Security Policies

Note: Click the link in the Policy Name column to access the corresponding policy template.

Gain visibility and control across all your public and/or private cloud environments with our security policies. Improve security across your applications, data, and associated infrastructure by finding security vulnerabilities before your customers do.

Policy Name

Description

AWS EBS Ensure Encryption By Default 

Reports if EBS volumes are not set to be encrypted by default.

AWS Ensure AWS Config Enabled In All Regions 

Reports if AWS Config is not enabled in all regions.

AWS Ensure CloudTrail Enabled In All Regions 

Reports if CloudTrail is not fully enabled in all regions.

AWS Ensure CloudTrail Integrated With Cloudwatch 

Reports if CloudTrail trails are not integrated with CloudWatch logs.

AWS Ensure CloudTrail Logs Encrypted At Rest 

Reports if CloudTrail logs are not encrypted at rest.

AWS Ensure CloudTrail S3 Buckets Have Access Logging 

Reports if CloudTrail stores logs in S3 bucket(s) without access logging enabled.

AWS Ensure CloudTrail S3 Buckets Non-Public 

Reports if CloudTrail stores logs in publicly accessible S3 bucket(s).

AWS Ensure IAM Users Receive Permissions Only Through Groups 

Reports if any IAM users have policies assigned directly instead of through groups.

AWS Ensure Log File Validation Enabled For All CloudTrails 

Reports if any CloudTrails do not have log file validation enabled.

AWS Ensure Object-level Events Logging Enabled For CloudTrails 

Reports if CloudTrail does not have object-level logging for read and write events enabled.

AWS Ensure Rotation For Customer Master Keys (CMKs) Is Enabled 

Reports if CMK rotation is not enabled.

AWS IAM Ensure Access Keys Are Rotated 

Reports if access keys exist that are 90 days old or older.

AWS IAM Ensure Credentials Unused For >45 days Are Disabled 

Reports if credentials exist that have gone unused for 45 days or more.

AWS IAM Ensure MFA Enabled For IAM Users 

Reports if MFA is not enabled for IAM users with a console password.

AWS IAM Ensure One Active Key Per IAM User 

Reports if any IAM users have 2 or more active access keys.

AWS IAM Reports Attached Admin IAM Policies 

Reports any admin IAM policies that are attached.

AWS IAM Reports Expired SSL/TLS Certificates 

Reports any expired SSL/TLS certificates in the AWS account.

AWS IAM Reports Insufficient Password Policy 

Reports if password length requirement is insufficient.

AWS IAM Reports Password Policy No Restrict Password Reuse 

Reports if password policy does not restrict reusing passwords or saves fewer than 24 passwords for this purpose.

AWS IAM Reports Regions Without Access Analyzer 

Reports affected regions if no Access Analyzer is enabled.

AWS IAM Reports Root Account Access Keys 

Reports any access keys with root access.

AWS IAM Reports Root Accounts Without Hardware MFA 

Reports root account if hardware MFA is disabled.

AWS IAM Reports Root Accounts Without MFA 

Reports root account if MFA is disabled.

AWS IAM Reports Root User Doing Everyday Tasks 

Reports whether the root account is being used for routine or everyday tasks.

AWS IAM Support Role Created 

Reports if no support roles exist in the AWS account.

AWS Internet-facing ELBs & ALBs 

Reports and remediates any Classic Load Balancers (ELBs) and Application Load Balancers (ALBs) that are Internet-facing.

AWS Open S3 Buckets 

Checks for S3 buckets that are open to everyone.

AWS Publicly Accessible RDS Instances 

Checks for database services that are publicly accessible and terminates them after approval.

AWS S3 Buckets Without Server Access Logging 

Checks for buckets that do not have server access logging enabled.

AWS S3 Ensure 'Block Public Access' Configured For All Buckets 

Reports if Block Public Access is not configured for any S3 Buckets.

AWS S3 Ensure Bucket Policies Deny HTTP Requests 

Reports any S3 buckets that do not have a policy to deny HTTP requests.

AWS S3 Ensure MFA Delete Enabled For All Buckets 

Reports if MFA Delete is not enabled for any S3 Buckets.

AWS Unencrypted ELB Listeners (ALB/NLB) 

Reports any AWS Application/Network Load Balancers with Internet-facing unencrypted listeners.

AWS Unencrypted ELB Listeners (CLB) 

Reports any AWS Classic Load Balancers with Internet-facing unencrypted listeners.

AWS Unencrypted RDS Instances 

Reports any Relational Database Service (RDS) instances that are unencrypted.

AWS Unencrypted S3 Buckets 

Reports any S3 buckets in AWS that are unencrypted and provides the option to set the default encryption after approval.

