure the ELB has access logging enabled
Ensure Neptune logging is enabled
Ensure AWS CloudFormation stacks are sending event notifications to an SNS topic
Ensure detailed monitoring for EC2 instances is enabled
Ensure CloudTrail trail is integrated with CloudWatch Log
Ensure enhanced monitoring for Amazon RDS instances is enabled
Ensure API Gateway stage have logging level defined appropriately
Ensure API Gateway V2 has Access Logging enabled
Ensure Logging is enabled for WAF Web Access Control Lists
Ensure Postgres RDS as aws_db_instance has Query Logging enabled
Ensure WAF2 has a Logging Configuration
Networking Policies
Ensure AWS Security Group does not allow all traffic on SSH port 22
Ensure Security Groups do not allow ingress from 0.0.0.0/0 to port 3389
Ensure AWS Default Security Group restricts all traffic
Ensure VPC peering routing tables have least access
Ensure EC2 instances do not have security groups attached
Ensure AWS VPC endpoints are not exposed
Ensure Security Groups do not have unrestricted access
Ensure Security Groups accept traffic only from ports 80 and 443
Ensure EC2 instance does not have unrestricted security group attached
Ensure RDS database does not have unrestricted security group attached
Ensure network interface does not have unrestricted security group attached
Ensure classical load balancer does not have unrestricted security group attached
Ensure application load balancer does not have unrestricted security group attached
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 9300 (Elasticsearch)
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 5601 (Kibana)
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 6379 (Redis)
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 2379 (etcd)
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
Do not use default settings of a VPC
Ensure Internet-facing ELBs are whitelisted
Ensure ALB protocol is HTTPS
Ensure every Security Group rule has a description
Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS
Ensure CloudFront distributions do not use deprecated SSL protocols
Ensure ELBs do not allow insecure SSL protocols or ciphers
Ensure EC2 instances behind load balancers are not publicly accessible
Ensure ELBs use SSL listeners
Ensure DocDB TLS is not disabled
Ensure AWS SageMaker notebook instance is configured with direct internet access feature
Ensure VPC endpoint service is configured for manual acceptance
Ensure Amazon EMR clusters' security groups are not open to the world
Ensure that ALB drops HTTP headers
Ensure that Elasticsearch is configured inside a VPC
Ensure ELB has cross-zone-load-balancing enabled
Ensure Amazon Redshift clusters are not publicly accessible
Ensure auto scaling groups associated with a load balancer use elastic load balancing health checks
Ensure AWS EC2 instance is configured with VPC
Ensure all EIP addresses allocated to a VPC are attached to EC2 instances
Ensure ALB redirects HTTP requests into HTTPS ones
Ensure all NACL are attached to subnets
Ensure Security Groups are attached to EC2 instances or ENIs
Ensure S3 Bucket has public access blocks
Security Group modifications detected
Ensure public facing ALB are protected by AWS Web Application Firewall v2 (AWS WAFv2)
Ensure public API gateway are protected by AWS Web Application Firewall v2 (AWS WAFv2)
Ensure VPC subnets do not assign public IP by default
Ensure no default VPC is planned to be provisioned
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
Ensure Redshift is not deployed outside of a VPC
Ensure Transfer Server is not exposed publicly
Ensure WAF prevents message lookup in Log4j2
Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
Ensure CloudFront distribution has a strict security headers policy attached
Ensure WAF has associated rules
Ensure AWS security groups do not allow ingress from 0.0.0.0/0 to port 80
Ensure AWS Elasticache security groups are defined
Ensure AWS ACM certificate enables Create before Destroy
Ensure AWS Elasticsearch does not use the default security group
Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 21
Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 3389
Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 22
Ensure AWS RDS security groups are defined
Ensure AWS ELB Policy uses only secure protocols
Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 20
Ensure AWS NAT Gateways are utilized for the default route
Ensure AWS Security Group does not allow all traffic on all ports
Ensure AWS CloudFront distribution uses custom SSL certificate
Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic
Ensure AWS Database Migration Service endpoints have SSL configured
Public Policies
Ensure AWS ECR repository is not exposed to public
Ensure AWS RDS database instance is not publicly accessible
Ensure Elasticsearch domains are not publicly accessible
Ensure SQS queue policy is not publicly accessible
Ensure SNS topic policy is not publicly accessible
Ensure API gateway methods are not publicly accessible
Ensure EBS snapshots are not publicly accessible
Ensure EC2 AMIs are not publicly accessible
Ensure Amazon Redshift clusters are not publicly accessible
Ensure RDS instances are not publicly accessible
Ensure AWS MQ is not publicly accessible
Ensure AWS EC2 instances aren't automatically made public with a public IP
Ensure DMS replication instance is not publicly accessible
Elasticsearch Policies
Ensure AWS Elasticsearch domain encryption for data at rest is enabled
Ensure AWS Elasticsearch has node-to-node encryption enabled
Ensure AWS Elasticsearch domains have EnforceHTTPS enabled
