Security Policies
Note: Click the link in the Policy Name column to access the corresponding policy template.
Gain visibility and control across all your public and/or private cloud environments with our security policies. Improve security across your applications, data, and associated infrastructure by finding security vulnerabilities before your customers do.
| Policy Name | Description | 
|---|---|
| AWS EBS Ensure Encryption By Default | Reports if EBS volumes are not set to be encrypted by default. | 
| AWS Ensure AWS Config Enabled In All Regions | Reports if AWS Config is not enabled in all regions. | 
| AWS Ensure CloudTrail Enabled In All Regions | Reports if CloudTrail is not fully enabled in all regions. | 
| AWS Ensure CloudTrail Integrated With Cloudwatch | Reports if CloudTrail trails are not integrated with CloudWatch logs. | 
| AWS Ensure CloudTrail Logs Encrypted At Rest | Reports if CloudTrail logs are not encrypted at rest. | 
| AWS Ensure CloudTrail S3 Buckets Have Access Logging | Reports if CloudTrail stores logs in S3 bucket(s) without access logging enabled. | 
| AWS Ensure CloudTrail S3 Buckets Non-Public | Reports if CloudTrail stores logs in publicly accessible S3 bucket(s). | 
| AWS Ensure IAM Users Receive Permissions Only Through Groups | Reports if any IAM users have policies assigned directly instead of through groups. | 
| AWS Ensure Log File Validation Enabled For All CloudTrails | Reports if any CloudTrails do not have log file validation enabled. | 
| AWS Ensure Object-level Events Logging Enabled For CloudTrails | Reports if CloudTrail does not have object-level logging for read and write events enabled. | 
| AWS Ensure Rotation For Customer Master Keys (CMKs) Is Enabled | Reports if CMK rotation is not enabled. | 
| AWS IAM Ensure Access Keys Are Rotated | Reports if access keys exist that are 90 days old or older. | 
| AWS IAM Ensure Credentials Unused For >45 days Are Disabled | Reports if credentials exist that have gone unused for 45 days or more. | 
| AWS IAM Ensure MFA Enabled For IAM Users | Reports if MFA is not enabled for IAM users with a console password. | 
| AWS IAM Ensure One Active Key Per IAM User | Reports if any IAM users have 2 or more active access keys. | 
| AWS IAM Reports Attached Admin IAM Policies | Reports any admin IAM policies that are attached. | 
| AWS IAM Reports Expired SSL/TLS Certificates | Reports any expired SSL/TLS certificates in the AWS account. | 
| AWS IAM Reports Insufficient Password Policy | Reports if password length requirement is insufficient. | 
| AWS IAM Reports Password Policy No Restrict Password Reuse | Reports if password policy does not restrict reusing passwords or saves fewer than 24 passwords for this purpose. | 
| AWS IAM Reports Regions Without Access Analyzer | Reports affected regions if no Access Analyzer is enabled. | 
| AWS IAM Reports Root Account Access Keys | Reports any access keys with root access. | 
| AWS IAM Reports Root Accounts Without Hardware MFA | Reports root account if hardware MFA is disabled. | 
| AWS IAM Reports Root Accounts Without MFA | Reports root account if MFA is disabled. | 
| AWS IAM Reports Root User Doing Everyday Tasks | Reports whether the root account is being used for routine or everyday tasks. | 
| AWS IAM Support Role Created | Reports if no support roles exist in the AWS account. | 
| AWS Internet-facing ELBs & ALBs | Reports and remediates any Classic Load Balancers (ELBs) and Application Load Balancers (ALBs) that are Internet-facing. | 
| AWS Open S3 Buckets | Checks for S3 buckets that are open to everyone. | 
| AWS Publicly Accessible RDS Instances | Checks for database services that are publicly accessible and terminates them after approval. | 
| AWS S3 Buckets Without Server Access Logging | Checks for buckets that do not have server access logging enabled. | 
| AWS S3 Ensure 'Block Public Access' Configured For All Buckets | Reports if Block Public Access is not configured for any S3 Buckets. | 
| AWS S3 Ensure Bucket Policies Deny HTTP Requests | Reports any S3 buckets that do not have a policy to deny HTTP requests. | 
| AWS S3 Ensure MFA Delete Enabled For All Buckets | Reports if MFA Delete is not enabled for any S3 Buckets. | 
| AWS Unencrypted ELB Listeners (ALB/NLB) | Reports any AWS Application/Network Load Balancers with Internet-facing unencrypted listeners. | 
| AWS Unencrypted ELB Listeners (CLB) | Reports any AWS Classic Load Balancers with Internet-facing unencrypted listeners. | 
| AWS Unencrypted RDS Instances | Reports any Relational Database Service (RDS) instances that are unencrypted. | 
| AWS Unencrypted S3 Buckets | Reports any S3 buckets in AWS that are unencrypted and provides the option to set the default encryption after approval. | 
| AWS Unencrypted Volumes | Reports any Elastic Block Store (EBS) volumes in AWS that are unencrypted. | 
| AWS VPCs Without Flow Logs Enabled | Reports any AWS VPCs without Flow Logs enabled. | 
