Jump to Content
Bridegecrew
HomeDocumentationRecipesAPI ReferenceChangelog
PlatformResourcesSign inSign UpBridegecrew
PlatformResourcesSign inSign Up
HomeDocumentationRecipesAPI ReferenceChangelog

Welcome

  • What is Bridgecrew?
  • Prerequisites
  • Open Source

Get Started

  • Sign Up
  • Integrate with Code Repositories
    • Integrate with GitHub
    • Integrate with Bitbucket
    • Integrate with GitLab Self-Managed
    • Integrate with GitLab
    • Integrate with GitHub Server
    • Integrate with Bitbucket Server
    • Integrate with Azure Repos
  • Integrate with Cloud Providers
    • Integrate with AWS
    • Integrate with Google Cloud Platform
    • Integrate with Microsoft Azure
  • Integrate with CI/CD Systems
    • Terraform Cloud (Sentinel)
    • Terraform Cloud (Run Tasks)
    • Github Actions
    • Jenkins
    • CircleCI
    • AWS CodeBuild
    • Checkov
    • Bridgecrew CLI
    • GitHub Code Scanning
    • GitLab Runner
    • Azure Pipelines
    • Kubernetes Clusters
    • AWS CDK templates
    • Kubernetes Admission Controller
    • Terraform Enterprise (Sentinel)
    • Terraform Enterprise (Run Tasks)
  • Integrate with IDE
    • Visual Studio Code
    • Jetbrains
  • Integrate with Kubernetes

Code Analysis

  • Infrastructure-as-Code
  • Images
  • Open Source (SCA)
  • Secrets
  • Supply Chain
  • Code-to-Cloud
    • Drift Detection
    • Unmanaged Resource Detection
    • Unused Resource Detection

Advanced Setup

  • Plan & Track
    • Dashboard
    • Incidents
    • Projects
    • Development Pipelines
    • Resource Explorer
    • Enforcement
    • Compliance Reports
    • Code Repository Badges
  • Custom Policies
    • Definition Structure
    • Visual Editor
    • Code Editor
    • Examples (Code-Based)
  • Fix
    • IaC Resources
    • Runtime Resources
    • Suppress
    • Create Issue
  • Manage Tags
    • Traceability
    • Manage Tag Rules
  • Integrations
  • API Access
  • SBOM Generation

Organization Management

  • Notification Systems
    • Set Up Slack
    • Set Up Jira
    • Set Up Splunk
    • Weekly Email Messages
  • SSO Systems
    • OneLogin
    • Azure AD
    • ADFS On-Premises
    • Okta
  • User Management
  • Billing
    • What Happens If My Payment Failed?
    • How do I delete my account?