Ensure AWS Elasticsearch domain logging is enabled
Monitoring Policies
Ensure a log metric filter and alarm exist for unauthorized API calls
Ensure a log metric filter and alarm exist for management console sign-in without MFA
Ensure a log metric filter and alarm exist for root account use
Ensure a log metric filter and alarm exist for IAM policy changes
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Ensure a log metric filter and alarm exist for AWS Management console authentication failures
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Ensure a log metric filter and alarm exist for Security Group changes
Ensure a log metric filter and alarm exist for changes to NACLs
Ensure a log metric filter and alarm exist for changes to network gateways
Ensure a log metric filter and alarm exist for route table changes
Ensure a log metric filter and alarm exist for VPC changes
S3 Policies
Ensure bucket ACL does not grant READ permission to everyone
Ensure AWS S3 bucket is not publicly writable
Ensure bucket ACL does not grant READ_ACP permission to everyone
Ensure bucket ACL does not grant WRITE_ACP permission to everyone
Ensure bucket ACL does not grant FULL_CONTROL permission to everyone
Ensure bucket ACL does not grant READ permission to AWS users
Ensure bucket ACL does not grant WRITE permission to AWS users
Ensure bucket ACL does not grant READ_ACP permission to AWS users
Ensure bucket ACL does not grant WRITE_ACP permission to AWS users
Ensure bucket ACL does not grant FULL_CONTROL permission to AWS users
Ensure S3 bucket policy does not grant Allow permission to everyone
Ensure AWS access logging is enabled on S3 buckets
Ensure data stored in the S3 bucket is securely encrypted at rest
Ensure data is transported from the S3 bucket securely
Ensure AWS S3 object versioning is enabled
Ensure bucket policy does not grant Write permissions to public
Ensure S3 bucket has block public ACLS enabled
Ensure S3 Bucket BlockPublicPolicy is set to True
Ensure S3 bucket IgnorePublicAcls is set to True
Ensure S3 bucket RestrictPublicBucket is set to True
Ensure S3 bucket does not allow an action with any Principal
Ensure S3 bucket MFA Delete is enabled
Ensure S3 bucket modifications can be detected
Secrets Policies
Ensure EC2 user data does not expose secrets
Ensure CloudFormation outputs do not expose secrets
Ensure Lambda function's environment variables do not expose secrets
Ensure ECS task definition variables do not expose secrets
Ensure AWS access keys and secrets are not hard coded in infrastructure
Serverless Policies
Serverless Lambda policy modifications detected
Ensure Lambda function does not have Admin privileges
Ensure Lambda function does not have cross account access
Lambda function should not have same IAM role for more than one Lambda function
Ensure AWS Lambda functions with tracing are enabled
Check encryption settings for Lambda environmental variable
Kubernetes Policies
Kubernetes Policy Index
Do not admit containers wishing to share host process ID namespace
Do not admit privileged containers
Do not admit containers wishing to share host IPC namespace
Do not admit containers wishing to share host network namespace
Do not admit root containers
Do not admit containers with NET_RAW capability
Ensure liveness probe is configured
Ensure readiness probe is configured
Ensure CPU request is set
Ensure CPU limits are set
Ensure memory requests are set
Ensure memory limits are set
Ensure image tag is set to Fixed - not Latest or Blank
Ensure image pull policy is set to Always
Ensure container is not privileged
Ensure containers do not share host process ID namespace
Ensure containers do not share host IPC namespace
Ensure containers do not share the host network namespace
Ensure containers do not run with AllowPrivilegeEscalation
Ensure default namespace is not used
Use Read-Only filesystem for containers where possible
Minimize admission of root containers
Ensure containers with added capability are not allowed
Ensure admission of containers with added capability is minimized
Do not specify hostPort unless absolutely necessary
Limit mounting Docker socket daemon in a container
Ensure admission of containers with NET_RAW capability is minimized
Ensure securityContext is applied to pods and containers
Ensure seccomp is set to Docker/Default or Runtime/Default
Ensure seccomp profile is set to Docker/Default or Runtime/Default
Ensure Kubernetes dashboard is not deployed
Ensure Tiller (Helm V2) is not deployed
Use secrets as files instead of environment variables
Ensure admission of containers with capabilities assigned is limited
Ensure service account tokens are mounted where necessary
Ensure CAP_SYS_ADMIN Linux capability is not used
Ensure containers run with a high UID to avoid host conflict
Ensure default service accounts are not actively used
Ensure images are selected using a digest
Ensure Tiller (Helm V2) deployment is not accessible from within the cluster
Ensure Tiller (Helm v2) service is deleted
Ensure containers do not run with AllowPrivilegeEscalation
Ensure securityContext is applied to pods and containers
Minimize the admission of containers with capabilities assigned
Ensure that default service accounts are not actively used by bounding to a role or cluster role
Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately for API servers
Ensure Kubelet only uses strong cryptographic ciphers
Ensure the --etcd-cafile argument is set appropriately
Ensure encryption providers are appropriately configured
Ensure the API server makes use of strong cryptographic ciphers
