Rule Number | Section | Description | Status | Type |
---|---|---|---|---|
1.1.1 | Control Plane Node Configuration Files | Ensure that the API server pod specification file permissions are set to 644 or more restrictive | ✅ | Automated |
1.1.2 | Control Plane Node Configuration Files | Ensure that the API server pod specification file ownership is set to root:root | ✅ | Automated |
1.1.3 | Control Plane Node Configuration Files | Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive | ✅ | Automated |
1.1.4 | Control Plane Node Configuration Files | Ensure that the controller manager pod specification file ownership is set to root:root | ✅ | Automated |
1.1.5 | Control Plane Node Configuration Files | Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive | ✅ | Automated |
1.1.6 | Control Plane Node Configuration Files | Ensure that the scheduler pod specification file ownership is set to root:root | ✅ | Automated |
1.1.7 | Control Plane Node Configuration Files | Ensure that the etcd pod specification file permissions are set to 644 or more restrictive | ✅ | Automated |
1.1.8 | Control Plane Node Configuration Files | Ensure that the etcd pod specification file ownership is set to root:root | ✅ | Automated |
1.1.9 | Control Plane Node Configuration Files | Ensure that the Container Network Interface file permissions are set to 644 or more restrictive | ❌ | Manual |
1.1.10 | Control Plane Node Configuration Files | Ensure that the Container Network Interface file ownership is set to root:root | ❌ | Manual |
1.1.11 | Control Plane Node Configuration Files | Ensure that the etcd data directory permissions are set to 700 or more restrictive | ✅ | Automated |
1.1.12 | Control Plane Node Configuration Files | Ensure that the etcd data directory ownership is set to etcd:etcd | ✅ | Automated |
1.1.13 | Control Plane Node Configuration Files | Ensure that the admin.conf file permissions are set to 600 | ✅ | Automated |
1.1.14 | Control Plane Node Configuration Files | Ensure that the admin.conf file ownership is set to root:root | ✅ | Automated |
1.1.15 | Control Plane Node Configuration Files | Ensure that the scheduler.conf file permissions are set to 644 or more restrictive | ✅ | Automated |
1.1.16 | Control Plane Node Configuration Files | Ensure that the scheduler.conf file ownership is set to root:root | ✅ | Automated |
1.1.17 | Control Plane Node Configuration Files | Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive | ✅ | Automated |
1.1.18 | Control Plane Node Configuration Files | Ensure that the controller-manager.conf file ownership is set to root:root | ✅ | Automated |
1.1.19 | Control Plane Node Configuration Files | Ensure that the Kubernetes PKI directory and file ownership is set to root:root | ✅ | Automated |
1.1.20 | Control Plane Node Configuration Files | Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive | ✅ | Manual |
1.1.21 | Control Plane Node Configuration Files | Ensure that the Kubernetes PKI key file permissions are set to 600 | ✅ | Manual |
1.2.1 | API Server | Ensure that the --anonymous-auth argument is set to false | ❌ | Manual |
1.2.2 | API Server | Ensure that the --token-auth-file parameter is not set | ✅ | Automated |
1.2.3 | API Server | Ensure that the --DenyServiceExternalIPs is not set | ❌ | Automated |
1.2.4 | API Server | Ensure that the --kubelet-https argument is set to true | ✅ | Automated |
1.2.5 | API Server | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | ✅ | Automated |
1.2.6 | API Server | Ensure that the --kubelet-certificate-authority argument is set as appropriate | ✅ | Automated |
1.2.7 | API Server | Ensure that the --authorization-mode argument is not set to AlwaysAllow | ✅ | Automated |
1.2.8 | API Server | Ensure that the --authorization-mode argument includes Node | ✅ | Automated |
1.2.9 | API Server | Ensure that the --authorization-mode argument includes RBAC | ✅ | Automated |
1.2.10 | API Server | Ensure that the admission control plugin EventRateLimit is set | ✅ | Manual |
1.2.11 | API Server | Ensure that the admission control plugin AlwaysAdmit is not set | ✅ | Automated |
1.2.12 | API Server | Ensure that the admission control plugin AlwaysPullImages is set | ✅ | Manual |
1.2.13 | API Server | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | ✅ | Manual |
1.2.14 | API Server | Ensure that the admission control plugin ServiceAccount is set | ✅ | Automated |
1.2.15 | API Server | Ensure that the admission control plugin NamespaceLifecycle is set | ✅ | Automated |
1.2.16 | API Server | Ensure that the admission control plugin NodeRestriction is set | ✅ | Automated |
1.2.17 | API Server | Ensure that the --secure-port argument is not set to 0 | ✅ | Automated |
1.2.18 | API Server | Ensure that the --profiling argument is set to false | ✅ | Automated |
1.2.19 | API Server | Ensure that the --audit-log-path argument is set | ✅ | Automated |
1.2.20 | API Server | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | ✅ | Automated |
1.2.21 | API Server | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | ✅ | Automated |
1.2.22 | API Server | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | ✅ | Automated |
1.2.23 | API Server | Ensure that the --request-timeout argument is set as appropriate | ✅ | Manual |
1.2.24 | API Server | Ensure that the --service-account-lookup argument is set to true | ✅ | Automated |
1.2.25 | API Server | Ensure that the --service-account-key-file argument is set as appropriate | ✅ | Automated |
1.2.26 | API Server | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | ✅ | Automated |
1.2.27 | API Server | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | ✅ | Automated |
1.2.28 | API Server | Ensure that the --client-ca-file argument is set as appropriate | ✅ | Automated |
1.2.29 | API Server | Ensure that the --etcd-cafile argument is set as appropriate | ✅ | Automated |
1.2.30 | API Server | Ensure that the --encryption-provider-config argument is set as appropriate | ❌ | Manual |
1.2.31 | API Server | Ensure that encryption providers are appropriately configured | ❌ | Manual |
1.2.32 | API Server | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | ✅ | Manual |
1.3.1 | Controller Manager | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | ❌ | Manual |
