Account Does Not Have Auto Scaling Groups | Checks whether an AWS account that has EC2 instances includes at least one Auto Scaling group. This reduces attacker dwell time, increases resiliency, and improves vulnerability management.... | AWS | Account | | | CSMM v1 WKL-03.2 | 1 | Custom::AWS::Account | | |
Account Does Not Have An Incident Response Admin Role | Checks that an AWS account has at least one full admin role for incident responders to use during critical incidents.... | AWS | Account | The name of the admin role for incident responders. | | CSMM v1 IR-04.3 | 1 | Custom::AWS::Account | | |
Account Does Not Have An Incident Response Reader Role | Checks that an AWS account has at least one full read-only role for incident responders to use during critical incidents.... | AWS | Account | The name of the reader role for incident responders. | | CSMM v1 IR-03.2 | 1 | Custom::AWS::Account | | |
Most Compute Workloads Are Not Serverless or Autoscaled | Most compute workloads, including instances and containers, are autoscaled. Autoscaling is a cloud-native architectural pattern that increases resiliency of running workloads. Autoscaling can be i... | AWS | Account | | | CSMM v1 BCR-04.1 | 2 | Custom::AWS::Account | | |
Accounts Are Not Used To Manage Blast Radius | Multiple accounts should be used within a hierarchical structure (multiple OUs) to reduce the impact of security issues within any single account.... | AWS | Account | | | CSMM v1 ORM-04.1 | 2 | Custom::AWS::Account | | |
Service Control Policies Are Not Adequately Used Within AWS Organizations | Service Control Policies (SCPs) are essential for centrally managing permissions across all accounts in your organization, acting as guardrails that limit the actions administrators can delegate to IA... | AWS | Account | | | CSMM v1 ORM-04.2 | 2 | Custom::AWS::Account | | |
Macie Is Not Enabled | Checks that an AWS account has AWS Macie enabled.... | AWS | Account | | | CSMM v1 DAT-05.1 | 1 | Custom::AWS::Account | | |
Account Does Not Have Properly Configured Service Control Policies | Checks whether the following conditions are met: * An SCP for the account exists and denies certain regions * An SCP for the account exists and denies more than 3 services ... | AWS | Account | | | CSMM v1 CA-04.2 | 2 | Custom::AWS::Account | | |
Account Does Not Have Sufficient Security Sources Enabled | Checks that more than 3 of the following security sources are enabled: * S3 data events * Lambda data events * Security Hub * Access Analyzer * VPC Flow Logs * Config * Security Lake * AWS WAF Log... | AWS | Account | | | CSMM v1 LOG-04.1 | 1 | Custom::AWS::Account | | |
Identity Provider Is Not In Use | This is an informational check that determines if any identity providers are in use. This information is used in CSMM controls.... | AWS | Account | | | CSMM v1 IAM-02.2 | 1 | Custom::AWS::Account | Custom::AWS::IAM::IdentityCenter, AWS::IAM::OIDCProvider, AWS::IAM::SAMLProvider | |
Fault Injection Simulator Is Not Used In Account | This check determines if FIS is in use in an account to provide continuous security monitoring against malicious or unauthorized activity. Enabling FIS enhances threat detection and helps safeguard AW... | AWS | FIS | | | CSMM v1 BCR-05.2 | 1 | Custom::AWS::Account | AWS::Fis::Experiment | |
ACM Certificate Pending Validation | There is an SSL/TLS certificate present that is in renewal state "Pending Validation." This condition arises when the ACM service has not yet been able to validate one or more domain names in the cert... | AWS | ACM | | | | 2 | AWS::CertificateManager::Certificate | | |
ACM Certificate Has Transparency Logs Disabled | ACM Certificate Transparency logging is required by Google Chrome and other browsers. Although enabled by default, it can be disabled on a per-certificate basis. This could be problematic for certi... | AWS | ACM | | | | 3 | AWS::CertificateManager::Certificate | | |
ACM Certificate To Expire In Specific Days Or Less | Amazon Certificate Manager certificates may expire without active intervention. This could potentially break existing application and service functionality. This finding will trigger 1 week before ... | AWS | ACM | | | ACM.1 | 4 | AWS::CertificateManager::Certificate | | |