Ensure the --terminated-pod-gc-threshold argument for controller managers is set appropriately
Ensure the --profiling argument for controller managers is set to False
Ensure the --use-service-account-credentials argument for controller managers is set to True
Ensure the --service-account-private-key-file argument for controller managers is set appropriately
Ensure the --root-ca-file argument for controller managers is set appropriately
Ensure the RotateKubeletServerCertificate argument for controller managers is set to True
Ensure the --bind-address argument for controller managers is set to 127.0.0.1
Ensure the --profiling argument is set to False
Ensure the --bind-address argument is set to 127.0.0.1
Ensure the --cert-file and --key-file arguments are set appropriately
Ensure the --client-cert-auth argument is set to True
Ensure the --auto-tls argument is not set to True
Ensure the --peer-cert-file and --peer-key-file arguments are set appropriately
Ensure the --peer-client-cert-auth argument is set to True
Ensure the --peer-auto-tls argument is not set to True
Ensure the --anonymous-auth argument is set to False
Ensure the --authorization-mode argument is not set to AlwaysAllow
Ensure the --client-ca-file argument for API Servers is set appropriately
Ensure the --read-only-port argument is set to 0
Ensure the --streaming-connection-idle-timeout argument is not set to 0
Ensure the --protect-kernel-defaults argument is set to True
Ensure the --make-iptables-util-chains argument is set to True
Ensure the --hostname-override argument is not set
Ensure the --event-qps argument is set to 0 or a level that ensures appropriate event capture
Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately for Kubelet
Ensure the --rotate-certificates argument is not set to False
Ensure the RotateKubeletServerCertificate argument for kubelets is set to True
Ensure the --anonymous-auth argument is set to False
Ensure the --basic-auth-file argument is not Set
Ensure the --token-auth-file argument is not Set
Ensure the --kubelet-https argument is set to True
Ensure the --kubelet-client-certificate and --kubelet-client-key arguments are set appropriately
Ensure the --kubelet-certificate-authority argument is set appropriately
Ensure the --authorization-mode argument is not set to AlwaysAllow
Ensure the --authorization-mode argument includes node
Ensure the --authorization-mode argument includes RBAC
Ensure the admission control plugin EventRateLimit is set
Ensure the admission control plugin AlwaysAdmit is not set
Ensure the admission control plugin AlwaysPullImages is set
Ensure the admission control plugin SecurityContextDeny is sSet if PodSecurityPolicy is not used
Ensure the admission control plugin ServiceAccount is set
Ensure the admission control plugin NamespaceLifecycle is set
Ensure the admission control plugin PodSecurityPolicy is set
Ensure the admission control plugin NodeRestriction is set
Ensure the --insecure-bind-address argument is not set
Ensure the --insecure-port argument is set to 0
Ensure the --secure-port argument is not set to 0
Ensure the --profiling argument is set to False
Ensure the --audit-log-path argument is set
Ensure the --audit-log-maxage argument is set to 30 or as appropriate
Ensure the --audit-log-maxbackup argument is set to 10 or as appropriate
Ensure the --audit-log-maxsize argument is set to 100 or as appropriate
Ensure the --request-timeout argument is set appropriately
Ensure the --service-account-lookup argument is set to True
Ensure the --service-account-key-file argument is set appropriately
Ensure the --etcd-certfile and --etcd-keyfile arguments are set appropriately
Ensure minimized wildcard use in Roles and ClusterRoles
Ensure ClusterRoles that grant control over validating or mutating admission webhook configurations are minimized
Ensure ClusterRoles that grant permissions to approve CertificateSigningRequests are minimized
Ensure Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings are minimized
Ensure Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRole are minimized
Prevent NGINX Ingress annotation snippets which contain LUA code execution
Prevent All NGINX Ingress annotation snippets
Prevent NGINX Ingress annotation snippets which contain alias statements
RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding
Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation
No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts
ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster
No ServiceAccount/Node should be able to read all secrets
Azure Policies
Azure Policy Index
General Policies
Ensure Azure VM data disk is encrypted with ADE/CMK
Ensure Azure App Service Web app authentication is On
Ensure a security contact phone number is present
Ensure Send email notification for high severity alerts is enabled
Ensure Send email notification for high severity alerts to admins is enabled
Ensure Azure SQL Server threat detection alerts are enabled for all threat types
Ensure Azure SQL server send alerts to field value is set
Ensure MSSQL servers have email service and co-administrators enabled
Ensure standard pricing tier is selected
Ensure all keys have an expiration date
Ensure Azure key vault is recoverable
Ensure a retention period of less than 90 days is specified
Ensure Azure Linux scale set uses an SSH key
Ensure Virtual Machine extensions are not installed
Ensure FTP Deployments are disabled
Ensure PostgreSQL server enables geo-redundant backups
Ensure key vault key is backed by HSM