1.3.2 | Controller Manager | Ensure that the --profiling argument is set to false | ✅ | Automated |
1.3.3 | Controller Manager | Ensure that the --use-service-account-credentials argument is set to true | ✅ | Automated |
1.3.4 | Controller Manager | Ensure that the --service-account-private-key-file argument is set as appropriate | ✅ | Automated |
1.3.5 | Controller Manager | Ensure that the --root-ca-file argument is set as appropriate | ✅ | Automated |
1.3.6 | Controller Manager | Ensure that the RotateKubeletServerCertificate argument is set to true | ✅ | Automated |
1.3.7 | Controller Manager | Ensure that the --bind-address argument is set to 127.0.0.1 | ✅ | Automated |
1.4.1 | Scheduler | Ensure that the --profiling argument is set to false | ✅ | Automated |
1.4.2 | Scheduler | Ensure that the --bind-address argument is set to 127.0.0.1 | ✅ | Automated |
2.1 | etcd | Ensure that the --cert-file and --key-file arguments are set as appropriate | ✅ | Automated |
2.2 | etcd | Ensure that the --client-cert-auth argument is set to true | ✅ | Automated |
2.3 | etcd | Ensure that the --auto-tls argument is not set to true | ✅ | Automated |
2.4 | etcd | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | ✅ | Automated |
2.5 | etcd | Ensure that the --peer-client-cert-auth argument is set to true | ✅ | Automated |
2.6 | etcd | Ensure that the --peer-auto-tls argument is not set to true | ✅ | Automated |
2.7 | etcd | Ensure that a unique Certificate Authority is used for etcd | ❌ | Manual |
3.1.1 | Authentication and Authorization | Client certificate authentication should not be used for users | ❌ | Manual |
3.2.1 | Logging | Ensure that a minimal audit policy is created | ❌ | Manual |
3.2.2 | Logging | Ensure that the audit policy covers key security concerns | ❌ | Manual |
4.1.1 | Worker Node Configuration Files | Ensure that the kubelet service file permissions are set to 644 or more restrictive | ✅ | Automated |
4.1.2 | Worker Node Configuration Files | Ensure that the kubelet service file ownership is set to root:root | ✅ | Automated |
4.1.3 | Worker Node Configuration Files | If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive | ❌ | Manual |
4.1.4 | Worker Node Configuration Files | If proxy kubeconfig file exists ensure ownership is set to root:root | ❌ | Manual |
4.1.5 | Worker Node Configuration Files | Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive | ✅ | Automated |
4.1.6 | Worker Node Configuration Files | Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root | ✅ | Automated |
4.1.7 | Worker Node Configuration Files | Ensure that the certificate authorities file permissions are set to 644 or more restrictive | ❌ | Manual |
4.1.8 | Worker Node Configuration Files | Ensure that the client certificate authorities file ownership is set to root:root | ❌ | Manual |
4.1.9 | Worker Node Configuration Files | Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive | ✅ | Automated |
4.1.10 | Worker Node Configuration Files | Ensure that the kubelet --config configuration file ownership is set to root:root | ✅ | Automated |
4.2.1 | Kubelet | Ensure that the --anonymous-auth argument is set to false | ✅ | Automated |
4.2.2 | Kubelet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | ✅ | Automated |
4.2.3 | Kubelet | Ensure that the --client-ca-file argument is set as appropriate | ✅ | Automated |
4.2.4 | Kubelet | Verify that the --read-only-port argument is set to 0 | ✅ | Manual |
4.2.5 | Kubelet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | ✅ | Manual |
4.2.6 | Kubelet | Ensure that the --protect-kernel-defaults argument is set to true | ✅ | Automated |
4.2.7 | Kubelet | Ensure that the --make-iptables-util-chains argument is set to true | ✅ | Automated |
4.2.8 | Kubelet | Ensure that the --hostname-override argument is not set | ✅ | Manual |
4.2.9 | Kubelet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | ✅ | Manual |
4.2.10 | Kubelet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | ✅ | Manual |
4.2.11 | Kubelet | Ensure that the --rotate-certificates argument is not set to false | ✅ | Automated |
4.2.12 | Kubelet | Verify that the RotateKubeletServerCertificate argument is set to true | ✅ | Manual |
4.2.13 | Kubelet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | ✅ | Manual |
5.1.1 | RBAC and Service Accounts | Ensure that the cluster-admin role is only used where required | ❌ | Manual |
5.1.2 | RBAC and Service Accounts | Minimize access to secrets | ❌ | Manual |
5.1.3 | RBAC and Service Accounts | Minimize wildcard use in Roles and ClusterRoles | ✅ | Manual |
5.1.4 | RBAC and Service Accounts | Minimize access to create pods | ❌ | Manual |
5.1.5 | RBAC and Service Accounts | Ensure that default service accounts are not actively used. | ✅ | Manual |
5.1.6 | RBAC and Service Accounts | Ensure that Service Account Tokens are only mounted where necessary | ✅ | Manual |
5.1.7 | RBAC and Service Accounts | Avoid use of system:masters group | ❌ | Manual |
5.1.8 | RBAC and Service Accounts | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster | ❌ | Manual |
5.2.1 | Pod Security Standards | Ensure that the cluster has at least one active policy control mechanism in place | ❌ | Manual |
5.2.2 | Pod Security Standards | Minimize the admission of privileged containers | ✅ | Manual |
5.2.3 | Pod Security Standards | Minimize the admission of containers wishing to share the host process ID namespace | ✅ | Automated |
5.2.4 | Pod Security Standards | Minimize the admission of containers wishing to share the host IPC namespace | ✅ | Automated |
5.2.5 | Pod Security Standards | Minimize the admission of containers wishing to share the host network namespace | ✅ | Automated |
5.2.6 | Pod Security Standards | Minimize the admission of containers with allowPrivilegeEscalation | ✅ | Automated |
5.2.7 | Pod Security Standards | Minimize the admission of root containers | ✅ | Automated |
5.2.8 | Pod Security Standards | Minimize the admission of containers with the NET_RAW capability | ✅ | Automated |
5.2.9 | Pod Security Standards | Minimize the admission of containers with added capabilities | ✅ | Automated |
5.2.10 | Pod Security Standards | Minimize the admission of containers with capabilities assigned | ✅ | Manual |