AWS Policies

  • AWS Policy Index
  • General Policies
    • Ensure QLDB ledger has deletion protection enabled
    • Ensure EC2 instances have tags
    • Ensure EBS volumes are attached to an instance
    • Ensure AWS EBS volumes are encrypted
    • Ensure AWS RDS DB cluster encryption is enabled
    • Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication
    • Ensure DynamoDB PITR is enabled
    • Ensure all data stored in the EBS snapshot is securely encrypted
    • Ensure ECR image scan on push is enabled
    • Ensure AWS ElastiCache Redis cluster with encryption for data at rest is enabled
    • Ensure AWS ElastiCache Redis cluster with in-transit encryption is enabled
    • Ensure data stored in the ElastiCache Replication Group is securely encrypted in-transit
    • Ensure Instances and Launch configurations use encrypted EBS volumes
    • Ensure all data stored in SageMaker is securely encrypted at rest
    • Ensure AWS SNS topic has SSE enabled
    • Ensure AWS SQS server side encryption is enabled
    • Ensure AWS EFS with encryption for data at rest is enabled
    • Ensure Neptune storage is securely encrypted
    • Ensure all unused Elastic IPs are deleted
    • Ensure unused network interfaces are deleted
    • Ensure unused Elastic Load Balancers are deleted
    • Ensure AWS Kinesis streams are encrypted using SSE
    • Ensure DAX is securely encrypted at rest
    • Ensure ECR image tags are immutable
    • Ensure AWS Redshift cluster is encrypted
    • Ensure AWS resources that support tags have Tags
    • Ensure CloudFront distribution has WAF enabled
    • Ensure DocumentDB is encrypted at rest
    • Ensure Athena Database is encrypted at rest
    • Ensure CodeBuild project encryption is not disabled (Artifacts)
    • Ensure Instance Metadata Service version 1 is not enabled
    • Ensure MSK cluster encryption at rest and in transit is enabled
    • Ensure Athena workgroup prevents disabling encryption
    • Ensure instances with scheduled reboots are rescheduled or manually rebooted
    • Ensure PGAudit is enabled on RDS Postgres instances
    • Ensure Glue Data Catalog encryption is enabled
    • Ensure all data stored in Aurora is securely encrypted at rest
    • Ensure EFS volumes in ECS task definitions have encryption in transit enabled
    • Ensure AWS SageMaker notebook instance is configured with data encryption at rest using KMS key
    • Ensure AWS Glue security configuration encryption is enabled
    • Ensure Neptune cluster instance is not publicly available
    • Ensure AWS Load Balancer is using TLS 1.2
    • Ensure API gateway caching is enabled
    • Ensure DynamoDB Tables have Auto Scaling enabled
    • Ensure Amazon ElastiCache Redis clusters have automatic backup turned on
    • Ensure RDS instances have backup policy
    • Ensure Amazon EFS has an AWS Backup backup plan
    • Ensure RDS clusters have an AWS Backup backup plan
    • Ensure EBS has an AWS Backup backup plan
    • Ensure KMS has a rotation policy
    • Ensure DynamoDB tables are encrypted
    • Ensure ECR repositories are encrypted
    • Ensure RDS global clusters are encrypted
    • Ensure Redshift cluster is encrypted by KMS
    • Ensure S3 buckets are encrypted with KMS by default
    • Ensure Secret Manager secret is encrypted using KMS
    • Ensure only encrypted EBS volumes are attached to EC2 instances
    • Ensure load balancer has deletion protection enabled
    • Ensure that AWS EMR clusters have Kerberos enabled
    • Ensure AWS Lambda function is configured for function-level concurrent execution limit
    • Ensure AWS Lambda function is configured for a DLQ
    • Ensure AWS Lambda function is configured inside a VPC
    • Ensure GuardDuty is enabled to specific org/region
    • Ensure Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager
    • Ensure that EC2 is EBS optimized
    • Ensure RDS clusters and instances have deletion protection enabled
    • Ensure Redshift cluster allow version upgrade by default
    • Ensure S3 bucket has lock configuration enabled by default
    • Ensure S3 bucket has cross-region replication enabled
    • Ensure RDS instances have Multi-AZ enabled
    • Ensure Route 53 DNS service modifications are detected
    • Ensure provisioned resources are not manually modified
    • Ensure DocDB has audit logs enabled
    • Ensure Redshift uses SSL
    • Ensure Session Manager data is encrypted in transit
    • Ensure that RDS database cluster snapshot is encrypted
    • Ensure that CodeBuild projects are encrypted
    • Ensure that Secrets Manager secret is encrypted using KMS CMK
    • Ensure EBS default encryption is enabled
    • Autoscaling groups should supply tags to launch configurations
    • Ensure that Workspace user volumes are encrypted
    • Ensure that Workspace root volumes are encrypted
    • Ensure that CloudWatch Log Group is encrypted by KMS
    • Ensure that Athena Workgroup is encrypted
    • Ensure that Timestream database is encrypted with KMS CMK
    • Ensure Dynamodb point in time recovery is enabled for global tables
    • Ensure Backup Vault is encrypted at rest using KMS CMK
    • Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it
    • Ensure SQS queue policy is not public by only allowing specific services or principals to access it
    • Ensure SNS topic policy is not public by only allowing specific services or principals to access it
    • Ensure EMR Cluster security configuration encryption uses SSE-KMS
    • Ensure Route53 A Record has an attached resource
    • Ensure Postgres RDS has Query Logging enabled
    • Ensure QLDB ledger permissions mode is set to STANDARD
    • Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK)
    • Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK)
    • Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK)
    • Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK)
    • Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK)
    • Ensure Doc DB is encrypted by KMS using a customer managed Key (CMK)
    • Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK)
    • Ensure EFS file system is encrypted by KMS using a customer managed Key (CMK)
    • Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK)
    • Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)
    • Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)
    • Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK)
    • Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
    • Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK)
    • Ensure RedShift Cluster is encrypted by KMS using a customer managed Key
    • Ensure Glue component has a security configuration associated
    • Ensure Glue component has a security configuration associated
    • Ensure Postgres RDS has Query Logging enabled
    • Ensure Session Manager logs are enabled and encrypted
    • Ensure MQ Broker minor version updates are enabled
    • Ensure AWS Codecommit is associated with an approval rule
    • Ensure AWS Kinesis Firehose Delivery Streams are encrypted with CMK
    • Ensure AWS FSX openzfs file system is encrypted by AWS' Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS DLM cross-region events are encrypted with a Customer Managed Key (CMK)
    • Ensure AWS RDS uses a modern CaCert
    • Ensure AWS Cloudsearch uses HTTPS
    • Ensure AWS MQBroker version is up to date
    • Ensure AWS DB instance gets all minor upgrades automatically
    • Ensure AWS Key Management Service (KMS) key is enabled
    • Ensure AWS AMI copying uses a Customer Managed Key (CMK)
    • Ensure AWS DLM cross-region schedules are encrypted using a Customer Managed Key (CMK)
    • Ensure AWS Batch Job is not defined as a privileged container
    • Ensure AWS MemoryDB is encrypted at rest by AWS' Key Management Service KMS using CMKs
    • Ensure AWS Code Artifact Domain is encrypted by KMS using a Customer Managed Key (CMK)
    • Ensure AWS API Gateway caching is enabled
    • Ensure AWS Terraform does not send SSM secrets to untrusted domains over HTTP
    • Ensure AWS RDS PostgreSQL instances use a non-vulnerable version of log_fdw extension
    • Ensure AWS RedShift Cluster is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS AuthType for your Lambda function URLs is defined
    • Ensure AWS Codecommit branch changes have at least 2 approvals
    • Ensure AWS CloudFront response header policy enforces Strict Transport Security
    • Ensure AWS Cloudsearch uses the latest (Transport Layer Security) TLS
    • Ensure AWS DLM-cross region schedules are encrypted
    • Ensure AWS Glue component is associated with a security configuration
    • Ensure AWS API Gateway Domain uses a modern security policy
    • Ensure AWS AppSync is protected by WAF
    • Ensure AWS Appsync API Cache is encrypted in transit
    • Ensure AWS DMS instance receives all minor updates automatically
    • Ensure AWS replicated backups are encrypted at rest by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS SSM Parameter is encrypted
    • Ensure AWS DAX cluster endpoint uses (Transport Layer Security) TLS
    • Ensure AWS API deployments enable Create before Destroy