Ensure MariaDB server enables geo-redundant backups
Ensure My SQL server enables geo-redundant backups
Ensure Virtual Machines are backed up using Azure backup
Ensure Cosmos DB accounts have customer-managed keys to encrypt data at rest
Ensure Data Lake Store accounts enable encryption
Ensure PostgreSQL server enables infrastructure encryption
Ensure Automation account variables are encrypted
Ensure Azure Data Explorer uses disk encryption
Ensure Azure Data Explorer uses double encryption
Ensure Azure Batch account uses key vault to encrypt data
Ensure managed disks use a specific set of disk encryption sets for customer-managed key encryption
Ensure MySQL server enables infrastructure encryption
Ensure Azure Data Factory uses Git repository for source control
Ensure key vault enables purge protection
Ensure key vault enables soft-delete
Ensure key vault secrets have content_type set
Ensure My SQL server enables Threat Detection policy
Ensure PostgreSQL server enables Threat Detection policy
Ensure Azure Security Center Defender is set to On for servers
Ensure Azure function app authentication is on
Ensure CORS disallows resource to access app services
Ensure security contact emails are set
Ensure Azure Security Center Defender is set to On for app service
Ensure CORS does not allow resources to access function apps
Ensure function app uses the latest HTTP version
Ensure Azure Security Center Defender is set to On for Azure SQL database servers
Ensure managed identity provider is enabled for app services
Ensure remote debugging is not enabled for app services
Ensure Azure Defender is set to On for SQL servers on machines
Ensure Azure App Service Web app uses the latest .Net Core version
Ensure Azure App Service Web app uses the latest PHP version
Ensure Azure App Service Web app uses the latest Python version
Ensure Azure App Service Web app uses the latest Java version
Ensure Azure Security Center Defender is set to On for storage
Ensure Azure Security Center Defender is set to On for Kubernetes
Ensure Azure Defender is set to On for container registries
Ensure Azure Security Center Defender set to On for Key Vault
Ensure app services use Azure files
Ensure Virtual Machines are utilizing managed disks
Ensure automatic OS image patching is enabled for Virtual Machine scale sets
Ensure Microsoft Antimalware is configured to automatically update Virtual Machines
Ensure SQL servers enable data security policy
Ensure Azure SQL server ADS Vulnerability Assessment is enabled
Ensure Azure SQL server ADS Vulnerability Assessment Periodic recurring scans is enabled
Ensure Azure SQL server ADS VA Send scan reports to is configured
Ensure Azure SQL server ADS VA Also send email notifications to admins and subscription owners is enabled
Ensure SQL servers have Azure Active Directory admin configured
Ensure Azure Virtual Machines are utilizing managed disks
Ensure Virtual Machine scale sets have encryption at host enabled
Ensure storage for critical data are encrypted with CMKs
Ensure Azure Data Explorer encryption at rest uses a customer-managed key
Ensure unattached disks are encrypted
Ensure Azure data factories are encrypted with a customer-managed key
Ensure MySQL server enables customer-managed key for encryption
Ensure PostgreSQL server enables customer-managed key for encryption
Ensure Azure storage account encryption CMKs are enabled
Ensure MSSQL is using the latest version of TLS encryption
Ensure MySQL is using the latest version of TLS encryption
Ensure that Active Directory is used for Service Fabric authentication
Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
Ensure that Service Fabric uses available three levels of protection available
Ensure Azure resources that support tags have Tags
Ensure Cognitive Services account encryption CMKs are enabled
Ensure Azure Virtual machine does not enable password authentication
Ensure Azure PostgreSQL Flexible Server enables geo-redundant backups
Ensure Azure data exfiltration protection for Azure Synapse workspace is enabled
Ensure Azure Client Certificates are enforced for API management
Ensure Azure Cognitive Services enables Customer Managed Keys (CMKs) for encryption
Ensure Azure built-in logging for Azure function app is enabled
Ensure Azure SQL Server has default auditing policy configured
IAM Policies
Ensure App Service is registered with an Azure Active Directory account
Ensure Azure subscriptions with custom roles have minimum permissions
Ensure Azure Kubernetes Service (AKS) local admin account is disabled
Ensure Azure ACR admin account is disabled
Ensure Azure Windows VM enables encryption
Ensure Azure CosmosDB has Local Authentication disabled
Ensure Azure Machine Learning Compute Cluster Local Authentication is disabled
Ensure Azure ACR disables anonymous image pulling
Kubernetes Policies
Ensure Azure AKS cluster monitoring is enabled
Ensure Azure AKS enable RBAC is enforced
Ensure AKS API server defines authorized IP ranges
Ensure AKS cluster network policies are enforced
Ensure Kubernetes dashboard is disabled
Ensure AKS enables private clusters
Ensure AKS uses Azure policies add-on
Ensure AKS uses disk encryption set
Logging Policies
Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days
Ensure Azure SQL server auditing is enabled
Ensure Azure SQL server audit log retention is greater than 90 days
Ensure storage logging for queue service has read, write, and delete requests enabled
Ensure activity log retention is set to 365 days or greater
Ensure log profile is configured to capture all activities
Ensure Azure storage account logging for tables is enabled