5.2.11 | Pod Security Standards | Minimize the admission of Windows HostProcess Containers | ❌ | Manual |
5.2.12 | Pod Security Standards | Minimize the admission of HostPath volumes | ❌ | Manual |
5.2.13 | Pod Security Standards | Minimize the admission of containers which use HostPorts | ❌ | Manual |
5.3.1 | Network Policies and CNI | Ensure that the CNI in use supports Network Policies | ❌ | Manual |
5.3.2 | Network Policies and CNI | Ensure that all Namespaces have Network Policies defined | ❌ | Manual |
5.4.1 | Secrets Management | Prefer using secrets as files over secrets as environment variables | ❌ | Manual |
5.4.2 | Secrets Management | Consider external secret storage | ❌ | Manual |
5.5.1 | Extensible Admission Control | Configure Image Provenance using ImagePolicyWebhook admission controller | ❌ | Manual |
5.7.1 | General Policies | Create administrative boundaries between resources using namespaces | ❌ | Manual |
5.7.2 | General Policies | Ensure that the seccomp profile is set to docker/default in your pod definitions | ❌ | Manual |
5.7.3 | General Policies | Apply Security Context to Your Pods and Containers | ❌ | Manual |
5.7.4 | General Policies | The default namespace should not be used | ❌ | Manual |
Rule Number | Section | Description | Status | Type |
---|---|---|---|---|
2.1.1 | Logging | Enable audit Logs | ✅ | Manual |
3.1.1 | Worker Node Configuration Files | Ensure that the kubeconfig file permissions are set to 644 or more restrictive | ✅ | Manual |
3.1.2 | Worker Node Configuration Files | Ensure that the kubelet kubeconfig file ownership is set to root:root | ✅ | Manual |
3.1.3 | Worker Node Configuration Files | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive | ✅ | Manual |
3.1.4 | Worker Node Configuration Files | Ensure that the kubelet configuration file ownership is set to root:root | ✅ | Manual |
3.2.1 | Kubelet | Ensure that the --anonymous-auth argument is set to false | ✅ | Automated |
3.2.2 | Kubelet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | ✅ | Automated |
3.2.3 | Kubelet | Ensure that the --client-ca-file argument is set as appropriate | ✅ | Manual |
3.2.4 | Kubelet | Ensure that the --read-only-port is secured | ✅ | Manual |
3.2.5 | Kubelet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | ✅ | Manual |
3.2.6 | Kubelet | Ensure that the --protect-kernel-defaults argument is set to true | ✅ | Automated |
3.2.7 | Kubelet | Ensure that the --make-iptables-util-chains argument is set to true | ✅ | Automated |
3.2.8 | Kubelet | Ensure that the --hostname-override argument is not set | ✅ | Manual |
3.2.9 | Kubelet | Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture | ✅ | Automated |
3.2.10 | Kubelet | Ensure that the --rotate-certificates argument is not set to false | ✅ | Manual |
3.2.11 | Kubelet | Ensure that the RotateKubeletServerCertificate argument is set to true | ✅ | Manual |
4.1.1 | RBAC and Service Accounts | Ensure that the cluster-admin role is only used where required | ❌ | Manual |
4.1.2 | RBAC and Service Accounts | Minimize access to secrets | ❌ | Manual |
4.1.3 | RBAC and Service Accounts | Minimize wildcard use in Roles and ClusterRoles | ❌ | Manual |
4.1.4 | RBAC and Service Accounts | Minimize access to create pods | ❌ | Manual |
4.1.5 | RBAC and Service Accounts | Ensure that default service accounts are not actively used. | ❌ | Manual |
4.1.6 | RBAC and Service Accounts | Ensure that Service Account Tokens are only mounted where necessary | ❌ | Manual |
4.2.1 | Pod Security Policies | Minimize the admission of privileged containers | ✅ | Automated |
4.2.2 | Pod Security Policies | Minimize the admission of containers wishing to share the host process ID namespace | ✅ | Automated |
4.2.3 | Pod Security Policies | Minimize the admission of containers wishing to share the host IPC namespace | ✅ | Automated |
4.2.4 | Pod Security Policies | Minimize the admission of containers wishing to share the host network namespace | ✅ | Automated |
4.2.5 | Pod Security Policies | Minimize the admission of containers with allowPrivilegeEscalation | ✅ | Automated |
4.2.6 | Pod Security Policies | Minimize the admission of root containers | ✅ | Automated |
4.2.7 | Pod Security Policies | Minimize the admission of containers with the NET_RAW capability | ✅ | Automated |
4.2.8 | Pod Security Policies | Minimize the admission of containers with added capabilities | ✅ | Automated |
4.2.9 | Pod Security Policies | Minimize the admission of containers with capabilities assigned | ✅ | Manual |
4.3.1 | CNI Plugin | Ensure latest CNI version is used | ❌ | Manual |
4.3.2 | CNI Plugin | Ensure that all Namespaces have Network Policies defined | ❌ | Automated |
4.4.1 | Secrets Management | Prefer using secrets as files over secrets as environment variables | ❌ | Manual |
4.4.2 | Secrets Management | Consider external secret storage | ❌ | Manual |
4.5.1 | Extensible Admission Control | Configure Image Provenance using ImagePolicyWebhook admission controller | ❌ | Manual |
4.6.1 | General Policies | Create administrative boundaries between resources using namespaces | ❌ | Manual |
4.6.2 | General Policies | Apply Security Context to Your Pods and Containers | ❌ | Manual |
4.6.3 | General Policies | The default namespace should not be used | ❌ | Automated |
5.1.1 | Image Registry and Image Scanning | Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider | ✅ | Manual |
5.1.2 | Image Registry and Image Scanning | Minimize user access to Amazon ECR | ❌ | Manual |
5.1.3 | Image Registry and Image Scanning | Minimize cluster access to read-only for Amazon ECR | ❌ | Manual |
5.1.4 | Image Registry and Image Scanning | Minimize Container Registries to only those approved | ❌ | Manual |
5.2.1 | Identity and Access Management (IAM) | Prefer using dedicated EKS Service Accounts | ❌ | Manual |
5.3.1 | AWS Key Management Service (KMS) | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS | ✅ | Automated |
5.4.1 | Cluster Networking | Restrict Access to the Control Plane Endpoint | ✅ | Manual |
5.4.2 | Cluster Networking | Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | ✅ | Manual |
5.4.3 | Cluster Networking | Ensure clusters are created with Private Nodes | ✅ | Manual |
5.4.4 | Cluster Networking | Ensure Network Policy is Enabled and set as appropriate | ❌ | Manual |
