Security Policies

Note:Click the link in the Policy Name column to access the corresponding policy template.

Gain visibility and control across all your public and/or private cloud environments with our security policies. Improve security across your applications, data, and associated infrastructure by finding security vulnerabilities before your customers do.

Policy Name	Description
AWS EBS Ensure Encryption By Default	Reports if EBS volumes are not set to be encrypted by default.
AWS Ensure AWS Config Enabled In All Regions	Reports if AWS Config is not enabled in all regions.
AWS Ensure CloudTrail Enabled In All Regions	Reports if CloudTrail is not fully enabled in all regions.
AWS Ensure CloudTrail Integrated With Cloudwatch	Reports if CloudTrail trails are not integrated with CloudWatch logs.
AWS Ensure CloudTrail Logs Encrypted At Rest	Reports if CloudTrail logs are not encrypted at rest.
AWS Ensure CloudTrail S3 Buckets Have Access Logging	Reports if CloudTrail stores logs in S3 bucket(s) without access logging enabled.
AWS Ensure CloudTrail S3 Buckets Non-Public	Reports if CloudTrail stores logs in publicly accessible S3 bucket(s).
AWS Ensure IAM Users Receive Permissions Only Through Groups	Reports if any IAM users have policies assigned directly instead of through groups.
AWS Ensure Log File Validation Enabled For All CloudTrails	Reports if any CloudTrails do not have log file validation enabled.
AWS Ensure Object-level Events Logging Enabled For CloudTrails	Reports if CloudTrail does not have object-level logging for read and write events enabled.
AWS Ensure Rotation For Customer Master Keys (CMKs) Is Enabled	Reports if CMK rotation is not enabled.
AWS IAM Ensure Access Keys Are Rotated	Reports if access keys exist that are 90 days old or older.
AWS IAM Ensure Credentials Unused For >45 days Are Disabled	Reports if credentials exist that have gone unused for 45 days or more.
AWS IAM Ensure MFA Enabled For IAM Users	Reports if MFA is not enabled for IAM users with a console password.
AWS IAM Ensure One Active Key Per IAM User	Reports if any IAM users have 2 or more active access keys.
AWS IAM Reports Attached Admin IAM Policies	Reports any admin IAM policies that are attached.
AWS IAM Reports Expired SSL/TLS Certificates	Reports any expired SSL/TLS certificates in the AWS account.
AWS IAM Reports Insufficient Password Policy	Reports if password length requirement is insufficient.
AWS IAM Reports Password Policy No Restrict Password Reuse	Reports if password policy does not restrict reusing passwords or saves fewer than 24 passwords for this purpose.
AWS IAM Reports Regions Without Access Analyzer	Reports affected regions if no Access Analyzer is enabled.
AWS IAM Reports Root Account Access Keys	Reports any access keys with root access.
AWS IAM Reports Root Accounts Without Hardware MFA	Reports root account if hardware MFA is disabled.
AWS IAM Reports Root Accounts Without MFA	Reports root account if MFA is disabled.
AWS IAM Reports Root User Doing Everyday Tasks	Reports whether the root account is being used for routine or everyday tasks.
AWS IAM Support Role Created	Reports if no support roles exist in the AWS account.
AWS Internet-facing ELBs & ALBs	Reports and remediates any Classic Load Balancers (ELBs) and Application load Balancers (ALBs) that are Internet-facing.
AWS Open S3 Buckets	Checks for S3 buckets that are open to everyone.
AWS Publicly Accessible RDS Instances	Checks for database services that are publicly accessible and terminate them after approval.
AWS S3 Buckets Without Server Access Logging	Checks for buckets that do not have server_access_logging enabled.
AWS S3 Ensure 'Block Public Access' Configured For All Buckets	Reports if Block Public Access is not configured for any S3 Buckets.
AWS S3 Ensure Bucket Policies Deny HTTP Requests	Reports any S3 buckets that do not have a policy to deny HTTP requests.
AWS S3 Ensure MFA Delete Enabled For All Buckets	Reports if MFA Delete is not enabled for any S3 Buckets.
AWS Unencrypted ELB Listeners (ALB/NLB)	Reports any AWS App/Network Load Balancers w/Internet-facing Unencrypted Listeners.
AWS Unencrypted ELB Listeners (CLB)	Reports any AWS Classic Load Balancers w/Internet-facing Unencrypted Listeners.
AWS Unencrypted RDS Instances	Reports any Relational Database Service (RDS) instances that are unencrypted.
AWS Unencrypted S3 Buckets	Reports any S3 buckets in AWS that are unencrypted and provide the option to set the default encryption after approval.
AWS Unencrypted Volumes	Reports any Elastic Block Store (EBS) volumes in AWS that are unencrypted.
AWS VPCs without FlowLogs Enabled	Reports any AWS VPCs without FlowLogs Enabled.