    • Ensure AWS GuardDuty detector is enabled
    • Ensure AWS EBS Volume is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS Cloudfront distribution is enabled
    • Ensure AWS Image Builder Distribution Configuration is encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS RDS Cluster activity streams are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)
    • Ensure AWS Elasticsearch domain uses an updated TLS policy
    • Ensure AWS API GATEWAY enables Create before Destroy
    • Ensure AWS AMIs are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)
    • Ensure AWS Kinesis Firehose's delivery stream is encrypted
    • Ensure AWS all data stored in the Elasticsearch domain is encrypted using a Customer Managed Key (CMK)
    • Ensure AWS Appsync API Cache is encrypted at rest
    • Ensure AWS copied AMIs are encrypted
    • Ensure AWS cluster logging is encrypted using a Customer Managed Key (CMK)
    • Ensure AWS MQBroker is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS DLM cross-region events are encrypted
    • Ensure AWS Image Recipe EBS Disk are encrypted using a Customer Managed Key (CMK)
    • Ensure AWS API Gateway method settings enable caching
    • Ensure AWS MemoryDB data is encrypted in transit
    • Ensure AWS AMI launch permissions are limited
    • Ensure AWS AppSync has field-level logs enabled
    • Ensure AWS MWAA environment has worker logs enabled
    • Ensure AWS MWAA environment has scheduler logs enabled
    • Ensure AWS AppSync's logging is enabled
    • Ensure AWS MWAA environment has webserver logs enabled
    • Ensure AWS ECS Cluster enables logging of ECS Exec
    • Ensure AWS CloudTrail logging is enabled
    • Ensure AWS ACM certificates has logging preference
    • Ensure AWS MQBroker audit logging is enabled
    • Ensure AWS CloudTrail defines an SNS Topic
    • Ensure AWS App Flow flow uses Customer Managed Keys (CMKs)
    • Ensure AWS App Flow connector profile uses Customer Managed Keys (CMKs)
    • Ensure AWS HTTP and HTTPS target groups define health check
    • Ensure AWS RDS DB snapshot uses Customer Managed Keys (CMKs)
    • Ensure AWS Keyspace Table uses Customer Managed Keys (CMKs)
    • Ensure AWS Kendra index server side encryption uses Customer Managed Keys (CMKs)
    • Ensure AWS Config recorder is enabled to record all supported resources
    • Ensure AWS Config must record all possible resources
    • Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
    • Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled
  • IAM Policies
    • Ensure using AWS Account root user is avoided
    • Ensure MFA is enabled for all IAM users with a console password
    • Ensure credentials unused for 90 days or greater are disabled
    • Ensure access keys are rotated every 90 days or less
    • Ensure AWS IAM password policy has an uppercase character
    • Ensure AWS IAM password policy has a lowercase character
    • Ensure AWS IAM password policy has a symbol
    • Ensure AWS IAM password policy has a number
    • Ensure AWS IAM password policy has a minimum of 14 characters
    • Ensure AWS IAM password policy does not allow password reuse
    • Ensure AWS IAM password policy expires in 90 days or less
    • Ensure no root account access key exists
    • Ensure MFA is enabled for root account
    • Ensure hardware MFA for root account is enabled
    • Ensure security questions are registered in the AWS account
    • Ensure IAM policies are only attached to Groups and Roles
    • Ensure detailed billing is enabled
    • Ensure AWS account contact details are up-to-date
    • Ensure security contact information is registered
    • Ensure IAM instance roles are used for AWS resource access from instances
    • Ensure an IAM role has been created to manage incidents with AWS Support
    • Ensure access keys are not created during initial user setup for IAM users with a console password
    • Ensure IAM policies that allow full administrative privileges are not created
    • Ensure access keys are rotated every 30 days or less
    • Ensure access keys are rotated every 45 days or less
    • Ensure active access keys are used every 90 days or less
    • Ensure IAM users that are inactive for 30 days or more are deactivated
    • Ensure unused IAM Users and Roles for 90 days are removed
    • Ensure user accounts unused for 90 days are removed
    • Ensure AWS roles with administrative privileges unused for 90 days are removed
    • Ensure user accounts with administrative privileges unused for 90 days are removed
    • Ensure empty IAM groups are removed
    • Ensure unattached policies are removed
    • Ensure unused policies are detached from users
    • Ensure unused policies are detached from roles
    • Ensure unused policies are detached from groups
    • Ensure IAM policy documents do not allow * (asterisk) as a statement's action
    • Ensure IAM role allows only specific services or principals to be assumed
    • Ensure AWS IAM policy does not allow assume role permission across all services
    • Ensure SQS policy documents do not allow * (asterisk) as a statement's action
    • Ensure AWS IAM policy does not allow full administrative privileges
    • Ensure IAM policy documents do not allow * (asterisk) as a statement's action
    • Ensure excessive permissions are not granted for IAM users
    • Ensure excessive permissions are not granted for IAM roles
    • Ensure excessive permissions are not granted for IAM groups
    • Ensure excessive permissions are not granted for IAM policy
    • Ensure credentials unused for 180 days or greater are disabled
    • Ensure IAM policies do not allow credentials exposure for ECR
    • Ensure IAM policies do not allow data exfiltration
    • Ensure IAM policies do not allow permissions management / resource exposure without constraint
    • Ensure IAM policies does not allow write access without constraint
    • Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
    • Ensure respective logs of Amazon RDS are enabled
    • Ensure IAM groups include at least one IAM user
    • Ensure all IAM users are members of at least one IAM group
    • Ensure IAM configuration modifications are detected
    • Ensure IAM policies does not allow privilege escalation
    • Ensure RDS database has IAM authentication enabled
    • Ensure RDS cluster has IAM authentication enabled
    • Ensure an IAM User does not have access to the console
    • Ensure KMS key policy does not contain wildcard (*) principal
    • Ensure the AWS Execution Role ARN and Task Role ARN are different in ECS Task definitions
    • Ensure an IAM role is attached to EC2 instance
    • Ensure S3 Bucket does not allow access to all Authenticated users
    • Ensure AWS Cloudfront Distribution with S3 have Origin Access set to enabled
  • Kubernetes Policies
    • Ensure AWS EKS cluster security group is not overly permissive to all traffic
    • Ensure AWS EKS cluster endpoint access is publicly disabled
    • Ensure AWS EKS cluster has secrets encryption enabled
    • Ensure AWS EKS control plane logging is enabled
    • Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0
    • Ensure Kubernetes secrets are encrypted using CMKs managed in AWS KMS
  • Logging Policies
    • Ensure AWS CloudTrail is enabled in all regions
    • Ensure AWS CloudTrail log validation is enabled in all regions
    • Ensure the S3 bucket used to store CloudTrail logs does not have public access
    • Ensure CloudTrail and CloudWatch logs are integrated
    • Ensure AWS config is enabled in all regions
    • Ensure CloudTrail S3 bucket access logging is enabled
    • Ensure AWS CloudTrail logs are encrypted using CMKs
    • Ensure AWS CMK rotation is enabled
    • Ensure AWS VPC Flow logs are enabled
    • Ensure Amazon MQ Broker logging is enabled
    • Ensure container insights are enabled on ECS cluster
    • Ensure AWS Redshift database has audit logging enabled
    • Ensure CloudWatch log groups specify retention days
    • Ensure CloudTrail logging in All Regions is enabled
    • Ensure API Gateway has X-Ray tracing enabled
    • Ensure Global Accelerator has Flow logs enabled
    • Ensure API Gateway has access logging enabled
    • Ensure Amazon MSK cluster logging is enabled
    • Ensure AWS DocumentDB logging is enabled
    • Ensure AWS CloudFront distribution has access logging enabled
    • Ensure CloudWatch logs are encrypted at rest using KMS CMKs
    • Ensure AWS ELB (Classic) with access log is enabled
    • Ensure the ELB has access logging enabled
    • Ensure Neptune logging is enabled
    • Ensure AWS CloudFormation stacks are sending event notifications to an SNS topic
    • Ensure detailed monitoring for EC2 instances is enabled
    • Ensure CloudTrail trail is integrated with CloudWatch Log
    • Ensure enhanced monitoring for Amazon RDS instances is enabled
    • Ensure API Gateway stage have logging level defined appropriately
    • Ensure API Gateway V2 has Access Logging enabled
    • Ensure Logging is enabled for WAF Web Access Control Lists
    • Ensure Postgres RDS as aws_db_instance has Query Logging enabled