5.4.5 | Cluster Networking | Encrypt traffic to HTTPS load balancers with TLS certificates | ✅ | Manual |
5.5.1 | Authentication and Authorization | Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes | ❌ | Manual |
5.6.1 | Other Cluster Configurations | Consider Fargate for running untrusted workloads | ❌ | Manual |
Rule Number | Section | Description | Status | Type |
---|---|---|---|---|
1.1 | Identity and Access Management | Maintain current contact details | ❌ | Manual |
1.2 | Identity and Access Management | Ensure security contact information is registered | ❌ | Manual |
1.3 | Identity and Access Management | Ensure security questions are registered in the AWS account | ❌ | Manual |
1.4 | Identity and Access Management | Ensure no 'root' user account access key exists | ✅ | Automated |
1.5 | Identity and Access Management | Ensure MFA is enabled for the 'root' user account | ✅ | Automated |
1.6 | Identity and Access Management | Ensure hardware MFA is enabled for the 'root' user account | ✅ | Automated |
1.7 | Identity and Access Management | Eliminate use of the 'root' user for administrative and daily tasks | ✅ | Automated |
1.8 | Identity and Access Management | Ensure IAM password policy requires minimum length of 14 or greater | ✅ | Automated |
1.9 | Identity and Access Management | Ensure IAM password policy prevents password reuse | ✅ | Automated |
1.10 | Identity and Access Management | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | ✅ | Automated |
1.11 | Identity and Access Management | Do not setup access keys during initial user setup for all IAM users that have a console password | ✅ | Automated |
1.12 | Identity and Access Management | Ensure credentials unused for 45 days or greater are disabled | ✅ | Automated |
1.13 | Identity and Access Management | Ensure there is only one active access key available for any single IAM user | ✅ | Automated |
1.14 | Identity and Access Management | Ensure access keys are rotated every 90 days or less | ✅ | Automated |
1.15 | Identity and Access Management | Ensure IAM Users Receive Permissions Only Through Groups | ✅ | Automated |
1.16 | Identity and Access Management | Ensure IAM policies that allow full "\*:\*" administrative privileges are not attached | ✅ | Automated |
1.17 | Identity and Access Management | Ensure a support role has been created to manage incidents with AWS Support | ✅ | Automated |
1.18 | Identity and Access Management | Ensure IAM instance roles are used for AWS resource access from instances | ❌ | Manual |
1.19 | Identity and Access Management | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | ✅ | Automated |
1.20 | Identity and Access Management | Ensure that IAM Access analyzer is enabled for all regions | ✅ | Automated |
1.21 | Identity and Access Management | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | ❌ | Manual |
2.1.1 | Simple Storage Service (S3) | Ensure all S3 buckets employ encryption-at-rest | ✅ | Automated |
2.1.2 | Simple Storage Service (S3) | Ensure S3 Bucket Policy is set to deny HTTP requests | ✅ | Automated |
2.1.3 | Simple Storage Service (S3) | Ensure MFA Delete is enabled on S3 buckets | ✅ | Automated |
2.1.4 | Simple Storage Service (S3) | Ensure all data in Amazon S3 has been discovered, classified and secured when required. | ❌ | Manual |
2.1.5 | Simple Storage Service (S3) | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | ✅ | Automated |
2.2.1 | Elastic Compute Cloud (EC2) | Ensure EBS Volume Encryption is Enabled in all Regions | ✅ | Automated |
2.3.1 | Relational Database Service (RDS) | Ensure that encryption is enabled for RDS Instances | ✅ | Automated |
2.3.2 | Relational Database Service (RDS) | Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances | ✅ | Automated |
2.3.3 | Relational Database Service (RDS) | Ensure that public access is not given to RDS Instance | ✅ | Automated |
2.4.1 | Elastic File System (EFS) | Ensure that encryption is enabled for EFS file systems | ❌ | Manual |
3.1 | Logging | Ensure CloudTrail is enabled in all regions | ✅ | Automated |
3.2 | Logging | Ensure CloudTrail log file validation is enabled | ✅ | Automated |
3.3 | Logging | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | ✅ | Automated |
3.4 | Logging | Ensure CloudTrail trails are integrated with CloudWatch Logs | ✅ | Automated |
3.5 | Logging | Ensure AWS Config is enabled in all regions | ✅ | Automated |
3.6 | Logging | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | ✅ | Automated |
3.7 | Logging | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | ✅ | Automated |
3.8 | Logging | Ensure rotation for customer created symmetric CMKs is enabled | ✅ | Automated |
3.9 | Logging | Ensure VPC flow logging is enabled in all VPCs | ✅ | Automated |
3.10 | Logging | Ensure that Object-level logging for write events is enabled for S3 bucket | ✅ | Automated |
3.11 | Logging | Ensure that Object-level logging for read events is enabled for S3 bucket | ✅ | Automated |
4.1 | Monitoring | Ensure a log metric filter and alarm exist for unauthorized API calls | ✅ | Automated |
4.2 | Monitoring | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | ✅ | Automated |
4.3 | Monitoring | Ensure a log metric filter and alarm exist for usage of 'root' account | ✅ | Automated |
4.4 | Monitoring | Ensure a log metric filter and alarm exist for IAM policy changes | ✅ | Automated |
4.5 | Monitoring | Ensure a log metric filter and alarm exist for CloudTrail configuration changes | ✅ | Automated |
4.6 | Monitoring | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | ✅ | Automated |
4.7 | Monitoring | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | ✅ | Automated |
4.8 | Monitoring | Ensure a log metric filter and alarm exist for S3 bucket policy changes | ✅ | Automated |
4.9 | Monitoring | Ensure a log metric filter and alarm exist for AWS Config configuration changes | ✅ | Automated |
4.10 | Monitoring | Ensure a log metric filter and alarm exist for security group changes | ✅ | Automated |
4.11 | Monitoring | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | ✅ | Automated |
4.12 | Monitoring | Ensure a log metric filter and alarm exist for changes to network gateways | ✅ | Automated |
