Security Policies
Note:
Gain visibility and control across all your public and/or private cloud environments with our security policies. Improve security across your applications, data, and associated infrastructure by finding security vulnerabilities before your customers do.
| Policy Name | Description |
|---|---|
| | Reports if EBS volumes are not set to be encrypted by default. |
| | Reports if AWS Config is not enabled in all regions. |
| | Reports if CloudTrail is not fully enabled in all regions. |
| | Reports if CloudTrail trails are not integrated with CloudWatch logs. |
| | Reports if CloudTrail logs are not encrypted at rest. |
| | Reports if CloudTrail stores logs in S3 bucket(s) without access logging enabled. |
| | Reports if CloudTrail stores logs in publicly accessible S3 bucket(s). |
| AWS Ensure IAM Users Receive Permissions Only Through Groups | Reports if any IAM users have policies assigned directly instead of through groups. |
| | Reports if any CloudTrails do not have log file validation enabled. |
| AWS Ensure Object-level Events Logging Enabled For CloudTrails | Reports if CloudTrail does not have object-level logging for read and write events enabled. |
| AWS Ensure Rotation For Customer Master Keys (CMKs) Is Enabled | Reports if CMK rotation is not enabled. |
| | Reports if access keys exist that are 90 days old or older. |
| | Reports if credentials exist that have gone unused for 45 days or more. |
| | Reports if MFA is not enabled for IAM users with a console password. |
| | Reports if any IAM users have 2 or more active access keys. |
| | Reports any admin IAM policies that are attached. |
| | Reports any expired SSL/TLS certificates in the AWS account. |
| | Reports if the password length requirement is insufficient. |
| | Reports if the password policy does not restrict reusing passwords or saves fewer than 24 passwords for this purpose. |
| | Reports affected regions if no Access Analyzer is enabled. |
| | Reports any access keys with root access. |
| | Reports the root account if hardware MFA is disabled. |
| | Reports the root account if MFA is disabled. |
| | Reports whether the root account is being used for routine or everyday tasks. |
| | Reports if no support roles exist in the AWS account. |
| | Reports and remediates any Classic Load Balancers (ELBs) and Application Load Balancers (ALBs) that are Internet-facing. |
| | Checks for S3 buckets that are open to everyone. |
| | Checks for database services that are publicly accessible and terminates them after approval. |
| | Checks for buckets that do not have server_access_logging enabled. |
| AWS S3 Ensure 'Block Public Access' Configured For All Buckets | Reports if Block Public Access is not configured for any S3 buckets. |
| | Reports any S3 buckets that do not have a policy to deny HTTP requests. |
| | Reports if MFA Delete is not enabled for any S3 buckets. |
| | Reports any AWS Application/Network Load Balancers with Internet-facing unencrypted listeners. |
| | Reports any AWS Classic Load Balancers with Internet-facing unencrypted listeners. |
| | Reports any Relational Database Service (RDS) instances that are unencrypted. |
| | Reports any S3 buckets in AWS that are unencrypted and provides the option to set the default encryption after approval. |
| | Reports any Elastic Block Store (EBS) volumes in AWS that are unencrypted. |
| | Reports any AWS VPCs without Flow Logs enabled. |
| | Reports if any blob storage containers do not have their public access level set to private. |
| | Reports if any PostgreSQL server instances are not configured with the correct log settings. |
| | Reports if any subscriptions are not configured to report high severity alerts. |
| | Reports if auto-provisioning of the Log Analytics agent for Azure VMs is disabled. |
| | Reports if any MySQL flexible server instances do not use a secure TLS version. |
| | Reports if any MySQL server instances do not enforce SSL connections. |
| | Reports if any subscriptions are not configured to send security alerts to their owners. |
| Azure Ensure PostgreSQL Servers Connection Throttling Enabled | Reports if any PostgreSQL server instances do not have connection throttling enabled. |
| | Reports if any PostgreSQL server instances do not have infrastructure encryption enabled. |
| | Reports if any PostgreSQL server instances do not have log retention configured for more than 3 days. |
| | Reports if any storage accounts are not configured to require secure transfers. |
| | Reports if any subscriptions lack a security contact email address. |
| | Reports if the storage service does not have soft delete enabled. |
| | Reports if any SQL databases do not have encryption enabled. |
| | Reports if any SQL server instances do not have an AD (Active Directory) Admin configured. |
| Azure Ensure SQL Server ATP (Advanced Threat Protection) Enabled | Reports if any SQL server instances do not have ATP (Advanced Threat Protection) enabled. |
| | Reports if any SQL server instances do not have auditing enabled. |
| Azure Ensure SQL Server Minimum Auditing Retention Of 90 Days | Reports if any SQL server instances do not have auditing retention configured for 90 days or more. |
| Azure Ensure SQL Server VA Notify Admins/Subscription Owners | Reports if any SQL server instances are not configured in VA to also notify admins and subscription owners. |
| | Reports if any SQL server instances do not have Vulnerability Assessment (VA) periodic scans enabled. |
| Azure Ensure SQL Server Vulnerability Assessment (VA) Enabled | Reports if any SQL server instances do not have Vulnerability Assessment (VA) enabled. |
| Azure Ensure Storage Account Default Network Access Set To Deny | Reports if any storage accounts do not have their default network access set to deny. |
| | Reports if any storage accounts are not configured to require TLS 1. |
| | Reports if any blob storage accounts are not configured to log read, write, and delete requests. |
| | Reports if any storage queue accounts are not configured to log read, write, and delete requests. |
| | Reports if any storage table accounts are not configured to log read, write, and delete requests. |
| | Reports if any storage accounts do not have access enabled for Trusted Microsoft Services. |
| | Reports if any guest users exist so that they can be reviewed. |
| | Reports when an Azure Network Security Group has RDP open to the internet. |
| | Reports when an Azure Network Security Group has SSH (port 22) open to the internet. |
| | Checks for database services that are publicly accessible and terminates them after approval. |
| | Gets the Resource Group or any resources with a public IP address. |
| | Checks for Azure Storage Accounts with HTTPS not enforced. |
| | Checks for Azure Web Apps with a minimum TLS version less than the value specified. |
| | Checks for buckets that are open to the public. |