ACM Managed RSA Certificate Does Not Use Key Bit Length Of 2048 Or Larger | This check evaluates AWS Certificate Manager-managed RSA certificates to ensure that their key length is a minimum of 2,048 bits. Failure of the control occurs when the key length falls below the 2... | AWS | ACM | | | | 4 | AWS::CertificateManager::Certificate | | |
API Gateway API Key Needs to Be Rotated | Changing API Gateway API keys on a regular schedule is a well-known security best practice because it shortens the period an access key is active and therefore reduces the business impact if it is com... | AWS | API Gateway | Max API key age in days | | | 3 | AWS::ApiGateway::ApiKey | | |
API Gateway Endpoint is Public | Checks if API Gateway endpoint configuration is private or not. API Gateway endpoints should only be accessible over the Internet if required. API endpoints are a common attack vector and, genera... | AWS | API Gateway | | | | 3 | AWS::ApiGateway::RestApi | | |
API Gateway Client Certificate is Disabled | Checks whether the API Gateway Stage has client certificates enabled for accessing your backend endpoint. API Gateways support the use of client certificates for specific APIs and stages. These a... | AWS | API Gateway | | | APIGateway.2 | 3 | AWS::ApiGateway::RestApi | | |
API Gateway Logging is Disabled | Checks if API Gateway Stage has logging enabled. API Gateway supports both execution and access logging. Without logging enabled, service usage monitoring becomes impossible. To achieve real-tim... | AWS | API Gateway | | | APIGateway.1 | 3 | AWS::ApiGateway::RestApi | | |
API Gateway Authorizer is not Enabled | An API Gateway without an authorizer allows connections to potentially trigger any of the supported APIs. Unless other API authorization techniques are used behind the API Gateway this could allow ... | AWS | API Gateway | | | | 3 | AWS::ApiGateway::RestApi | | |
API Gateway Does Not Have WAF ACL Attached | Checks if API Gateway Stage has a WAF ACL attached. Amazon supports protecting API Gateways with the AWS WAF. This is especially important for Internet-accessible API endpoints. However, you may ... | AWS | API Gateway | | | APIGateway.4, CSMM v1 APP-03.3 | 3 | AWS::ApiGateway::RestApi | | |
API Gateway REST API Stage Does Not Have X-Ray Tracing Enabled | This check assesses whether active tracing with AWS X-Ray is turned on for the stages within your Amazon API Gateway REST API. Enabling X-Ray active tracing allows for a quicker response to fluctua... | AWS | API Gateway | | | APIGateway.3 | 3 | AWS::ApiGateway::RestApi | | |
API Gateway REST API Cache Data Is Not Encrypted | This checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The check fails if any method in an API Gateway REST API stage is configured to cache and the cach... | AWS | API Gateway | | | APIGateway.5 | 3 | AWS::ApiGateway::RestApi | | |
API Gateway V2 Does Not Have Access Logging Enabled | This check verifies whether access logging is configured for stages within Amazon API Gateway V2. The control reports a failure if access log settings are not defined. Access logs in API Gateway... | AWS | API Gateway V2 | | | APIGateway.9 | 3 | AWS::ApiGatewayV2::Api | | |
Athena Data Catalog Is Not Tagged | This check ensures that an AWS Athena DataCatalog has tags with the specific keys defined in the parameter Required Tag Keys. The control fails if the DataCatalog doesn't have any tag keys or if it ... | AWS | Athena | Required Tag Keys | | Athena.2 | 3 | AWS::Athena::DataCatalog | | |
Athena Workgroup Is Not Encrypted At Rest | UPDATE: Security Hub retired this control and removed it from all standards. Athena workgroups send logs to Amazon Simple Storage Service (Amazon S3) buckets. Amazon S3 now provides default encryption... | AWS | Athena | | | | 1 | AWS::Athena::WorkGroup | | |
Athena Workgroup Configuration Is Not Enforced | This Athena WorkGroup does not enforce the workgroup configuration, so it can be overridden by the client-side settings.... | AWS | Athena | | | | 3 | AWS::Athena::WorkGroup | | |