4.13 | Monitoring | Ensure a log metric filter and alarm exist for route table changes | ✅ | Automated |
4.14 | Monitoring | Ensure a log metric filter and alarm exist for VPC changes | ✅ | Automated |
4.15 | Monitoring | Ensure a log metric filter and alarm exists for AWS Organizations changes | ✅ | Automated |
4.16 | Monitoring | Ensure AWS Security Hub is enabled | ✅ | Automated |
5.1 | Networking | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | ✅ | Automated |
5.2 | Networking | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | ✅ | Automated |
5.3 | Networking | Ensure no security groups allow ingress from ::/0 to remote server administration ports | ✅ | Automated |
5.4 | Networking | Ensure the default security group of every VPC restricts all traffic | ✅ | Automated |
5.5 | Networking | Ensure routing tables for VPC peering are "least access" | ❌ | Manual |
Rule Number | Section | Description | Status | Type |
---|---|---|---|---|
1.1 | Identity and Access Management | Ensure that Corporate Login Credentials are Used | ❌ | Manual |
1.2 | Identity and Access Management | Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | ❌ | Manual |
1.3 | Identity and Access Management | Ensure that Security Key Enforcement is Enabled for All Admin Accounts | ❌ | Manual |
1.4 | Identity and Access Management | Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account | ✅ | Automated |
1.5 | Identity and Access Management | Ensure That Service Account Has No Admin Privileges | ✅ | Automated |
1.6 | Identity and Access Management | Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | ✅ | Automated |
1.7 | Identity and Access Management | Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | ✅ | Automated |
1.8 | Identity and Access Management | Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | ✅ | Automated |
1.9 | Identity and Access Management | Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible | ✅ | Automated |
1.10 | Identity and Access Management | Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | ✅ | Automated |
1.11 | Identity and Access Management | Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | ✅ | Automated |
1.12 | Identity and Access Management | Ensure API Keys Only Exist for Active Services | ✅ | Automated |
1.13 | Identity and Access Management | Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps | ❌ | Manual |
1.14 | Identity and Access Management | Ensure API Keys Are Restricted to Only APIs That Application Needs Access | ✅ | Automated |
1.15 | Identity and Access Management | Ensure API Keys Are Rotated Every 90 Days | ✅ | Automated |
1.16 | Identity and Access Management | Ensure Essential Contacts is Configured for Organization | ❌ | Automated |
1.17 | Identity and Access Management | Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | ✅ | Automated |
1.18 | Identity and Access Management | Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager | ❌ | Manual |
2.1 | Logging and Monitoring | Ensure That Cloud Audit Logging Is Configured Properly | ✅ | Automated |
2.2 | Logging and Monitoring | Ensure That Sinks Are Configured for All Log Entries | ✅ | Automated |
2.3 | Logging and Monitoring | Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | ✅ | Automated |
2.4 | Logging and Monitoring | Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes | ✅ | Automated |
2.5 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes | ✅ | Automated |
2.6 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes | ✅ | Automated |
2.7 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes | ✅ | Automated |
2.8 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes | ✅ | Automated |
2.9 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes | ✅ | Automated |
2.10 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | ✅ | Automated |
2.11 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes | ✅ | Automated |
2.12 | Logging and Monitoring | Ensure That Cloud DNS Logging Is Enabled for All VPC Networks | ✅ | Automated |
2.13 | Logging and Monitoring | Ensure Cloud Asset Inventory Is Enabled | ✅ | Automated |
2.14 | Logging and Monitoring | Ensure 'Access Transparency' is 'Enabled' | ❌ | Manual |
2.15 | Logging and Monitoring | Ensure 'Access Approval' is 'Enabled' | ❌ | Automated |
2.16 | Logging and Monitoring | Ensure Logging is enabled for HTTP(S) Load Balancer | ✅ | Automated |
3.1 | Networking | Ensure That the Default Network Does Not Exist in a Project | ✅ | Automated |
3.10 | Networking | Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses Is 'Allowed' | ❌ | Manual |
3.2 | Networking | Ensure Legacy Networks Do Not Exist for Older Projects | ✅ | Automated |
3.3 | Networking | Ensure That DNSSEC Is Enabled for Cloud DNS | ✅ | Automated |
3.4 | Networking | Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | ✅ | Automated |
3.5 | Networking | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | ✅ | Automated |
3.6 | Networking | Ensure That SSH Access Is Restricted From the Internet | ✅ | Automated |
3.7 | Networking | Ensure That RDP Access Is Restricted From the Internet | ✅ | Automated |
3.8 | Networking | Ensure That VPC Flow Logs Are Enabled for Every Subnet in a VPC Network | ✅ | Automated |
3.9 | Networking | Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites | ❌ | Manual |
4.1 | Virtual Machines | Ensure That Instances Are Not Configured To Use the Default Service Account | ✅ | Automated |
4.10 | Virtual Machines | Ensure That App Engine Applications Enforce HTTPS Connections | ❌ | Manual |
4.11 | Virtual Machines | Ensure That Compute Instances Have Confidential Computing Enabled | ✅ | Automated |
4.12 | Virtual Machines | Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects | ❌ | Manual |
4.2 | Virtual Machines | Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | ✅ | Automated |
4.3 | Virtual Machines | Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances | ✅ | Automated |
4.4 | Virtual Machines | Ensure OS Login Is Enabled for a Project | ✅ | Automated |
4.5 | Virtual Machines | Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instances | ✅ | Automated |
4.6 | Virtual Machines | Ensure That IP Forwarding Is Not Enabled on Instances | ✅ | Automated |
4.7 | Virtual Machines | Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | ✅ | Automated |