Ensure app service enables HTTP logging
Ensure app service enables detailed error messages
Ensure app service enables failed request tracing
Ensure Azure storage account logging for blobs is enabled
Ensure the storage container storing activity logs is not publicly accessible
Networking Policies
Ensure Azure instance authenticates using SSH keys
Ensure RDP Internet access is restricted
Ensure SSH Internet access is restricted
Ensure SQL databases do not allow ingress from 0.0.0.0/0
Ensure Azure App Service Web app redirects HTTP to HTTPS
Ensure Web App uses the latest version of TLS encryption
Ensure Web App has incoming client certificates enabled
Ensure Web App uses the latest version of HTTP
Ensure MySQL server databases have Enforce SSL connection enabled
Ensure Azure PostgreSQL database server with SSL connection is enabled
Ensure Azure PostgreSQL database server with log checkpoints parameter is enabled
Ensure Azure PostgreSQL database server with log connections parameter is enabled
Ensure Azure PostgreSQL database server with connection throttling parameter is enabled
Ensure public access level for Blob Containers is set to private
Ensure Azure Storage Account default network access is set to Deny
Ensure Azure Storage Account Trusted Microsoft Services access is enabled
Ensure MariaDB servers have Enforce SSL connection enabled
Ensure that Storage accounts disallow public access
Ensure storage accounts have secure transfer enabled
Ensure PostgreSQL server disables public network access
Ensure function apps are only accessible over HTTPS
Ensure UDP Services are restricted from the Internet
Ensure Azure cache for Redis has public network access disabled
Ensure only SSL are enabled for cache for Redis
Ensure Azure container container group is deployed into a virtual network
Ensure Cosmos DB accounts have restricted access
Ensure Azure Synapse workspaces have no IP firewall rules attached
Ensure Azure Cosmos DB disables public network access
Ensure Azure Data factory public network access is disabled
Ensure Azure Event Grid domain public network access is disabled
Ensure API management services use virtual networks
Ensure Azure IoT Hub disables public network access
Ensure key vault allows firewall rules settings
Ensure SQL server disables public network access
Ensure Azure virtual machine NIC has IP forwarding disabled
Ensure network interfaces do not use public IPs
Ensure Azure application gateway has WAF enabled
Ensure Azure front door has WAF enabled
Ensure application gateway uses WAF in Detection or Prevention modes
Ensure Azure front door uses WAF in Detection or Prevention modes
Ensure Azure Cognitive Search disables public network access
Ensure Azure file sync disables public network access
Ensure Azure Synapse Workspaces enable managed virtual networks
Ensure My SQL server disables public network access
Ensure 'public network access enabled' is set to False for mySQL servers
Ensure Front Door WAF prevents message lookup in Log4j2
Ensure Application Gateway WAF prevents message lookup in Log4j2
Ensure Cognitive Services disables public network access
Ensure Azure Databricks workspace is not public
Ensure Azure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot
Ensure Azure App's service slot uses the latest version of TLS encryption
Ensure Azure PostgreSQL uses the latest version of TLS encryption
Ensure Azure Machine Learning Workspace is not publicly accessible
Ensure Azure ACR is set to disable public networking
Ensure Azure Function app uses the latest version of TLS encryption
Ensure Azure Cognitive Services accounts disable public network access
Ensure Azure HTTP (port 80) access from the internet is restricted
Ensure Azure Spring Cloud API Portal Public Access is disabled
Ensure Azure Spring Cloud API Portal is enabled for HTTPS
Ensure Azure App service slot has debugging disabled
Ensure Azure Redis Cache uses the latest version of TLS encryption
Ensure Azure AKS cluster nodes do not have public IP addresses
Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)
Secrets Policies
Ensure AKV secrets have an expiration date set
Ensure secrets are not exposed in Azure VM customData
Storage Policies
Ensure Cosmos DB does not allow privileged escalation by restricting management plane changes
Ensure secure transfer required is enabled
Ensure storage account uses the latest version of TLS encryption
Ensure Storage Accounts adhere to the naming rules
Public Policies
Ensure MariaDB servers have public network access enabled set to False
Google Cloud Policies
Google Cloud Policy Index
General Policies
Ensure GCP VM disks are encrypted with CSEKs
Ensure boot disks for instances use CSEKs
Ensure compute instances launch with shielded VM enabled
Ensure GCP KMS encryption key is rotating every 90 days
Ensure incoming connections to Cloud SQL database instances use SSL
Ensure Cloud SQL database instances have backup configuration enabled
Ensure GCP BigQuery dataset is not publicly accessible
Ensure there are only GCP-managed service account keys for each service account
Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
Ensure GCP resources that support labels have Labels
Ensure GCP Memorystore for Redis has AUTH enabled
Ensure GCP Memorystore for Redis uses intransit encryption
Ensure GCP SQL database uses the latest Major version
Ensure GCP Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEKs)
Ensure GCP Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEKs)
Ensure GCP Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEKs)
