fixing missing period

README.md

@@ -149,15 +149,32 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
         * [HTTPS Only Enabled](en/azure/appservice/https-only-enabled.md)
         * [Identity Enabled](en/azure/appservice/identity-enabled.md)
         * [Python Version](en/azure/appservice/python-version.md)
+    * Azure Policy
+        * [Resource Location Matches Resource Group](en/azure/azurepolicy/resource-location-matches-resource-group.md)
+        * [Resources Allowed Locations](en/azure/azurepolicy/resources-allowed-locations.md)
     * Blob Service
         * [Blob Container Private Access](en/azure/blobservice/blob-container-private-access.md)
         * [Blob Service Immutable](en/azure/blobservice/blob-service-immutable.md)
+    * CDN
+        * [Detect Insecure Custom Origin](en/azure/cdn/detect-insecure-custom-origin.md)
     * File Service
         * [File Service All Access ACL](en/azure/fileservice/file-service-all-access-acl.md)
+    * Key Vault
+        * [Key Expiration Enabled](en/azure/keyvault/key-expiration-enabled.md)
+    * Kubernetes Service
+        * [RBAC Enabled](en/azure/kubernetesservice/rbac-enabled.md)
     * Log Alerts
         * [SQL Server Firewall Rule Alerts Monitor](en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md)
         * [Virtual Network Alerts Monitor](en/azure/logalerts/virtual-network-alerts-monitor.md)
+    * Monitor
+        * [Autoscale Enabled](en/azure/monitor/autoscale-enabled.md)
+        * [Log Profile Archive Data](en/azure/monitor/log-profile-archive-data.md)
+        * [NSG Log Analytics Enabled](en/azure/monitor/nsg-log-analytics-enabled.md)
+    * MySQL Server
+        * [Enforce SSL Connection Enabled](en/azure/mysqlserver/enforce-ssl-connection-enabled.md)
     * Network Security Groups
+        * [Default Security Group](en/azure/networksecuritygroups/default-security-group.md)
+        * [Open All Ports](en/azure/networksecuritygroups/open-all-ports.md)
         * [Open CIFS](en/azure/networksecuritygroups/open-cifs.md)
         * [Open DNS](en/azure/networksecuritygroups/open-dns.md)
         * [Open FTP](en/azure/networksecuritygroups/open-ftp.md)
@@ -179,15 +196,19 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
         * [Open VNC Server](en/azure/networksecuritygroups/open-vnc-server.md)
     * Queue Service
         * [Queue Service All Access ACL](en/azure/queueservice/queue-service-all-access-acl.md)
-    * Resource Groups
-        * [Resource Groups](en/azure/resourcegroups/resource-groups.md)
+    * SQL Server
+        * [TDE Protector Encrypted](en/azure/sqlserver/tde-protector-encrypted.md)
     * Security Center
         * [Application Whitelisting Enabled](en/azure/securitycenter/application-whitelisting-enabled.md)
+        * [Monitor Blob Encryption](en/azure/securitycenter/monitor-blob-encryption.md)
         * [Monitor Disk Encryption](en/azure/securitycenter/monitor-disk-encryption.md)
         * [Monitor SQL Auditing](en/azure/securitycenter/monitor-sql-auditing.md)
         * [Monitor SQL Encryption](en/azure/securitycenter/monitor-sql-encryption.md)
         * [Monitor VM Vulnerability](en/azure/securitycenter/monitor-vm-vulnerability.md)
+        * [Security Configuration Monitoring](en/azure/securitycenter/security-configuration-monitoring.md)
     * Storage Accounts
+        * [Log Container Public Access](en/azure/storageaccounts/log-container-public-access.md)
+        * [Log Storage Encryption](en/azure/storageaccounts/log-storage-encryption.md)
         * [Network Access Default Action](en/azure/storageaccounts/network-access-default-action.md)
         * [Storage Accounts Encryption](en/azure/storageaccounts/storage-accounts-encryption.md)
         * [Storage Accounts HTTPS](en/azure/storageaccounts/storage-accounts-https.md)

en/aws/cloudfront/public-s3-cloudfront-origin.md

@@ -15,7 +15,7 @@
 | **Recommended Action** | Create an origin access identity for CloudFront, then make the contents of the S3 bucket private. |
 