    • Ensure WAF2 has a Logging Configuration
  • Networking Policies
    • Ensure AWS Security Group does not allow all traffic on SSH port 22
    • Ensure Security Groups do not allow ingress from 0.0.0.0/0 to port 3389
    • Ensure AWS Default Security Group restricts all traffic
    • Ensure VPC peering routing tables have least access
    • Ensure EC2 instances do not have security groups attached
    • Ensure AWS VPC endpoints are not exposed
    • Ensure Security Groups do not have unrestricted access
    • Ensure Security Groups accept traffic only from ports 80 and 443
    • Ensure EC2 instance does not have unrestricted security group attached
    • Ensure RDS database does not have unrestricted security group attached
    • Ensure network interface does not have unrestricted security group attached
    • Ensure classical load balancer does not have unrestricted security group attached
    • Ensure application load balancer does not have unrestricted security group attached
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 9300 (Elasticsearch)
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 5601 (Kibana)
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 6379 (Redis)
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 2379 (etcd)
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
    • Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
    • Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
    • Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
    • Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
    • Do not use default settings of a VPC
    • Ensure Internet-facing ELBs are whitelisted
    • Ensure ALB protocol is HTTPS
    • Ensure every Security Group rule has a description
    • Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS
    • Ensure CloudFront distributions do not use deprecated SSL protocols
    • Ensure ELBs do not allow insecure SSL protocols or ciphers
    • Ensure EC2 instances behind load balancers are not publicly accessible
    • Ensure ELBs use SSL listeners
    • Ensure DocDB TLS is not disabled
    • Ensure AWS SageMaker notebook instance is configured with direct internet access feature
    • Ensure VPC endpoint service is configured for manual acceptance
    • Ensure Amazon EMR clusters' security groups are not open to the world
    • Ensure that ALB drops HTTP headers
    • Ensure that Elasticsearch is configured inside a VPC
    • Ensure ELB has cross-zone-load-balancing enabled
    • Ensure Amazon Redshift clusters are not publicly accessible
    • Ensure auto scaling groups associated with a load balancer use elastic load balancing health checks
    • Ensure AWS EC2 instance is configured with VPC
    • Ensure all EIP addresses allocated to a VPC are attached to EC2 instances
    • Ensure ALB redirects HTTP requests into HTTPS ones
    • Ensure all NACL are attached to subnets
    • Ensure Security Groups are attached to EC2 instances or ENIs
    • Ensure S3 Bucket has public access blocks
    • Security Group modifications detected
    • Ensure public facing ALB are protected by AWS Web Application Firewall v2 (AWS WAFv2)
    • Ensure public API gateway are protected by AWS Web Application Firewall v2 (AWS WAFv2)
    • Ensure VPC subnets do not assign public IP by default
    • Ensure no default VPC is planned to be provisioned
    • Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
    • Ensure Redshift is not deployed outside of a VPC
    • Ensure Transfer Server is not exposed publicly
    • Ensure WAF prevents message lookup in Log4j2
    • Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
    • Ensure CloudFront distribution has a strict security headers policy attached
    • Ensure WAF has associated rules
    • Ensure AWS security groups do not allow ingress from 0.0.0.0/0 to port 80
    • Ensure AWS Elasticache security groups are defined
    • Ensure AWS ACM certificate enables Create before Destroy
    • Ensure AWS Elasticsearch does not use the default security group
    • Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 21
    • Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 3389
    • Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 22
    • Ensure AWS RDS security groups are defined
    • Ensure AWS ELB Policy uses only secure protocols
    • Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 20
    • Ensure AWS NAT Gateways are utilized for the default route
    • Ensure AWS Security Group does not allow all traffic on all ports
    • Ensure AWS CloudFront distribution uses custom SSL certificate
    • Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic
    • Ensure AWS Database Migration Service endpoints have SSL configured
  • Public Policies
    • Ensure AWS ECR repository is not exposed to public
    • Ensure AWS RDS database instance is not publicly accessible
    • Ensure Elasticsearch domains are not publicly accessible
    • Ensure SQS queue policy is not publicly accessible
    • Ensure SNS topic policy is not publicly accessible
    • Ensure API gateway methods are not publicly accessible
    • Ensure EBS snapshots are not publicly accessible
    • Ensure EC2 AMIs are not publicly accessible
    • Ensure Amazon Redshift clusters are not publicly accessible
    • Ensure RDS instances are not publicly accessible
    • Ensure AWS MQ is not publicly accessible
    • Ensure AWS EC2 instances aren't automatically made public with a public IP
    • Ensure DMS replication instance is not publicly accessible
  • Elasticsearch Policies
    • Ensure AWS Elasticsearch domain encryption for data at rest is enabled
    • Ensure AWS Elasticsearch has node-to-node encryption enabled
    • Ensure AWS Elasticsearch domains have EnforceHTTPS enabled
    • Ensure AWS Elasticsearch domain logging is enabled
  • Monitoring Policies
    • Ensure a log metric filter and alarm exist for unauthorized API calls
    • Ensure a log metric filter and alarm exist for management console sign-in without MFA
    • Ensure a log metric filter and alarm exist for root account use
    • Ensure a log metric filter and alarm exist for IAM policy changes
    • Ensure a log metric filter and alarm exist for CloudTrail configuration changes
    • Ensure a log metric filter and alarm exist for AWS Management console authentication failures
    • Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
    • Ensure a log metric filter and alarm exist for S3 bucket policy changes
    • Ensure a log metric filter and alarm exist for AWS Config configuration changes
    • Ensure a log metric filter and alarm exist for Security Group changes
    • Ensure a log metric filter and alarm exist for changes to NACLs
    • Ensure a log metric filter and alarm exist for changes to network gateways
    • Ensure a log metric filter and alarm exist for route table changes
    • Ensure a log metric filter and alarm exist for VPC changes
  • S3 Policies
    • Ensure bucket ACL does not grant READ permission to everyone
    • Ensure AWS S3 bucket is not publicly writable
    • Ensure bucket ACL does not grant READ_ACP permission to everyone
    • Ensure bucket ACL does not grant WRITE_ACP permission to everyone
    • Ensure bucket ACL does not grant FULL_CONTROL permission to everyone
    • Ensure bucket ACL does not grant READ permission to AWS users
    • Ensure bucket ACL does not grant WRITE permission to AWS users
    • Ensure bucket ACL does not grant READ_ACP permission to AWS users
    • Ensure bucket ACL does not grant WRITE_ACP permission to AWS users
    • Ensure bucket ACL does not grant FULL_CONTROL permission to AWS users
    • Ensure S3 bucket policy does not grant Allow permission to everyone
    • Ensure AWS access logging is enabled on S3 buckets
    • Ensure data stored in the S3 bucket is securely encrypted at rest
    • Ensure data is transported from the S3 bucket securely
    • Ensure AWS S3 object versioning is enabled
    • Ensure bucket policy does not grant Write permissions to public
    • Ensure S3 bucket has block public ACLS enabled
    • Ensure S3 Bucket BlockPublicPolicy is set to True
    • Ensure S3 bucket IgnorePublicAcls is set to True
    • Ensure S3 bucket RestrictPublicBucket is set to True
    • Ensure S3 bucket does not allow an action with any Principal
    • Ensure S3 bucket MFA Delete is enabled
    • Ensure S3 bucket modifications can be detected
  • Secrets Policies
    • Ensure EC2 user data does not expose secrets
    • Ensure CloudFormation outputs do not expose secrets
    • Ensure Lambda function's environment variables do not expose secrets
    • Ensure ECS task definition variables do not expose secrets
    • Ensure AWS access keys and secrets are not hard coded in infrastructure
  • Serverless Policies
    • Serverless Lambda policy modifications detected
    • Ensure Lambda function does not have Admin privileges
    • Ensure Lambda function does not have cross account access
    • Lambda function should not have same IAM role for more than one Lambda function
    • Ensure AWS Lambda functions with tracing are enabled
    • Check encryption settings for Lambda environmental variable