Ensure GCP Vertex AI datasets use a Customer Manager Key (CMK)
Ensure GCP Vertex AI Metadata Store uses a Customer Manager Key (CMK)
Ensure GCP Pub/Sub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure GCP Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure GCP data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure GCP Artifact Registry repositories are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure GCP subnet has a private IP Google access
Ensure GCP Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure GCP KMS keys are protected from deletion
Ensure GCP data fusion instances are private
Ensure GCP cloud build workers are private
Ensure GCP DataFusion has stack driver monitoring enabled
Ensure GCP Cloud storage has versioning enabled
Ensure GCP DataFusion has stack driver logging enabled
IAM Policies
Ensure instances do not use default Compute Engine service account
Ensure instances do not use default service account with full access to cloud APIs
Ensure IAM users are not assigned Service Account User or Service Account Token creator roles at project level
Ensure Service Account does not have admin privileges
Ensure roles do not impersonate or manage Service Accounts used at folder level
Ensure roles do not impersonate or manage Service Accounts used at organizational level
Ensure default Service Account is not used at project level
Ensure default Service Account is not used at organization level
Ensure default Service Account is not used at folder level
Ensure roles do not impersonate or manage Service Accounts used at project level
Ensure a MySQL database instance does not allow anyone to connect with administrative privileges
Ensure GCP Cloud KMS Key Rings are not anonymously or publicly accessible
Kubernetes Policies
Ensure Stackdriver logging on Kubernetes engine clusters is enabled
Ensure ABAC authorization on Kubernetes engine clusters is disabled
Ensure GCP Kubernetes engine clusters have stackdriver logging enabled
Ensure GCP Kubernetes cluster node auto-repair configuration is enabled
Ensure GCP Kubernetes cluster node auto-upgrade configuration is enabled
Ensure private cluster is enabled when creating Kubernetes clusters
Ensure GCP Kubernetes engine clusters have network policy enabled
Ensure client certificate authentication to Kubernetes Engine Clusters is disabled
Ensure PodSecurityPolicy controller is enabled on Kubernetes engine clusters
Ensure GKE control plane is not public
Ensure GCP Kubernetes engine clusters have basic authentication disabled
Ensure master authorized networks are enabled in GKE clusters
Ensure GCP Kubernetes engine clusters have label information
Ensure GCP Kubernetes engine clusters are using Container-Optimized OS for node image
Ensure Kubernetes clusters are created with alias IP ranges enabled
Ensure Kubernetes engine cluster nodes do not have default service account for project access
Ensure secure boot for shielded GKE nodes is enabled
Enable VPC flow logs and intranode visibility
Ensure GCP Kubernetes Engine Clusters are configured with private nodes feature
Ensure Kubernetes RBAC users are managed with Google Groups for GKE
Ensure binary authorization is used
Ensure GCP Kubernetes engine clusters have legacy compute engine metadata endpoints disabled
Ensure the GKE metadata server is enabled
Ensure shielded GKE nodes are enabled
Ensure integrity monitoring for shielded GKE nodes is enabled
Ensure the GKE Release Channel is set
Logging Policies
Ensure GCP VPC flow logs for the subnet is set to On
Ensure GCP log bucket retention policy is configured using bucket lock
Ensure GCP project audit logging is configured properly across all services and all users in a project
Networking Policies
Ensure GCP Firewall rule does not allow all traffic on SSH port 22
Ensure GCP Firewall rule does not allow all traffic on RDP port 3389
Ensure GCP HTTPS load balancer is not configured with SSL policy having TLS version 1.1 or lower
Ensure Cloud SQL database instances are not publicly accessible
Ensure GCP Cloud DNS has DNSSEC enabled
Ensure RSASHA1 is not used for Zone-Signing and Key-Signing Keys in Cloud DNS DNSSEC
Ensure default network does not exist in a project
Ensure GCP VM instances have block project-wide SSH keys feature enabled
Ensure GCP projects have OS login enabled
Ensure project instance does not override the project setting enabling OSLogin
Ensure GCP VM instances do not have serial port access enabled
Ensure IP forwarding on instances is disabled
Ensure GCP project is not configured with legacy network
Ensure Cloud Armor prevents message lookup in Log4j2
Ensure GCP Firewall rule does not allow all traffic on MySQL port 3306
Ensure GCP compute firewall ingress does not allow unrestricted MySQL access
Ensure GCP Private Google Access is enabled for IPV6
Ensure GCP Google compute firewall ingress does not allow unrestricted HTTP port 80 access
Ensure GCP Google compute firewall ingress does not allow FTP port (20) access
Ensure GCP Google compute firewall ingress does not allow unrestricted FTP access
Ensure GCP compute firewall ingress does not allow unrestricted access to all ports
Ensure GCP Cloud Function HTTP trigger is secured
Ensure GCP GCR Container Vulnerability Scanning is enabled
Public Policies
Ensure GCP storage buckets are not publicly accessible to all authenticated users
Ensure compute instances do not have public IPs
Ensure GCP BigQuery Tables are not anonymously or publicly accessible
Ensure GCP Dataflow jobs are private
Ensure GCP Vertex AI instances are private
Ensure GCP Dataproc cluster is not anonymously or publicly accessible