 ## Detailed Remediation Steps
-1.Log into the AWS Management Console.
+1. Log into the AWS Management Console.
 2. Select the "Services" option and search for CloudFront. </br> <img src="/resources/aws/cloudfront/public-s3-cloudfront-origin/step2.png"/>
 3. Select the "CloudFront Distribution" that needs to be verified.</br> <img src="/resources/aws/cloudfront/public-s3-cloudfront-origin/step3.png"/>
 4. Click the "Distribution Settings" button from menu to get into the "CloudFront Distribution" configuration page. </br><img src="/resources/aws/cloudfront/public-s3-cloudfront-origin/step4.png"/>

en/azure/azurepolicy/resource-location-matches-resource-group.md

@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Azure Policy / Resource Location Matches Resource Group
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Resource Location Matches Resource Group |
+| **Cloud** | AZURE |
+| **Category** | Azure Policy |
+| **Description** | Ensures deployed resources match the resource groups they are in, as well as ensuring the Audit resource location matches resource group location policy is assigned. |
+| **More Info** | Monitoring changes to resources follows Security and Compliance best practices. Being able to track resource location changes adds a level of accountability. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal |
+| **Recommended Action** | 1. Navigate to the Policy service. 2. Select the Assignments blade. 3. Click on Assign Policy. 4. Click to search a Policy definition, search for and select: Audit resource location matches resource group location. 5. Under Parameters, select your Allowed locations. 6. Click on Assign. |
+
+## Detailed Remediation Steps
+

en/azure/azurepolicy/resources-allowed-locations.md

@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Azure Policy / Resources Allowed Locations
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Resources Allowed Locations |
+| **Cloud** | AZURE |
+| **Category** | Azure Policy |
+| **Description** | Ensures deployed resources and resource groups belong to the list set in the Allowed locations for resource groups policy. |
+| **More Info** | Monitoring changes to resources follows Security and Compliance best practices. Being able to track resource location changes adds a level of accountability. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal |
+| **Recommended Action** | 1. Navigate to the Policy service. 2. Select the Assignments blade. 3. Click on Assign Policy. 4. Click to search a Policy definition, search for and select: Allowed locations for resource groups. 5. Under Parameters, select your Allowed locations. 6. Click on Assign. |
+
+## Detailed Remediation Steps
+

en/azure/cdn/detect-insecure-custom-origin.md

@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / CDN / Detect Insecure Custom Origin
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Detect Insecure Custom Origin |
+| **Cloud** | AZURE |
+| **Category** | CDN |
+| **Description** | Ensure that HTTPS is enabled when creating a new CDN endpoint with a Custom Origin. |
+| **More Info** | Detects if HTTPS is disabled for CDN endpoint of custom origins. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/cdn/cdn-create-endpoint-how-to |
+| **Recommended Action** | 1. Navigate to CDN profiles. 2. Select a profile. 3. Select an endpoint. 4. Select Settings > Origin. 5. Turn off HTTP and make sure HTTPS is turned on. |
+
+## Detailed Remediation Steps
+

en/azure/keyvault/key-expiration-enabled.md

@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Key Vault / Key Expiration Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Key Expiration Enabled |
+| **Cloud** | AZURE |
+| **Category** | Key Vault |
+| **Description** | Ensure that all Keys in Azure Key Vault have an expiry time set. |
+| **More Info** | Setting an expiry time on all keys forces key rotation and removes unused and forgotten keys from being used. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates |
+| **Recommended Action** | 1. Go to Key vaults. 2. For each Key vault, click on Keys. 3. Ensure that each key in the vault has EXPIRATION DATE set as appropriate. |
+
+## Detailed Remediation Steps
+