Kubernetes Policies

  • Kubernetes Policy Index
    • Do not admit containers wishing to share host process ID namespace
    • Do not admit privileged containers
    • Do not admit containers wishing to share host IPC namespace
    • Do not admit containers wishing to share host network namespace
    • Do not admit root containers
    • Do not admit containers with NET_RAW capability
    • Ensure liveness probe is configured
    • Ensure readiness probe is configured
    • Ensure CPU request is set
    • Ensure CPU limits are set
    • Ensure memory requests are set
    • Ensure memory limits are set
    • Ensure image tag is set to Fixed - not Latest or Blank
    • Ensure image pull policy is set to Always
    • Ensure container is not privileged
    • Ensure containers do not share host process ID namespace
    • Ensure containers do not share host IPC namespace
    • Ensure containers do not share the host network namespace
    • Ensure containers do not run with AllowPrivilegeEscalation
    • Ensure default namespace is not used
    • Use Read-Only filesystem for containers where possible
    • Minimize admission of root containers
    • Ensure containers with added capability are not allowed
    • Ensure admission of containers with added capability is minimized
    • Do not specify hostPort unless absolutely necessary
    • Limit mounting Docker socket daemon in a container
    • Ensure admission of containers with NET_RAW capability is minimized
    • Ensure securityContext is applied to pods and containers
    • Ensure seccomp is set to Docker/Default or Runtime/Default
    • Ensure seccomp profile is set to Docker/Default or Runtime/Default
    • Ensure Kubernetes dashboard is not deployed
    • Ensure Tiller (Helm V2) is not deployed
    • Use secrets as files instead of environment variables
    • Ensure admission of containers with capabilities assigned is limited
    • Ensure service account tokens are mounted where necessary
    • Ensure CAP_SYS_ADMIN Linux capability is not used
    • Ensure containers run with a high UID to avoid host conflict
    • Ensure default service accounts are not actively used
    • Ensure images are selected using a digest
    • Ensure Tiller (Helm V2) deployment is not accessible from within the cluster
    • Ensure Tiller (Helm v2) service is deleted
    • Ensure containers do not run with AllowPrivilegeEscalation
    • Ensure securityContext is applied to pods and containers
    • Minimize the admission of containers with capabilities assigned
    • Ensure that default service accounts are not actively used by bounding to a role or cluster role
    • Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately for API servers
    • Ensure Kubelet only uses strong cryptographic ciphers
    • Ensure the --etcd-cafile argument is set appropriately
    • Ensure encryption providers are appropriately configured
    • Ensure the API server makes use of strong cryptographic ciphers
    • Ensure the --terminated-pod-gc-threshold argument for controller managers is set appropriately
    • Ensure the --profiling argument for controller managers is set to False
    • Ensure the --use-service-account-credentials argument for controller managers is set to True
    • Ensure the --service-account-private-key-file argument for controller managers is set appropriately
    • Ensure the --root-ca-file argument for controller managers is set appropriately
    • Ensure the RotateKubeletServerCertificate argument for controller managers is set to True
    • Ensure the --bind-address argument for controller managers is set to 127.0.0.1
    • Ensure the --profiling argument is set to False
    • Ensure the --bind-address argument is set to 127.0.0.1
    • Ensure the --cert-file and --key-file arguments are set appropriately
    • Ensure the --client-cert-auth argument is set to True
    • Ensure the --auto-tls argument is not set to True
    • Ensure the --peer-cert-file and --peer-key-file arguments are set appropriately
    • Ensure the --peer-client-cert-auth argument is set to True
    • Ensure the --peer-auto-tls argument is not set to True
    • Ensure the --anonymous-auth argument is set to False
    • Ensure the --authorization-mode argument is not set to AlwaysAllow
    • Ensure the --client-ca-file argument for API Servers is set appropriately
    • Ensure the --read-only-port argument is set to 0
    • Ensure the --streaming-connection-idle-timeout argument is not set to 0
    • Ensure the --protect-kernel-defaults argument is set to True
    • Ensure the --make-iptables-util-chains argument is set to True
    • Ensure the --hostname-override argument is not set
    • Ensure the --event-qps argument is set to 0 or a level that ensures appropriate event capture
    • Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately for Kubelet
    • Ensure the --rotate-certificates argument is not set to False
    • Ensure the RotateKubeletServerCertificate argument for kubelets is set to True
    • Ensure the --anonymous-auth argument is set to False
    • Ensure the --basic-auth-file argument is not Set
    • Ensure the --token-auth-file argument is not Set
    • Ensure the --kubelet-https argument is set to True
    • Ensure the --kubelet-client-certificate and --kubelet-client-key arguments are set appropriately
    • Ensure the --kubelet-certificate-authority argument is set appropriately
    • Ensure the --authorization-mode argument is not set to AlwaysAllow
    • Ensure the --authorization-mode argument includes node
    • Ensure the --authorization-mode argument includes RBAC
    • Ensure the admission control plugin EventRateLimit is set
    • Ensure the admission control plugin AlwaysAdmit is not set
    • Ensure the admission control plugin AlwaysPullImages is set
    • Ensure the admission control plugin SecurityContextDeny is sSet if PodSecurityPolicy is not used
    • Ensure the admission control plugin ServiceAccount is set
    • Ensure the admission control plugin NamespaceLifecycle is set
    • Ensure the admission control plugin PodSecurityPolicy is set
    • Ensure the admission control plugin NodeRestriction is set
    • Ensure the --insecure-bind-address argument is not set
    • Ensure the --insecure-port argument is set to 0
    • Ensure the --secure-port argument is not set to 0
    • Ensure the --profiling argument is set to False
    • Ensure the --audit-log-path argument is set
    • Ensure the --audit-log-maxage argument is set to 30 or as appropriate
    • Ensure the --audit-log-maxbackup argument is set to 10 or as appropriate
    • Ensure the --audit-log-maxsize argument is set to 100 or as appropriate
    • Ensure the --request-timeout argument is set appropriately
    • Ensure the --service-account-lookup argument is set to True
    • Ensure the --service-account-key-file argument is set appropriately
    • Ensure the --etcd-certfile and --etcd-keyfile arguments are set appropriately
    • Ensure minimized wildcard use in Roles and ClusterRoles
    • Ensure ClusterRoles that grant control over validating or mutating admission webhook configurations are minimized
    • Ensure ClusterRoles that grant permissions to approve CertificateSigningRequests are minimized
    • Ensure Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings are minimized
    • Ensure Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRole are minimized
    • Prevent NGINX Ingress annotation snippets which contain LUA code execution
    • Prevent All NGINX Ingress annotation snippets
    • Prevent NGINX Ingress annotation snippets which contain alias statements
    • RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding
    • Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation
    • No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts
    • ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster
    • No ServiceAccount/Node should be able to read all secrets