Athena WorkGroup Does Not Have CloudWatch Logging Enabled | Enabling logging for a workgroup provides valuable insights into query activity, including user actions, query execution details, and potential security events. Without logging enabled, it can be diff... | AWS | Athena | | | Athena.4 | 3 | AWS::Athena::WorkGroup | | |
Athena WorkGroup Is Not Tagged | This check ensures that an AWS Athena WorkGroup has tags with the specific keys defined in the parameter Required Tag Keys. The control fails if the WorkGroup doesn't have any tag keys or if it does... | AWS | Athena | Required Tag Keys | | Athena.3 | 3 | AWS::Athena::WorkGroup | | |
ELB Healthcheck not Enabled for Auto Scaling Group | Elastic Load Balancing automatically distributes your incoming application traffic across your EC2 instances. ELBs (and classic load balancers) can be attached to your Auto Scaling group. By default... | AWS | Auto Scaling | | PCI DSS 2.2 | AutoScaling.1 | 1 | AWS::AutoScaling::AutoScalingGroup | | |
Auto Scaling Group Does Not Cover Multiple Availability Zones | This check assesses whether an Auto Scaling group extends across various Availability Zones. The assessment results in failure if the Auto Scaling group lacks presence in multiple Availability Zone... | AWS | Auto Scaling | | | CSMM v1 BCR-02.1, AutoScaling.2 | 3 | AWS::AutoScaling::AutoScalingGroup | | |
Auto Scaling Group Launch Configuration Does Not Require IMDSv2 | This check verifies that IMDSv2 is enabled on every instance launched through Amazon EC2 Auto Scaling groups. The check fails if the launch configuration lacks the Ins... | AWS | Auto Scaling | | | AutoScaling.3 | 4 | AWS::AutoScaling::LaunchConfiguration | | |
Auto Scaling Group Launch Configuration Has Metadata Response Hop Limit Greater Than 1 | UPDATE: Security Hub retired this control and removed it from all standards. Metadata response hop limits for Amazon Elastic Compute Cloud (Amazon EC2) instances are workload dependent. This con... | AWS | Auto Scaling | | | | 1 | AWS::AutoScaling::LaunchConfiguration | | |
Auto Scaling Group Does Not Use EC2 Launch Template | This check assesses whether an Amazon EC2 Auto Scaling group has been generated using an EC2 launch template. The check does not pass if an Amazon EC2 Auto Scaling group is formed without a launch ... | AWS | Auto Scaling | | | AutoScaling.9 | 3 | AWS::AutoScaling::AutoScalingGroup | | |
Auto Scaling Group Does Not Use Multiple Instance Types Across Multiple AZs | This check verifies if an Amazon EC2 Auto Scaling group employs diverse instance types. The check does not pass if the Auto Scaling group is configured with only a single instance type. Boosting... | AWS | Auto Scaling | | | AutoScaling.6 | 3 | AWS::AutoScaling::AutoScalingGroup | | |
Auto Scaling Group Launch Configuration Has Public IP Address | This control checks whether an Auto Scaling group's associated launch configuration assigns a public IP address to the group's instances. Amazon EC2 instances in an Auto Scaling group launch configura... | AWS | Auto Scaling | | | AutoScaling.5 | 4 | AWS::AutoScaling::LaunchConfiguration | | |
Backup Plan Does Not Copy Vaults Cross-Region | Checks that an AWS Backup Plan includes a rule that copies the vault to a different region for resilience.... | AWS | Backup | | | CSMM v1 BCR-04.3 | 1 | AWS::Backup::BackupPlan | | |
CloudFormation Stack Does Not Have Termination Protection Enabled | Enable termination protection for CloudFormation stacks to prevent accidental deletion of critical resources. Termination protection acts as a safeguard, ensuring that essential stacks are not m... | AWS | CloudFormation | | | | 3 | AWS::CloudFormation::Stack | | |
CloudFormation Stack Is Not Integrated With SNS | UPDATE: Per AWS, integrating AWS CloudFormation stacks with Amazon SNS topics is no longer a security best practice. This check assesses the presence of an Amazon Simple Notification Service (SNS... | AWS | CloudFormation | | | | 1 | AWS::CloudFormation::Stack | | |
CloudFront Distribution Does Not Have Field-Level Encryption Enabled | Ensure that CloudFront distributions have Field Level Encryption (FLE) enabled, which enables you to safeguard specific data during system processing, granting access only to authorized application... | AWS | CloudFront | | | CloudFront.3 | 2 | AWS::CloudFront::Distribution | | |