4.8 | Virtual Machines | Ensure Compute Instances Are Launched With Shielded VM Enabled | ✅ | Automated |
4.9 | Virtual Machines | Ensure That Compute Instances Do Not Have Public IP Addresses | ✅ | Automated |
5.1 | Storage | Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible | ✅ | Automated |
5.2 | Storage | Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled | ✅ | Automated |
6.1.1 | MySQL Database | Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges | ❌ | Manual |
6.1.2 | MySQL Database | Ensure the 'skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' | ✅ | Automated |
6.1.3 | MySQL Database | Ensure That the 'local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' | ✅ | Automated |
6.2.1 | PostgreSQL Database | Ensure the 'log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | ✅ | Automated |
6.2.2 | PostgreSQL Database | Ensure That the 'log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | ✅ | Automated |
6.2.3 | PostgreSQL Database | Ensure That the 'log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | ✅ | Automated |
6.2.4 | PostgreSQL Database | Ensure the 'log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately | ✅ | Automated |
6.2.5 | PostgreSQL Database | Ensure That the 'log_min_messages' Flag for a Cloud SQL PostgreSQL Instance Is Set at Minimum to 'Warning' | ✅ | Automated |
6.2.6 | PostgreSQL Database | Ensure the 'log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter | ✅ | Automated |
6.2.7 | PostgreSQL Database | Ensure That the 'log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled) | ✅ | Automated |
6.2.8 | PostgreSQL Database | Ensure That the 'cloudsql.enable_pgaudit' Database Flag for Each Cloud SQL PostgreSQL Instance Is Set to 'on' for Centralized Logging | ✅ | Automated |
6.2.9 | PostgreSQL Database | Ensure Instance IP assignment is set to private | ✅ | Automated |
6.3.1 | SQL Server | Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' | ✅ | Automated |
6.3.2 | SQL Server | Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' | ✅ | Automated |
6.3.3 | SQL Server | Ensure the 'user connections' Database Flag for Cloud SQL SQL Server Instance Is Set to a Non-limiting Value | ✅ | Automated |
6.3.4 | SQL Server | Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured | ✅ | Automated |
6.3.5 | SQL Server | Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' | ✅ | Automated |
6.3.6 | SQL Server | Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' | ✅ | Automated |
6.3.7 | SQL Server | Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' | ✅ | Automated |
6.4 | Cloud SQL Database Services | Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL | ✅ | Automated |
6.5 | Cloud SQL Database Services | Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses | ✅ | Automated |
6.6 | Cloud SQL Database Services | Ensure That Cloud SQL Database Instances Do Not Have Public IPs | ✅ | Automated |
6.7 | Cloud SQL Database Services | Ensure That Cloud SQL Database Instances Are Configured With Automated Backups | ✅ | Automated |
7.1 | BigQuery | Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible | ✅ | Automated |
7.2 | BigQuery | Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | ✅ | Automated |
7.3 | BigQuery | Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets | ✅ | Automated |

Rule Number | Section | Description | Status | Type |
---|---|---|---|---|
1.1.1 | Security Defaults | Ensure Security Defaults is enabled on Azure Active Directory | ❌ | Manual |
1.1.2 | Security Defaults | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | ❌ | Manual |
1.1.3 | Security Defaults | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | ❌ | Manual |
1.1.4 | Security Defaults | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled | ❌ | Manual |
1.10 | Identity and Access Management | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | ❌ | Manual |
1.11 | Identity and Access Management | Ensure 'User consent for applications' Is Set to 'Do not allow user consent' | ❌ | Manual |
1.12 | Identity and Access Management | Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' | ❌ | Manual |
1.13 | Identity and Access Management | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | ❌ | Manual |
1.14 | Identity and Access Management | Ensure That 'Users Can Register Applications' Is Set to 'No' | ❌ | Manual |
1.15 | Identity and Access Management | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | ❌ | Manual |
1.16 | Identity and Access Management | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | ❌ | Manual |
1.17 | Identity and Access Management | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | ❌ | Manual |
1.18 | Identity and Access Management | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | ❌ | Manual |
1.19 | Identity and Access Management | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | ❌ | Manual |
1.2.1 | Conditional Access | Ensure Trusted Locations Are Defined | ❌ | Manual |
1.2.2 | Conditional Access | Ensure that an exclusionary Geographic Access Policy is considered | ❌ | Manual |
1.2.3 | Conditional Access | Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | ❌ | Manual |
1.2.4 | Conditional Access | Ensure that A Multi-factor Authentication Policy Exists for All Users | ❌ | Manual |
1.2.5 | Conditional Access | Ensure Multi-factor Authentication is Required for Risky Sign-ins | ❌ | Manual |
1.2.6 | Conditional Access | Ensure Multi-factor Authentication is Required for Azure Management | ❌ | Manual |
1.20 | Identity and Access Management | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | ❌ | Manual |
1.21 | Identity and Access Management | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | ❌ | Manual |
1.22 | Identity and Access Management | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | ❌ | Manual |
1.23 | Identity and Access Management | Ensure That No Custom Subscription Administrator Roles Exist | ❌ | Automated |
1.24 | Identity and Access Management | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | ❌ | Manual |
1.25 | Identity and Access Management | Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' | ❌ | Manual |
1.3 | Identity and Access Management | Ensure that 'Users can create Azure AD Tenants' is set to 'No' | ❌ | Automated |