Azure Policies

  • Azure Policy Index
  • General Policies
    • Ensure Azure VM data disk is encrypted with ADE/CMK
    • Ensure Azure App Service Web app authentication is On
    • Ensure a security contact phone number is present
    • Ensure Send email notification for high severity alerts is enabled
    • Ensure Send email notification for high severity alerts to admins is enabled
    • Ensure Azure SQL Server threat detection alerts are enabled for all threat types
    • Ensure Azure SQL server send alerts to field value is set
    • Ensure MSSQL servers have email service and co-administrators enabled
    • Ensure standard pricing tier is selected
    • Ensure all keys have an expiration date
    • Ensure Azure key vault is recoverable
    • Ensure a retention period of less than 90 days is specified
    • Ensure Azure Linux scale set uses an SSH key
    • Ensure Virtual Machine extensions are not installed
    • Ensure FTP Deployments are disabled
    • Ensure PostgreSQL server enables geo-redundant backups
    • Ensure key vault key is backed by HSM
    • Ensure MariaDB server enables geo-redundant backups
    • Ensure My SQL server enables geo-redundant backups
    • Ensure Virtual Machines are backed up using Azure backup
    • Ensure Cosmos DB accounts have customer-managed keys to encrypt data at rest
    • Ensure Data Lake Store accounts enable encryption
    • Ensure PostgreSQL server enables infrastructure encryption
    • Ensure Automation account variables are encrypted
    • Ensure Azure Data Explorer uses disk encryption
    • Ensure Azure Data Explorer uses double encryption
    • Ensure Azure Batch account uses key vault to encrypt data
    • Ensure managed disks use a specific set of disk encryption sets for customer-managed key encryption
    • Ensure MySQL server enables infrastructure encryption
    • Ensure Azure Data Factory uses Git repository for source control
    • Ensure key vault enables purge protection
    • Ensure key vault enables soft-delete
    • Ensure key vault secrets have content_type set
    • Ensure My SQL server enables Threat Detection policy
    • Ensure PostgreSQL server enables Threat Detection policy
    • Ensure Azure Security Center Defender is set to On for servers
    • Ensure Azure function app authentication is on
    • Ensure CORS disallows resource to access app services
    • Ensure security contact emails are set
    • Ensure Azure Security Center Defender is set to On for app service
    • Ensure CORS does not allow resources to access function apps
    • Ensure function app uses the latest HTTP version
    • Ensure Azure Security Center Defender is set to On for Azure SQL database servers
    • Ensure managed identity provider is enabled for app services
    • Ensure remote debugging is not enabled for app services
    • Ensure Azure Defender is set to On for SQL servers on machines
    • Ensure Azure App Service Web app uses the latest .Net Core version
    • Ensure Azure App Service Web app uses the latest PHP version
    • Ensure Azure App Service Web app uses the latest Python version
    • Ensure Azure App Service Web app uses the latest Java version
    • Ensure Azure Security Center Defender is set to On for storage
    • Ensure Azure Security Center Defender is set to On for Kubernetes
    • Ensure Azure Defender is set to On for container registries
    • Ensure Azure Security Center Defender set to On for Key Vault
    • Ensure app services use Azure files
    • Ensure Virtual Machines are utilizing managed disks
    • Ensure automatic OS image patching is enabled for Virtual Machine scale sets
    • Ensure Microsoft Antimalware is configured to automatically update Virtual Machines
    • Ensure SQL servers enable data security policy
    • Ensure Azure SQL server ADS Vulnerability Assessment is enabled
    • Ensure Azure SQL server ADS Vulnerability Assessment Periodic recurring scans is enabled
    • Ensure Azure SQL server ADS VA Send scan reports to is configured
    • Ensure Azure SQL server ADS VA Also send email notifications to admins and subscription owners is enabled
    • Ensure SQL servers have Azure Active Directory admin configured
    • Ensure Azure Virtual Machines are utilizing managed disks
    • Ensure Virtual Machine scale sets have encryption at host enabled
    • Ensure storage for critical data are encrypted with CMKs
    • Ensure Azure Data Explorer encryption at rest uses a customer-managed key
    • Ensure unattached disks are encrypted
    • Ensure Azure data factories are encrypted with a customer-managed key
    • Ensure MySQL server enables customer-managed key for encryption
    • Ensure PostgreSQL server enables customer-managed key for encryption
    • Ensure Azure storage account encryption CMKs are enabled
    • Ensure MSSQL is using the latest version of TLS encryption
    • Ensure MySQL is using the latest version of TLS encryption
    • Ensure that Active Directory is used for Service Fabric authentication
    • Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
    • Ensure that Service Fabric uses available three levels of protection available
    • Ensure Azure resources that support tags have Tags
    • Ensure Cognitive Services account encryption CMKs are enabled
    • Ensure Azure Virtual machine does not enable password authentication
    • Ensure Azure PostgreSQL Flexible Server enables geo-redundant backups
    • Ensure Azure data exfiltration protection for Azure Synapse workspace is enabled
    • Ensure Azure Client Certificates are enforced for API management
    • Ensure Azure Cognitive Services enables Customer Managed Keys (CMKs) for encryption
    • Ensure Azure built-in logging for Azure function app is enabled
    • Ensure Azure SQL Server has default auditing policy configured
  • IAM Policies
    • Ensure App Service is registered with an Azure Active Directory account
    • Ensure Azure subscriptions with custom roles have minimum permissions
    • Ensure Azure Kubernetes Service (AKS) local admin account is disabled
    • Ensure Azure ACR admin account is disabled
    • Ensure Azure Windows VM enables encryption
    • Ensure Azure CosmosDB has Local Authentication disabled
    • Ensure Azure Machine Learning Compute Cluster Local Authentication is disabled
    • Ensure Azure ACR disables anonymous image pulling
  • Kubernetes Policies
    • Ensure Azure AKS cluster monitoring is enabled
    • Ensure Azure AKS enable RBAC is enforced
    • Ensure AKS API server defines authorized IP ranges
    • Ensure AKS cluster network policies are enforced
    • Ensure Kubernetes dashboard is disabled
    • Ensure AKS enables private clusters
    • Ensure AKS uses Azure policies add-on
    • Ensure AKS uses disk encryption set
  • Logging Policies
    • Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days
    • Ensure Azure SQL server auditing is enabled
    • Ensure Azure SQL server audit log retention is greater than 90 days
    • Ensure storage logging for queue service has read, write, and delete requests enabled
    • Ensure activity log retention is set to 365 days or greater
    • Ensure log profile is configured to capture all activities
    • Ensure Azure storage account logging for tables is enabled
    • Ensure app service enables HTTP logging
    • Ensure app service enables detailed error messages
    • Ensure app service enables failed request tracing
    • Ensure Azure storage account logging for blobs is enabled
    • Ensure the storage container storing activity logs is not publicly accessible
  • Networking Policies
    • Ensure Azure instance authenticates using SSH keys
    • Ensure RDP Internet access is restricted
    • Ensure SSH Internet access is restricted
    • Ensure SQL databases do not allow ingress from 0.0.0.0/0
    • Ensure Azure App Service Web app redirects HTTP to HTTPS
    • Ensure Web App uses the latest version of TLS encryption
    • Ensure Web App has incoming client certificates enabled
    • Ensure Web App uses the latest version of HTTP
    • Ensure MySQL server databases have Enforce SSL connection enabled
    • Ensure Azure PostgreSQL database server with SSL connection is enabled
    • Ensure Azure PostgreSQL database server with log checkpoints parameter is enabled
    • Ensure Azure PostgreSQL database server with log connections parameter is enabled
    • Ensure Azure PostgreSQL database server with connection throttling parameter is enabled
    • Ensure public access level for Blob Containers is set to private
    • Ensure Azure Storage Account default network access is set to Deny
    • Ensure Azure Storage Account Trusted Microsoft Services access is enabled
    • Ensure MariaDB servers have Enforce SSL connection enabled
    • Ensure that Storage accounts disallow public access
    • Ensure storage accounts have secure transfer enabled
    • Ensure PostgreSQL server disables public network access
    • Ensure function apps are only accessible over HTTPS
    • Ensure UDP Services are restricted from the Internet
    • Ensure Azure cache for Redis has public network access disabled
    • Ensure only SSL are enabled for cache for Redis
    • Ensure Azure container container group is deployed into a virtual network
    • Ensure Cosmos DB accounts have restricted access
    • Ensure Azure Synapse workspaces have no IP firewall rules attached
    • Ensure Azure Cosmos DB disables public network access
    • Ensure Azure Data factory public network access is disabled
    • Ensure Azure Event Grid domain public network access is disabled
    • Ensure API management services use virtual networks
    • Ensure Azure IoT Hub disables public network access
    • Ensure key vault allows firewall rules settings
    • Ensure SQL server disables public network access
    • Ensure Azure virtual machine NIC has IP forwarding disabled
    • Ensure network interfaces do not use public IPs
    • Ensure Azure application gateway has WAF enabled
    • Ensure Azure front door has WAF enabled
    • Ensure application gateway uses WAF in Detection or Prevention modes
    • Ensure Azure front door uses WAF in Detection or Prevention modes
    • Ensure Azure Cognitive Search disables public network access
    • Ensure Azure file sync disables public network access
    • Ensure Azure Synapse Workspaces enable managed virtual networks
    • Ensure My SQL server disables public network access
    • Ensure 'public network access enabled' is set to False for mySQL servers
    • Ensure Front Door WAF prevents message lookup in Log4j2
    • Ensure Application Gateway WAF prevents message lookup in Log4j2
    • Ensure Cognitive Services disables public network access
    • Ensure Azure Databricks workspace is not public
    • Ensure Azure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot
    • Ensure Azure App's service slot uses the latest version of TLS encryption
    • Ensure Azure PostgreSQL uses the latest version of TLS encryption
    • Ensure Azure Machine Learning Workspace is not publicly accessible
    • Ensure Azure ACR is set to disable public networking
    • Ensure Azure Function app uses the latest version of TLS encryption
    • Ensure Azure Cognitive Services accounts disable public network access
    • Ensure Azure HTTP (port 80) access from the internet is restricted
    • Ensure Azure Spring Cloud API Portal Public Access is disabled
    • Ensure Azure Spring Cloud API Portal is enabled for HTTPS
    • Ensure Azure App service slot has debugging disabled
    • Ensure Azure Redis Cache uses the latest version of TLS encryption
    • Ensure Azure AKS cluster nodes do not have public IP addresses
  • Secrets Policies
    • Ensure AKV secrets have an expiration date set
    • Ensure secrets are not exposed in Azure VM customData
  • Storage Policies
    • Ensure Cosmos DB does not allow privileged escalation by restricting management plane changes
    • Ensure secure transfer required is enabled
    • Ensure storage account uses the latest version of TLS encryption
    • Ensure Storage Accounts adhere to the naming rules
  • Public Policies
    • Ensure MariaDB servers have public network access enabled set to False