CloudFront Distribution Does Not Have Geo-Restrictions Enabled | Verify whether Geo restrictions are enabled in CloudFront distributions. These restrictions are essential to comply with legal or regulatory requirements that mandate service access limitations in ... | AWS | CloudFront | | | | 2 | AWS::CloudFront::Distribution | | |
CloudFront Distribution Does Not Have HTTPS Enabled | Ensure that CloudFront distributions are configured to use HTTPS. Failure to enable HTTPS can lead to the exposure of sensitive information during transit, posing risks such as surveillance and oth... | AWS | CloudFront | | | CloudFront.8 | 3 | AWS::CloudFront::Distribution | | |
CloudFront Distribution Does Not Have Logging Enabled | Checks whether logging is enabled for CloudFront distributions. If logging is not enabled, monitoring the usage of the service becomes impossible. To achieve real-time monitoring, you can direct Cl... | AWS | CloudFront | | | CloudFront.5 | 3 | AWS::CloudFront::Distribution | | |
CloudFront Distribution Is Using Deprecated SSL | This check examines if CloudFront distributions are employing outdated SSL protocols, which might compromise the security of data during transmission. It's advisable to adopt a security policy t... | AWS | CloudFront | | | CloudFront.10 | 2 | AWS::CloudFront::Distribution | | |
CloudFront Distribution Is Not Using WAF | Check whether CloudFront distributions are utilizing AWS WAF. The presence of potential attacks or misuse of the service becomes more pronounced, especially for internet-facing applications. Employ... | AWS | CloudFront | | | CSMM v1 APP-03.3, CloudFront.6 | 3 | AWS::CloudFront::Distribution | | |
CloudFront Distribution Has Origin Access Control Enabled | This check verifies the presence of origin access control (OAC) in an Amazon CloudFront distribution linked to an Amazon S3 origin. Failure occurs if OAC is not configured for the CloudFront distribut... | AWS | CloudFront | | | | 3 | AWS::CloudFront::Distribution | | |
CloudFront Distribution Does Not Use Custom SSL Certificates | This assessment examines whether CloudFront distributions employ CloudFront's provided default SSL/TLS certificate. The assessment succeeds if a custom SSL/TLS certificate is utilized by the CloudFron... | AWS | CloudFront | | | CloudFront.7 | 3 | AWS::CloudFront::Distribution | | |
CloudFront Distribution Does Not Have Origin Failover Configured | This check verifies the presence of an origin group in an Amazon CloudFront distribution that comprises a minimum of two origins. The utilization of CloudFront origin failover can enhance availabil... | AWS | CloudFront | | | CloudFront.4 | 2 | AWS::CloudFront::Distribution | | |
CloudFront Distribution Does Not Have Default Root Object Configured | This check examines whether an Amazon CloudFront distribution is set up to deliver a particular object as the default root object. The evaluation is unsuccessful if the CloudFront distribution lacks a... | AWS | CloudFront | | | CloudFront.1 | 5 | AWS::CloudFront::Distribution | | |
CloudFront Distribution Points to Non-existent S3 Origin | This check validates whether Amazon CloudFront distributions are associated with Amazon S3 origins that do not exist. If a CloudFront distribution is configured to direct to a non-existent bucket, thi... | AWS | CloudFront | | | CloudFront.12 | 4 | AWS::CloudFront::Distribution | | |
CloudFront Distribution Does Not Encrypt Traffic to Custom Origins | This check verifies whether Amazon CloudFront distributions are applying encryption to traffic directed towards custom origins. The assessment result is considered a failure for a CloudFront distri... | AWS | CloudFront | | | CloudFront.9 | 3 | AWS::CloudFront::Distribution | | |