1.4 | Identity and Access Management | Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management | ❌ | Manual |
1.5 | Identity and Access Management | Ensure Guest Users Are Reviewed on a Regular Basis | ❌ | Manual |
1.6 | Identity and Access Management | Ensure That 'Number of methods required to reset' is set to '2' | ❌ | Manual |
1.7 | Identity and Access Management | Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization | ❌ | Manual |
1.8 | Identity and Access Management | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | ❌ | Manual |
1.9 | Identity and Access Management | Ensure that 'Notify users on password resets?' is set to 'Yes' | ❌ | Manual |
10.1 | Miscellaneous | Ensure that Resource Locks are set for Mission-Critical Azure Resources | ❌ | Manual |
2.1.1 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Servers Is Set to 'On' | ❌ | Manual |
2.1.10 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | ❌ | Manual |
2.1.11 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for DNS Is Set To 'On' | ❌ | Manual |
2.1.12 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | ❌ | Manual |
2.1.13 | Microsoft Defender for Cloud | Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' | ❌ | Manual |
2.1.14 | Microsoft Defender for Cloud | Ensure That None of the ASC Default Policy Settings Is Set to 'Disabled' | ❌ | Manual |
2.1.15 | Microsoft Defender for Cloud | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | ❌ | Automated |
2.1.16 | Microsoft Defender for Cloud | Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | ❌ | Manual |
2.1.17 | Microsoft Defender for Cloud | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | ❌ | Manual |
2.1.18 | Microsoft Defender for Cloud | Ensure That 'All users with the following roles' is set to 'Owner' | ❌ | Automated |
2.1.19 | Microsoft Defender for Cloud | Ensure 'Additional email addresses' is Configured with a Security Contact Email | ❌ | Automated |
2.1.2 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for App Services Is Set To 'On' | ❌ | Manual |
2.1.20 | Microsoft Defender for Cloud | Ensure That 'Notify about alerts with the following severity' is Set to 'High' | ❌ | Automated |
2.1.21 | Microsoft Defender for Cloud | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | ❌ | Manual |
2.1.22 | Microsoft Defender for Cloud | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | ❌ | Manual |
2.1.3 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Databases Is Set To 'On' | ❌ | Manual |
2.1.4 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | ❌ | Manual |
2.1.5 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | ❌ | Manual |
2.1.6 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | ❌ | Manual |
2.1.7 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Storage Is Set To 'On' | ❌ | Manual |
2.1.8 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Containers Is Set To 'On' | ❌ | Manual |
2.1.9 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' | ❌ | Manual |
2.2.1 | Microsoft Defender for IoT | Ensure That Microsoft Defender for IoT Hub Is Set To 'On' | ❌ | Manual |
3.1 | Storage Accounts | Ensure that 'Secure transfer required' is set to 'Enabled' | ✅ | Automated |
3.10 | Storage Accounts | Ensure Private Endpoints are used to access Storage Accounts | ✅ | Automated |
3.11 | Storage Accounts | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | ❌ | Automated |
3.12 | Storage Accounts | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | ❌ | Manual |
3.13 | Storage Accounts | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | ❌ | Automated |
3.14 | Storage Accounts | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | ❌ | Automated |
3.15 | Storage Accounts | Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | ✅ | Automated |
3.2 | Storage Accounts | Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' | ✅ | Automated |
3.3 | Storage Accounts | Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | ❌ | Manual |
3.4 | Storage Accounts | Ensure that Storage Account Access Keys are Periodically Regenerated | ❌ | Manual |
3.5 | Storage Accounts | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | ❌ | Automated |
3.6 | Storage Accounts | Ensure that Shared Access Signature Tokens Expire Within an Hour | ❌ | Manual |
3.7 | Storage Accounts | Ensure that 'Public access level' is disabled for storage accounts with blob containers | ✅ | Automated |
3.8 | Storage Accounts | Ensure Default Network Access Rule for Storage Accounts is Set to Deny | ✅ | Automated |
3.9 | Storage Accounts | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | ✅ | Automated |
4.1.1 | SQL Server - Auditing | Ensure that 'Auditing' is set to 'On' | ❌ | Automated |
4.1.2 | SQL Server - Auditing | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | ✅ | Automated |
4.1.3 | SQL Server - Auditing | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | ❌ | Automated |
4.1.4 | SQL Server - Auditing | Ensure that Azure Active Directory Admin is Configured for SQL Servers | ✅ | Automated |
4.1.5 | SQL Server - Auditing | Ensure that 'Data encryption' is set to 'On' on a SQL Database | ❌ | Automated |
4.1.6 | SQL Server - Auditing | Ensure that 'Auditing' Retention is 'greater than 90 days' | ❌ | Automated |
4.2.1 | SQL Server - Microsoft Defender for SQL | Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | ❌ | Automated |
4.2.2 | SQL Server - Microsoft Defender for SQL | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | ❌ | Automated |
4.2.3 | SQL Server - Microsoft Defender for SQL | Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | ❌ | Automated |
4.2.4 | SQL Server - Microsoft Defender for SQL | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | ❌ | Automated |
4.2.5 | SQL Server - Microsoft Defender for SQL | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | ❌ | Automated |
4.3.1 | PostgreSQL Database Server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | ✅ | Automated |
4.3.2 | PostgreSQL Database Server | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | ❌ | Automated |
4.3.3 | PostgreSQL Database Server | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | ❌ | Automated |
4.3.4 | PostgreSQL Database Server | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | ❌ | Automated |
