diff --git a/README.md b/README.md index 9e142819e..1a86026db 100644 --- a/README.md +++ b/README.md @@ -142,7 +142,9 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Notebook Direct Internet Access](en/aws/sagemaker/notebook-direct-internet-access.md) * Azure * Active Directory + * [Ensure No Guest User](en/azure/activedirectory/ensure-no-guest-user.md) * [Minimum Password Length](en/azure/activedirectory/minimum-password-length.md) + * [No Custom Owner Roles](en/azure/activedirectory/no-custom-owner-roles.md) * [Password Requires Lowercase](en/azure/activedirectory/password-requires-lowercase.md) * [Password Requires Numbers](en/azure/activedirectory/password-requires-numbers.md) * [Password Requires Symbols](en/azure/activedirectory/password-requires-symbols.md) 
@@ -167,20 +169,24 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * CDN Profiles * [Detect Insecure Custom Origin](en/azure/cdnprofiles/detect-insecure-custom-origin.md) * [Endpoint Logging Enabled](en/azure/cdnprofiles/endpoint-logging-enabled.md) - * Disks - * [Unmanaged Disk Encryption](en/azure/disks/unmanaged-disk-encryption.md) + * Container Registry + * [ACR Admin User](en/azure/containerregistry/acr-admin-user.md) * File Service * [File Service All Access ACL](en/azure/fileservice/file-service-all-access-acl.md) - * Key Vault - * [Key Expiration Enabled](en/azure/keyvault/key-expiration-enabled.md) - * [Key Vault Recovery Enabled](en/azure/keyvault/key-vault-recovery-enabled.md) + * Key Vaults + * [Key Expiration Enabled](en/azure/keyvaults/key-expiration-enabled.md) + * [Key Vault Recovery Enabled](en/azure/keyvaults/key-vault-recovery-enabled.md) + * [Secret Expiration Enabled](en/azure/keyvaults/secret-expiration-enabled.md) * Kubernetes Service + * [Kubernetes Latest Version](en/azure/kubernetesservice/kubernetes-latest-version.md) * [Kubernetes RBAC Enabled](en/azure/kubernetesservice/kubernetes-rbac-enabled.md) * Load Balancer * [LB HTTPS Only](en/azure/loadbalancer/lb-https-only.md) * [LB No Instances](en/azure/loadbalancer/lb-no-instances.md) * Log Alerts * [Network Security Groups Logging Enabled](en/azure/logalerts/network-security-groups-logging-enabled.md) + * [Network Security Groups Rule Logging Enabled](en/azure/logalerts/network-security-groups-rule-logging-enabled.md) + * [Policy Assignment Alerts Enabled](en/azure/logalerts/policy-assignment-alerts-enabled.md) * [SQL Server Firewall Rule Alerts Monitor](en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md) * [Security Policy Alerts Enabled](en/azure/logalerts/security-policy-alerts-enabled.md) * [Security Solution Logging](en/azure/logalerts/security-solution-logging.md) 
@@ -191,9 +197,10 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Log Profile Archive Data](en/azure/monitor/log-profile-archive-data.md) * [Log Profile Retention Policy](en/azure/monitor/log-profile-retention-policy.md) * [NSG Log Analytics Enabled](en/azure/monitor/nsg-log-analytics-enabled.md) + * MySQL Server + * [Enforce MySQL SSL Connection](en/azure/mysqlserver/enforce-mysql-ssl-connection.md) * Network Security Groups * [Default Security Group](en/azure/networksecuritygroups/default-security-group.md) - * [Deny SSH Access](en/azure/networksecuritygroups/deny-ssh-access.md) * [Excessive Security Groups](en/azure/networksecuritygroups/excessive-security-groups.md) * [Network Watcher Enabled](en/azure/networksecuritygroups/network-watcher-enabled.md) * [Open All Ports](en/azure/networksecuritygroups/open-all-ports.md) @@ -219,7 +226,7 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Open VNC Server](en/azure/networksecuritygroups/open-vnc-server.md) * PostgreSQL Server * [Connection Throttling Enabled](en/azure/postgresqlserver/connection-throttling-enabled.md) - * [Enforce SSL Connection Enabled](en/azure/postgresqlserver/enforce-ssl-connection-enabled.md) + * [Enforce PostgreSQL SSL Connection](en/azure/postgresqlserver/enforce-postgresql-ssl-connection.md) * [Log Checkpoints Enabled](en/azure/postgresqlserver/log-checkpoints-enabled.md) * [Log Connections Enabled](en/azure/postgresqlserver/log-connections-enabled.md) * [Log Disconnections Enabled](en/azure/postgresqlserver/log-disconnections-enabled.md) 
@@ -237,15 +244,18 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * SQL Server * [Advanced Data Security Enabled](en/azure/sqlserver/advanced-data-security-enabled.md) * [Audit Action Groups Enabled](en/azure/sqlserver/audit-action-groups-enabled.md) + * [Audit Retention Policy](en/azure/sqlserver/audit-retention-policy.md) + * [Azure Active Directory Admin Enabled](en/azure/sqlserver/azure-active-directory-admin-enabled.md) + * [Email Account Admins Enabled](en/azure/sqlserver/email-account-admins-enabled.md) * [SQL Server Public Access](en/azure/sqlserver/sql-server-public-access.md) + * [Send Alerts Enabled](en/azure/sqlserver/send-alerts-enabled.md) + * [Server Auditing Enabled](en/azure/sqlserver/server-auditing-enabled.md) * [TDE Protector Encrypted](en/azure/sqlserver/tde-protector-encrypted.md) - * SQL Servers - * [Audit Retention Policy](en/azure/sqlservers/audit-retention-policy.md) - * [Server Auditing Enabled](en/azure/sqlservers/server-auditing-enabled.md) * Security Center * [Admin Security Alerts Enabled](en/azure/securitycenter/admin-security-alerts-enabled.md) * [Application Whitelisting Enabled](en/azure/securitycenter/application-whitelisting-enabled.md) * [Auto Provisioning Enabled](en/azure/securitycenter/auto-provisioning-enabled.md) + * [High Severity Alerts Enabled](en/azure/securitycenter/high-severity-alerts-enabled.md) * [Monitor Blob Encryption](en/azure/securitycenter/monitor-blob-encryption.md) * [Monitor Disk Encryption](en/azure/securitycenter/monitor-disk-encryption.md) * [Monitor Endpoint Protection](en/azure/securitycenter/monitor-endpoint-protection.md) 
@@ -257,6 +267,7 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Monitor VM Vulnerability](en/azure/securitycenter/monitor-vm-vulnerability.md) * [Security Configuration Monitoring](en/azure/securitycenter/security-configuration-monitoring.md) * [Security Contacts Enabled](en/azure/securitycenter/security-contacts-enabled.md) + * [Standard Pricing Enabled](en/azure/securitycenter/standard-pricing-enabled.md) * Storage Accounts * [Blob Service Encryption](en/azure/storageaccounts/blob-service-encryption.md) * [File Service Encryption](en/azure/storageaccounts/file-service-encryption.md) 
@@ -293,25 +304,62 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Autoscale Enabled](en/google/compute/autoscale-enabled.md) * [CSEK Encryption Enabled](en/google/compute/csek-encryption-enabled.md) * [Connect Serial Ports Disabled](en/google/compute/connect-serial-ports-disabled.md) + * [IP Forwarding Disabled](en/google/compute/ip-forwarding-disabled.md) * [Instance Level SSH Only](en/google/compute/instance-level-ssh-only.md) * [Instances Multi AZ](en/google/compute/instances-multi-az.md) - * [Ip Forwarding Disabled](en/google/compute/ip-forwarding-disabled.md) - * [VM Instances with No Access](en/google/compute/vm-instances-with-no-access.md) + * [OS Login Enabled](en/google/compute/os-login-enabled.md) + * [VM Instances Least Privilege](en/google/compute/vm-instances-least-privilege.md) * [VM Max Instances](en/google/compute/vm-max-instances.md) * Cryptographic Keys * [Key Rotation](en/google/cryptographickeys/key-rotation.md) * DNS * [DNS Security Enabled](en/google/dns/dns-security-enabled.md) + * [DNS Security Signing Algorithm](en/google/dns/dns-security-signing-algorithm.md) * IAM + * [Corporate Emails Only](en/google/iam/corporate-emails-only.md) + * [KMS User Separation](en/google/iam/kms-user-separation.md) + * [Service Account Admin](en/google/iam/service-account-admin.md) + * [Service Account Key Rotation](en/google/iam/service-account-key-rotation.md) + * [Service Account Managed Keys](en/google/iam/service-account-managed-keys.md) + * [Service Account Separation](en/google/iam/service-account-separation.md) + * [Service Account User](en/google/iam/service-account-user.md) * [Service Limits](en/google/iam/service-limits.md) * Kubernetes + * [Alias IP Ranges Enabled](en/google/kubernetes/alias-ip-ranges-enabled.md) + * [Automatic Node Repair Enabled](en/google/kubernetes/automatic-node-repair-enabled.md) + * [Automatic Node Upgrades Enabled](en/google/kubernetes/automatic-node-upgrades-enabled.md) + * [Basic 
Authentication Disabled](en/google/kubernetes/basic-authentication-disabled.md) + * [COS Image Enabled](en/google/kubernetes/cos-image-enabled.md) + * [Cluster Labels Added](en/google/kubernetes/cluster-labels-added.md) + * [Cluster Least Privilege](en/google/kubernetes/cluster-least-privilege.md) + * [Default Service Account](en/google/kubernetes/default-service-account.md) + * [Legacy Authorization Disabled](en/google/kubernetes/legacy-authorization-disabled.md) + * [Logging Enabled](en/google/kubernetes/logging-enabled.md) + * [Master Authorized Network](en/google/kubernetes/master-authorized-network.md) * [Monitoring Enabled](en/google/kubernetes/monitoring-enabled.md) + * [Network Policy Enabled](en/google/kubernetes/network-policy-enabled.md) + * [Pod Security Policy Enabled](en/google/kubernetes/pod-security-policy-enabled.md) + * [Private Cluster Enabled](en/google/kubernetes/private-cluster-enabled.md) * [Private Endpoint](en/google/kubernetes/private-endpoint.md) + * [Web Dashboard Disabled](en/google/kubernetes/web-dashboard-disabled.md) + * Logging + * [Audit Configuration Logging](en/google/logging/audit-configuration-logging.md) + * [Audit Logging Enabled](en/google/logging/audit-logging-enabled.md) + * [Custom Role Logging](en/google/logging/custom-role-logging.md) + * [Log Sinks Enabled](en/google/logging/log-sinks-enabled.md) + * [Project Ownership Logging](en/google/logging/project-ownership-logging.md) + * [SQL Configuration Logging](en/google/logging/sql-configuration-logging.md) + * [Storage Permissions Logging](en/google/logging/storage-permissions-logging.md) + * [VPC Firewall Rule Logging](en/google/logging/vpc-firewall-rule-logging.md) + * [VPC Network Logging](en/google/logging/vpc-network-logging.md) + * [VPC Network Route Logging](en/google/logging/vpc-network-route-logging.md) * SQL + * [Any Host Root Access](en/google/sql/any-host-root-access.md) * [DB Automated Backups](en/google/sql/db-automated-backups.md) - * [DB Multiple 
Az](en/google/sql/db-multiple-az.md) + * [DB Multiple AZ](en/google/sql/db-multiple-az.md) * [DB Publicly Accessible](en/google/sql/db-publicly-accessible.md) * [DB Restorable](en/google/sql/db-restorable.md) + * [Database SSL Enabled](en/google/sql/database-ssl-enabled.md) * Storage * [Bucket Logging](en/google/storage/bucket-logging.md) * [Bucket Versioning](en/google/storage/bucket-versioning.md) diff --git a/en/azure/activedirectory/ensure-no-guest-user.md b/en/azure/activedirectory/ensure-no-guest-user.md new file mode 100644 index 000000000..c50dd4189 --- /dev/null +++ b/en/azure/activedirectory/ensure-no-guest-user.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Ensure No Guest User + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Ensure No Guest User | +| **Cloud** | AZURE | +| **Category** | Active Directory | +| **Description** | Ensures that there are no guest users in the subscription | +| **More Info** | Guest users are usually users that are invited from outside the company structure, these users are not part of the onboarding/offboarding process and could be overlooked, causing security vulnerabilities. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/active-directory/b2b/add-users-administrator | +| **Recommended Action** | Remove all guest users unless they are required to be members of the Active Directory account. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/activedirectory/minimum-password-length.md b/en/azure/activedirectory/minimum-password-length.md index 2f9d2e5cd..30c99b240 100644 --- a/en/azure/activedirectory/minimum-password-length.md +++ b/en/azure/activedirectory/minimum-password-length.md 
@@ -15,6 +15,7 @@ | **Recommended Action** | No action necessary. Azure handles password requirement settings. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Azure Active Directory.
3. Select the "Azure Active Directory." On the navigation panel, select the "Users" under Manage option.
diff --git a/en/azure/activedirectory/no-custom-owner-roles.md b/en/azure/activedirectory/no-custom-owner-roles.md new file mode 100644 index 000000000..b9705ac4d --- /dev/null +++ b/en/azure/activedirectory/no-custom-owner-roles.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / No Custom Owner Roles + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | No Custom Owner Roles | +| **Cloud** | AZURE | +| **Category** | Active Directory | +| **Description** | Ensures that no custom owner roles exist. | +| **More Info** | Subscription owners should not include permissions to create custom owner roles. This follows the principle of least privilege. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles | +| **Recommended Action** | Remove roles that allow permissions to create custom owner roles. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/activedirectory/password-requires-lowercase.md b/en/azure/activedirectory/password-requires-lowercase.md index 3f58e8e93..a4d106388 100644 --- a/en/azure/activedirectory/password-requires-lowercase.md +++ b/en/azure/activedirectory/password-requires-lowercase.md @@ -15,6 +15,7 @@ | **Recommended Action** | No action necessary. Azure handles password requirement settings. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Azure Active Directory.
3. Select the "Azure Active Directory." On the navigation panel, select the "Users" under Manage option.
diff --git a/en/azure/activedirectory/password-requires-numbers.md b/en/azure/activedirectory/password-requires-numbers.md index 90f92e075..6bda99e1f 100644 --- a/en/azure/activedirectory/password-requires-numbers.md +++ b/en/azure/activedirectory/password-requires-numbers.md @@ -15,6 +15,7 @@ | **Recommended Action** | No action necessary. Azure handles password requirement settings. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Azure Active Directory.
3. Select the "Azure Active Directory." On the navigation panel, select the "Users" under Manage option.
diff --git a/en/azure/activedirectory/password-requires-symbols.md b/en/azure/activedirectory/password-requires-symbols.md index 4014bf32b..3aaf45f64 100644 --- a/en/azure/activedirectory/password-requires-symbols.md +++ b/en/azure/activedirectory/password-requires-symbols.md @@ -15,6 +15,7 @@ | **Recommended Action** | No action necessary. Azure handles password requirement settings. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Azure Active Directory.
3. Select the "Azure Active Directory." On the navigation panel, select the "Users" under Manage option.
diff --git a/en/azure/activedirectory/password-requires-uppercase.md b/en/azure/activedirectory/password-requires-uppercase.md index 89c1a8ad1..811f990c1 100644 --- a/en/azure/activedirectory/password-requires-uppercase.md +++ b/en/azure/activedirectory/password-requires-uppercase.md @@ -15,6 +15,7 @@ | **Recommended Action** | No action necessary. Azure handles password requirement settings. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Azure Active Directory.
3. Select the "Azure Active Directory." On the navigation panel, select the "Users" under Manage option.
diff --git a/en/azure/appservice/.net-framework-version.md b/en/azure/appservice/.net-framework-version.md index fe91f6aaa..0d0972bf8 100644 --- a/en/azure/appservice/.net-framework-version.md +++ b/en/azure/appservice/.net-framework-version.md @@ -15,6 +15,7 @@ | **Recommended Action** | Select the latest version of the .NET framework for all .NET-based App Services | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the “Search resources, services, and docs” option at the top and search for App Services.
3. Select the “App Services” by clicking on the “Name” link to access the configuration changes.
diff --git a/en/azure/appservice/authentication-enabled.md b/en/azure/appservice/authentication-enabled.md index cbf662569..83f8c93eb 100644 --- a/en/azure/appservice/authentication-enabled.md +++ b/en/azure/appservice/authentication-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable App Service Authentication for all App Services. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/client-certificates-enabled.md b/en/azure/appservice/client-certificates-enabled.md index a660ab337..f5fbe25a0 100644 --- a/en/azure/appservice/client-certificates-enabled.md +++ b/en/azure/appservice/client-certificates-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable incoming client certificate SSL setting for all App Services. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/http-2.0-enabled.md b/en/azure/appservice/http-2.0-enabled.md index 80fbdd640..9fdc16dff 100644 --- a/en/azure/appservice/http-2.0-enabled.md +++ b/en/azure/appservice/http-2.0-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable HTTP 2.0 support in the general settings for all App Services | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/https-only-enabled.md b/en/azure/appservice/https-only-enabled.md index a8ce6feed..1c9bce058 100644 --- a/en/azure/appservice/https-only-enabled.md +++ b/en/azure/appservice/https-only-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable HTTPS Only support SSL settings for all App Services | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/identity-enabled.md b/en/azure/appservice/identity-enabled.md index aad569ee3..349827987 100644 --- a/en/azure/appservice/identity-enabled.md +++ b/en/azure/appservice/identity-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable system or user-assigned identities for all App Services and avoid storing credentials in code. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/java-version.md b/en/azure/appservice/java-version.md index b5d942905..6b6484a03 100644 --- a/en/azure/appservice/java-version.md +++ b/en/azure/appservice/java-version.md @@ -15,6 +15,7 @@ | **Recommended Action** | Select the latest version of Java for all Java-based App Services | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/php-version.md b/en/azure/appservice/php-version.md index 882d21a2c..aaf90a6e6 100644 --- a/en/azure/appservice/php-version.md +++ b/en/azure/appservice/php-version.md @@ -15,6 +15,7 @@ | **Recommended Action** | Select the latest version of PHP for all PHP-based App Services | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/python-version.md b/en/azure/appservice/python-version.md index 18e1a0cb6..5229f6e3a 100644 --- a/en/azure/appservice/python-version.md +++ b/en/azure/appservice/python-version.md @@ -15,6 +15,7 @@ | **Recommended Action** | Select the latest version of Python for all Python-based App Services | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/appservice/tls-version-check.md b/en/azure/appservice/tls-version-check.md index 825adfbdd..766873fdf 100644 --- a/en/azure/appservice/tls-version-check.md +++ b/en/azure/appservice/tls-version-check.md @@ -15,6 +15,7 @@ | **Recommended Action** | Set the minimum TLS version to 1.2 for all App Services. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for App Services.
3. Select the "App Services" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/azurepolicy/resource-location-matches-resource-group.md b/en/azure/azurepolicy/resource-location-matches-resource-group.md index bd6d5bcb9..4ae3738df 100644 --- a/en/azure/azurepolicy/resource-location-matches-resource-group.md +++ b/en/azure/azurepolicy/resource-location-matches-resource-group.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable the built-in Azure Policy definition: Audit resource location matches resource group location | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Policy.
3. On the "Policy" page, scroll down the left navigation panel and choose "Assignments" under "Authoring."
diff --git a/en/azure/azurepolicy/resources-allowed-locations.md b/en/azure/azurepolicy/resources-allowed-locations.md index b12a9f6ee..0093c96c3 100644 --- a/en/azure/azurepolicy/resources-allowed-locations.md +++ b/en/azure/azurepolicy/resources-allowed-locations.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that all services contain policy definitions that defined allowed locations. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Policy.
3. On the "Policy" page, scroll down the left navigation panel and choose "Assignments" under "Authoring."
diff --git a/en/azure/blobservice/blob-container-private-access.md b/en/azure/blobservice/blob-container-private-access.md index 95cae6e18..e7ebe7890 100644 --- a/en/azure/blobservice/blob-container-private-access.md +++ b/en/azure/blobservice/blob-container-private-access.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure each blob container is configured to restrict anonymous access | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/blobservice/blob-service-immutable.md b/en/azure/blobservice/blob-service-immutable.md index a37220ae3..134a3a548 100644 --- a/en/azure/blobservice/blob-service-immutable.md +++ b/en/azure/blobservice/blob-service-immutable.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable a data immutability policy for all storage containers in the Azure storage account. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/cdnprofiles/detect-insecure-custom-origin.md b/en/azure/cdnprofiles/detect-insecure-custom-origin.md index d28d1624c..e8c93e553 100644 --- a/en/azure/cdnprofiles/detect-insecure-custom-origin.md +++ b/en/azure/cdnprofiles/detect-insecure-custom-origin.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/cdnprofiles/endpoint-logging-enabled.md b/en/azure/cdnprofiles/endpoint-logging-enabled.md index 812e35e6e..6552b84ac 100644 --- a/en/azure/cdnprofiles/endpoint-logging-enabled.md +++ b/en/azure/cdnprofiles/endpoint-logging-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/containerregistry/acr-admin-user.md b/en/azure/containerregistry/acr-admin-user.md new file mode 100644 index 000000000..780ed9e82 --- /dev/null +++ b/en/azure/containerregistry/acr-admin-user.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Container Registry / ACR Admin User + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | ACR Admin User | +| **Cloud** | AZURE | +| **Category** | Container Registry | +| **Description** | Ensures that the admin user is not enabled on container registries | +| **More Info** | Azure Container Registries have an admin user that is designed for testing. This should be disabled by default to avoid sharing confidential admin credentials. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication | +| **Recommended Action** | Ensure that the admin user is disabled for each container registry. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/fileservice/file-service-all-access-acl.md b/en/azure/fileservice/file-service-all-access-acl.md index 9215ebc64..4ca6f8421 100644 --- a/en/azure/fileservice/file-service-all-access-acl.md +++ b/en/azure/fileservice/file-service-all-access-acl.md 
@@ -15,6 +15,7 @@ | **Recommended Action** | Disable global read, write, and delete policies on all file shares and ensure the share ACL is configured with least privileges. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/keyvaults/key-expiration-enabled.md b/en/azure/keyvaults/key-expiration-enabled.md new file mode 100644 index 000000000..37cdf1654 --- /dev/null +++ b/en/azure/keyvaults/key-expiration-enabled.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Key Vaults / Key Expiration Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Key Expiration Enabled | +| **Cloud** | AZURE | +| **Category** | Key Vaults | +| **Description** | Ensure that all Keys in Azure Key Vault have an expiry time set. | +| **More Info** | Setting an expiry time on all keys forces key rotation and removes unused and forgotten keys from being used. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates | +| **Recommended Action** | Ensure each Key Vault has an expiry time set that provides for sufficient rotation. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/keyvaults/key-vault-recovery-enabled.md b/en/azure/keyvaults/key-vault-recovery-enabled.md new file mode 100644 index 000000000..5ef045396 --- /dev/null +++ b/en/azure/keyvaults/key-vault-recovery-enabled.md 
@@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Key Vaults / Key Vault Recovery Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Key Vault Recovery Enabled | +| **Cloud** | AZURE | +| **Category** | Key Vaults | +| **Description** | Ensures that Purge Protection and Soft Delete are enabled on all Key Vaults | +| **More Info** | Purge Protection and Soft Delete are features that safeguard losing key access. With these setting enabled, key vaults have recovery actions available to restore deleted or compromised key vaults. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete | +| **Recommended Action** | Once Key Vaults are created, the Azure CLI must be used to update the vault Soft Delete and Purge Protection settings. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/keyvaults/secret-expiration-enabled.md b/en/azure/keyvaults/secret-expiration-enabled.md new file mode 100644 index 000000000..7cb9b1f99 --- /dev/null +++ b/en/azure/keyvaults/secret-expiration-enabled.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Key Vaults / Secret Expiration Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Secret Expiration Enabled | +| **Cloud** | AZURE | +| **Category** | Key Vaults | +| **Description** | Ensures that all secrets in Azure Key Vault have an expiry time set. | +| **More Info** | Setting an expiry time on all secrets forces secret rotation and removes unused and forgotten secrets from being used. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/secret-vault/about-secrets-secrets-and-certificates | +| **Recommended Action** | Ensure each Key Vault has an expiry time set that provides for sufficient rotation. | + +## Detailed Remediation Steps + + + + + 
diff --git a/en/azure/kubernetesservice/kubernetes-latest-version.md b/en/azure/kubernetesservice/kubernetes-latest-version.md new file mode 100644 index 000000000..a38dfe57a --- /dev/null +++ b/en/azure/kubernetesservice/kubernetes-latest-version.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Kubernetes Service / Kubernetes Latest Version + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Kubernetes Latest Version | +| **Cloud** | AZURE | +| **Category** | Kubernetes Service | +| **Description** | Ensures the latest version of Kubernetes is installed on AKS clusters | +| **More Info** | AKS supports provisioning clusters from several versions of Kubernetes. Clusters should be kept up to date to ensure Kubernetes security patches are applied. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/aks/aad-integration | +| **Recommended Action** | Upgrade the version of Kubernetes on all AKS clusters to the latest available version. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/kubernetesservice/kubernetes-rbac-enabled.md b/en/azure/kubernetesservice/kubernetes-rbac-enabled.md index c733f2be3..66b6aa540 100644 --- a/en/azure/kubernetesservice/kubernetes-rbac-enabled.md +++ b/en/azure/kubernetesservice/kubernetes-rbac-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/loadbalancer/lb-https-only.md b/en/azure/loadbalancer/lb-https-only.md index 0e29519f4..7cfb3add1 100644 --- a/en/azure/loadbalancer/lb-https-only.md +++ b/en/azure/loadbalancer/lb-https-only.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that each load balancer only accepts connections on port 443. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Load balancers.
3. Select the "Load balancer" by clicking on the "Name" as a link which needs to be configured only to accept connections on HTTPS ports.
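Review bot: the AZURE Link in en/azure/kubernetesservice/kubernetes-latest-version.md (the hunk above the load balancer changes) points at `https://docs.microsoft.com/en-us/azure/aks/aad-integration`, which covers Azure AD integration rather than cluster upgrades; `https://docs.microsoft.com/en-us/azure/aks/upgrade-cluster` is the matching page. The Detailed Remediation Steps are empty as well; `az aks get-upgrades --resource-group <rg> --name <cluster>` to list the versions available, followed by `az aks upgrade --resource-group <rg> --name <cluster> --kubernetes-version <version>`, would give the reader something actionable, together with the caveat that AKS upgrades step one minor version at a time, so a cluster several releases behind needs a sequence of upgrades.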
diff --git a/en/azure/loadbalancer/lb-no-instances.md b/en/azure/loadbalancer/lb-no-instances.md index 1c81a4419..74728d8b2 100644 --- a/en/azure/loadbalancer/lb-no-instances.md +++ b/en/azure/loadbalancer/lb-no-instances.md @@ -15,6 +15,7 @@ | **Recommended Action** | Delete old load balancers that no longer have backend resources. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Load balancers.
3. Select the "Load balancer" by clicking on the "Name" as a link which needs to be checked for active Instances.
diff --git a/en/azure/logalerts/network-security-groups-logging-enabled.md b/en/azure/logalerts/network-security-groups-logging-enabled.md index 502336f2d..2d6444313 100644 --- a/en/azure/logalerts/network-security-groups-logging-enabled.md +++ b/en/azure/logalerts/network-security-groups-logging-enabled.md @@ -9,10 +9,11 @@ | **Plugin Title** | Network Security Groups Logging Enabled | | **Cloud** | AZURE | | **Category** | Log Alerts | -| **Description** | Ensures Activity Log alerts for the create or update and delete Network Security Group Rule events are enabled | +| **Description** | Ensures Activity Log alerts for the create or update and delete Network Security Group events are enabled | | **More Info** | Monitoring for create or update and delete Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-alerts | -| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Network Security Group Rule create or update and delete events. | +| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Network Security Group create or update and delete events. | ## Detailed Remediation Steps + diff --git a/en/azure/logalerts/network-security-groups-rule-logging-enabled.md b/en/azure/logalerts/network-security-groups-rule-logging-enabled.md new file mode 100644 index 000000000..b31b341dc --- /dev/null +++ b/en/azure/logalerts/network-security-groups-rule-logging-enabled.md 
@@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Log Alerts / Network Security Groups Rule Logging Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Network Security Groups Rule Logging Enabled | +| **Cloud** | AZURE | +| **Category** | Log Alerts | +| **Description** | Ensures Activity Log alerts for the create or update and delete Network Security Group rule events are enabled | +| **More Info** | Monitoring for create or update and delete Network Security Group rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-alerts | +| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Network Security Group rule create or update and delete events. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/logalerts/policy-assignment-alerts-enabled.md b/en/azure/logalerts/policy-assignment-alerts-enabled.md new file mode 100644 index 000000000..a6e342750 --- /dev/null +++ b/en/azure/logalerts/policy-assignment-alerts-enabled.md 
@@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Log Alerts / Policy Assignment Alerts Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Policy Assignment Alerts Enabled | +| **Cloud** | AZURE | +| **Category** | Log Alerts | +| **Description** | Ensures Activity Log alerts for create or update and delete Policy Assignment events are enabled | +| **More Info** | Monitoring for create or update and delete Policy Assignment events gives insight into policy changes and may reduce the time it takes to detect suspicious activity. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-alerts | +| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Policy Assignment create or update and delete events. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/logalerts/security-policy-alerts-enabled.md b/en/azure/logalerts/security-policy-alerts-enabled.md index 671f68baf..5c40504c0 100644 --- a/en/azure/logalerts/security-policy-alerts-enabled.md +++ b/en/azure/logalerts/security-policy-alerts-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Add a new log alert to the Alerts service that monitors for Security Policy Rule create or update events. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Alerts.
3. On the "Alerts" page, click on the "Manage alert rules" at the top panel.
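Review bot: en/azure/logalerts/network-security-groups-rule-logging-enabled.md is a near-verbatim copy of network-security-groups-logging-enabled.md with "rule" inserted, and like it leaves Detailed Remediation Steps empty; now that the two plugins differ only in which Activity Log operation they alert on, each page should name its operations so readers configure the right rule, i.e. `Microsoft.Network/networkSecurityGroups/securityRules/write` and `Microsoft.Network/networkSecurityGroups/securityRules/delete` for this page versus `Microsoft.Network/networkSecurityGroups/write` and `/delete` for the parent plugin.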
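Review bot: the Detailed Remediation Steps in en/azure/logalerts/policy-assignment-alerts-enabled.md are empty, while the other logalerts pages touched in this patch walk through "Log into the Microsoft Azure Management Console", search for Alerts, then "Manage alert rules"; this page should follow the same numbered steps and name the Activity Log operations to match, `Microsoft.Authorization/policyAssignments/write` and `Microsoft.Authorization/policyAssignments/delete`. The More Info could also say why the delete event matters as much as create: removing or altering a policy assignment silently removes a guardrail, which is exactly the change an attacker or a careless operator would make first.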
diff --git a/en/azure/logalerts/security-solution-logging.md b/en/azure/logalerts/security-solution-logging.md index ca85d4978..9babe9e69 100644 --- a/en/azure/logalerts/security-solution-logging.md +++ b/en/azure/logalerts/security-solution-logging.md @@ -15,6 +15,7 @@ | **Recommended Action** | Add a new log alert to the Alerts service that monitors for Security Solution create or update and delete events. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Alerts.
3. On the "Alerts" page, click on the "Manage alert rules" at the top panel.
diff --git a/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md b/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md index 0e3f2c481..b44c3d96b 100644 --- a/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md +++ b/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md @@ -15,6 +15,7 @@ | **Recommended Action** | Add a new log alert to the Alerts service that monitors for SQL Server Firewall Rules create or update and delete events. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Alerts.
3. On the "Alerts" page, click on the "Manage alert rules" at the top panel.
diff --git a/en/azure/logalerts/virtual-network-alerts-monitor.md b/en/azure/logalerts/virtual-network-alerts-monitor.md index 6c4c53193..cb68af119 100644 --- a/en/azure/logalerts/virtual-network-alerts-monitor.md +++ b/en/azure/logalerts/virtual-network-alerts-monitor.md @@ -15,6 +15,7 @@ | **Recommended Action** | Add a new log alert to the Alerts service that monitors for Virtual Networks create or update and delete events. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Alerts.
3. On the "Alerts" page, click on the "Manage alert rules" at the top panel.
diff --git a/en/azure/monitor/key-vault-log-analytics-enabled.md b/en/azure/monitor/key-vault-log-analytics-enabled.md index f958e00e3..155dd0898 100644 --- a/en/azure/monitor/key-vault-log-analytics-enabled.md +++ b/en/azure/monitor/key-vault-log-analytics-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Send all diagnostic logs for Key Vault from the Azure Monitor service to Log Analytics. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Monitor.
3. On the "Monitor - Overview" page scroll down the left navigation panel and click on "Diagnostics" under Settings.
diff --git a/en/azure/monitor/load-balancer-log-analytics-enabled.md b/en/azure/monitor/load-balancer-log-analytics-enabled.md index e5cf84f6d..6e1729d97 100644 --- a/en/azure/monitor/load-balancer-log-analytics-enabled.md +++ b/en/azure/monitor/load-balancer-log-analytics-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Send all diagnostic logs for Load Balancers from the Azure Monitor service to Log Analytics. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Load balancer.
3. Select the "Load balancer" which needs to be verified.
diff --git a/en/azure/monitor/log-profile-archive-data.md b/en/azure/monitor/log-profile-archive-data.md index 5f8246268..13604a028 100644 --- a/en/azure/monitor/log-profile-archive-data.md +++ b/en/azure/monitor/log-profile-archive-data.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that all activity is logged to the Event Hub or storage account for archiving. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Log Analytics Workspace.
3. On the "Log Analytics workspaces" page select the resource accordingly.
diff --git a/en/azure/monitor/log-profile-retention-policy.md b/en/azure/monitor/log-profile-retention-policy.md index 41110a6ee..428219de4 100644 --- a/en/azure/monitor/log-profile-retention-policy.md +++ b/en/azure/monitor/log-profile-retention-policy.md @@ -12,9 +12,10 @@ | **Description** | Ensures that Log Profiles have a long retention policy. | | **More Info** | Log retention policies should be configured with sufficient retention to aid in investigation of prior security incidents and for compliance purposes. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile | -| **Recommended Action** | Ensure that the Activity Log export to Event Hub is configured with a retention policy of at least 90 days. | +| **Recommended Action** | Ensure that the Activity Log export to Event Hub is configured with a retention policy of at least 365 days. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Monitor.
3. Scroll down the left navigation panel and choose "Activity Log" option in the "Monitor" page.
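Review bot: the Recommended Action in en/azure/monitor/log-profile-retention-policy.md raises the threshold from 90 to 365 days but nothing else on the page changes, so the Description still says only "a long retention policy" and a reader cannot tell that the check now fails below 365; put the number in the Description or More Info too. The same line describes the retention policy as applying to the "export to Event Hub", whereas a log profile's retention setting (`az monitor log-profiles create --days`) governs the storage-account destination; Event Hub has its own short message retention and is not what this check measures, so "export to a storage account" is the accurate wording.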
diff --git a/en/azure/monitor/nsg-log-analytics-enabled.md b/en/azure/monitor/nsg-log-analytics-enabled.md index ba0f7501f..d3bb48496 100644 --- a/en/azure/monitor/nsg-log-analytics-enabled.md +++ b/en/azure/monitor/nsg-log-analytics-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable sending of logs to Log Analytics for each Network Security Group resource in the Azure Monitor. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network Security Group.
3. Select the "Network Security Group" which needs to be verified.
diff --git a/en/azure/mysqlserver/enforce-mysql-ssl-connection.md b/en/azure/mysqlserver/enforce-mysql-ssl-connection.md new file mode 100644 index 000000000..32c488225 --- /dev/null +++ b/en/azure/mysqlserver/enforce-mysql-ssl-connection.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / MySQL Server / Enforce MySQL SSL Connection + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Enforce MySQL SSL Connection | +| **Cloud** | AZURE | +| **Category** | MySQL Server | +| **Description** | Ensures SSL connection is enforced on MySQL servers | +| **More Info** | MySQL servers should be set to use SSL for data transmission to ensure all data is encrypted in transit. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security | +| **Recommended Action** | Ensure the connection security of each Azure Database for MySQL is configured to enforce SSL connections. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/networksecuritygroups/default-security-group.md b/en/azure/networksecuritygroups/default-security-group.md index ea3056f71..9ffca5c51 100644 --- a/en/azure/networksecuritygroups/default-security-group.md +++ b/en/azure/networksecuritygroups/default-security-group.md @@ -15,6 +15,7 @@ | **Recommended Action** | Update the rules for the default security group to deny all traffic by default | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
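Review bot: en/azure/mysqlserver/enforce-mysql-ssl-connection.md (the new file above the NSG hunk) leaves Detailed Remediation Steps empty; the setting lives under Connection security on the server blade ("Enforce SSL connection" set to Enabled), or `az mysql server update --resource-group <rg> --name <server> --ssl-enforcement Enabled` from the CLI, and either should be written out so the page matches the numbered-step format the other database pages in this patch use. Worth a caveat in More Info: enabling enforcement rejects existing clients that connect without TLS, so applications should be tested with SSL before the switch is flipped.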
diff --git a/en/azure/networksecuritygroups/excessive-security-groups.md b/en/azure/networksecuritygroups/excessive-security-groups.md index 136d1053a..783dc3de8 100644 --- a/en/azure/networksecuritygroups/excessive-security-groups.md +++ b/en/azure/networksecuritygroups/excessive-security-groups.md @@ -15,6 +15,7 @@ | **Recommended Action** | Limit the number of security groups to prevent accidental authorizations. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Verify the number of Security Groups which are having the same security rules and used separately.
diff --git a/en/azure/networksecuritygroups/network-watcher-enabled.md b/en/azure/networksecuritygroups/network-watcher-enabled.md index f9e7b5e72..b26c3d0a7 100644 --- a/en/azure/networksecuritygroups/network-watcher-enabled.md +++ b/en/azure/networksecuritygroups/network-watcher-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable the Network Watcher service in all locations. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network Watcher.
3. On the "Network Watcher" page, click on the Overview tab and check the status of the "Network Watcher."
diff --git a/en/azure/networksecuritygroups/open-all-ports.md b/en/azure/networksecuritygroups/open-all-ports.md index ecb77420c..8117eea38 100644 --- a/en/azure/networksecuritygroups/open-all-ports.md +++ b/en/azure/networksecuritygroups/open-all-ports.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict ports to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-cifs.md b/en/azure/networksecuritygroups/open-cifs.md index ff0fffb73..2c8435808 100644 --- a/en/azure/networksecuritygroups/open-cifs.md +++ b/en/azure/networksecuritygroups/open-cifs.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-dns.md b/en/azure/networksecuritygroups/open-dns.md index 52ace53fa..294ca7fb1 100644 --- a/en/azure/networksecuritygroups/open-dns.md +++ b/en/azure/networksecuritygroups/open-dns.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-ftp.md b/en/azure/networksecuritygroups/open-ftp.md index 76339bca9..b5e52a3fc 100644 --- a/en/azure/networksecuritygroups/open-ftp.md +++ b/en/azure/networksecuritygroups/open-ftp.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md index a48a8ae6a..78aa91408 100644 --- a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md +++ b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md index dcfc3c087..6041cdc05 100644 --- a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md +++ b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-kibana.md b/en/azure/networksecuritygroups/open-kibana.md index a5345ba92..04fbfb934 100644 --- a/en/azure/networksecuritygroups/open-kibana.md +++ b/en/azure/networksecuritygroups/open-kibana.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-mysql.md b/en/azure/networksecuritygroups/open-mysql.md index ed5ff4cc9..e558dd59e 100644 --- a/en/azure/networksecuritygroups/open-mysql.md +++ b/en/azure/networksecuritygroups/open-mysql.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-netbios.md b/en/azure/networksecuritygroups/open-netbios.md index 14f23049b..d62f61b77 100644 --- a/en/azure/networksecuritygroups/open-netbios.md +++ b/en/azure/networksecuritygroups/open-netbios.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md b/en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md index 79c15fa51..3a9e5bad3 100644 --- a/en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md +++ b/en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP ports 1522 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-oracle.md b/en/azure/networksecuritygroups/open-oracle.md index 65c010852..6831b5ee1 100644 --- a/en/azure/networksecuritygroups/open-oracle.md +++ b/en/azure/networksecuritygroups/open-oracle.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-postgresql.md b/en/azure/networksecuritygroups/open-postgresql.md index 745bc84e8..48acdb393 100644 --- a/en/azure/networksecuritygroups/open-postgresql.md +++ b/en/azure/networksecuritygroups/open-postgresql.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-rdp.md b/en/azure/networksecuritygroups/open-rdp.md index 2990c2a8d..5c4114f16 100644 --- a/en/azure/networksecuritygroups/open-rdp.md +++ b/en/azure/networksecuritygroups/open-rdp.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-rpc.md b/en/azure/networksecuritygroups/open-rpc.md index dc4cb968d..a24c38b5a 100644 --- a/en/azure/networksecuritygroups/open-rpc.md +++ b/en/azure/networksecuritygroups/open-rpc.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-smbotcp.md b/en/azure/networksecuritygroups/open-smbotcp.md index b5a6aae86..00d665275 100644 --- a/en/azure/networksecuritygroups/open-smbotcp.md +++ b/en/azure/networksecuritygroups/open-smbotcp.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-smtp.md b/en/azure/networksecuritygroups/open-smtp.md index 28866fda6..b0ec80a5c 100644 --- a/en/azure/networksecuritygroups/open-smtp.md +++ b/en/azure/networksecuritygroups/open-smtp.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-sqlserver.md b/en/azure/networksecuritygroups/open-sqlserver.md index 353bda272..85c1716fa 100644 --- a/en/azure/networksecuritygroups/open-sqlserver.md +++ b/en/azure/networksecuritygroups/open-sqlserver.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-ssh.md b/en/azure/networksecuritygroups/open-ssh.md index 3e52a34a8..f8237674f 100644 --- a/en/azure/networksecuritygroups/open-ssh.md +++ b/en/azure/networksecuritygroups/open-ssh.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-telnet.md b/en/azure/networksecuritygroups/open-telnet.md index 1931de5d7..5fbaaf4d7 100644 --- a/en/azure/networksecuritygroups/open-telnet.md +++ b/en/azure/networksecuritygroups/open-telnet.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-vnc-client.md b/en/azure/networksecuritygroups/open-vnc-client.md index 1c8cb9e75..5d872119b 100644 --- a/en/azure/networksecuritygroups/open-vnc-client.md +++ b/en/azure/networksecuritygroups/open-vnc-client.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-vnc-server.md b/en/azure/networksecuritygroups/open-vnc-server.md index 4e17ad072..739980b18 100644 --- a/en/azure/networksecuritygroups/open-vnc-server.md +++ b/en/azure/networksecuritygroups/open-vnc-server.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/postgresqlserver/connection-throttling-enabled.md b/en/azure/postgresqlserver/connection-throttling-enabled.md index 37fa77baf..dd3ffbb6f 100644 --- a/en/azure/postgresqlserver/connection-throttling-enabled.md +++ b/en/azure/postgresqlserver/connection-throttling-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the connection_throttling setting enabled. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
diff --git a/en/azure/postgresqlserver/enforce-postgresql-ssl-connection.md b/en/azure/postgresqlserver/enforce-postgresql-ssl-connection.md new file mode 100644 index 000000000..a7fd28eac --- /dev/null +++ b/en/azure/postgresqlserver/enforce-postgresql-ssl-connection.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / PostgreSQL Server / Enforce PostgreSQL SSL Connection + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Enforce PostgreSQL SSL Connection | +| **Cloud** | AZURE | +| **Category** | PostgreSQL Server | +| **Description** | Ensures SSL connections are enforced on PostgreSQL Servers | +| **More Info** | SSL prevents infiltration attacks by encrypting the data stream between the server and application. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security | +| **Recommended Action** | Ensure the connection security settings of each PostgreSQL server are configured to enforce SSL connections. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/postgresqlserver/log-checkpoints-enabled.md b/en/azure/postgresqlserver/log-checkpoints-enabled.md index b47bb80bd..2ebf42fbb 100644 --- a/en/azure/postgresqlserver/log-checkpoints-enabled.md +++ b/en/azure/postgresqlserver/log-checkpoints-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_checkpoints setting enabled. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
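Review bot: the More Info in en/azure/postgresqlserver/enforce-postgresql-ssl-connection.md says SSL "prevents infiltration attacks", which names no actual threat; what TLS on the connection prevents is eavesdropping on and tampering with data in transit (and, when the client validates the server certificate, man-in-the-middle impersonation), and the MySQL page in this same patch already uses the plainer "encrypted in transit" wording, so the two should match. Detailed Remediation Steps are empty here as well; `az postgres server update --resource-group <rg> --name <server> --ssl-enforcement Enabled` is the CLI equivalent of the Connection security setting and belongs in the steps.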
diff --git a/en/azure/postgresqlserver/log-connections-enabled.md b/en/azure/postgresqlserver/log-connections-enabled.md index 2272a260c..d5577b2b0 100644 --- a/en/azure/postgresqlserver/log-connections-enabled.md +++ b/en/azure/postgresqlserver/log-connections-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_connections setting enabled. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
diff --git a/en/azure/postgresqlserver/log-disconnections-enabled.md b/en/azure/postgresqlserver/log-disconnections-enabled.md index 80b9b950d..542002c2a 100644 --- a/en/azure/postgresqlserver/log-disconnections-enabled.md +++ b/en/azure/postgresqlserver/log-disconnections-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_disconnections setting enabled. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
diff --git a/en/azure/postgresqlserver/log-duration-enabled.md b/en/azure/postgresqlserver/log-duration-enabled.md index 929cac1c9..7b21e4a2f 100644 --- a/en/azure/postgresqlserver/log-duration-enabled.md +++ b/en/azure/postgresqlserver/log-duration-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_duration setting enabled. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
diff --git a/en/azure/postgresqlserver/log-retention-period.md b/en/azure/postgresqlserver/log-retention-period.md index aac3cf5e5..df054f9b1 100644 --- a/en/azure/postgresqlserver/log-retention-period.md +++ b/en/azure/postgresqlserver/log-retention-period.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_retention_days setting set to 4 or more days. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for PostgreSQL.
3. On the "Azure Database for PostgreSQL servers" page, select the database by clicking on the "Name" as a link that needs to be examine.
diff --git a/en/azure/queueservice/queue-service-all-access-acl.md b/en/azure/queueservice/queue-service-all-access-acl.md index 30f924454..31bf6326a 100644 --- a/en/azure/queueservice/queue-service-all-access-acl.md +++ b/en/azure/queueservice/queue-service-all-access-acl.md @@ -15,6 +15,7 @@ | **Recommended Action** | Disable global read, write, delete policies on all queues and ensure the ACL is configured with least privileges. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/resources/management-lock-enabled.md b/en/azure/resources/management-lock-enabled.md index 318fc7ebd..fef1679e2 100644 --- a/en/azure/resources/management-lock-enabled.md +++ b/en/azure/resources/management-lock-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/resources/resources-usage-limits.md b/en/azure/resources/resources-usage-limits.md index 860be7de0..cc075ad04 100644 --- a/en/azure/resources/resources-usage-limits.md +++ b/en/azure/resources/resources-usage-limits.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/securitycenter/admin-security-alerts-enabled.md b/en/azure/securitycenter/admin-security-alerts-enabled.md index 35a02df4e..3bdab4d94 100644 --- a/en/azure/securitycenter/admin-security-alerts-enabled.md +++ b/en/azure/securitycenter/admin-security-alerts-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that security alerts are configured to be sent to subscription owners. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. On the "Security Center" page scroll down the left navigation panel and choose "Pricing and Settings."
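Review bot: the management-lock-enabled and resources-usage-limits hunks only append a blank line under a "## Detailed Remediation Steps" heading that has no steps beneath it. A whitespace-only change to an empty section is diff noise and makes it harder to find the pages that still lack remediation; either add the steps in this PR or leave those files out of it. In the admin-security-alerts-enabled hunk the step 3 wording "Pricing and Settings." should match the "Pricing & Settings" spelling used in vm-agent-enabled further down, since these pages are followed click by click.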
diff --git a/en/azure/securitycenter/application-whitelisting-enabled.md b/en/azure/securitycenter/application-whitelisting-enabled.md index ee0dbd42c..f12807cb6 100644 --- a/en/azure/securitycenter/application-whitelisting-enabled.md +++ b/en/azure/securitycenter/application-whitelisting-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable Adaptive Application Controls for Virtual Machines from the Azure Security Center by ensuring AuditIfNotExists setting is used. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/auto-provisioning-enabled.md b/en/azure/securitycenter/auto-provisioning-enabled.md index 7c5134e7f..6794d7b08 100644 --- a/en/azure/securitycenter/auto-provisioning-enabled.md +++ b/en/azure/securitycenter/auto-provisioning-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that the data collection settings of the subscription have Auto Provisioning set to enabled. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. On the "Security Center" page scroll down the left navigation panel and choose "Pricing and Settings."
diff --git a/en/azure/securitycenter/high-severity-alerts-enabled.md b/en/azure/securitycenter/high-severity-alerts-enabled.md new file mode 100644 index 000000000..7bd593acc --- /dev/null +++ b/en/azure/securitycenter/high-severity-alerts-enabled.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Security Center / High Severity Alerts Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | High Severity Alerts Enabled | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures that high severity alerts are properly configured. | +| **More Info** | Enabling high severity alerts ensures that microsoft alerts for potential security issues are sent and allows for quick mitigation of the associated risks. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details | +| **Recommended Action** | Ensure that high severity alerts are configured to be sent. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/securitycenter/monitor-blob-encryption.md b/en/azure/securitycenter/monitor-blob-encryption.md index 611816324..fced65cec 100644 --- a/en/azure/securitycenter/monitor-blob-encryption.md +++ b/en/azure/securitycenter/monitor-blob-encryption.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable Adaptive Application Controls for Storage Accounts from the Azure Security Center by ensuring AuditIfNotExists setting is used for blob encryption. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
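Review bot: two problems in this region. First, the new file high-severity-alerts-enabled.md lands with an empty "## Detailed Remediation Steps" section (four added blank lines and nothing else); a new page should at least give the console path, and "microsoft alerts" in the More Info cell should read "Microsoft". Second, the monitor-blob-encryption Recommended Action context line says "Enable Adaptive Application Controls for Storage Accounts ... for blob encryption". Adaptive Application Controls is Security Center's VM application allow-listing feature and has nothing to do with blob encryption monitoring; this reads as a copy-paste from application-whitelisting-enabled and should follow the neighbouring pages' pattern ("Ensure ... monitoring is configured from the Azure Security Center").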
diff --git a/en/azure/securitycenter/monitor-disk-encryption.md b/en/azure/securitycenter/monitor-disk-encryption.md index f14661906..04f968952 100644 --- a/en/azure/securitycenter/monitor-disk-encryption.md +++ b/en/azure/securitycenter/monitor-disk-encryption.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-endpoint-protection.md b/en/azure/securitycenter/monitor-endpoint-protection.md index 473479c37..c66870e56 100644 --- a/en/azure/securitycenter/monitor-endpoint-protection.md +++ b/en/azure/securitycenter/monitor-endpoint-protection.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable Adaptive Application Controls for Endpoint Protection from the Azure Security Center by ensuring AuditIfNotExists setting is used to monitor missing Endpoint Protection. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
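Review bot: the Recommended Action context line here has the same copy-paste problem: "Enable Adaptive Application Controls for Endpoint Protection ... to monitor missing Endpoint Protection." Adaptive Application Controls and the missing-endpoint-protection assessment are separate Security Center features, so the sentence instructs the reader to configure the wrong one. Reword along the lines of "Ensure the Endpoint Protection monitoring policy (AuditIfNotExists) is enabled in the Security Center security policy" so the instruction matches the plugin title.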
diff --git a/en/azure/securitycenter/monitor-jit-network-access.md b/en/azure/securitycenter/monitor-jit-network-access.md index 01f579703..7b786b444 100644 --- a/en/azure/securitycenter/monitor-jit-network-access.md +++ b/en/azure/securitycenter/monitor-jit-network-access.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure JIT Network Access monitoring is configured for compute and apps from the Azure Security Center. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-nsg-enabled.md b/en/azure/securitycenter/monitor-nsg-enabled.md index e44217036..752dfc056 100644 --- a/en/azure/securitycenter/monitor-nsg-enabled.md +++ b/en/azure/securitycenter/monitor-nsg-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure Network Security Group monitoring is configured from the Azure Security Center. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-sql-auditing.md b/en/azure/securitycenter/monitor-sql-auditing.md index fae891258..37404c729 100644 --- a/en/azure/securitycenter/monitor-sql-auditing.md +++ b/en/azure/securitycenter/monitor-sql-auditing.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-sql-encryption.md b/en/azure/securitycenter/monitor-sql-encryption.md index 366070e28..7de78a049 100644 --- a/en/azure/securitycenter/monitor-sql-encryption.md +++ b/en/azure/securitycenter/monitor-sql-encryption.md @@ -16,6 +16,7 @@ ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-system-updates.md b/en/azure/securitycenter/monitor-system-updates.md index 470a3f8dc..08d11644d 100644 --- a/en/azure/securitycenter/monitor-system-updates.md +++ b/en/azure/securitycenter/monitor-system-updates.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure System Update monitoring is configured for virtual machines from the Azure Security Center. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-vm-vulnerability.md b/en/azure/securitycenter/monitor-vm-vulnerability.md index 4b0cea29b..1ca68d6ff 100644 --- a/en/azure/securitycenter/monitor-vm-vulnerability.md +++ b/en/azure/securitycenter/monitor-vm-vulnerability.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure VM Vulnerability monitoring is configured for virtual machines from the Azure Security Center. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/security-configuration-monitoring.md b/en/azure/securitycenter/security-configuration-monitoring.md index 05cca0704..e26e04c62 100644 --- a/en/azure/securitycenter/security-configuration-monitoring.md +++ b/en/azure/securitycenter/security-configuration-monitoring.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure Security Configuration Monitoring is configured for virtual machines from the Azure Security Center. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/security-contacts-enabled.md b/en/azure/securitycenter/security-contacts-enabled.md index f90d0f877..cee6c0327 100644 --- a/en/azure/securitycenter/security-contacts-enabled.md +++ b/en/azure/securitycenter/security-contacts-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that email notifications are configured for the subscription from the Security Center. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. On the "Security Center" page scroll down the left navigation panel and choose "Pricing and Settings."
diff --git a/en/azure/securitycenter/standard-pricing-enabled.md b/en/azure/securitycenter/standard-pricing-enabled.md new file mode 100644 index 000000000..c558d02d4 --- /dev/null +++ b/en/azure/securitycenter/standard-pricing-enabled.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Security Center / Standard Pricing Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Standard Pricing Enabled | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures that standard pricing is enabled in the security center | +| **More Info** | Enabling standard pricing increases the security posture of the subscription. This enables advanced security monitoring for the services covered under the security center. | +| **AZURE Link** | https://azure.microsoft.com/en-us/pricing/details/security-center/ | +| **Recommended Action** | Ensure that standard pricing is enabled in the security center. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/sqldatabases/database-auditing-enabled.md b/en/azure/sqldatabases/database-auditing-enabled.md index b1856fd45..8aa85fc03 100644 --- a/en/azure/sqldatabases/database-auditing-enabled.md +++ b/en/azure/sqldatabases/database-auditing-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that auditing is enabled for each SQL database. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for SQL databases.
3. On the "SQL database" page, select the SQL database that needs to be examine.
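Review bot: standard-pricing-enabled.md is another new page added with an empty remediation section. Its AZURE Link also points at the pricing sheet (https://azure.microsoft.com/en-us/pricing/details/security-center/) rather than at documentation on switching the subscription to the Standard tier, which is what the reader has to do; and "Ensures that standard pricing is enabled in the security center" should name the product ("Security Center") and end with a period like the surrounding cells. The database-auditing-enabled hunk below it is whitespace-only and carries the "needs to be examine" typo again.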
diff --git a/en/azure/sqldatabases/db-restorable.md b/en/azure/sqldatabases/db-restorable.md index 9ed39aebb..e99eb0835 100644 --- a/en/azure/sqldatabases/db-restorable.md +++ b/en/azure/sqldatabases/db-restorable.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that each SQL database has automated backups configured with a sufficient retention period and that the last known backup operation completes successfully. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for SQL databases.
3. On the "SQL database" page, select the SQL database that needs to be examine.
diff --git a/en/azure/sqldatabases/sql-db-multiple-az.md b/en/azure/sqldatabases/sql-db-multiple-az.md index 797f8e06c..e8acdf229 100644 --- a/en/azure/sqldatabases/sql-db-multiple-az.md +++ b/en/azure/sqldatabases/sql-db-multiple-az.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/sqlserver/advanced-data-security-enabled.md b/en/azure/sqlserver/advanced-data-security-enabled.md index f6d16dc74..a3703a23d 100644 --- a/en/azure/sqlserver/advanced-data-security-enabled.md +++ b/en/azure/sqlserver/advanced-data-security-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that Advanced Data Security is enabled for all SQL Servers. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for SQL servers.
3. On the "SQL server" page, select the SQL server that needs to be examine.
diff --git a/en/azure/sqlserver/audit-action-groups-enabled.md b/en/azure/sqlserver/audit-action-groups-enabled.md index 46e9d4b3d..00c49b11e 100644 --- a/en/azure/sqlserver/audit-action-groups-enabled.md +++ b/en/azure/sqlserver/audit-action-groups-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | If SQL Server Audit Action and Groups is not configured properly when enabling Auditing, these settings must be configured in Powershell. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for SQL servers.
3. On the "SQL server" page, click on the "Cloud shell" button at the top to access "Power Shell" as "Audit Action Groups Enabled" cannot be checked from A"zure UI Console".
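Review bot: the step 3 context line has a misplaced quote, `cannot be checked from A"zure UI Console".`, which should be `cannot be checked from the "Azure UI Console".` (or simply "the Azure portal"). Since the page sends the reader to Cloud Shell, the steps that follow should name the commands to run; in the Az module the server auditing settings, including the AuditActionGroup list, are read with Get-AzSqlServerAudit and written with Set-AzSqlServerAudit -AuditActionGroup. The Recommended Action also reads as a conditional ("If SQL Server Audit Action and Groups is not configured properly ..., these settings must be configured in Powershell") rather than an action, and "Powershell" should be "PowerShell".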
diff --git a/en/azure/sqlserver/audit-retention-policy.md b/en/azure/sqlserver/audit-retention-policy.md new file mode 100644 index 000000000..2f08c7843 --- /dev/null +++ b/en/azure/sqlserver/audit-retention-policy.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Server / Audit Retention Policy + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Audit Retention Policy | +| **Cloud** | AZURE | +| **Category** | SQL Server | +| **Description** | Ensures that SQL Server Auditing retention policy is set to greater than 90 days | +| **More Info** | Enabling SQL Server Auditing ensures that all activities are being logged properly, including potentially-malicious activity. Having a long retention policy ensures that all logs are kept for auditing and legal purposes. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing | +| **Recommended Action** | Ensure that the storage account retention policy for each SQL server is set to greater than 90 days. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/sqlserver/azure-active-directory-admin-enabled.md b/en/azure/sqlserver/azure-active-directory-admin-enabled.md new file mode 100644 index 000000000..3bf3c6155 --- /dev/null +++ b/en/azure/sqlserver/azure-active-directory-admin-enabled.md 
@@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Server / Azure Active Directory Admin Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Azure Active Directory Admin Enabled | +| **Cloud** | AZURE | +| **Category** | SQL Server | +| **Description** | Ensures that Active Directory admin is enabled on all SQL servers. | +| **More Info** | Enabling Active Directory admin allows users to manage account admins in a central location, allowing key rotation and permission management to be managed in one location for all servers and databases. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure | +| **Recommended Action** | Ensure Azure Active Directory admin is enabled on all SQL servers. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/sqlserver/email-account-admins-enabled.md b/en/azure/sqlserver/email-account-admins-enabled.md new file mode 100644 index 000000000..a7d35d3a6 --- /dev/null +++ b/en/azure/sqlserver/email-account-admins-enabled.md 
@@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Server / Email Account Admins Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Email Account Admins Enabled | +| **Cloud** | AZURE | +| **Category** | SQL Server | +| **Description** | Ensures that email account admins is enabled in advanced data security for SQL servers. | +| **More Info** | Enabling email account admins in advanced data security on all SQL servers ensures that monitored data for unusual activity, vulnerabilities, and threats get sent to the account admins and subscription owners. | +| **AZURE Link** | https://docs.microsoft.com/en-gb/azure/sql-database/sql-database-advanced-data-security | +| **Recommended Action** | Ensure that also send email notification to admins and subscription owners is enabled in advanced threat protections for all SQL servers. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/sqlserver/send-alerts-enabled.md b/en/azure/sqlserver/send-alerts-enabled.md new file mode 100644 index 000000000..7d6ac096d --- /dev/null +++ b/en/azure/sqlserver/send-alerts-enabled.md 
@@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Server / Send Alerts Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Send Alerts Enabled | +| **Cloud** | AZURE | +| **Category** | SQL Server | +| **Description** | Ensures that send alerts is enabled in advanced data security for SQL servers. | +| **More Info** | Enabling send alerts in advanced data security on all SQL servers ensures that monitored data for unusual activity, vulnerabilities, and threats get sent to the email addresses configured in advanced data protections. | +| **AZURE Link** | https://docs.microsoft.com/en-gb/azure/sql-database/sql-database-advanced-data-security | +| **Recommended Action** | Ensure that an email address is activated under send alerts in advanced data security for all SQL servers. | + +## Detailed Remediation Steps + + + + + diff --git a/en/azure/sqlserver/server-auditing-enabled.md b/en/azure/sqlserver/server-auditing-enabled.md new file mode 100644 index 000000000..f16fef4f5 --- /dev/null +++ b/en/azure/sqlserver/server-auditing-enabled.md @@ -0,0 +1,22 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Server / Server Auditing Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Server Auditing Enabled | +| **Cloud** | AZURE | +| **Category** | SQL Server | +| **Description** | Ensures that SQL Server Auditing is enabled for SQL servers | +| **More Info** | Enabling SQL Server Auditing ensures that all activities are being logged properly, including potentially-malicious activity. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing | +| **Recommended Action** | Ensure that auditing is enabled for each SQL server. | + +## Detailed Remediation Steps + + + + + 
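Review bot: all five new SQL Server pages in this region (audit-retention-policy, azure-active-directory-admin-enabled, email-account-admins-enabled, send-alerts-enabled, server-auditing-enabled) arrive with an empty "## Detailed Remediation Steps" section, so the PR adds plugin metadata but no remediation guidance. Wording to fix while they are filled in: audit-retention-policy's Description speaks of the "SQL Server Auditing retention policy" while its Recommended Action speaks of the "storage account retention policy"; the 90-day retention is a setting of the server auditing configuration (it governs how long logs sent to the storage account destination are kept), so use one phrase consistently. In email-account-admins-enabled, "Ensure that also send email notification to admins and subscription owners is enabled" is hard to parse; quote the portal option verbatim instead. Description cells are punctuated inconsistently across the new pages (some end with a period, some do not).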
diff --git a/en/azure/sqlserver/sql-server-public-access.md b/en/azure/sqlserver/sql-server-public-access.md index 9ec9cda2c..18e01964c 100644 --- a/en/azure/sqlserver/sql-server-public-access.md +++ b/en/azure/sqlserver/sql-server-public-access.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that the firewall of each SQL Server is configured to prohibit traffic from the public 0.0.0.0 global IP address. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for SQL servers.
3. On the "SQL server" page, select the SQL server that needs to be examined.
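Review bot: the Recommended Action context line, "prohibit traffic from the public 0.0.0.0 global IP address", is ambiguous. In Azure SQL a server firewall rule whose start and end address are both 0.0.0.0 is the "Allow Azure services and resources to access this server" switch, whereas a rule spanning 0.0.0.0 to 255.255.255.255 opens the server to the entire Internet; the two carry very different risk. State which rule shape the plugin flags so the remediation steps tell the reader exactly which rule to delete.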
diff --git a/en/azure/sqlserver/tde-protector-encrypted.md b/en/azure/sqlserver/tde-protector-encrypted.md index d0e9981c9..e18ed92ee 100644 --- a/en/azure/sqlserver/tde-protector-encrypted.md +++ b/en/azure/sqlserver/tde-protector-encrypted.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that a BYOK key is set for the Transparent Data Encryption of each SQL Server. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for SQL servers.
3. On the "SQL server" page, select the SQL server that needs to be examine.
diff --git a/en/azure/storageaccounts/blob-service-encryption.md b/en/azure/storageaccounts/blob-service-encryption.md index 52fc73ba4..a3f0b79c5 100644 --- a/en/azure/storageaccounts/blob-service-encryption.md +++ b/en/azure/storageaccounts/blob-service-encryption.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that Blob Service is configured to use a customer-provided key vault key. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for "Storage account."
3. On the "Storage account" page, scroll down the left navigation panel and choose "Containers" under the "Blob services."
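Review bot: step 3 navigates to "Containers" under Blob services, but the Recommended Action is to configure a "customer-provided key vault key", and the encryption key source (Microsoft-managed versus customer-managed key in Key Vault) is set at the storage account level on the account's Encryption blade, not per container. Route the steps there; as written the reader lands on a container list with no encryption setting to change.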
diff --git a/en/azure/storageaccounts/file-service-encryption.md b/en/azure/storageaccounts/file-service-encryption.md index 6ca5266d1..d4068a9fa 100644 --- a/en/azure/storageaccounts/file-service-encryption.md +++ b/en/azure/storageaccounts/file-service-encryption.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure that data encryption is enabled for each File Service. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for "Storage account."
3. On the "Storage account" page, scroll down the left navigation panel and choose "File shares" under the "File Service."
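Review bot: the Recommended Action, "Ensure that data encryption is enabled for each File Service", describes no setting the reader can toggle: Storage Service Encryption at rest is on for every storage account and cannot be disabled. If the check, like blob-service-encryption above, is really about a customer-managed key, say so in the table and send step 3 to the account's Encryption blade rather than to "File shares".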
diff --git a/en/azure/storageaccounts/log-container-public-access.md b/en/azure/storageaccounts/log-container-public-access.md index abbd1b04c..d68a4b6ff 100644 --- a/en/azure/storageaccounts/log-container-public-access.md +++ b/en/azure/storageaccounts/log-container-public-access.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure the access level for the storage account containing Activity Log data is set to private. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage accounts.
3. Select the "Storage account" by clicking on the "Name" as a link to access the configuration.
diff --git a/en/azure/storageaccounts/log-storage-encryption.md b/en/azure/storageaccounts/log-storage-encryption.md index 38db19e8e..7ef502b9c 100644 --- a/en/azure/storageaccounts/log-storage-encryption.md +++ b/en/azure/storageaccounts/log-storage-encryption.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure the Storage Account used by Activity Logs is configured with a BYOK key. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Monitor.
3. Select the "Log Activity" on the "Monitor-Overview" page.
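Review bot: step 3 tells the reader to select "Log Activity" on the Monitor overview; the blade is named "Activity log". Minor, but these procedures are followed click by click, and the hunk itself is whitespace-only, so this is the only content issue on the page to fix.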
diff --git a/en/azure/storageaccounts/network-access-default-action.md b/en/azure/storageaccounts/network-access-default-action.md index 29ac271ff..ef83e4e47 100644 --- a/en/azure/storageaccounts/network-access-default-action.md +++ b/en/azure/storageaccounts/network-access-default-action.md @@ -15,6 +15,7 @@ | **Recommended Action** | Configure the firewall of each Storage Account to allow access only from known virtual networks. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/storageaccounts/storage-accounts-aad-enabled.md b/en/azure/storageaccounts/storage-accounts-aad-enabled.md index 05156dcab..3539de282 100644 --- a/en/azure/storageaccounts/storage-accounts-aad-enabled.md +++ b/en/azure/storageaccounts/storage-accounts-aad-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/storageaccounts/storage-accounts-encryption.md b/en/azure/storageaccounts/storage-accounts-encryption.md index 53c468154..5c18a98bb 100644 --- a/en/azure/storageaccounts/storage-accounts-encryption.md +++ b/en/azure/storageaccounts/storage-accounts-encryption.md @@ -15,6 +15,7 @@ | **Recommended Action** | Ensure all Storage Accounts are configured with a BYOK key. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/storageaccounts/storage-accounts-https.md b/en/azure/storageaccounts/storage-accounts-https.md index 42c09f9f2..1ab454285 100644 --- a/en/azure/storageaccounts/storage-accounts-https.md +++ b/en/azure/storageaccounts/storage-accounts-https.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/storageaccounts/trusted-ms-access-enabled.md b/en/azure/storageaccounts/trusted-ms-access-enabled.md index 2c4fb4cfa..e45904235 100644 --- a/en/azure/storageaccounts/trusted-ms-access-enabled.md +++ b/en/azure/storageaccounts/trusted-ms-access-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | For each Storage Account, configure an exception for trusted Microsoft services. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/tableservice/table-service-all-access-acl.md b/en/azure/tableservice/table-service-all-access-acl.md index f6405c9ac..d6a8e411f 100644 --- a/en/azure/tableservice/table-service-all-access-acl.md +++ b/en/azure/tableservice/table-service-all-access-acl.md @@ -15,6 +15,7 @@ | **Recommended Action** | Disable global read, write, and delete policies on all tables and ensure the ACL is configured with least privileges. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Storage account.
3. Select the "Storage account" by clicking on the "Name" link to access the configuration changes.
diff --git a/en/azure/virtualmachines/classic-instances.md b/en/azure/virtualmachines/classic-instances.md index e3a4cdb24..15b321609 100644 --- a/en/azure/virtualmachines/classic-instances.md +++ b/en/azure/virtualmachines/classic-instances.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/scale-set-multi-az.md b/en/azure/virtualmachines/scale-set-multi-az.md index 810cf2b7b..3562fd909 100644 --- a/en/azure/virtualmachines/scale-set-multi-az.md +++ b/en/azure/virtualmachines/scale-set-multi-az.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/scale-sets-autoscale-enabled.md b/en/azure/virtualmachines/scale-sets-autoscale-enabled.md index bf5ede200..c6c6f9caa 100644 --- a/en/azure/virtualmachines/scale-sets-autoscale-enabled.md +++ b/en/azure/virtualmachines/scale-sets-autoscale-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-agent-enabled.md b/en/azure/virtualmachines/vm-agent-enabled.md index a6ebf7972..0c0f779d3 100644 --- a/en/azure/virtualmachines/vm-agent-enabled.md +++ b/en/azure/virtualmachines/vm-agent-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable the VM agent for all virtual machines. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Click on the "Pricing & Settings" option and choose the "Subscription" and click on the "Name" option as a link to access the configurations.
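Review bot: the classic-instances, scale-set-multi-az and scale-sets-autoscale-enabled hunks are whitespace-only additions to empty remediation sections (same comment as for the resources pages above). For vm-agent-enabled, the steps send the reader to Security Center, "Pricing & Settings", then a subscription; that blade configures Security Center's own data collection, not the VM agent. Whether the Azure VM agent is provisioned is a per-VM property (provisionVMAgent in the VM's OS profile), so the steps should start from the Virtual Machines blade, as vm-auto-update-enabled below does.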
diff --git a/en/azure/virtualmachines/vm-auto-update-enabled.md b/en/azure/virtualmachines/vm-auto-update-enabled.md index 102a4f0dc..256ed3465 100644 --- a/en/azure/virtualmachines/vm-auto-update-enabled.md +++ b/en/azure/virtualmachines/vm-auto-update-enabled.md @@ -15,6 +15,7 @@ | **Recommended Action** | Enable VM auto update on all virtual machines | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Virtual Machines.
3. Select the "Virtual machine" by clicking the "Name" as a link to get into the configuration chanegs.
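Review bot: the step 3 context line has a typo, "configuration chanegs"; fix it while the file is open. The Recommended Action cell, "Enable VM auto update on all virtual machines", is also the only one in this group without a terminal period.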
diff --git a/en/azure/virtualmachines/vm-availability-set-enabled.md b/en/azure/virtualmachines/vm-availability-set-enabled.md index c5c7eb776..897344608 100644 --- a/en/azure/virtualmachines/vm-availability-set-enabled.md +++ b/en/azure/virtualmachines/vm-availability-set-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-availability-set-limit.md b/en/azure/virtualmachines/vm-availability-set-limit.md index 4436cd53b..c08f69cd3 100644 --- a/en/azure/virtualmachines/vm-availability-set-limit.md +++ b/en/azure/virtualmachines/vm-availability-set-limit.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-data-disk-encryption.md b/en/azure/virtualmachines/vm-data-disk-encryption.md index 8433e0c1d..5ac03b7a3 100644 --- a/en/azure/virtualmachines/vm-data-disk-encryption.md +++ b/en/azure/virtualmachines/vm-data-disk-encryption.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-endpoint-protection.md b/en/azure/virtualmachines/vm-endpoint-protection.md index 5ee6d6109..e9d1289e1 100644 --- a/en/azure/virtualmachines/vm-endpoint-protection.md +++ b/en/azure/virtualmachines/vm-endpoint-protection.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | VM Endpoint Protection | | **Cloud** | AZURE | | **Category** | Virtual Machines | -| **Description** | Ensures that VM Endpoint Protection is enabled for all virutal machines | +| **Description** | Ensures that VM Endpoint Protection is enabled for all virtual machines | | **More Info** | Installing endpoint protection systems provides for real-time protection capabilities that help identify and remove viruses, spyware, and other malicious software, with configurable alerts for malicious or unwanted software. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection | | **Recommended Action** | Install endpoint protection on all virtual machines. | ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-instance-limit.md b/en/azure/virtualmachines/vm-instance-limit.md index ae5aa378b..618c806f6 100644 --- a/en/azure/virtualmachines/vm-instance-limit.md +++ b/en/azure/virtualmachines/vm-instance-limit.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-os-disk-encryption.md b/en/azure/virtualmachines/vm-os-disk-encryption.md index 432ee7346..147d55769 100644 --- a/en/azure/virtualmachines/vm-os-disk-encryption.md +++ b/en/azure/virtualmachines/vm-os-disk-encryption.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/azure/virtualnetworks/multiple-subnets.md b/en/azure/virtualnetworks/multiple-subnets.md index f548abb78..ab358db71 100644 --- a/en/azure/virtualnetworks/multiple-subnets.md +++ b/en/azure/virtualnetworks/multiple-subnets.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/clb/clb-cdn-enabled.md b/en/google/clb/clb-cdn-enabled.md index 3b6c1b13b..ec264a0fd 100644 --- a/en/google/clb/clb-cdn-enabled.md +++ b/en/google/clb/clb-cdn-enabled.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | CLB CDN Enabled | | **Cloud** | GOOGLE | | **Category** | CLB | -| **Description** | Ensure that Cloud CDN is enabled on all Load Balancers | -| **More Info** | Cloud CDN increases speed and reliability as well as lowers server costs. Enabling CDN on load balancers creates a highly available system and is part of GCP Best Practices | +| **Description** | Ensures that Cloud CDN is enabled on all load balancers | +| **More Info** | Cloud CDN increases speed and reliability as well as lowers server costs. Enabling CDN on load balancers creates a highly available system and is part of GCP best practices. | | **GOOGLE Link** | https://cloud.google.com/cdn/docs/quickstart | -| **Recommended Action** | 1.Enter the Network Services Service. 2. Select Cloud CDN. 3. Select add origin and connect a backend service. | +| **Recommended Action** | Enable Cloud CDN on all load balancers from the network services console. | ## Detailed Remediation Steps + diff --git a/en/google/clb/clb-https-only.md b/en/google/clb/clb-https-only.md index 751794d23..77dddfd78 100644 --- a/en/google/clb/clb-https-only.md +++ b/en/google/clb/clb-https-only.md @@ -9,10 +9,11 @@ | **Plugin Title** | CLB HTTPS Only | | **Cloud** | GOOGLE | | **Category** | CLB | -| **Description** | Ensures CLBs are configured to only accept connections on HTTPS ports. | +| **Description** | Ensures CLBs are configured to only accept connections on HTTPS ports | | **More Info** | For maximum security, CLBs can be configured to only accept HTTPS connections. Standard HTTP connections will be blocked. This should only be done if the client application is configured to query HTTPS directly and not rely on a redirect from HTTP. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/vpc | -| **Recommended Action** | Remove non-HTTPS listeners from load balancer. | +| **Recommended Action** | Remove non-HTTPS listeners from the load balancer. | ## Detailed Remediation Steps + 
diff --git a/en/google/clb/clb-no-instances.md b/en/google/clb/clb-no-instances.md index e0f793f8d..236f5e225 100644 --- a/en/google/clb/clb-no-instances.md +++ b/en/google/clb/clb-no-instances.md @@ -12,7 +12,8 @@ | **Description** | Detects CLBs that have no backend instances attached | | **More Info** | GCP does not allow for Load Balancers to be configured without backend instances attached. | | **GOOGLE Link** | https://cloud.google.com/load-balancing/docs/load-balancing-overview | -| **Recommended Action** | This Security misconfiguration is Covered by GCP. No actions necessary. | +| **Recommended Action** | This security misconfiguration is covered by GCP. No action is necessary. | ## Detailed Remediation Steps + diff --git a/en/google/clb/security-policy-enabled.md b/en/google/clb/security-policy-enabled.md index 54fe05605..28a440927 100644 --- a/en/google/clb/security-policy-enabled.md +++ b/en/google/clb/security-policy-enabled.md @@ -9,10 +9,11 @@ | **Plugin Title** | Security Policy Enabled | | **Cloud** | GOOGLE | | **Category** | CLB | -| **Description** | Ensure that All Backend Services have an attached Security Policy | -| **More Info** | Security Policies on Backend Services control the traffic on the load balancer. This creates edge security and can deny or allow specified IP addresses. | +| **Description** | Ensures all backend services have an attached security policy | +| **More Info** | Security policies on backend services control the traffic on the load balancer. This creates edge security and can deny or allow specified IP addresses. | | **GOOGLE Link** | https://cloud.google.com/armor/docs/security-policy-concepts | -| **Recommended Action** | 1. Enter the Network Security Service. 2. Select Cloud Armor and create a new policy. 3. Attach the newly created policy to the backend. | +| **Recommended Action** | Ensure all load balancers have an attached Cloud Armor security policy. | ## Detailed Remediation Steps + 
diff --git a/en/google/compute/autoscale-enabled.md b/en/google/compute/autoscale-enabled.md index 869cdef7e..0f78864a7 100644 --- a/en/google/compute/autoscale-enabled.md +++ b/en/google/compute/autoscale-enabled.md @@ -9,10 +9,11 @@ | **Plugin Title** | Autoscale Enabled | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensures instance groups have auto-scale enabled for high availability. | -| **More Info** | Enabling auto-scale increases efficiency and improves cost management for resources. | +| **Description** | Ensures instance groups have autoscale enabled for high availability | +| **More Info** | Enabling autoscale increases efficiency and improves cost management for resources. | | **GOOGLE Link** | https://cloud.google.com/compute/docs/autoscaler/ | -| **Recommended Action** | 1. Enter the Compute service 2. Enter Instance Groups. 3. Select the Instance Group. 4. Select Edit Group and Enable Autoscaling | +| **Recommended Action** | Ensure autoscaling is enabled for all instance groups. | ## Detailed Remediation Steps + diff --git a/en/google/compute/connect-serial-ports-disabled.md b/en/google/compute/connect-serial-ports-disabled.md index beeff9724..32305ce7e 100644 --- a/en/google/compute/connect-serial-ports-disabled.md +++ b/en/google/compute/connect-serial-ports-disabled.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | Connect Serial Ports Disabled | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensure Enable Connecting to Serial Ports is not enabled for VM Instance | -| **More Info** | The Serial Console does not allow restricting IP Addresses, which allows any IP address to connect to instance. | +| **Description** | Ensures connecting to serial ports is not enabled for VM instances | +| **More Info** | The serial console does not allow restricting IP Addresses, which allows any IP address to connect to instance and should therefore be disabled. | | **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/interacting-with-serial-console | -| **Recommended Action** | 1.Enter the Compute Service. 2. Select the Instance. 3. Select Edit then deselect Enable Connecting to Serial Ports. | +| **Recommended Action** | Ensure the Enable Connecting to Serial Ports option is disabled for all compute instances. | ## Detailed Remediation Steps + diff --git a/en/google/compute/csek-encryption-enabled.md b/en/google/compute/csek-encryption-enabled.md index 0e50bc8bd..4a3a06c35 100644 --- a/en/google/compute/csek-encryption-enabled.md +++ b/en/google/compute/csek-encryption-enabled.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | CSEK Encryption Enabled | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensure Customer Supplied Encryption Key Encryption is enabled on Disks | -| **More Info** | Google encrypts all disks at rest by default. By using CSEK only the users with the key can access the disk. Anyone else, including Google, cannot access the disk ensuring maximum security on the disk. | +| **Description** | Ensures Customer Supplied Encryption Key Encryption is enabled on disks | +| **More Info** | Google encrypts all disks at rest by default. By using CSEK only the users with the key can access the disk. Anyone else, including Google, cannot access the disk data. | | **GOOGLE Link** | https://cloud.google.com/compute/docs/disks/customer-supplied-encryption | -| **Recommended Action** | CSEK can only be configured when creating a disk, Delete the disk in question and redeploy with CSEK. | +| **Recommended Action** | CSEK can only be configured when creating a disk. Delete the disk and redeploy with CSEK. | ## Detailed Remediation Steps + diff --git a/en/google/compute/instance-level-ssh-only.md b/en/google/compute/instance-level-ssh-only.md index 59d77fd9f..63823c475 100644 --- a/en/google/compute/instance-level-ssh-only.md +++ b/en/google/compute/instance-level-ssh-only.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | Instance Level SSH Only | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensure that instances are not configured to allow Project Wide SSH keys. | -| **More Info** | To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not accessible from project wide SSH keys. These keys are accessible through metadata and can become comprimised. | +| **Description** | Ensures that instances are not configured to allow project-wide SSH keys | +| **More Info** | To support the principle of least privilege and prevent potential privilege escalation it is recommended that instances are not give access to project-wide SSH keys through instance metadata. | | **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys | -| **Recommended Action** | 1. Enter the Compute Service. 2. Select the Instance in question. 3. Select Edit at the top of the page. 4. Under SSH Keys ensure that Block Project-Wide SSH Keys is enabled. | +| **Recommended Action** | Ensure project-wide SSH keys are blocked for all instances. | ## Detailed Remediation Steps + diff --git a/en/google/compute/instances-multi-az.md b/en/google/compute/instances-multi-az.md index 3fc9ead00..affc1a646 100644 --- a/en/google/compute/instances-multi-az.md +++ b/en/google/compute/instances-multi-az.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/compute/ip-forwarding-disabled.md b/en/google/compute/ip-forwarding-disabled.md index 265a5b56a..130038edb 100644 --- a/en/google/compute/ip-forwarding-disabled.md +++ b/en/google/compute/ip-forwarding-disabled.md 
@@ -1,18 +1,19 @@ [![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) -# GOOGLE / Compute / Ip Forwarding Disabled +# GOOGLE / Compute / IP Forwarding Disabled ## Quick Info | | | |-|-| -| **Plugin Title** | Ip Forwarding Disabled | +| **Plugin Title** | IP Forwarding Disabled | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensure that IP forwarding is disabled on all Instances | +| **Description** | Ensures that IP forwarding is disabled on all instances | | **More Info** | Disabling IP forwarding ensures that the instance only sends and receives packets with matching destination or source IPs. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-routes | -| **Recommended Action** | IP Forwarding settings can only be chosen when creating a new instance, Delete the affected instances and redeploy with IP Forwarding disabled | +| **Recommended Action** | IP forwarding settings can only be chosen when creating a new instance. Delete the affected instances and redeploy with IP forwarding disabled. | ## Detailed Remediation Steps + diff --git a/en/google/compute/os-login-enabled.md b/en/google/compute/os-login-enabled.md new file mode 100644 index 000000000..af6a81fc9 --- /dev/null +++ b/en/google/compute/os-login-enabled.md 
@@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / OS Login Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | OS Login Enabled | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensures OS login is enabled for the project | +| **More Info** | Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/managing-instance-access | +| **Recommended Action** | Set enable-oslogin in project-wide metadata so that it applies to all of the instances in the project. | + +## Detailed Remediation Steps + + diff --git a/en/google/compute/vm-instances-least-privilege.md b/en/google/compute/vm-instances-least-privilege.md new file mode 100644 index 000000000..ab1ff786a --- /dev/null +++ b/en/google/compute/vm-instances-least-privilege.md 
@@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / VM Instances Least Privilege + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Instances Least Privilege | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensures that instances are not configured to use the default service account with full access to all cloud APIs | +| **More Info** | To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned to the default service account, Compute Engine default service account with a scope allowing full access to all cloud APIs. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances | +| **Recommended Action** | For all instances, if the default service account is used, ensure full access to all cloud APIs is not configured. | + +## Detailed Remediation Steps + + diff --git a/en/google/compute/vm-max-instances.md b/en/google/compute/vm-max-instances.md index 51e6f7e19..c2599b0f3 100644 --- a/en/google/compute/vm-max-instances.md +++ b/en/google/compute/vm-max-instances.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | VM Max Instances | | **Cloud** | GOOGLE | | **Category** | Compute | -| **Description** | Ensures the total number of VM instances does not exceed a set threshold. | +| **Description** | Ensures the total number of VM instances does not exceed a set threshold | | **More Info** | The number of running VM instances should be carefully audited, especially in unused regions, to ensure only approved applications are consuming compute resources. Many compromised Google accounts see large numbers of VM instances launched. | | **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/ | | **Recommended Action** | Ensure that the number of running VM instances matches the expected count. If instances are launched above the threshold, investigate to ensure they are legitimate. | ## Detailed Remediation Steps + diff --git a/en/google/cryptographickeys/key-rotation.md b/en/google/cryptographickeys/key-rotation.md index 007249740..7c582bb27 100644 --- a/en/google/cryptographickeys/key-rotation.md +++ b/en/google/cryptographickeys/key-rotation.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | Key Rotation | | **Cloud** | GOOGLE | | **Category** | Cryptographic Keys | -| **Description** | Ensures Cryptographic keys are set to rotate on a regular schedule | -| **More Info** | All Cryptographic keys should have key rotation enabled. Google will handle the rotation of the encryption key itself, as well as storage of previous keys, so previous data does not need to be re-encrypted before the rotation occurs. | +| **Description** | Ensures cryptographic keys are set to rotate on a regular schedule | +| **More Info** | All cryptographic keys should have key rotation enabled. Google will handle the rotation of the encryption key itself, as well as storage of previous keys, so previous data does not need to be re-encrypted before the rotation occurs. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-cryptoKeys | -| **Recommended Action** | Restrict TCP port 5900 to known IP addresses | +| **Recommended Action** | Ensure that cryptographic keys are set to rotate. | ## Detailed Remediation Steps + diff --git a/en/google/dns/dns-security-enabled.md b/en/google/dns/dns-security-enabled.md index 8c4252644..e55918720 100644 --- a/en/google/dns/dns-security-enabled.md +++ b/en/google/dns/dns-security-enabled.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | DNS Security Enabled | | **Cloud** | GOOGLE | | **Category** | DNS | -| **Description** | Ensures that DNS Security is enabled on all managed zones. | +| **Description** | Ensures that DNS Security is enabled on all managed zones | | **More Info** | DNS Security is a feature that authenticates all responses to domain name lookups. This prevents attackers from committing DNS hijacking or man in the middle attacks. | -| **GOOGLE Link** | https://cloud.google.com/dns/docs/dnssec?hl=en_US&_ga=2.190155811.-922741565.1560964300 | -| **Recommended Action** | 1. Enter the Cloud DNS Service. 2. Select the Managed Zone in question. 3. Enable DNSSEC. | +| **GOOGLE Link** | https://cloud.google.com/dns/docs/dnssec | +| **Recommended Action** | Ensure DNSSEC is enabled for all managed zones in the cloud DNS service. | ## Detailed Remediation Steps + diff --git a/en/google/dns/dns-security-signing-algorithm.md b/en/google/dns/dns-security-signing-algorithm.md new file mode 100644 index 000000000..9d35f65f0 --- /dev/null +++ b/en/google/dns/dns-security-signing-algorithm.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / DNS / DNS Security Signing Algorithm + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | DNS Security Signing Algorithm | +| **Cloud** | GOOGLE | +| **Category** | DNS | +| **Description** | Ensures that DNS Security is not using the RSASHA1 algorithm for key or zone signing | +| **More Info** | DNS Security is a feature that authenticates all responses to domain name lookups. This prevents attackers from committing DNS hijacking or man in the middle attacks. | +| **GOOGLE Link** | https://cloud.google.com/dns/docs/dnssec | +| **Recommended Action** | Ensure that all managed zones using DNSSEC are not using the RSASHA1 algorithm for key or zone signing. | + +## Detailed Remediation Steps + 
diff --git a/en/google/iam/corporate-emails-only.md b/en/google/iam/corporate-emails-only.md new file mode 100644 index 000000000..0f7ce47db --- /dev/null +++ b/en/google/iam/corporate-emails-only.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / IAM / Corporate Emails Only + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Corporate Emails Only | +| **Cloud** | GOOGLE | +| **Category** | IAM | +| **Description** | Ensures that no users are using their Gmail accounts for access to GCP. | +| **More Info** | Gmail accounts are personally created and are not controlled by organizations. Fully managed accounts are recommended for increased visiblity, auditing and control over access to resources. | +| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview | +| **Recommended Action** | Ensure that no users are actively using their Gmail accounts to access GCP. | + +## Detailed Remediation Steps + + diff --git a/en/google/iam/kms-user-separation.md b/en/google/iam/kms-user-separation.md new file mode 100644 index 000000000..877810934 --- /dev/null +++ b/en/google/iam/kms-user-separation.md 
@@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / IAM / KMS User Separation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | KMS User Separation | +| **Cloud** | GOOGLE | +| **Category** | IAM | +| **Description** | Ensures that no users have the KMS admin role and any one of the CryptoKey roles. | +| **More Info** | Ensuring that no users have the KMS admin role and any one of the CryptoKey roles follows separation of duties, where no user should have access to resources out of the scope of duty. | +| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview | +| **Recommended Action** | Ensure that no service accounts have both the KMS admin role and any of CryptoKey roles attached. | + +## Detailed Remediation Steps + + diff --git a/en/google/iam/service-account-admin.md b/en/google/iam/service-account-admin.md new file mode 100644 index 000000000..920f8d5ea --- /dev/null +++ b/en/google/iam/service-account-admin.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / IAM / Service Account Admin + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Service Account Admin | +| **Cloud** | GOOGLE | +| **Category** | IAM | +| **Description** | Ensures that user managed service accounts do not have any admin, owner, or write privileges. | +| **More Info** | Service accounts are primarily used for API access to Google. It is recommended to not use admin access for service accounts. | +| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview | +| **Recommended Action** | Ensure that no service accounts have admin, owner, or write privileges. | + +## Detailed Remediation Steps + + diff --git a/en/google/iam/service-account-key-rotation.md b/en/google/iam/service-account-key-rotation.md new file mode 100644 index 000000000..c397956c6 --- /dev/null 
+++ b/en/google/iam/service-account-key-rotation.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / IAM / Service Account Key Rotation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Service Account Key Rotation | +| **Cloud** | GOOGLE | +| **Category** | IAM | +| **Description** | Ensures that service account keys are rotated within 90 days of creation. | +| **More Info** | Service account keys should be rotated so older keys that that might have been lost or compromised cannot be used to access Google services. | +| **GOOGLE Link** | https://cloud.google.com/iam/docs/creating-managing-service-account-keys | +| **Recommended Action** | Rotate service account keys that have not been rotated in over 90 days. | + +## Detailed Remediation Steps + + diff --git a/en/google/iam/service-account-managed-keys.md b/en/google/iam/service-account-managed-keys.md new file mode 100644 index 000000000..83278dc18 --- /dev/null +++ b/en/google/iam/service-account-managed-keys.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / IAM / Service Account Managed Keys + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Service Account Managed Keys | +| **Cloud** | GOOGLE | +| **Category** | IAM | +| **Description** | Ensures that service account keys are being managed by Google. | +| **More Info** | Service account keys should be managed by Google to ensure that they are as secure as possible, including key rotations and restrictions to the accessibility of the keys. | +| **GOOGLE Link** | https://cloud.google.com/iam/docs/creating-managing-service-account-keys | +| **Recommended Action** | Ensure all user service account keys are being managed by Google. | + +## Detailed Remediation Steps + + 
diff --git a/en/google/iam/service-account-separation.md b/en/google/iam/service-account-separation.md new file mode 100644 index 000000000..e94211205 --- /dev/null +++ b/en/google/iam/service-account-separation.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / IAM / Service Account Separation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Service Account Separation | +| **Cloud** | GOOGLE | +| **Category** | IAM | +| **Description** | Ensures that no users have both the Service Account User and Service Account Admin role. | +| **More Info** | Ensuring that no users have both roles follows separation of duties, where no user should have access to resources out of the scope of duty. | +| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview | +| **Recommended Action** | Ensure that no service accounts have both the Service Account User and Service Account Admin role attached. | + +## Detailed Remediation Steps + + diff --git a/en/google/iam/service-account-user.md b/en/google/iam/service-account-user.md new file mode 100644 index 000000000..c5a4ea7aa --- /dev/null +++ b/en/google/iam/service-account-user.md 
@@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / IAM / Service Account User + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Service Account User | +| **Cloud** | GOOGLE | +| **Category** | IAM | +| **Description** | Ensures that no users have the Service Account User role. | +| **More Info** | The Service Account User role gives users the access to all service accounts of a project. This can result in an elevation of privileges and is not recommended. | +| **GOOGLE Link** | https://cloud.google.com/iam/docs/overview | +| **Recommended Action** | Ensure that no service accounts have the Service Account User role attached. | + +## Detailed Remediation Steps + + diff --git a/en/google/iam/service-limits.md b/en/google/iam/service-limits.md index 89cc4b14a..2f0076bcd 100644 --- a/en/google/iam/service-limits.md +++ b/en/google/iam/service-limits.md @@ -9,10 +9,11 @@ | **Plugin Title** | Service Limits | | **Cloud** | GOOGLE | | **Category** | IAM | -| **Description** | Determine if the number of resources is close to the per-account limit. | +| **Description** | Determines if the number of resources is close to the per-account limit. | | **More Info** | Google limits accounts to certain numbers of resources. Exceeding those limits could prevent resources from launching. | | **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/limits | | **Recommended Action** | Contact GCP support to increase the number of resources available | ## Detailed Remediation Steps + diff --git a/en/google/kubernetes/alias-ip-ranges-enabled.md b/en/google/kubernetes/alias-ip-ranges-enabled.md new file mode 100644 index 000000000..2df9f232a --- /dev/null +++ b/en/google/kubernetes/alias-ip-ranges-enabled.md 
@@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Alias IP Ranges Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Alias IP Ranges Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes clusters have alias IP ranges enabled | +| **More Info** | Alias IP ranges allow users to assign ranges of internal IP addresses as alias to a network interface. | +| **GOOGLE Link** | https://cloud.google.com/monitoring/kubernetes-engine/ | +| **Recommended Action** | Ensure that Kubernetes clusters have alias IP ranges enabled. | + +## Detailed Remediation Steps + + diff --git a/en/google/kubernetes/automatic-node-repair-enabled.md b/en/google/kubernetes/automatic-node-repair-enabled.md new file mode 100644 index 000000000..aeb159985 --- /dev/null +++ b/en/google/kubernetes/automatic-node-repair-enabled.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Automatic Node Repair Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Automatic Node Repair Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes cluster nodes have automatic repair enabled | +| **More Info** | When automatic repair on nodes is enabled, the Kubernetes engine performs health checks on all nodes, automatically repairing nodes that fail health checks. This ensures that the Kubernetes environment stays optimal. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair | +| **Recommended Action** | Ensure that automatic node repair is enabled on all node pools in Kubernetes clusters | + +## Detailed Remediation Steps + + 
diff --git a/en/google/kubernetes/automatic-node-upgrades-enabled.md b/en/google/kubernetes/automatic-node-upgrades-enabled.md new file mode 100644 index 000000000..bc28a0b8a --- /dev/null +++ b/en/google/kubernetes/automatic-node-upgrades-enabled.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Automatic Node Upgrades Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Automatic Node Upgrades Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes cluster nodes have automatic upgrades enabled | +| **More Info** | Enabling automatic upgrades on nodes ensures that each node stays current with the latest version of the master branch, also ensuring that the latest security patches are installed to provide the most secure environment. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades | +| **Recommended Action** | Ensure that automatic node upgrades are enabled on all node pools in Kubernetes clusters | + +## Detailed Remediation Steps + + diff --git a/en/google/kubernetes/basic-authentication-disabled.md b/en/google/kubernetes/basic-authentication-disabled.md new file mode 100644 index 000000000..d4b85e299 --- /dev/null +++ b/en/google/kubernetes/basic-authentication-disabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Basic Authentication Disabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Basic Authentication Disabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensure basic authentication is set to disabled on Kubernetes clusters. | +| **More Info** | Basic authentication uses static passwords to authenticate, which is not the recommended method to authenticate into the Kubernetes API server. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster | +| **Recommended Action** | Disable basic authentication on all clusters | + +## Detailed Remediation Steps + diff --git a/en/google/kubernetes/cluster-labels-added.md b/en/google/kubernetes/cluster-labels-added.md new file mode 100644 index 000000000..b3c97baf0 --- /dev/null +++ b/en/google/kubernetes/cluster-labels-added.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Cluster Labels Added + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Cluster Labels Added | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes clusters have labels added | +| **More Info** | It is recommended to add labels to Kubernetes clusters to apply specific security settings and auto configure objects at creation. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/creating-managing-labels | +| **Recommended Action** | Ensure labels are added to Kubernetes clusters | + +## Detailed Remediation Steps + + diff --git a/en/google/kubernetes/cluster-least-privilege.md b/en/google/kubernetes/cluster-least-privilege.md new file mode 100644 index 000000000..34de39b6b --- /dev/null +++ b/en/google/kubernetes/cluster-least-privilege.md 
@@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Cluster Least Privilege + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Cluster Least Privilege | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures Kubernetes clusters are created with limited service account access scopes | +| **More Info** | Kubernetes service accounts should be limited in scope to the services necessary to operate the clusters. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/access/service-accounts | +| **Recommended Action** | Ensure that all Kubernetes clusters are created with limited access scope. | + +## Detailed Remediation Steps + + diff --git a/en/google/kubernetes/cos-image-enabled.md b/en/google/kubernetes/cos-image-enabled.md new file mode 100644 index 000000000..21bd47403 --- /dev/null +++ b/en/google/kubernetes/cos-image-enabled.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / COS Image Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | COS Image Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes cluster nodes have Container-Optimized OS enabled | +| **More Info** | Container-Optimized OS is optimized to enhance node security. It is backed by a team at Google that can quickly patch it. | +| **GOOGLE Link** | https://cloud.google.com/container-optimized-os/ | +| **Recommended Action** | Enable Container-Optimized OS on all Kubernetes cluster nodes | + +## Detailed Remediation Steps + + diff --git a/en/google/kubernetes/default-service-account.md b/en/google/kubernetes/default-service-account.md new file mode 100644 index 000000000..0bcf8b3f7 --- /dev/null +++ b/en/google/kubernetes/default-service-account.md 
@@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Default Service Account + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Default Service Account | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes cluster nodes are not using the default service account. | +| **More Info** | Kubernetes cluster nodes should use customized service accounts that have minimal privileges to run. This reduces the attack surface in the case of a malicious attack on the cluster. | +| **GOOGLE Link** | https://cloud.google.com/container-optimized-os/ | +| **Recommended Action** | Ensure that no Kubernetes cluster nodes are using the default service account | + +## Detailed Remediation Steps + + diff --git a/en/google/kubernetes/legacy-authorization-disabled.md b/en/google/kubernetes/legacy-authorization-disabled.md new file mode 100644 index 000000000..6c2e8bcd2 --- /dev/null +++ b/en/google/kubernetes/legacy-authorization-disabled.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Legacy Authorization Disabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Legacy Authorization Disabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensure legacy authorization is set to disabled on Kubernetes clusters | +| **More Info** | The legacy authorizer in Kubernetes grants broad, statically defined permissions. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster | +| **Recommended Action** | Disable legacy authorization on all clusters. | + +## Detailed Remediation Steps + + diff --git a/en/google/kubernetes/logging-enabled.md b/en/google/kubernetes/logging-enabled.md new file mode 100644 index 000000000..143f6387e --- /dev/null 
+++ b/en/google/kubernetes/logging-enabled.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Logging Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Logging Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes clusters have logging enabled | +| **More Info** | This setting should be enabled to ensure Kubernetes control plane logs are properly recorded. | +| **GOOGLE Link** | https://cloud.google.com/monitoring/kubernetes-engine/legacy-stackdriver/logging | +| **Recommended Action** | Ensure that logging is enabled on all Kubernetes clusters. | + +## Detailed Remediation Steps + + diff --git a/en/google/kubernetes/master-authorized-network.md b/en/google/kubernetes/master-authorized-network.md new file mode 100644 index 000000000..c4570ad93 --- /dev/null +++ b/en/google/kubernetes/master-authorized-network.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Master Authorized Network + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Master Authorized Network | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures master authorized networks is set to enabled on Kubernetes clusters | +| **More Info** | Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your container clusters Kubernetes master endpoint. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks | +| **Recommended Action** | Enable master authorized networks on all clusters. | + +## Detailed Remediation Steps + + diff --git a/en/google/kubernetes/monitoring-enabled.md b/en/google/kubernetes/monitoring-enabled.md index 8e33643ca..7edeed701 100644 --- a/en/google/kubernetes/monitoring-enabled.md 
+++ b/en/google/kubernetes/monitoring-enabled.md @@ -9,10 +9,11 @@ | **Plugin Title** | Monitoring Enabled | | **Cloud** | GOOGLE | | **Category** | Kubernetes | -| **Description** | Ensures all Kubernetes clusters have monitoring enabled | +| **Description** | Ensures all Kubernetes clusters have monitoring enabled | | **More Info** | Kubernetes supports monitoring through Stackdriver. | | **GOOGLE Link** | https://cloud.google.com/monitoring/kubernetes-engine/ | -| **Recommended Action** | 1. Enter the Kubernetes Service. 2. Select Clusters from the left blade. 3. Select edit on the cluster. 4. Enable Stackdriver Kubernetes Engine Monitoring or Legacy Stackdriver Monitoring. | +| **Recommended Action** | Ensure monitoring is enabled on all Kubernetes clusters. | ## Detailed Remediation Steps + diff --git a/en/google/kubernetes/network-policy-enabled.md b/en/google/kubernetes/network-policy-enabled.md new file mode 100644 index 000000000..75c893f92 --- /dev/null +++ b/en/google/kubernetes/network-policy-enabled.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Network Policy Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Network Policy Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes clusters have network policy enabled | +| **More Info** | Kubernetes network policy creates isolation between cluster pods, this creates a more secure environment with only specified connections allowed. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy | +| **Recommended Action** | Enable network policy on all Kubernetes clusters. | + +## Detailed Remediation Steps + + diff --git a/en/google/kubernetes/pod-security-policy-enabled.md b/en/google/kubernetes/pod-security-policy-enabled.md new file mode 100644 index 000000000..0e02bd5bb --- /dev/null 
+++ b/en/google/kubernetes/pod-security-policy-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Pod Security Policy Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Pod Security Policy Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures pod security policy is enabled for all Kubernetes clusters | +| **More Info** | Kubernetes pod security policy is a resource that controls security sensitive aspects of the pod configuration. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies | +| **Recommended Action** | Ensure that all Kubernetes clusters have pod security policy enabled. | + +## Detailed Remediation Steps + diff --git a/en/google/kubernetes/private-cluster-enabled.md b/en/google/kubernetes/private-cluster-enabled.md new file mode 100644 index 000000000..2c6f72cd1 --- /dev/null +++ b/en/google/kubernetes/private-cluster-enabled.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Private Cluster Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Private Cluster Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures private cluster is enabled for all Kubernetes clusters | +| **More Info** | Kubernetes private clusters only have internal ip ranges, which ensures that their workloads are isolated from the public internet. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters | +| **Recommended Action** | Ensure that all Kubernetes clusters have private cluster enabled. | + +## Detailed Remediation Steps + + diff --git a/en/google/kubernetes/private-endpoint.md b/en/google/kubernetes/private-endpoint.md index 1cb718b0a..819bc3466 100644 
--- a/en/google/kubernetes/private-endpoint.md +++ b/en/google/kubernetes/private-endpoint.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/kubernetes/web-dashboard-disabled.md b/en/google/kubernetes/web-dashboard-disabled.md new file mode 100644 index 000000000..2efbae866 --- /dev/null +++ b/en/google/kubernetes/web-dashboard-disabled.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Web Dashboard Disabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Web Dashboard Disabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes clusters have the web dashboard disabled. | +| **More Info** | It is recommended to disable the web dashboard because it is backed by a highly privileged service account. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/concepts/dashboards | +| **Recommended Action** | Ensure that no Kubernetes clusters have the web dashboard enabled | + +## Detailed Remediation Steps + + diff --git a/en/google/logging/audit-configuration-logging.md b/en/google/logging/audit-configuration-logging.md new file mode 100644 index 000000000..430989d51 --- /dev/null +++ b/en/google/logging/audit-configuration-logging.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Logging / Audit Configuration Logging + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Audit Configuration Logging | +| **Cloud** | GOOGLE | +| **Category** | Logging | +| **Description** | Ensures that logging and log alerts exist for audit configuration changes. | +| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in audit configuration should be heavily monitored to prevent unauthorized changes. | +| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ | +| **Recommended Action** | Ensure that log alerts exist for audit configuration changes. | + +## Detailed Remediation Steps + diff --git a/en/google/logging/audit-logging-enabled.md b/en/google/logging/audit-logging-enabled.md new file mode 100644 index 000000000..0bdd66b50 --- /dev/null +++ b/en/google/logging/audit-logging-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Logging / Audit Logging Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Audit Logging Enabled | +| **Cloud** | GOOGLE | +| **Category** | Logging | +| **Description** | Ensures that default audit logging is enabled on the project. | +| **More Info** | The default audit logs should be configured to log all admin activities and write and read access to data for all services. In addition, no exempted members should be added to the logs to ensure proper delivery of all audit logs. | +| **GOOGLE Link** | https://cloud.google.com/logging/docs/audit/ | +| **Recommended Action** | Ensure that the default audit logs are enabled to log all admin activities and write and read access to data for all services. | + +## Detailed Remediation Steps + 
diff --git a/en/google/logging/custom-role-logging.md b/en/google/logging/custom-role-logging.md new file mode 100644 index 000000000..e8c4a2451 --- /dev/null +++ b/en/google/logging/custom-role-logging.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Logging / Custom Role Logging + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Custom Role Logging | +| **Cloud** | GOOGLE | +| **Category** | Logging | +| **Description** | Ensures that logging and log alerts exist for custom role creation and changes | +| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in custom role should be heavily monitored to prevent unauthorized changes. | +| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ | +| **Recommended Action** | Ensure that log alerts exist for custom role creation and changes. | + +## Detailed Remediation Steps + diff --git a/en/google/logging/log-sinks-enabled.md b/en/google/logging/log-sinks-enabled.md new file mode 100644 index 000000000..f2e020400 --- /dev/null +++ b/en/google/logging/log-sinks-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Logging / Log Sinks Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Log Sinks Enabled | +| **Cloud** | GOOGLE | +| **Category** | Logging | +| **Description** | Ensures a log sink is enabled to export all logs | +| **More Info** | Log sinks send log data to a storage service for archival and compliance. A log sink with no filter is necessary to ensure that all logs are being properly sent. If logs are sent to a storage bucket, the bucket must exist and bucket versioning should exist. | +| **GOOGLE Link** | https://cloud.google.com/logging/docs/export/ | +| **Recommended Action** | Ensure a log sink is configured properly with an empty filter and a destination. | + +## Detailed Remediation Steps + diff --git a/en/google/logging/project-ownership-logging.md b/en/google/logging/project-ownership-logging.md new file mode 100644 index 000000000..956b71819 --- /dev/null +++ b/en/google/logging/project-ownership-logging.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Logging / Project Ownership Logging + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Project Ownership Logging | +| **Cloud** | GOOGLE | +| **Category** | Logging | +| **Description** | Ensures that logging and log alerts exist for project ownership assignments and changes | +| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in project ownership should be heavily monitored to prevent unauthorized changes. | +| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ | +| **Recommended Action** | Ensure that log alerts exist for project ownership assignments and changes. | + +## Detailed Remediation Steps + 
diff --git a/en/google/logging/sql-configuration-logging.md b/en/google/logging/sql-configuration-logging.md new file mode 100644 index 000000000..15d8b039c --- /dev/null +++ b/en/google/logging/sql-configuration-logging.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Logging / SQL Configuration Logging + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | SQL Configuration Logging | +| **Cloud** | GOOGLE | +| **Category** | Logging | +| **Description** | Ensures that logging and log alerts exist for SQL configuration changes | +| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in SQL configurations should be heavily monitored to prevent unauthorized changes. | +| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ | +| **Recommended Action** | Ensure that log alerts exist for SQL configuration changes. | + +## Detailed Remediation Steps + diff --git a/en/google/logging/storage-permissions-logging.md b/en/google/logging/storage-permissions-logging.md new file mode 100644 index 000000000..8715936a7 --- /dev/null +++ b/en/google/logging/storage-permissions-logging.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Logging / Storage Permissions Logging + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Storage Permissions Logging | +| **Cloud** | GOOGLE | +| **Category** | Logging | +| **Description** | Ensures that logging and log alerts exist for storage permission changes | +| **More Info** | Storage permissions include access to the buckets that store the logs, any changes in storage permissions should be heavily monitored to prevent unauthorized changes. | +| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ | +| **Recommended Action** | Ensure that log alerts exist for storage permission changes. | + +## Detailed Remediation Steps + diff --git a/en/google/logging/vpc-firewall-rule-logging.md b/en/google/logging/vpc-firewall-rule-logging.md new file mode 100644 index 000000000..95f1a0270 --- /dev/null +++ b/en/google/logging/vpc-firewall-rule-logging.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Logging / VPC Firewall Rule Logging + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VPC Firewall Rule Logging | +| **Cloud** | GOOGLE | +| **Category** | Logging | +| **Description** | Ensures that logging and log alerts exist for firewall rule changes | +| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in firewall rule should be heavily monitored to prevent unauthorized changes. | +| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ | +| **Recommended Action** | Ensure that log alerts exist for firewall rule changes. | + +## Detailed Remediation Steps + diff --git a/en/google/logging/vpc-network-logging.md b/en/google/logging/vpc-network-logging.md new file mode 100644 index 000000000..7bd957471 --- /dev/null 
+++ b/en/google/logging/vpc-network-logging.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Logging / VPC Network Logging + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VPC Network Logging | +| **Cloud** | GOOGLE | +| **Category** | Logging | +| **Description** | Ensures that logging and log alerts exist for VPC network changes | +| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in VPC network should be heavily monitored to prevent unauthorized changes. | +| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ | +| **Recommended Action** | Ensure that log alerts exist for VPC network changes. | + +## Detailed Remediation Steps + diff --git a/en/google/logging/vpc-network-route-logging.md b/en/google/logging/vpc-network-route-logging.md new file mode 100644 index 000000000..9694e225d --- /dev/null +++ b/en/google/logging/vpc-network-route-logging.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Logging / VPC Network Route Logging + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VPC Network Route Logging | +| **Cloud** | GOOGLE | +| **Category** | Logging | +| **Description** | Ensures that logging and log alerts exist for VPC network route changes | +| **More Info** | Project Ownership is the highest level of privilege on a project, any changes in VPC network route should be heavily monitored to prevent unauthorized changes. | +| **GOOGLE Link** | https://cloud.google.com/logging/docs/logs-based-metrics/ | +| **Recommended Action** | Ensure that log alerts exist for VPC network route changes. | + +## Detailed Remediation Steps + diff --git a/en/google/sql/any-host-root-access.md b/en/google/sql/any-host-root-access.md new file mode 100644 index 000000000..922db482f --- /dev/null 
+++ b/en/google/sql/any-host-root-access.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / Any Host Root Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Any Host Root Access | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL instances root user cannot be accessed from any host | +| **More Info** | Root access for SQL instance should only be allowed from whitelisted IPs to ensure secure access only from trusted entities. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/create-manage-users | +| **Recommended Action** | Ensure that root access for SQL instances are not allowed from any host. | + +## Detailed Remediation Steps + + diff --git a/en/google/sql/database-ssl-enabled.md b/en/google/sql/database-ssl-enabled.md new file mode 100644 index 000000000..ca738f105 --- /dev/null +++ b/en/google/sql/database-ssl-enabled.md @@ -0,0 +1,19 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / Database SSL Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Database SSL Enabled | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL databases have SSL enabled | +| **More Info** | Enabling SSL ensures that the sensitive data being transferred from the database is encrypted. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings | +| **Recommended Action** | Ensure that SSL is enabled on all SQL databases. | + +## Detailed Remediation Steps + + diff --git a/en/google/sql/db-automated-backups.md b/en/google/sql/db-automated-backups.md index ce8189582..3df41c22e 100644 --- a/en/google/sql/db-automated-backups.md +++ b/en/google/sql/db-automated-backups.md 
@@ -12,7 +12,8 @@ | **Description** | Ensures automated backups are enabled for SQL instances | | **More Info** | Google provides a simple method of backing up SQL instances at a regular interval. This should be enabled to provide an option for restoring data in the event of a database compromise or hardware failure. | | **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings | -| **Recommended Action** | 1. Enter the SQL category of the Google Console. 2. Select the instance. 3. Select Edit at the top of the section. 4. Enter the Enable auto Backups and ensure automate backups is checked. | +| **Recommended Action** | Ensure that all database instances are configured with automatic backups enabled. | ## Detailed Remediation Steps + diff --git a/en/google/sql/db-multiple-az.md b/en/google/sql/db-multiple-az.md index 711445cab..cbf45e413 100644 --- a/en/google/sql/db-multiple-az.md +++ b/en/google/sql/db-multiple-az.md 
@@ -1,18 +1,19 @@ [![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) -# GOOGLE / SQL / DB Multiple Az +# GOOGLE / SQL / DB Multiple AZ ## Quick Info | | | |-|-| -| **Plugin Title** | DB Multiple Az | +| **Plugin Title** | DB Multiple AZ | | **Cloud** | GOOGLE | | **Category** | SQL | -| **Description** | Ensures that SQL instances have a failover replica to be cross-AZ for high availability. | +| **Description** | Ensures that SQL instances have a failover replica to be cross-AZ for high availability | | **More Info** | Creating SQL instances in with a single AZ creates a single point of failure for all systems relying on that database. All SQL instances should be created in multiple AZs to ensure proper failover. | | **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings | -| **Recommended Action** | 1. Enter the SQL category of the Google Console. 2. Select the instance. 3. Select the Replicas tab. 4. Select Create Failover Replica and follow the prompts. | +| **Recommended Action** | Ensure that all database instances have a DB replica enabled in a secondary AZ. | ## Detailed Remediation Steps + diff --git a/en/google/sql/db-publicly-accessible.md b/en/google/sql/db-publicly-accessible.md index 38c2ee23f..7b337009a 100644 --- a/en/google/sql/db-publicly-accessible.md +++ b/en/google/sql/db-publicly-accessible.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/sql/db-restorable.md b/en/google/sql/db-restorable.md index 0808f828e..475fac272 100644 --- a/en/google/sql/db-restorable.md +++ b/en/google/sql/db-restorable.md 
@@ -12,7 +12,8 @@ | **Description** | Ensures SQL instances can be restored to a recent point | | **More Info** | Google will maintain a point to which the database can be restored. This point should not drift too far into the past, or else the risk of irrecoverable data loss may occur. | | **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings | -| **Recommended Action** | 1. Enter the SQL category of the Google Console. 2. Select the instance. 3. Select Edit at the top of the section. 4. Enter the Enable auto Backups and ensure that Enable Binary Logging is checked. | +| **Recommended Action** | Ensure all database instances are configured with automatic backups and can be restored to a recent point with binary logging enabled. | ## Detailed Remediation Steps + diff --git a/en/google/storage/bucket-logging.md b/en/google/storage/bucket-logging.md index bd59dc07a..cb0b3dfbf 100644 --- a/en/google/storage/bucket-logging.md +++ b/en/google/storage/bucket-logging.md @@ -9,10 +9,11 @@ | **Plugin Title** | Bucket Logging | | **Cloud** | GOOGLE | | **Category** | Storage | -| **Description** | Ensures object Logging is enabled on storage buckets | +| **Description** | Ensures object logging is enabled on storage buckets | | **More Info** | Storage bucket logging helps maintain an audit trail of access that can be used in the event of a security incident. | | **GOOGLE Link** | https://cloud.google.com/storage/docs/access-logs | | **Recommended Action** | Bucket Logging can only be enabled by using the Command Line Interface and the log bucket must already be created. Use this command to enable Logging: gsutil logging set on -b gs://[LOG_BUCKET_NAME] -o AccessLog gs://[BUCKET_NAME] | ## Detailed Remediation Steps + diff --git a/en/google/storage/bucket-versioning.md b/en/google/storage/bucket-versioning.md index 4c8b2c61b..b1b0f3707 100644 --- a/en/google/storage/bucket-versioning.md +++ b/en/google/storage/bucket-versioning.md 
@@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/storage/storage-bucket-all-users-policy.md b/en/google/storage/storage-bucket-all-users-policy.md index 1795f4398..0623e01e7 100644 --- a/en/google/storage/storage-bucket-all-users-policy.md +++ b/en/google/storage/storage-bucket-all-users-policy.md @@ -12,7 +12,8 @@ | **Description** | Ensures Storage bucket policies do not allow global write, delete, or read permissions | | **More Info** | Storage buckets can be configured to allow the global principal to access the bucket via the bucket policy. This policy should be restricted only to known users or accounts. | | **GOOGLE Link** | https://cloud.google.com/storage/docs/access-control/iam | -| **Recommended Action** | 1. Enter the Storage Service. 2. Select the ... next to the Bucket and choose Edit Bucket Permissions. 3. In each Permission, ensure that no member is allUsers or allAuthenticatedUsers | +| **Recommended Action** | Ensure that each storage bucket is configured so that no member is set to allUsers or allAuthenticatedUsers. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/default-vpc-in-use.md b/en/google/vpcnetwork/default-vpc-in-use.md index db029ec3d..2ea1b7f6d 100644 --- a/en/google/vpcnetwork/default-vpc-in-use.md +++ b/en/google/vpcnetwork/default-vpc-in-use.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | Default VPC In Use | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determines whether the default VPC is being used for launching VM instances. | +| **Description** | Determines whether the default VPC is being used for launching VM instances | | **More Info** | The default VPC should not be used in order to avoid launching multiple services in the same network which may not require connectivity. Each application, or network tier, should use its own VPC. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/vpc | | **Recommended Action** | Move resources from the default VPC to a new VPC created for that application or resource group. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/excessive-firewall-rules.md b/en/google/vpcnetwork/excessive-firewall-rules.md index 418fb3bef..c632b964f 100644 --- a/en/google/vpcnetwork/excessive-firewall-rules.md +++ b/en/google/vpcnetwork/excessive-firewall-rules.md @@ -9,10 +9,11 @@ | **Plugin Title** | Excessive Firewall Rules | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if there are an excessive number of firewall rules in the account | +| **Description** | Determines if there are an excessive number of firewall rules in the account | | **More Info** | Keeping the number of firewall rules to a minimum helps reduce the attack surface of an account. Rather than creating new rules with the same rules for each project, common rules should be grouped under the same firewall rule. For example, instead of adding port 22 from a known IP to every firewall rule, create a single "SSH" firewall rule which can be used on multiple instances. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | | **Recommended Action** | Limit the number of firewall rules to prevent accidental authorizations | ## Detailed Remediation Steps + 
diff --git a/en/google/vpcnetwork/flow-logs-enabled.md b/en/google/vpcnetwork/flow-logs-enabled.md index 268fdaba1..8d14f1fbf 100644 --- a/en/google/vpcnetwork/flow-logs-enabled.md +++ b/en/google/vpcnetwork/flow-logs-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/multiple-subnets.md b/en/google/vpcnetwork/multiple-subnets.md index 8b45b1ae1..7fef1c291 100644 --- a/en/google/vpcnetwork/multiple-subnets.md +++ b/en/google/vpcnetwork/multiple-subnets.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-all-ports.md b/en/google/vpcnetwork/open-all-ports.md index c3be5ff5a..b95ee06e4 100644 --- a/en/google/vpcnetwork/open-all-ports.md +++ b/en/google/vpcnetwork/open-all-ports.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open All Ports | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if all ports are open to the public | +| **Description** | Determines if all ports are open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, services should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict ports to known IP addresses | +| **Recommended Action** | Restrict ports to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-cifs.md b/en/google/vpcnetwork/open-cifs.md index 4d39ee94a..14a872694 100644 --- a/en/google/vpcnetwork/open-cifs.md +++ b/en/google/vpcnetwork/open-cifs.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open CIFS | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if UDP port 445 for CIFS is open to the public | +| **Description** | Determines if UDP port 445 for CIFS is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as CIFS should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict UDP port 445 to known IP addresses | +| **Recommended Action** | Restrict UDP port 445 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-dns.md b/en/google/vpcnetwork/open-dns.md index 4b6bb14c2..b64cdafd5 100644 --- a/en/google/vpcnetwork/open-dns.md +++ b/en/google/vpcnetwork/open-dns.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open DNS | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP or UDP port 53 for DNS is open to the public | +| **Description** | Determines if TCP or UDP port 53 for DNS is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as DNS should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP and UDP port 53 to known IP addresses | +| **Recommended Action** | Restrict TCP and UDP port 53 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-ftp.md b/en/google/vpcnetwork/open-ftp.md index 09b0c6fbf..7423177e7 100644 --- a/en/google/vpcnetwork/open-ftp.md +++ b/en/google/vpcnetwork/open-ftp.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open FTP | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 20 or 21 for FTP is open to the public | +| **Description** | Determines if TCP port 20 or 21 for FTP is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as FTP should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 20 or 21 to known IP addresses | +| **Recommended Action** | Restrict TCP port 20 or 21 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md index 69868ec11..b918f9bcf 100644 --- a/en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md +++ b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open Hadoop HDFS NameNode Metadata Service | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 8020 for HDFS NameNode metadata service is open to the public. | +| **Description** | Determines if TCP port 8020 for HDFS NameNode metadata service is open to the public. | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | | **Recommended Action** | Restrict TCP port 8020 to known IP addresses for Hadoop/HDFS. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md index fa11e743e..e8bca6677 100644 --- a/en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md +++ b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open Hadoop HDFS NameNode WebUI | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 50070 and 50470 for Hadoop/HDFS NameNode WebUI service is open to the public | +| **Description** | Determines if TCP port 50070 and 50470 for Hadoop/HDFS NameNode WebUI service is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | | **Recommended Action** | Restrict TCP port 50070 and 50470 to known IP addresses for Hadoop/HDFS | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-kibana.md b/en/google/vpcnetwork/open-kibana.md index 9f4c44687..def735a2b 100644 --- a/en/google/vpcnetwork/open-kibana.md +++ b/en/google/vpcnetwork/open-kibana.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open Kibana | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 5601 for Kibana is open to the public | +| **Description** | Determines if TCP port 5601 for Kibana is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Kibana should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 5601 to known IP addresses | +| **Recommended Action** | Restrict TCP port 5601 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-mysql.md b/en/google/vpcnetwork/open-mysql.md index aff65e67d..8bc591b7c 100644 --- a/en/google/vpcnetwork/open-mysql.md +++ b/en/google/vpcnetwork/open-mysql.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open MySQL | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 4333 or 3306 for MySQL is open to the public | +| **Description** | Determines if TCP port 4333 or 3306 for MySQL is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as MySQL should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP ports 4333 and 3306 to known IP addresses | +| **Recommended Action** | Restrict TCP ports 4333 and 3306 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-netbios.md b/en/google/vpcnetwork/open-netbios.md index 2a61efca7..5e80e2b0d 100644 --- a/en/google/vpcnetwork/open-netbios.md +++ b/en/google/vpcnetwork/open-netbios.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open NetBIOS | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if UDP port 137 or 138 for NetBIOS is open to the public | +| **Description** | Determines if UDP port 137 or 138 for NetBIOS is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as NetBIOS should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict UDP ports 137 and 138 to known IP addresses | +| **Recommended Action** | Restrict UDP ports 137 and 138 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-oracle-auto-data-warehouse.md b/en/google/vpcnetwork/open-oracle-auto-data-warehouse.md index 512064255..91cea951a 100644 --- a/en/google/vpcnetwork/open-oracle-auto-data-warehouse.md +++ b/en/google/vpcnetwork/open-oracle-auto-data-warehouse.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open Oracle Auto Data Warehouse | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 1522 for Oracle Auto Data Warehouse is open to the public | +| **Description** | Determines if TCP port 1522 for Oracle Auto Data Warehouse is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Oracle should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP ports 1522 to known IP addresses | +| **Recommended Action** | Restrict TCP ports 1522 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-oracle.md b/en/google/vpcnetwork/open-oracle.md index 36008a9d1..5ec2f9441 100644 --- a/en/google/vpcnetwork/open-oracle.md +++ b/en/google/vpcnetwork/open-oracle.md 
@@ -9,12 +9,13 @@ | **Plugin Title** | Open Oracle | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 1521 for Oracle is open to the public | +| **Description** | Determines if TCP port 1521 for Oracle is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Oracle should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP ports 1521 to known IP addresses | +| **Recommended Action** | Restrict TCP ports 1521 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-postgresql.md b/en/google/vpcnetwork/open-postgresql.md index e275959be..72904da2a 100644 --- a/en/google/vpcnetwork/open-postgresql.md +++ b/en/google/vpcnetwork/open-postgresql.md @@ -9,12 +9,13 @@ | **Plugin Title** | Open PostgreSQL | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 5432 for PostgreSQL is open to the public | +| **Description** | Determines if TCP port 5432 for PostgreSQL is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as PostgreSQL should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 5432 to known IP addresses | +| **Recommended Action** | Restrict TCP port 5432 to known IP addresses. | ## Detailed Remediation Steps + 1. Log into the Google Cloud Platform Console. 2. Scroll down the left navigation panel and choose the "Networking" to select the "Firewall rules" option under the "VPC network."
3. On the "Firewall rules" page, select the "Firewall rule" which needs to be verified.
diff --git a/en/google/vpcnetwork/open-rdp.md b/en/google/vpcnetwork/open-rdp.md index 8be192827..4a192ddd9 100644 --- a/en/google/vpcnetwork/open-rdp.md +++ b/en/google/vpcnetwork/open-rdp.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open RDP | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 3389 for RDP is open to the public | +| **Description** | Determines if TCP port 3389 for RDP is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as RDP should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 5432 to known IP addresses | +| **Recommended Action** | Restrict TCP port 5432 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-rpc.md b/en/google/vpcnetwork/open-rpc.md index aed28eec4..dd4aa37f7 100644 --- a/en/google/vpcnetwork/open-rpc.md +++ b/en/google/vpcnetwork/open-rpc.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open RPC | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 135 for RPC is open to the public | +| **Description** | Determines if TCP port 135 for RPC is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as RPC should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 135 to known IP addresses | +| **Recommended Action** | Restrict TCP port 135 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-smbotcp.md b/en/google/vpcnetwork/open-smbotcp.md index 5d60caa7d..04be42ac4 100644 --- a/en/google/vpcnetwork/open-smbotcp.md 
+++ b/en/google/vpcnetwork/open-smbotcp.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open SMBoTCP | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 445 for Windows SMB over TCP is open to the public | +| **Description** | Determines if TCP port 445 for Windows SMB over TCP is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SMB should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 445 to known IP addresses | +| **Recommended Action** | Restrict TCP port 445 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-smtp.md b/en/google/vpcnetwork/open-smtp.md index bf06cf457..d9c52bb1d 100644 --- a/en/google/vpcnetwork/open-smtp.md +++ b/en/google/vpcnetwork/open-smtp.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open SMTP | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 25 for SMTP is open to the public | +| **Description** | Determines if TCP port 25 for SMTP is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SMTP should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 25 to known IP addresses | +| **Recommended Action** | Restrict TCP port 25 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-sqlserver.md b/en/google/vpcnetwork/open-sqlserver.md index 0b7b4a1a4..58f25343c 100644 --- a/en/google/vpcnetwork/open-sqlserver.md +++ b/en/google/vpcnetwork/open-sqlserver.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | Open SQLServer | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 1433 or UDP port 1434 for SQL Server is open to the public | +| **Description** | Determines if TCP port 1433 or UDP port 1434 for SQL Server is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SQL server should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 1433 and UDP port 1434 to known IP addresses | +| **Recommended Action** | Restrict TCP port 1433 and UDP port 1434 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-ssh.md b/en/google/vpcnetwork/open-ssh.md index ef97257ba..c0952d860 100644 --- a/en/google/vpcnetwork/open-ssh.md +++ b/en/google/vpcnetwork/open-ssh.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open SSH | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 22 for FTP is open to the public | +| **Description** | Determines if TCP port 22 for FTP is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SSH should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 22 to known IP addresses | +| **Recommended Action** | Restrict TCP port 22 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-telnet.md b/en/google/vpcnetwork/open-telnet.md index 741dc4f61..7293482a2 100644 --- a/en/google/vpcnetwork/open-telnet.md +++ b/en/google/vpcnetwork/open-telnet.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | Open Telnet | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 23 for Telnet is open to the public | +| **Description** | Determines if TCP port 23 for Telnet is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Telnet should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 23 to known IP addresses | +| **Recommended Action** | Restrict TCP port 23 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-vnc-client.md b/en/google/vpcnetwork/open-vnc-client.md index 07b8897a3..ad91a9d6f 100644 --- a/en/google/vpcnetwork/open-vnc-client.md +++ b/en/google/vpcnetwork/open-vnc-client.md @@ -9,10 +9,11 @@ | **Plugin Title** | Open VNC Client | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 5500 for VNC Client is open to the public | +| **Description** | Determines if TCP port 5500 for VNC Client is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Client should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 5500 to known IP addresses | +| **Recommended Action** | Restrict TCP port 5500 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-vnc-server.md b/en/google/vpcnetwork/open-vnc-server.md index 4ff765326..35457e75b 100644 --- a/en/google/vpcnetwork/open-vnc-server.md +++ b/en/google/vpcnetwork/open-vnc-server.md 
@@ -9,10 +9,11 @@ | **Plugin Title** | Open VNC Server | | **Cloud** | GOOGLE | | **Category** | VPC Network | -| **Description** | Determine if TCP port 5900 for VNC Server is open to the public | +| **Description** | Determines if TCP port 5900 for VNC Server is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Server should be restricted to known IP addresses. | | **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | -| **Recommended Action** | Restrict TCP port 5900 to known IP addresses | +| **Recommended Action** | Restrict TCP port 5900 to known IP addresses. | ## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/private-access-enabled.md b/en/google/vpcnetwork/private-access-enabled.md index b75514385..69659ff6b 100644 --- a/en/google/vpcnetwork/private-access-enabled.md +++ b/en/google/vpcnetwork/private-access-enabled.md @@ -16,3 +16,4 @@ ## Detailed Remediation Steps + diff --git a/resources/google/vpcnetwork/open-rdp/README.md b/resources/google/vpcnetwork/open-rdp/README.md new file mode 100644 index 000000000..8b1378917 --- /dev/null +++ b/resources/google/vpcnetwork/open-rdp/README.md @@ -0,0 +1 @@ + diff --git a/resources/google/vpcnetwork/open-rdp/step2.png b/resources/google/vpcnetwork/open-rdp/step2.png new file mode 100644 index 000000000..cab251b79 Binary files /dev/null and b/resources/google/vpcnetwork/open-rdp/step2.png differ diff --git a/resources/google/vpcnetwork/open-rdp/step3.png b/resources/google/vpcnetwork/open-rdp/step3.png new file mode 100644 index 000000000..0c655e7e4 Binary files /dev/null and b/resources/google/vpcnetwork/open-rdp/step3.png differ 
diff --git a/resources/google/vpcnetwork/open-rdp/step4.png b/resources/google/vpcnetwork/open-rdp/step4.png new file mode 100644 index 000000000..797e59363 Binary files /dev/null and b/resources/google/vpcnetwork/open-rdp/step4.png differ diff --git a/resources/google/vpcnetwork/open-rdp/step6.png b/resources/google/vpcnetwork/open-rdp/step6.png new file mode 100644 index 000000000..97fb8b217 Binary files /dev/null and b/resources/google/vpcnetwork/open-rdp/step6.png differ diff --git a/resources/google/vpcnetwork/open-rdp/step7.png b/resources/google/vpcnetwork/open-rdp/step7.png new file mode 100644 index 000000000..58c0cf421 Binary files /dev/null and b/resources/google/vpcnetwork/open-rdp/step7.png differ diff --git a/resources/google/vpcnetwork/open-rdp/step8.png b/resources/google/vpcnetwork/open-rdp/step8.png new file mode 100644 index 000000000..576e30cde Binary files /dev/null and b/resources/google/vpcnetwork/open-rdp/step8.png differ
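Review bot: In the default-vpc.md hunk the Description cell drops its trailing period ("...for launching VM instances") while the other hunks in this patch add trailing periods to Recommended Action cells and open-hadoop-hdfs-namenode-metadata-service.md keeps "...is open to the public."; settle on one convention for table cells before merging. The hunk also only adds a blank line under "## Detailed Remediation Steps", so that section is still empty.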
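Review bot: In excessive-firewall-rules.md the new Description reads "Determines if there are an excessive number of firewall rules"; the subject is "number", so it should be "Determines if there is an excessive number of firewall rules in the account". The visible More Info line "creating new rules with the same rules for each project" could be tightened to "creating duplicate rules in each project" while the file is being touched.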
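Review bot: In flow-logs-enabled.md the only change is a blank line appended after an empty "## Detailed Remediation Steps" heading, so the remediation section stays empty; the same applies to the multiple-subnets.md and private-access-enabled.md hunks in this patch. Either add the steps in this PR or leave these files untouched so the diff only carries content changes.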
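Review bot: In open-all-ports.md the unchanged step 2 in the context lines, 'choose the "Networking" to select the "Firewall rules" option under the "VPC network."', is hard to follow; since the same wording is repeated in every open-* file in this patch, consider rewording it once as 'expand "Networking" in the left navigation panel and choose "Firewall rules" under "VPC network".' and applying it across the set.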
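Review bot: In open-hadoop-hdfs-namenode-webui.md the new Description "Determines if TCP port 50070 and 50470 for Hadoop/HDFS NameNode WebUI service is open to the public" has a number disagreement; two ports are named, so it should read "Determines if TCP ports 50070 and 50470 for the Hadoop/HDFS NameNode WebUI service are open to the public". The Recommended Action in this file also lacks the trailing period that the other hunks add.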
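Review bot: In open-oracle-auto-data-warehouse.md the Recommended Action "Restrict TCP ports 1522 to known IP addresses." names a single port with a plural noun; it should be "Restrict TCP port 1522 to known IP addresses." The open-oracle.md hunk has the same slip with "Restrict TCP ports 1521".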
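Review bot: In open-rdp.md the Recommended Action still says "Restrict TCP port 5432 to known IP addresses." although the Description and the plugin title are about RDP on TCP port 3389; 5432 is the PostgreSQL port copied from open-postgresql.md. Change it to "Restrict TCP port 3389 to known IP addresses." This is the file the new step images under resources/google/vpcnetwork/open-rdp/ are meant for, yet the hunk adds only a blank line under "## Detailed Remediation Steps", so nothing references those images.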
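Review bot: In open-ssh.md the new Description "Determines if TCP port 22 for FTP is open to the public" names the wrong protocol; port 22 is SSH, as the title and More Info say. Change it to "Determines if TCP port 22 for SSH is open to the public".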
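Review bot: The new resources/google/vpcnetwork/open-rdp/README.md is an empty file (the hunk @@ -0,0 +1 @@ adds a single blank line), and the accompanying binary files are step2, step3, step4, step6, step7 and step8 with step1 and step5 absent. Either populate the README or drop it, and check whether the missing step images were left out of the commit before the remediation steps that reference them are written.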