Ensure GCP Cloud KMS cryptokey is not anonymously or publicly accessible
Ensure GCP Cloud Run services are not anonymously or publicly accessible
Ensure GCP Pub/Sub Topic is not anonymously or publicly accessible
Ensure GCP Artifact Registry repositories are not anonymously or publicly accessible
Ensure GCP Container Registry repositories are not anonymously or publicly accessible
Ensure GCP Dataproc Clusters do not have public IPs
Google Cloud Storage Policies
Ensure Google storage buckets are encrypted
Ensure GCP cloud storage bucket with uniform bucket-level access are enabled
Ensure bucket logs access
Ensure bucket does not log to itself
Cloud SQL Policies
Ensure GCP MySQL instance with local_infile database flag is disabled
Ensure Cloud SQL PostgreSQL instances have log_checkpoints database flag set to On
Ensure GCP PostgreSQL instance database flag log_connections is enabled
Ensure GCP PostgreSQL instance database flag log_disconnections is enabled
Ensure GCP PostgreSQL instance database flag log_lock_waits is enabled
Ensure GCP PostgreSQL instance database flag log_min_messages is set
Ensure GCP PostgreSQL instance database flag log_temp_files is set to 0
Ensure GCP PostgreSQL instance database flag log_min_duration_statement is set to -1
Ensure Cloud SQL SQL server instance database flag cross db ownership chaining is set to Off
Ensure Cloud SQL SQL server instance contained database authentication database flag is set to Off
Ensure Cloud SQL database instances do not have public IPs
Docker Policies
Docker Policy Index
Ensure port 22 is not exposed
Ensure healthcheck instructions have been added to container images
Ensure a user for the container has been created
Ensure update instructions are not used alone in a Dockerfile
Ensure Copy is used instead of Add in Dockerfiles
Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated)
Ensure the base image uses a non latest version tag
Ensure the last USER is not root
Ensure Docker From alias is unique for multistage builds
Ensure Docker WORKDIR values are absolute paths
Ensure Docker APT is not used
Git Policies
Secrets Policy Index
Artifactory Credentials
AWS Access Keys
Azure Storage Account Access Keys
Basic Auth Credentials
Cloudant Credentials
Base64 High Entropy String
IBM Cloud IAM Key
IBM COS HMAC Credentials
JSON Web Token
Secret Keyword
Mailchimp Access Key
NPM Token
Private Key
Slack Token
SoftLayer Credentials
Square OAuth Secret
Stripe Access Key
Twilio Access Key
Hex High Entropy String
Ensure GitHub repository is private
Airtable API Key
Algolia API Key
Alibaba Cloud Keys
Asana Token
Atlassian Oauth2 Keys
Auth0 Token
Bitbucket Token
Buildkite Agent Token
CircleCI Personal Token
Codecov API key
Coinbase Keys
Confluent Keys
Databricks Authentication Token
DigitalOcean Token
Discord Token
Doppler API Key
DroneCI Token
Dropbox App Credentials
Dynatrace Token
Elastic Email Key
Fastly Personal Token
FullStory API Key
GitHub Token
GitLab Token
Google Cloud Keys
Grafana Token
Terraform Cloud API Token
Heroku Platform Key
HubSpot API Key
Intercom Access Token
Jira Token
LaunchDarkly Personal Token
Netlify Token
New Relic Key
Notion Integration Token
Okta Token
PagerDuty Authorization Token
PlanetScale Token
Postman API Key
Pulumi Access Token
Python Package Index Key
RapidAPI Key
Readme API Key
RubyGems API Key
Sentry Token
Splunk User Credentials
Sumo Logic Keys
Telegram Bot Token
Travis Personal Token
Typeform API Token
Vault Unseal Key
Yandex Predictor API key
Cloudflare API Credentials
Vercel API Token
Webflow API Token
Scalr API Token
MongoDB Connection String
GCP Service Account Auth Key
Random string entropy detector
Braintree Payments Key
AWS MWS Auth Token
Paypal Token ID
Paypal Token Key
Braintree Payments ID
Braintree Access Token
OCI Policies
Compute Policies
Ensure OCI Compute Instance boot volume has in-transit data encryption enabled
Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled
Secrets Policies
Ensure no hard coded OCI private key in provider
Storage Policies
Ensure OCI Block Storage Block Volume has backup enabled
Ensure OCI Block Storage Block Volumes are encrypted with a Customer Managed Key (CMK)
Ensure OCI Object Storage bucket can emit object events
Ensure OCI Object Storage has versioning enabled
Ensure OCI Object Storage is encrypted with Customer Managed Key
Ensure OCI Object Storage is not Public
Ensure OCI File System is Encrypted with a customer Managed Key
Logging Policies
Ensure OCI Compute Instance has monitoring enabled
Networking Policies
Ensure VCN has an inbound security list
Ensure VCN inbound security lists are stateless
Ensure OCI security list does not allow ingress from 0.0.0.0/0 to port 3389
Ensure OCI security groups rules do not allow ingress from 0.0.0.0/0 to port 22
Ensure OCI security list does not allow ingress from 0.0.0.0/0 to port 22
Ensure OCI security group has stateless ingress security rules
IAM Policies
Ensure OCI IAM password policy contains lowercase characters
Ensure OCI IAM password policy contains numeric characters
Ensure OCI IAM password policy contains symbols
Ensure OCI IAM password policy contains uppercase characters
Ensure OCI IAM password policy has a minimum length of 14 characters
Alibaba Policies
Alibaba Policy Index
General Policies
Ensure Alibaba Cloud OSS bucket has Transfer Acceleration disabled
Ensure Alibaba Cloud OSS bucket is encrypted with Customer Master Key
Ensure Alibaba Cloud OSS bucket has versioning enabled
Ensure Alibaba Cloud Disk is encrypted with Customer Master Key
Ensure Alibaba Cloud OSS bucket is not public