Log Metric Filter and Alarm Do Not Exist for CloudTrail Configuration Changes | Real-time monitoring of CloudTrail configuration changes can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring CloudTrail... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.5, CIS3.AWS.4.5 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for AWS Management Console Authentication Failures | Real-time monitoring of AWS Management Console authentication failures can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitor... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.6, CIS3.AWS.4.6 | 1 | Custom::AWS::Account | | |
Log Metric Filter and Alarm Do Not Exist for Disabling or Scheduled Deletion of Customer Created CMKs | Real-time monitoring of disabling or scheduled deletion of customer created CMKs can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarm... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.7, CIS3.AWS.4.7 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for IAM Policy Changes | Real-time monitoring of IAM policy changes can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring IAM policy changes will ... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.4, CIS3.AWS.4.4 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for Usage of Root Account | Real-time monitoring of usage of root account can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring usage of root account... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.3, CIS3.AWS.4.3 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for Management Console Sign-in Without MFA | Real-time monitoring of Management Console sign-in without MFA can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring Mana... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.2 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for Unauthorized API Calls | Real-time monitoring of unauthorized API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring unauthorized API cal... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.1, CIS3.AWS.4.1 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for S3 Bucket Policy Changes | Real-time monitoring of S3 bucket policy changes can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring S3 bucket policy c... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.8, CIS3.AWS.4.8 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for AWS Config Changes | Real-time monitoring of AWS Config changes can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring AWS Config changes will ... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.9, CIS3.AWS.4.9 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for Security Group Changes | Real-time monitoring of security group changes can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring security group chang... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.10, CIS3.AWS.4.10 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for Network Access Control List Changes | Real-time monitoring of NACL changes can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring NACL changes will help reveal ... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.11, CIS3.AWS.4.11 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for Network Gateway Changes | Real-time monitoring of Network Gateway changes can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring Network Gateway cha... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.12, CIS3.AWS.4.12 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for Route Table Changes | Real-time monitoring of route table changes can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring route table changes wil... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.13, CIS3.AWS.4.13 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for VPC Changes | Real-time monitoring of VPC changes can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring VPC changes will help reveal ap... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.14, CIS3.AWS.4.14 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
Log Metric Filter and Alarm Do Not Exist for AWS Organizations Changes | Real-time monitoring of AWS Organizations changes can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring AWS Organizations... | AWS | CloudTrail | | | CIS AWS v1.5.0 4.15, CIS3.AWS.4.15 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