Google Cloud Policies

  • Google Cloud Policy Index
  • General Policies
    • Ensure GCP VM disks are encrypted with CSEKs
    • Ensure boot disks for instances use CSEKs
    • Ensure compute instances launch with shielded VM enabled
    • Ensure GCP KMS encryption key is rotating every 90 days
    • Ensure incoming connections to Cloud SQL database instances use SSL
    • Ensure Cloud SQL database instances have backup configuration enabled
    • Ensure GCP BigQuery dataset is not publicly accessible
    • Ensure there are only GCP-managed service account keys for each service account
    • Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
    • Ensure GCP resources that support labels have Labels
    • Ensure GCP Memorystore for Redis has AUTH enabled
    • Ensure GCP Memorystore for Redis uses intransit encryption
    • Ensure GCP SQL database uses the latest Major version
    • Ensure GCP Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEKs)
    • Ensure GCP Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEKs)
    • Ensure GCP Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEKs)
    • Ensure GCP Vertex AI datasets use a Customer Manager Key (CMK)
    • Ensure GCP Vertex AI Metadata Store uses a Customer Manager Key (CMK)
    • Ensure GCP Pub/Sub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)
    • Ensure GCP Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
    • Ensure GCP data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK)
    • Ensure GCP Artifact Registry repositories are encrypted with Customer Supplied Encryption Keys (CSEK)
    • Ensure GCP subnet has a private IP Google access
    • Ensure GCP Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
    • Ensure GCP KMS keys are protected from deletion
    • Ensure GCP data fusion instances are private
    • Ensure GCP cloud build workers are private
    • Ensure GCP DataFusion has stack driver monitoring enabled
    • Ensure GCP Cloud storage has versioning enabled
    • Ensure GCP DataFusion has stack driver logging enabled
  • IAM Policies
    • Ensure instances do not use default Compute Engine service account
    • Ensure instances do not use default service account with full access to cloud APIs
    • Ensure IAM users are not assigned Service Account User or Service Account Token creator roles at project level
    • Ensure Service Account does not have admin privileges
    • Ensure roles do not impersonate or manage Service Accounts used at folder level
    • Ensure roles do not impersonate or manage Service Accounts used at organizational level
    • Ensure default Service Account is not used at project level
    • Ensure default Service Account is not used at organization level
    • Ensure default Service Account is not used at folder level
    • Ensure roles do not impersonate or manage Service Accounts used at project level
    • Ensure a MySQL database instance does not allow anyone to connect with administrative privileges
    • Ensure GCP Cloud KMS Key Rings are not anonymously or publicly accessible
  • Kubernetes Policies
    • Ensure Stackdriver logging on Kubernetes engine clusters is enabled
    • Ensure ABAC authorization on Kubernetes engine clusters is disabled
    • Ensure GCP Kubernetes engine clusters have stackdriver logging enabled
    • Ensure GCP Kubernetes cluster node auto-repair configuration is enabled
    • Ensure GCP Kubernetes cluster node auto-upgrade configuration is enabled
    • Ensure private cluster is enabled when creating Kubernetes clusters
    • Ensure GCP Kubernetes engine clusters have network policy enabled
    • Ensure client certificate authentication to Kubernetes Engine Clusters is disabled
    • Ensure PodSecurityPolicy controller is enabled on Kubernetes engine clusters
    • Ensure GKE control plane is not public
    • Ensure GCP Kubernetes engine clusters have basic authentication disabled
    • Ensure master authorized networks are enabled in GKE clusters
    • Ensure GCP Kubernetes engine clusters have label information
    • Ensure GCP Kubernetes engine clusters are using Container-Optimized OS for node image
    • Ensure Kubernetes clusters are created with alias IP ranges enabled
    • Ensure Kubernetes engine cluster nodes do not have default service account for project access
    • Ensure secure boot for shielded GKE nodes is enabled
    • Enable VPC flow logs and intranode visibility
    • Ensure GCP Kubernetes Engine Clusters are configured with private nodes feature
    • Ensure Kubernetes RBAC users are managed with Google Groups for GKE
    • Ensure binary authorization is used
    • Ensure GCP Kubernetes engine clusters have legacy compute engine metadata endpoints disabled
    • Ensure the GKE metadata server is enabled
    • Ensure shielded GKE nodes are enabled
    • Ensure integrity monitoring for shielded GKE nodes is enabled
    • Ensure the GKE Release Channel is set
  • Logging Policies
    • Ensure GCP VPC flow logs for the subnet is set to On
    • Ensure GCP log bucket retention policy is configured using bucket lock
    • Ensure GCP project audit logging is configured properly across all services and all users in a project
  • Networking Policies
    • Ensure GCP Firewall rule does not allow all traffic on SSH port 22
    • Ensure GCP Firewall rule does not allow all traffic on RDP port 3389
    • Ensure GCP HTTPS load balancer is not configured with SSL policy having TLS version 1.1 or lower
    • Ensure Cloud SQL database instances are not publicly accessible
    • Ensure GCP Cloud DNS has DNSSEC enabled
    • Ensure RSASHA1 is not used for Zone-Signing and Key-Signing Keys in Cloud DNS DNSSEC
    • Ensure default network does not exist in a project
    • Ensure GCP VM instances have block project-wide SSH keys feature enabled
    • Ensure GCP projects have OS login enabled
    • Ensure project instance does not override the project setting enabling OSLogin
    • Ensure GCP VM instances do not have serial port access enabled
    • Ensure IP forwarding on instances is disabled
    • Ensure GCP project is not configured with legacy network
    • Ensure Cloud Armor prevents message lookup in Log4j2
    • Ensure GCP Firewall rule does not allow all traffic on MySQL port 3306
    • Ensure GCP compute firewall ingress does not allow unrestricted MySQL access
    • Ensure GCP Private Google Access is enabled for IPV6
    • Ensure GCP Google compute firewall ingress does not allow unrestricted HTTP port 80 access
    • Ensure GCP Google compute firewall ingress does not allow FTP port (20) access
    • Ensure GCP Google compute firewall ingress does not allow unrestricted FTP access
    • Ensure GCP compute firewall ingress does not allow unrestricted access to all ports
    • Ensure GCP Cloud Function HTTP trigger is secured
    • Ensure GCP GCR Container Vulnerability Scanning is enabled
  • Public Policies
    • Ensure GCP storage buckets are not publicly accessible to all authenticated users
    • Ensure compute instances do not have public IPs
    • Ensure GCP BigQuery Tables are not anonymously or publicly accessible
    • Ensure GCP Dataflow jobs are private
    • Ensure GCP Vertex AI instances are private
    • Ensure GCP Dataproc cluster is not anonymously or publicly accessible
    • Ensure GCP Cloud KMS cryptokey is not anonymously or publicly accessible
    • Ensure GCP Cloud Run services are not anonymously or publicly accessible
    • Ensure GCP Pub/Sub Topic is not anonymously or publicly accessible
    • Ensure GCP Artifact Registry repositories are not anonymously or publicly accessible
    • Ensure GCP Container Registry repositories are not anonymously or publicly accessible
    • Ensure GCP Dataproc Clusters do not have public IPs
  • Google Cloud Storage Policies
    • Ensure Google storage buckets are encrypted
    • Ensure GCP cloud storage bucket with uniform bucket-level access are enabled
    • Ensure bucket logs access
    • Ensure bucket does not log to itself
  • Cloud SQL Policies
    • Ensure GCP MySQL instance with local_infile database flag is disabled
    • Ensure Cloud SQL PostgreSQL instances have log_checkpoints database flag set to On
    • Ensure GCP PostgreSQL instance database flag log_connections is enabled
    • Ensure GCP PostgreSQL instance database flag log_disconnections is enabled
    • Ensure GCP PostgreSQL instance database flag log_lock_waits is enabled
    • Ensure GCP PostgreSQL instance database flag log_min_messages is set
    • Ensure GCP PostgreSQL instance database flag log_temp_files is set to 0
    • Ensure GCP PostgreSQL instance database flag log_min_duration_statement is set to -1
    • Ensure Cloud SQL SQL server instance database flag cross db ownership chaining is set to Off
    • Ensure Cloud SQL SQL server instance contained database authentication database flag is set to Off
    • Ensure Cloud SQL database instances do not have public IPs

Docker Policies

  • Docker Policy Index
    • Ensure port 22 is not exposed
    • Ensure healthcheck instructions have been added to container images
    • Ensure a user for the container has been created
    • Ensure update instructions are not used alone in a Dockerfile
    • Ensure Copy is used instead of Add in Dockerfiles
    • Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated)
    • Ensure the base image uses a non latest version tag
    • Ensure the last USER is not root
    • Ensure Docker From alias is unique for multistage builds
    • Ensure Docker WORKDIR values are absolute paths
    • Ensure Docker APT is not used

Git Policies

  • Secrets Policy Index
    • Artifactory Credentials
    • AWS Access Keys
    • Azure Storage Account Access Keys
    • Basic Auth Credentials
    • Cloudant Credentials
    • Base64 High Entropy String
    • IBM Cloud IAM Key
    • IBM COS HMAC Credentials
    • JSON Web Token
    • Secret Keyword
    • Mailchimp Access Key
    • NPM Token
    • Private Key
    • Slack Token
    • SoftLayer Credentials
    • Square OAuth Secret
    • Stripe Access Key
    • Twilio Access Key
    • Hex High Entropy String
    • Ensure GitHub repository is private
    • Airtable API Key
    • Algolia API Key
    • Alibaba Cloud Keys
    • Asana Token
    • Atlassian Oauth2 Keys
    • Auth0 Token
    • Bitbucket Token
    • Buildkite Agent Token
    • CircleCI Personal Token
    • Codecov API key
    • Coinbase Keys
    • Confluent Keys
    • Databricks Authentication Token
    • DigitalOcean Token
    • Discord Token
    • Doppler API Key
    • DroneCI Token
    • Dropbox App Credentials
    • Dynatrace Token
    • Elastic Email Key
    • Fastly Personal Token
    • FullStory API Key
    • GitHub Token
    • GitLab Token
    • Google Cloud Keys
    • Grafana Token
    • Terraform Cloud API Token
    • Heroku Platform Key
    • HubSpot API Key
    • Intercom Access Token
    • Jira Token
    • LaunchDarkly Personal Token
    • Netlify Token
    • New Relic Key
    • Notion Integration Token
    • Okta Token
    • PagerDuty Authorization Token
    • PlanetScale Token
    • Postman API Key
    • Pulumi Access Token
    • Python Package Index Key
    • RapidAPI Key
    • Readme API Key
    • RubyGems API Key
    • Sentry Token
    • Splunk User Credentials
    • Sumo Logic Keys
    • Telegram Bot Token
    • Travis Personal Token
    • Typeform API Token
    • Vault Unseal Key
    • Yandex Predictor API key
    • Cloudflare API Credentials
    • Vercel API Token
    • Webflow API Token
    • Scalr API Token
    • MongoDB Connection String
    • GCP Service Account Auth Key
    • Random string entropy detector
    • Braintree Payments Key
    • AWS MWS Auth Token
    • Paypal Token ID
    • Paypal Token Key
    • Braintree Payments ID
    • Braintree Access Token