en/azure/kubernetesservice/rbac-enabled.md

@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Kubernetes Service / RBAC Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | RBAC Enabled |
+| **Cloud** | AZURE |
+| **Category** | Kubernetes Service |
+| **Description** | Ensures that RBAC is enabled on all Azure Kubernetes Services Instances |
+| **More Info** | Role Based Access Control(RBAC) provides greater control and security for Kubernetes clusters. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/aks/aad-integration |
+| **Recommended Action** | When creating a new Kubernetes Cluster, ensure that RBAC is enabled under the Authentication tab during creation. |
+
+## Detailed Remediation Steps
+

en/azure/monitor/autoscale-enabled.md

@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Monitor / Autoscale Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Autoscale Enabled |
+| **Cloud** | AZURE |
+| **Category** | Monitor |
+| **Description** | Ensure Autoscaling is enabled on Resource Groups. |
+| **More Info** | Enabling Autoscale increases efficency and improves cost management for resources. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones |
+| **Recommended Action** | 1. Navigate to the Monitor category. 2. Select the autoscale blade under settings. 3. Choose the resource group. 4. Configure autoscaling. |
+
+## Detailed Remediation Steps
+

en/azure/monitor/log-profile-archive-data.md

@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Monitor / Log Profile Archive Data
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Log Profile Archive Data |
+| **Cloud** | AZURE |
+| **Category** | Monitor |
+| **Description** | The Log Profile should be configured to export all activities from the control/management plane in all active locations. |
+| **More Info** | Enabling logging of all activities in a log profile ensures that cloud security best practices, as well as compliance and monitoring standards are followed. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/archive-activity-log |
+| **Recommended Action** | 1. Enter the Monitor category. 2. Select Activity Log from the left hand menu. 3. On the top of activity log select Export to Event Hub to enable activity log archiving and select the storage account or event hub to send the data to. |
+
+## Detailed Remediation Steps
+

en/azure/monitor/nsg-log-analytics-enabled.md

@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Monitor / NSG Log Analytics Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | NSG Log Analytics Enabled |
+| **Cloud** | AZURE |
+| **Category** | Monitor |
+| **Description** | Ensures Network Security Groups logs are sent to the Log Analytics workspace. |
+| **More Info** | Enabling Log Analytics ensures that logs are shipped to a central repository that can be queried and audited, following cloud security best practices. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-activity-logs |
+| **Recommended Action** | 1. Go to Azure Monitor. 2. Select Diagnostic setting from the settings tab on the list to the left. 3. Choose the resource. 4. If no diagnostic setting defined, add diagnostic setting and enable Send to Log Analytics, if diagnostic setting are defined, edit the setting to enable Send to Log Analytics. |
+
+## Detailed Remediation Steps
+

en/azure/mysqlserver/enforce-ssl-connection-enabled.md

@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / MySQL Server / Enforce SSL Connection Enabled
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Enforce SSL Connection Enabled |
+| **Cloud** | AZURE |
+| **Category** | MySQL Server |
+| **Description** | Ensures SSL connection is set on MySQL Servers. |
+| **More Info** | SSL prevents infiltration attacks by encrypting the data stream between the server and app. By ensuring that SSL is enabled, security best practices are followed. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security |
+| **Recommended Action** | 1. Login to Azure Portal. 2. Go to Azure Database for MySQL server. 3. For each database, click on Connection security. 4. In SSL settings, Ensure Enforce SSL connection is set to Enabled. |
+
+## Detailed Remediation Steps
+

en/azure/networksecuritygroups/default-security-group.md

@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Network Security Groups / Default Security Group
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Default Security Group |
+| **Cloud** | AZURE |
+| **Category** | Network Security Groups |
+| **Description** | Ensure the default security groups block all traffic by default. |
+| **More Info** | The default security group is often used for resources launched without a defined security group. For this reason, the default rules should be to block all traffic to prevent an accidental exposure. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group |
+| **Recommended Action** | Update the rules for the default security group to deny all traffic by default. |
+
+## Detailed Remediation Steps
+

en/azure/networksecuritygroups/open-all-ports.md

@@ -0,0 +1,18 @@
+[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
+
+# AZURE / Network Security Groups / Open All Ports
+
+## Quick Info
+
+| | |
+|-|-|
+| **Plugin Title** | Open All Ports |
+| **Cloud** | AZURE |
+| **Category** | Network Security Groups |
+| **Description** | Determine if all ports are open to the public |
+| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, services should be restricted to known IP addresses. |
+| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group |
+| **Recommended Action** | Restrict ports to known IP addresses |
+
+## Detailed Remediation Steps
+

en/azure/networksecuritygroups/open-cifs.md

@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict UDP port 445 to known IP addresses |
 