4.3.5 | PostgreSQL Database Server | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | ❌ | Automated |
4.3.6 | PostgreSQL Database Server | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | ❌ | Automated |
4.3.7 | PostgreSQL Database Server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | ❌ | Automated |
4.3.8 | PostgreSQL Database Server | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | ❌ | Automated |
4.4.1 | MySQL Database | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | ✅ | Automated |
4.4.2 | MySQL Database | Ensure 'TLS Version' is set to 'TLSv1.2' for MySQL Flexible Database Server | ❌ | Automated |
4.4.3 | MySQL Database | Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server | ❌ | Manual |
4.4.4 | MySQL Database | Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server | ❌ | Manual |
4.5.1 | Cosmos DB | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | ✅ | Automated |
4.5.2 | Cosmos DB | Ensure That Private Endpoints Are Used Where Possible | ❌ | Manual |
4.5.3 | Cosmos DB | Use Azure Active Directory (AAD) Client Authentication and Azure RBAC Where Possible | ❌ | Manual |
5.1.1 | Configuring Diagnostic Settings | Ensure that a 'Diagnostic Setting' exists | ❌ | Manual |
5.1.2 | Configuring Diagnostic Settings | Ensure Diagnostic Setting captures appropriate categories | ❌ | Automated |
5.1.3 | Configuring Diagnostic Settings | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | ❌ | Automated |
5.1.4 | Configuring Diagnostic Settings | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | ❌ | Automated |
5.1.5 | Configuring Diagnostic Settings | Ensure that logging for Azure Key Vault is 'Enabled' | ❌ | Automated |
5.1.6 | Configuring Diagnostic Settings | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | ❌ | Manual |
5.1.7 | Configuring Diagnostic Settings | Ensure that logging for Azure AppService 'HTTP logs' is enabled | ❌ | Manual |
5.2.1 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Create Policy Assignment | ✅ | Automated |
5.2.10 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Delete Public IP Address rule | ✅ | Automated |
5.2.2 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Delete Policy Assignment | ✅ | Automated |
5.2.3 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Create or Update Network Security Group | ✅ | Automated |
5.2.4 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Delete Network Security Group | ✅ | Automated |
5.2.5 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Create or Update Security Solution | ✅ | Automated |
5.2.6 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Delete Security Solution | ✅ | Automated |
5.2.7 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | ✅ | Automated |
5.2.8 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | ✅ | Automated |
5.2.9 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | ✅ | Automated |
5.3.1 | Configuring Application Insights | Ensure Application Insights are Configured | ❌ | Automated |
5.4 | Logging and Monitoring | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | ❌ | Manual |
5.5 | Logging and Monitoring | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | ✅ | Automated |
6.1 | Networking | Ensure that RDP access from the Internet is evaluated and restricted | ❌ | Automated |
6.2 | Networking | Ensure that SSH access from the Internet is evaluated and restricted | ❌ | Automated |
6.3 | Networking | Ensure that UDP access from the Internet is evaluated and restricted | ❌ | Automated |
6.4 | Networking | Ensure that HTTP(S) access from the Internet is evaluated and restricted | ❌ | Automated |
6.5 | Networking | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | ✅ | Automated |
6.6 | Networking | Ensure that Network Watcher is 'Enabled' | ✅ | Automated |
6.7 | Networking | Ensure that Public IP addresses are Evaluated on a Periodic Basis | ❌ | Manual |
7.1 | Virtual Machines | Ensure an Azure Bastion Host Exists | ✅ | Automated |
7.2 | Virtual Machines | Ensure Virtual Machines are utilizing Managed Disks | ✅ | Automated |
7.3 | Virtual Machines | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | ✅ | Automated |
7.4 | Virtual Machines | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | ✅ | Automated |
7.5 | Virtual Machines | Ensure that Only Approved Extensions Are Installed | ❌ | Manual |
7.6 | Virtual Machines | Ensure that Endpoint Protection for all Virtual Machines is installed | ❌ | Manual |
7.7 | Virtual Machines | [Legacy] Ensure that VHDs are Encrypted | ❌ | Manual |
8.1 | Key Vault | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | ❌ | Automated |
8.2 | Key Vault | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults | ❌ | Automated |
8.3 | Key Vault | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | ❌ | Automated |
8.4 | Key Vault | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | ❌ | Automated |
8.5 | Key Vault | Ensure the Key Vault is Recoverable | ✅ | Automated |
8.6 | Key Vault | Enable Role Based Access Control for Azure Key Vault | ❌ | Manual |
8.7 | Key Vault | Ensure that Private Endpoints are Used for Azure Key Vault | ❌ | Manual |
8.8 | Key Vault | Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | ❌ | Manual |
9.1 | AppService | Ensure App Service Authentication is set up for apps in Azure App Service | ❌ | Automated |
9.10 | AppService | Ensure FTP deployments are Disabled | ❌ | Automated |
9.11 | AppService | Ensure Azure Key Vaults are Used to Store Secrets | ❌ | Manual |
9.2 | AppService | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | ❌ | Automated |
9.3 | AppService | Ensure Web App is using the latest version of TLS encryption | ❌ | Automated |
9.4 | AppService | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | ✅ | Automated |
9.5 | AppService | Ensure that Register with Azure Active Directory is enabled on App Service | ❌ | Automated |
9.6 | AppService | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | ❌ | Manual |
9.7 | AppService | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | ❌ | Manual |
9.8 | AppService | Ensure that 'Java version' is the latest, if used to run the Web App | ❌ | Manual |
9.9 | AppService | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | ❌ | Automated |