OCI Policies

  • Compute Policies
    • Ensure OCI Compute Instance boot volume has in-transit data encryption enabled
    • Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled
  • Secrets Policies
    • Ensure no hard coded OCI private key in provider
  • Storage Policies
    • Ensure OCI Block Storage Block Volume has backup enabled
    • Ensure OCI Block Storage Block Volumes are encrypted with a Customer Managed Key (CMK)
    • Ensure OCI Object Storage bucket can emit object events
    • Ensure OCI Object Storage has versioning enabled
    • Ensure OCI Object Storage is encrypted with Customer Managed Key
    • Ensure OCI Object Storage is not Public
    • Ensure OCI File System is Encrypted with a customer Managed Key
  • Logging Policies
    • Ensure OCI Compute Instance has monitoring enabled
  • Networking Policies
    • Ensure VCN has an inbound security list
    • Ensure VCN inbound security lists are stateless
    • Ensure OCI security list does not allow ingress from 0.0.0.0/0 to port 3389
    • Ensure OCI security groups rules do not allow ingress from 0.0.0.0/0 to port 22
    • Ensure OCI security list does not allow ingress from 0.0.0.0/0 to port 22
    • Ensure OCI security group has stateless ingress security rules
  • IAM Policies
    • Ensure OCI IAM password policy contains lowercase characters
    • Ensure OCI IAM password policy contains numeric characters
    • Ensure OCI IAM password policy contains symbols
    • Ensure OCI IAM password policy contains uppercase characters
    • Ensure OCI IAM password policy has a minimum length of 14 characters

Alibaba Policies

  • Alibaba Policy Index
  • General Policies
    • Ensure Alibaba Cloud OSS bucket has Transfer Acceleration disabled
    • Ensure Alibaba Cloud OSS bucket is encrypted with Customer Master Key
    • Ensure Alibaba Cloud OSS bucket has versioning enabled
    • Ensure Alibaba Cloud Disk is encrypted with Customer Master Key
    • Ensure Alibaba Cloud OSS bucket is not public
    • Ensure Alibaba Cloud Disk is encrypted
    • Ensure Alibaba Cloud database instance is not public
    • Ensure Alibaba RDS instance has log_connections enabled
    • Ensure Alibaba Cloud RDS instance has log_duration enabled
    • Ensure Alibaba Cloud RDS instance has log_disconnections enabled
    • Ensure Alibaba Cloud launch template data disks are encrypted
    • Ensure Alibaba Cloud RDS instance is set to perform auto upgrades for minor versions
    • Ensure Alibaba Cloud KMS Key Rotation is enabled
    • Ensure Alibaba Cloud RDS log audit is enabled
    • Ensure Alibaba Cloud MongoDB has transparent data encryption enabled
  • IAM Policies
    • Ensure Alibaba Cloud RAM password policy requires at least one uppercase letter
    • Ensure Alibaba Cloud RAM password policy requires at least one number
    • Ensure Alibaba Cloud RAM password policy requires minimum length of 14 or greater
    • Ensure Alibaba Cloud RAM Account maximal login attempts is less than 5
    • Ensure Alibaba Cloud RAM password policy prevents password reuse
    • Ensure Alibaba Cloud RAM password policy requires at least one symbol
    • Ensure Alibaba Cloud RAM password policy requires at least one lowercase letter
    • Ensure Alibaba Cloud RAM password policy expires passwords within 90 days or less
    • Ensure Alibaba Cloud RAM enforces MFA
  • Kubernetes Policies
    • Ensure Alibaba Cloud Kubernetes installs plugin Terway or Flannel to support standard policies
    • Ensure Alibaba Cloud Kubernetes node pools are set to auto repair
  • Logging Policies
    • Ensure Alibaba Cloud Transparent Data Encryption is Enabled on instance
    • Ensure Alibaba Cloud OSS bucket has access logging enabled
    • Ensure Alibaba Cloud RDS Instance SQL Collector Retention Period should be greater than 180
    • Ensure Alibaba Cloud Action Trail Logging for all regions
    • Ensure Alibaba Cloud Action Trail Logging for all events
  • Networking Policies
    • Ensure no Alibaba Cloud security groups allow ingress from 0.0.0.0:0 to port 3389
    • Ensure no Alibaba Cloud security groups allow ingress from 0.0.0.0:0 to port 22
    • Ensure Alibaba Cloud RDS instance uses SSL
    • Ensure Alibaba Cloud API Gateway API Protocol uses HTTPS
    • Ensure Alibaba Cloud Cypher Policy is secured
    • Ensure Alibaba Cloud MongoDB instance uses SSL
    • Ensure Alibaba cloud ALB ACL restricts public access
    • Ensure Alibaba Cloud MongoDB instance is not public
    • Ensure Alibaba Cloud MongoDB is deployed inside a VPC

Bridgecrew Policies

  • General
  • Ensure no hard coded API token exist in the provider
  • Open source vulnerabilities
  • Open Source package License Compliance
  • Open Source Package Unknown License

Open Source Policies

  • Supported Language Index
    • Docker
    • Go
    • HCL
    • Java
    • JavaScript
    • Kotlin
    • Python
    • Ruby
    • YAML

Build Integrity Policies

  • GitHub Policies
    • Ensure GitHub organization security settings require 2FA
    • Ensure GitHub organization security settings require SSO
    • Ensure GitHub organization security settings has IP allow list enabled
    • Ensure GitHub branch protection rules requires signed commits
    • Ensure GitHub pull requests have at least 2 approvals
    • Ensure GitHub repository webhooks use HTTPs
    • Ensure GitHub branch protection rules requires linear history
    • Ensure the GitHub repository has at least 2 admins set
    • Ensure GitHub branch protection rules are enforced on administrators
    • Ensure GitHub organization webhooks use HTTPs
    • Ensure GitHub repository is Private
    • Ensure GitHub repository has vulnerability alerts enabled
    • Ensure GitHub Actions secrets are encrypted
    • Ensure GitHub branch protection dismisses stale review on new commit
    • Ensure GitHub branch protection restricts who can dismiss PR reviews
    • Ensure GitHub branch protection requires CODEOWNER reviews
    • Ensure GitHub branch protection requires status checks
    • Ensure GitHub branch protection requires conversation resolution
    • Ensure GitHub branch protection requires push restrictions
    • Ensure GitHub branch protection rules does not allow deletions
  • GitLab Policies
    • Ensure all Gitlab groups require two factor authentication
    • Ensure Gitlab branch protection rules do not allow force pushes
    • Ensure Gitlab project merge requests has at least 2 approvals
    • Ensure Gitlab project prevents secrets
    • Ensure GitLab projects commits are signed
  • GitHub Actions Policies
    • Ensure GitHub ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables
    • Ensure Github run commands are not vulnerable to shell injection
    • Suspicious use of curl with secrets
    • Suspicious use of netcat with IP address
    • Ensure GitHub Actions artifact build has cosign - sign execution in pipeline
    • Ensure GitHub Actions artifact build has SBOM attestation in pipeline
    • Ensure GitHub Actions does not contain workflow_dispatch inputs parameters
  • Bitbucket Policies
    • Ensure BitBucket pull requests require at least 2 approvals
  • GitLab CI Policies
    • Suspicious use of curl with CI environment variables in script
    • Avoid creating rules that generate double pipelines
  • Azure Pipelines Policies
    • Ensure container job uses a non latest version tag
    • Ensure container job uses a version digest
    • Ensure set variable is not marked as a secret

OpenStack Policies

  • Ensure OpenStack firewall rule has destination IP configured
  • Ensure OpenStack instance does not use basic credentials
  • Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp)

API Policies

  • OpenAPI Policies
    • Ensure that securityDefinitions is defined and not empty
    • Ensure that if the security scheme is not of type 'oauth2', the array value must be empty
    • Ensure that security schemes don't allow cleartext credentials over unencrypted channel
    • Ensure that the global security field has rules defined
    • Ensure that security operations is not empty
    • Ensure that security requirement defined in securityDefinitions

Public Policies

Suggest Edits

How to Use this Page

This page lists the Azure Public Policies that Bridgecrew helps you enforce. You can browse this page, or search for a specific policy ID or short title. For each policy, press the link for more details about a policy and its fix options.

Ensure MariaDB servers have public network access enabled set to False
Policy ID: BC_AZR_PUBLIC_1

Updated almost 2 years ago


  • Table of Contents
    • How to Use this Page