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups. </br> <img src="/resources/azure/networksecuritygroups/open-cifs/step2.png"/>
 3.  Select the "Network security group" that needs to be verified. </br> <img src="/resources/azure/networksecuritygroups/open-cifs/step3.png"/>

en/azure/networksecuritygroups/open-dns.md

@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict TCP and UDP port 53 to known IP addresses |
 
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups. </br> <img src="/resources/azure/networksecuritygroups/open-dns/step2.png"/>
 3.  Select the "Network security group" that needs to be verified. </br> <img src="/resources/azure/networksecuritygroups/open-dns/step3.png"/>

en/azure/networksecuritygroups/open-ftp.md

@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict TCP port 20 or 21 to known IP addresses |
 
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups. </br> <img src="/resources/azure/networksecuritygroups/open-ftp/step2.png"/>
 3.  Select the "Network security group" that needs to be verified. </br> <img src="/resources/azure/networksecuritygroups/open-ftp/step3.png"/>

en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md

@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict TCP port 8020 to known IP addresses for Hadoop/HDFS. |
 
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups. </br> <img src="/resources/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service/step2.png"/>
 3. Select the "Network security group" that needs to be verified. </br> <img src="/resources/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service/step3.png"/>

en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md

@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict TCP port 50070 and 50470 to known IP addresses for Hadoop/HDFS |
 
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups. </br> <img src="/resources/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui/step2.png"/>
 3. Select the "Network security group" that needs to be verified. </br> <img src="/resources/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui/step3.png"/>

en/azure/networksecuritygroups/open-kibana.md

@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict TCP port 5601 to known IP addresses |
 
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups. </br> <img src="/resources/azure/networksecuritygroups/open-kibana/step2.png"/>
 3. Select the "Network security group" that needs to be verified. </br> <img src="/resources/azure/networksecuritygroups/open-kibana/step3.png"/>

en/azure/networksecuritygroups/open-mysql.md

@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict TCP ports 4333 and 3306 to known IP addresses |
 
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups. </br> <img src="/resources/azure/networksecuritygroups/open-mysql/step2.png"/>
 3. Select the "Network security group" that needs to be verified. </br> <img src="/resources/azure/networksecuritygroups/open-mysql/step3.png"/>

en/azure/networksecuritygroups/open-netbios.md

@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict UDP ports 137 and 138 to known IP addresses |
 
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups. </br> <img src="/resources/azure/networksecuritygroups/open-netbios/step2.png"/>
 3. Select the "Network security group" that needs to be verified. </br> <img src="/resources/azure/networksecuritygroups/open-netbios/step3.png"/>

en/azure/networksecuritygroups/open-oracle.md

@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict TCP ports 1521 to known IP addresses |
 
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups. </br> <img src="/resources/azure/networksecuritygroups/open-oracle/step2.png"/>
 3. Select the "Network security group" that needs to be verified. </br> <img src="/resources/azure/networksecuritygroups/open-netbios/step3.png"/>

en/azure/networksecuritygroups/open-postgresql.md

@@ -15,6 +15,7 @@
 | **Recommended Action** | Restrict TCP port 5432 to known IP addresses |
 
 ## Detailed Remediation Steps
+
 1. Log into the Microsoft Azure Management Console.
 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups. </br> <img src="/resources/azure/networksecuritygroups/open-postgresql/step2.png"/>
 3. Select the "Network security group" that needs to be verified. </br> <img src="/resources/azure/networksecuritygroups/open-postgresql/step3.png"/>