Azure Ensure Blob Containers Set To Private	Reports if any blob storage containers do not have their public access level set to private.
Azure Ensure Correct PostgreSQL Servers Log Settings	Reports if any PostgreSQL server instances are not configured with correct log settings.
Azure Ensure High Severity Alerts	Reports if any subscriptions are not configured to Reports high severity alerts.
Azure Ensure Log Analytics Auto-Provisioning	Reports if auto-provisioning of Log Analytics agent for Azure VMs is disabled.
Azure Ensure MySQL Flexible Servers Use Secure TLS	Reports if any MySQL flexible server instances do not use a secure TLS version.
Azure Ensure MySQL Servers Enforce SSL Connections	Reports if any MySQL server instances do not enforce SSL connections.
Azure Ensure Owners Receive Security Alerts	Reports if any subscriptions are not configured to send security alerts to their owners.
Azure Ensure PostgreSQL Servers Connection Throttling Enabled	Reports if any PostgreSQL server instances do not have connection throttling enabled.
Azure Ensure PostgreSQL Servers Infrastructure Encryption	Reports if any PostgreSQL server instances do not have infrastructure encryption enabled.
Azure Ensure PostgreSQL Servers Sufficient Log Retention	Reports if any PostgreSQL server instances do not have log retention configured for more than 3 days.
Azure Ensure Secure Transfer Required	Reports if any storage accounts are not configured to require secure transfers.
Azure Ensure Security Contact Email	Reports if any subscriptions lack a security contact email address.
Azure Ensure Soft Delete Enabled For Azure Storage	Reports if the storage service does not have soft delete enabled.
Azure Ensure SQL Database Encryption	Reports if any SQL databases do not have encryption enabled.
Azure Ensure SQL Server AD Admin Configured	Reports if any SQL server instances do not have an AD (Active Directory) Admin configured.
Azure Ensure SQL Server ATP (Advanced Threat Protection) Enabled	Reports if any SQL server instances do not have ATP (Advanced Threat Protection) enabled.
Azure Ensure SQL Server Auditing Enabled	Reports if any SQL server instances do not have auditing enabled.
Azure Ensure SQL Server Minimum Auditing Retention Of 90 Days	Reports if any SQL server instances do not have auditing retention configured for 90 days or more.
Azure Ensure SQL Server VA Email Notifications	Reports if any SQL server instances do not have auditing retention configured for 90 days or more.
Azure Ensure SQL Server VA Notify Admins/Subscription Owners	Reports if any SQL server instances are not configured in VA to also notify admins and subscription owners.
Azure Ensure SQL Server VA Periodic Scans Enabled	Reports if any SQL server instances do not have Vulnerability Assessment (VA) periodic scans enabled.
Azure Ensure SQL Server Vulnerability Assessment (VA) Enabled	Reports if any SQL server instances do not have Vulnerability Assessment (VA) enabled.
Azure Ensure Storage Account Default Network Access Set To Deny	Reports if any storage accounts do not have their default network access set to deny.
Azure Ensure Storage Accounts Require Secure TLS Version	Reports if any storage accounts are not configured to require TLS 1.
Azure Ensure Storage Logging Enabled For Blob Service	Reports if any blob storage accounts are not configured to log read, write, and delete requests.
Azure Ensure Storage Logging Enabled For Queue Service	Reports if any storage queue accounts are not configured to log read, write, and delete requests.
Azure Ensure Storage Logging Enabled For Table Service	Reports if any storage table accounts are not configured to log read, write, and delete requests.
Azure Ensure Trusted Microsoft Services Enabled	Reports if any storage accounts do not have access enabled for Trusted Microsoft Services.
Azure Guest Users Audit	Reports if any guest users exist so that they can be reviewed.
Azure Network Security Groups With Inbound RDP Open	Reports when an Azure Network Security Group has RDP open to the internet.
Azure Network Security Groups With Inbound SSH Open	Reports when an Azure Network Security Group has ssh (port 22) open to the internet.
Azure Publicly Accessible Managed SQL Instance	Checks for database services that are publicly accessible and terminate them after approval.
Azure Resources With Public IP Address	Gets the Resource Group or any resources with a public IP address.
Azure Storage Accounts Without HTTPs Enforced	Checks for Azure Storage Accounts with HTTPs not enforced.
Azure Web App Minimum TLS Version	Checks for Azure Web Apps with a minimum TLS version less that the value specified.
Google Open Buckets	Checks for buckets that are open to the public.