| Azure Ensure Blob Containers Set To Private | Reports if any blob storage containers do not have their public access level set to private. | 
| Azure Ensure Correct PostgreSQL Servers Log Settings | Reports if any PostgreSQL server instances are not configured with correct log settings. | 
| Azure Ensure High Severity Alerts | Reports if any subscriptions are not configured to report high severity alerts. | 
| Azure Ensure Log Analytics Auto-Provisioning | Reports if auto-provisioning of Log Analytics agent for Azure VMs is disabled. | 
| Azure Ensure MySQL Flexible Servers Use Secure TLS | Reports if any MySQL flexible server instances do not use a secure TLS version. | 
| Azure Ensure MySQL Servers Enforce SSL Connections | Reports if any MySQL server instances do not enforce SSL connections. | 
| Azure Ensure Owners Receive Security Alerts | Reports if any subscriptions are not configured to send security alerts to their owners. | 
| Azure Ensure PostgreSQL Servers Connection Throttling Enabled | Reports if any PostgreSQL server instances do not have connection throttling enabled. | 
| Azure Ensure PostgreSQL Servers Infrastructure Encryption | Reports if any PostgreSQL server instances do not have infrastructure encryption enabled. | 
| Azure Ensure PostgreSQL Servers Sufficient Log Retention | Reports if any PostgreSQL server instances do not have log retention configured for more than 3 days. | 
| Azure Ensure Secure Transfer Required | Reports if any storage accounts are not configured to require secure transfers. | 
| Azure Ensure Security Contact Email | Reports if any subscriptions lack a security contact email address. | 
| Azure Ensure Soft Delete Enabled For Azure Storage | Reports if the storage service does not have soft delete enabled. | 
| Azure Ensure SQL Database Encryption | Reports if any SQL databases do not have encryption enabled. | 
| Azure Ensure SQL Server AD Admin Configured | Reports if any SQL server instances do not have an AD (Active Directory) Admin configured. | 
| Azure Ensure SQL Server ATP (Advanced Threat Protection) Enabled | Reports if any SQL server instances do not have ATP (Advanced Threat Protection) enabled. | 
| Azure Ensure SQL Server Auditing Enabled | Reports if any SQL server instances do not have auditing enabled. | 
| Azure Ensure SQL Server Minimum Auditing Retention Of 90 Days | Reports if any SQL server instances do not have auditing retention configured for 90 days or more. | 
| Azure Ensure SQL Server VA Email Notifications | Reports if any SQL server instances do not have auditing retention configured for 90 days or more. | 
| Azure Ensure SQL Server VA Notify Admins/Subscription Owners | Reports if any SQL server instances are not configured in VA to also notify admins and subscription owners. | 
| Azure Ensure SQL Server VA Periodic Scans Enabled | Reports if any SQL server instances do not have Vulnerability Assessment (VA) periodic scans enabled. | 
| Azure Ensure SQL Server Vulnerability Assessment (VA) Enabled | Reports if any SQL server instances do not have Vulnerability Assessment (VA) enabled. | 
| Azure Ensure Storage Account Default Network Access Set To Deny | Reports if any storage accounts do not have their default network access set to deny. | 
| Azure Ensure Storage Accounts Require Secure TLS Version | Reports if any storage accounts are not configured to require TLS 1. | 
| Azure Ensure Storage Logging Enabled For Blob Service | Reports if any blob storage accounts are not configured to log read, write, and delete requests. | 
| Azure Ensure Storage Logging Enabled For Queue Service | Reports if any storage queue accounts are not configured to log read, write, and delete requests. | 
| Azure Ensure Storage Logging Enabled For Table Service | Reports if any storage table accounts are not configured to log read, write, and delete requests. | 
| Azure Ensure Trusted Microsoft Services Enabled | Reports if any storage accounts do not have access enabled for Trusted Microsoft Services. | 
| Azure Guest Users Audit | Reports if any guest users exist so that they can be reviewed. | 
| Azure Network Security Groups With Inbound RDP Open | Reports when an Azure Network Security Group has RDP open to the internet. | 
| Azure Network Security Groups With Inbound SSH Open | Reports when an Azure Network Security Group has SSH (port 22) open to the internet. | 
| Azure Publicly Accessible Managed SQL Instance | Checks for database services that are publicly accessible and terminates them after approval. | 
| Azure Resources With Public IP Address | Gets the Resource Group or any resources with a public IP address. | 
| Azure Storage Accounts Without HTTPS Enforced | Checks for Azure Storage Accounts with HTTPS not enforced. | 
| Azure Web App Minimum TLS Version | Checks for Azure Web Apps with a minimum TLS version less than the value specified. | 
| Google Open Buckets | Checks for buckets that are open to the public. |