AWS Unencrypted Volumes 

Reports any Elastic Block Store (EBS) volumes in AWS that are unencrypted.

AWS VPCs without FlowLogs Enabled 

Reports any AWS VPCs without FlowLogs Enabled.

Azure Ensure Blob Containers Set To Private 

Reports if any blob storage containers do not have their public access level set to private.

Azure Ensure Correct PostgreSQL Servers Log Settings 

Reports if any PostgreSQL server instances are not configured with correct log settings.

Azure Ensure High Severity Alerts 

Reports if any subscriptions are not configured to report high severity alerts.

Azure Ensure Log Analytics Auto-Provisioning 

Reports if auto-provisioning of Log Analytics agent for Azure VMs is disabled.

Azure Ensure MySQL Flexible Servers Use Secure TLS 

Reports if any MySQL flexible server instances do not use a secure TLS version.

Azure Ensure MySQL Servers Enforce SSL Connections 

Reports if any MySQL server instances do not enforce SSL connections.

Azure Ensure Owners Receive Security Alerts 

Reports if any subscriptions are not configured to send security alerts to their owners.

Azure Ensure PostgreSQL Servers Connection Throttling Enabled 

Reports if any PostgreSQL server instances do not have connection throttling enabled.

Azure Ensure PostgreSQL Servers Infrastructure Encryption 

Reports if any PostgreSQL server instances do not have infrastructure encryption enabled.

Azure Ensure PostgreSQL Servers Sufficient Log Retention 

Reports if any PostgreSQL server instances do not have log retention configured for more than 3 days.

Azure Ensure Secure Transfer Required 

Reports if any storage accounts are not configured to require secure transfers.

Azure Ensure Security Contact Email 

Reports if any subscriptions lack a security contact email address.

Azure Ensure Soft Delete Enabled For Azure Storage 

Reports if the storage service does not have soft delete enabled.

Azure Ensure SQL Database Encryption 

Reports if any SQL databases do not have encryption enabled.

Azure Ensure SQL Server AD Admin Configured 

Reports if any SQL server instances do not have an AD (Active Directory) Admin configured.

Azure Ensure SQL Server ATP (Advanced Threat Protection) Enabled 

Reports if any SQL server instances do not have ATP (Advanced Threat Protection) enabled.

Azure Ensure SQL Server Auditing Enabled 

Reports if any SQL server instances do not have auditing enabled.

Azure Ensure SQL Server Minimum Auditing Retention Of 90 Days 

Reports if any SQL server instances do not have auditing retention configured for 90 days or more.

Azure Ensure SQL Server VA Email Notifications 

Reports if any SQL server instances do not have Vulnerability Assessment (VA) email notifications configured.

Azure Ensure SQL Server VA Notify Admins/Subscription Owners 

Reports if any SQL server instances are not configured in VA to also notify admins and subscription owners.

Azure Ensure SQL Server VA Periodic Scans Enabled 

Reports if any SQL server instances do not have Vulnerability Assessment (VA) periodic scans enabled.

Azure Ensure SQL Server Vulnerability Assessment (VA) Enabled 

Reports if any SQL server instances do not have Vulnerability Assessment (VA) enabled.

Azure Ensure Storage Account Default Network Access Set To Deny 

Reports if any storage accounts do not have their default network access set to deny.

Azure Ensure Storage Accounts Require Secure TLS Version 

Reports if any storage accounts are not configured to require TLS 1.

Azure Ensure Storage Logging Enabled For Blob Service 

Reports if any blob storage accounts are not configured to log read, write, and delete requests.

Azure Ensure Storage Logging Enabled For Queue Service 

Reports if any storage queue accounts are not configured to log read, write, and delete requests.

Azure Ensure Storage Logging Enabled For Table Service 

Reports if any storage table accounts are not configured to log read, write, and delete requests.

Azure Ensure Trusted Microsoft Services Enabled 

Reports if any storage accounts do not have access enabled for Trusted Microsoft Services.

Azure Guest Users Audit 

Reports if any guest users exist so that they can be reviewed.

Azure Network Security Groups With Inbound RDP Open 

Reports when an Azure Network Security Group has RDP open to the internet.

Azure Network Security Groups With Inbound SSH Open 

Reports when an Azure Network Security Group has SSH (port 22) open to the internet.

Azure Publicly Accessible Managed SQL Instance 

Checks for database services that are publicly accessible and terminates them after approval.

Azure Resources With Public IP Address 

Gets the Resource Group or any resources with a public IP address.

Azure Storage Accounts Without HTTPS Enforced

Checks for Azure Storage Accounts with HTTPS not enforced.

Azure Web App Minimum TLS Version 

Checks for Azure Web Apps with a minimum TLS version less than the value specified.

Google Open Buckets 

Checks for buckets that are open to the public.