CloudTrail Does Not Track All API Activity In All Regions | An AWS account should contain at least one CloudTrail Trail that meets the following requirements: - Logging enabled - Multi-region enabled - Records all API Activity (i.e. Read and Write Managemen... | AWS | CloudTrail | | | CIS AWS v1.5.0 3.1, CSMM v1 LOG-03.1, CloudTrail.1 | 4 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
CloudTrail Trail Insights Exist | CloudTrail Insights provides a powerful way to search and analyze CloudTrail log data using pre-built queries and machine learning algorithms. This can help you to identify potential security th... | AWS | CloudTrail | | | | 1 | AWS::CloudTrail::Trail | | |
CloudTrail Trail Log File Integrity Validation Not Enabled | CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was cha... | AWS | CloudTrail | | | CIS AWS v1.5.0 3.2, CloudTrail.4 | 3 | AWS::CloudTrail::Trail | | |
CloudTrail Trail Not Sending Events to CloudWatch Logs | AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP addres... | AWS | CloudTrail | | | CIS AWS v1.5.0 3.4, CSMM v1 LOG-02.1, CloudTrail.5 | 1 | AWS::CloudTrail::Trail | | |
S3 Bucket for CloudTrail Logs Is Public | CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3... | AWS | CloudTrail | | | CIS AWS v1.5.0 3.3 | 4 | AWS::CloudTrail::Trail | | |
CloudTrail Logs Are Not Encrypted With a Customer Managed Key From KMS | Note that although this is a common compliance requirement, it is not always recommended when you need to send logs to an external provider. AWS CloudTrail is a web service that records AWS API calls ... | AWS | CloudTrail | | | CIS AWS v1.5.0 3.7, CloudTrail.2 | 2 | AWS::CloudTrail::Trail | | |
CloudTrail Log Storage Bucket Does Not Have Access Logging Enabled | S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the re... | AWS | CloudTrail | | | CIS AWS v1.5.0 3.6, CloudTrail.7 | 2 | AWS::CloudTrail::Trail | | |
CloudTrail Trails Do Not Send Logs To Centralized S3 Bucket | This check verifies that one of the AWS CloudTrail trails in this account is configured to send logs to a specified centralized S3 bucket. Centralizing CloudTrail logs is essential for security, troub... | AWS | CloudTrail | S3 Buckets for CloudTrail Logs | | CSMM v1 LOG-03.1 | 1 | Custom::AWS::Account | AWS::CloudTrail::Trail | |
CloudWatch Allows Cross-Account Sharing | Check if CloudWatch permits cross-account sharing. Allowing Cross-Account access to CloudWatch may heighten the risk of exposing sensitive information across accounts. To adhere to the principle... | AWS | IAM | | | | 3 | AWS::IAM::Role | | |
CloudWatch Log Group Is Not Protected By AWS KMS | Verify whether CloudWatch log groups are secured with AWS Key Management Service (KMS). Utilizing customer-managed KMS encryption for CloudWatch log groups offers enhanced confidentiality and... | AWS | CloudWatch | | | | 3 | AWS::Logs::LogGroup | | |
CloudWatch Log Group Has Retention Policy of Specific Days | Ensure that CloudWatch Log Groups possess a retention policy of a specific number of days. When log groups have a short retention period of fewer than the specified days, essential logs and v... | AWS | CloudWatch | | | CloudWatch.16 | 3 | AWS::Logs::LogGroup | | |
CloudWatch Alarm Does Not Have Action Configured For Alarm State | This check assesses whether CloudWatch alarms have been configured with at least one action for the ALARM state. Failure of this control occurs when an alarm lacks an activated action for the ALARM... | AWS | CloudWatch | | | CloudWatch.15 | 4 | AWS::CloudWatch::Alarm | | |
CloudWatch Alarm Actions Is Not Enabled | This check verifies whether CloudWatch alarm actions have been enabled (ActionEnabled set to true). Failure of the control occurs when an alarm action associated with a CloudWatch alarm is disabled... | AWS | CloudWatch | | | CloudWatch.17 | 4 | AWS::CloudWatch::Alarm | | |
CodeBuild Project Source Repository URL Does Not Use OAuth | This check process examines whether the GitHub or Bitbucket source repository URL includes personal access tokens or a combination of a username and password. Storing or transmitting sign-in cre... | AWS | CodeBuild | | PCI DSS v3.2.1/8.2.1 | CodeBuild.1 | 5 | AWS::CodeBuild::Project | | |