Ensure Alibaba Cloud Disk is encrypted
Ensure Alibaba Cloud database instance is not public
Ensure Alibaba RDS instance has log_connections enabled
Ensure Alibaba Cloud RDS instance has log_duration enabled
Ensure Alibaba Cloud RDS instance has log_disconnections enabled
Ensure Alibaba Cloud launch template data disks are encrypted
Ensure Alibaba Cloud RDS instance is set to perform auto upgrades for minor versions
Ensure Alibaba Cloud KMS Key Rotation is enabled
Ensure Alibaba Cloud RDS log audit is enabled
Ensure Alibaba Cloud MongoDB has transparent data encryption enabled
IAM Policies
Ensure Alibaba Cloud RAM password policy requires at least one uppercase letter
Ensure Alibaba Cloud RAM password policy requires at least one number
Ensure Alibaba Cloud RAM password policy requires minimum length of 14 or greater
Ensure Alibaba Cloud RAM Account maximal login attempts is less than 5
Ensure Alibaba Cloud RAM password policy prevents password reuse
Ensure Alibaba Cloud RAM password policy requires at least one symbol
Ensure Alibaba Cloud RAM password policy requires at least one lowercase letter
Ensure Alibaba Cloud RAM password policy expires passwords within 90 days or less
Ensure Alibaba Cloud RAM enforces MFA
Kubernetes Policies
Ensure Alibaba Cloud Kubernetes installs plugin Terway or Flannel to support standard policies
Ensure Alibaba Cloud Kubernetes node pools are set to auto repair
Logging Policies
Ensure Alibaba Cloud Transparent Data Encryption is Enabled on instance
Ensure Alibaba Cloud OSS bucket has access logging enabled
Ensure Alibaba Cloud RDS Instance SQL Collector Retention Period should be greater than 180
Ensure Alibaba Cloud Action Trail Logging for all regions
Ensure Alibaba Cloud Action Trail Logging for all events
Networking Policies
Ensure no Alibaba Cloud security groups allow ingress from 0.0.0.0:0 to port 3389
Ensure no Alibaba Cloud security groups allow ingress from 0.0.0.0:0 to port 22
Ensure Alibaba Cloud RDS instance uses SSL
Ensure Alibaba Cloud API Gateway API Protocol uses HTTPS
Ensure Alibaba Cloud Cypher Policy is secured
Ensure Alibaba Cloud MongoDB instance uses SSL
Ensure Alibaba cloud ALB ACL restricts public access
Ensure Alibaba Cloud MongoDB instance is not public
Ensure Alibaba Cloud MongoDB is deployed inside a VPC
Bridgecrew Policies
General
Bridgecrew provider has hard-coded API token
Open source vulnerabilities
Open Source package License Compliance
Open Source Package Unknown License
Open Source Policies
Supported Language Index
Docker
Go
HCL
Java
JavaScript
Kotlin
Python
Ruby
YAML
Build Integrity Policies
GitHub Policies
Ensure GitHub organization security settings require 2FA
Ensure GitHub organization security settings require SSO
Ensure GitHub organization security settings has IP allow list enabled
Ensure GitHub branch protection rules requires signed commits
Ensure GitHub pull requests have at least 2 approvals
Ensure GitHub repository webhooks use HTTPs
Ensure GitHub branch protection rules requires linear history
Ensure the GitHub repository has at least 2 admins set
Ensure GitHub branch protection rules are enforced on administrators
Ensure GitHub organization webhooks use HTTPs
Ensure GitHub repository is Private
Ensure GitHub repository has vulnerability alerts enabled
Ensure GitHub Actions secrets are encrypted
Ensure GitHub branch protection dismisses stale review on new commit
Ensure GitHub branch protection restricts who can dismiss PR reviews
Ensure GitHub branch protection requires CODEOWNER reviews
Ensure GitHub branch protection requires status checks
Ensure GitHub branch protection requires conversation resolution
Ensure GitHub branch protection requires push restrictions
Ensure GitHub branch protection rules does not allow deletions
GitLab Policies
Ensure all Gitlab groups require two factor authentication
Ensure Gitlab branch protection rules do not allow force pushes
Ensure Gitlab project merge requests has at least 2 approvals
Ensure Gitlab project prevents secrets
Ensure GitLab projects commits are signed
GitHub Actions Policies
Ensure GitHub ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables
Ensure Github run commands are not vulnerable to shell injection
Suspicious use of curl with secrets
Suspicious use of netcat with IP address
Ensure GitHub Actions artifact build has cosign - sign execution in pipeline
Ensure GitHub Actions artifact build has SBOM attestation in pipeline
Ensure GitHub Actions does not contain workflow_dispatch inputs parameters
Bitbucket Policies
Ensure BitBucket pull requests require at least 2 approvals
GitLab CI Policies
Suspicious use of curl with CI environment variables in script
Avoid creating rules that generate double pipelines
Azure Pipelines Policies
Ensure container job uses a non latest version tag
Ensure container job uses a version digest
Ensure set variable is not marked as a secret
OpenStack Policies
Ensure OpenStack firewall rule has destination IP configured
Ensure OpenStack instance does not use basic credentials
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp)
API Policies
OpenAPI Policies
Ensure that securityDefinitions is defined and not empty
Ensure that if the security scheme is not of type 'oauth2', the array value must be empty
Ensure that security schemes don't allow cleartext credentials over unencrypted channel
Ensure that the global security field has rules defined
Ensure that security operations is not empty
Ensure that security requirement defined in securityDefinitions
General
Suggest Edits
Updated almost 2 years ago