CodeBuild Project Environment Does Not Have Logging Configured | This check examines if a CodeBuild project environment includes a minimum of one activated logging option, such as S3 or CloudWatch logs. The check results in failure if the CodeBuild project envir... | AWS | CodeBuild | | | CodeBuild.4 | 3 | AWS::CodeBuild::Project | | |
CodeBuild Project Has Privileged Mode Enabled | UPDATE: Security Hub retired this control and removed it from all standards. Enabling privileged mode in a CodeBuild project does not impose an additional risk to the customer environment. This ch... | AWS | CodeBuild | | | | 1 | AWS::CodeBuild::Project | | |
CodeBuild Project S3 Logs Are Not Encrypted | This check ensures S3 logs for an AWS CodeBuild project are encrypted. Encrypting data while it is stored is a widely advised security measure that fortifies access management for your informat... | AWS | CodeBuild | | | CodeBuild.3 | 2 | AWS::CodeBuild::Project | | |
CodeBuild Project Contains Clear Text Credentials | This check ensures that the project does not contain the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. These credentials should never be stored in clear-text, as it could ... | AWS | CodeBuild | | PCI DSS v3.2.1/8.2.1 | CodeBuild.2 | 5 | AWS::CodeBuild::Project | | |
AWS Config Service Is Not Configured | WARNING: although required in many cases for compliance, Config can dramatically increase your AWS costs for an account. AWS Config is a web service that performs configuration management of supp... | AWS | Config | | | CIS AWS v1.5.0 3.5, Config.1 | 2 | Custom::AWS::Region | AWS::Config::ConfigurationRecorder | |
DynamoDB Table Is Not Replicated | Checks that a DynamoDB table is replicated to at least one other region.... | AWS | DynamoDB | | | CSMM v1 BCR-04.3 | 1 | AWS::DynamoDB::Table | | |
DynamoDB Table Does Not Have Encryption At Rest Enabled Using CMK KMS | Check if encryption at rest with a KMS customer managed key (CMK) is enabled for the DynamoDB table. All user data stored in Amazon DynamoDB is entirely secured when it is not in active use. This feat... | AWS | DynamoDB | | | | 3 | AWS::DynamoDB::Table | | |
DynamoDB Table Does Not Have Point-In-Time Recovery Enabled | This check assesses the activation status of point-in-time recovery (PITR) for an Amazon DynamoDB table. Enabling backups plays a crucial role in expediting recovery from security incidents and f... | AWS | DynamoDB | | | DynamoDB.2 | 3 | AWS::DynamoDB::Table | | |
DynamoDB Accelerator Cluster Is Not Encrypted At Rest | This check verifies if a DAX cluster encrypts data at rest, enhancing security by limiting access to authenticated AWS users. Encryption requires specific API permissions for data decryption before re... | AWS | DAX | | | DynamoDB.3 | 3 | AWS::DAX::Cluster | | |
DynamoDB Table is Public | This check helps ensure DynamoDB tables are secure by verifying they're not openly accessible when using DynamoDB's resource-based policies for fine-grained access control.... | AWS | DynamoDB | | | | 4 | AWS::DynamoDB::Table | | |
EC2 Instance Exposes an Administrative Port to Internet | This EC2 instance exposes a port commonly used for system administration to all IP addresses (0.0.0.0/0) on the internet. If SSH, RDP, or a similar service is running on the instance, an attacker cou... | AWS | EC2 | Ports | | | 5 | AWS::EC2::Instance | AWS::EC2::SecurityGroup, AWS::EC2::RouteTable | Remove Failed Security Groups |
AMI Is Public | An Amazon Machine Image is public. This could result in a data exposure and is also a common exfiltration technique in attacks. AMIs that are not properly created may contain sensitive information, cr... | AWS | EC2 | | | | 5 | AWS::EC2::Image | | Set AMI to Private |
AMI Is Shared Externally | An Amazon Machine Image (AMI) is shared with untrusted AWS accounts (i.e. accounts not known to Cloud Defense). This could indicate a data exposure if the sharing is not intended.... | AWS | EC2 | Trust All Known Accounts, Trusted AWS Account IDs | | | 3 | AWS::EC2::Image | | Revoke Access to Untrusted Accounts |
Autoscaled Instance Has SSH/RDP Ports Enabled | This check ensures that EC2 instances in an Auto Scaling group do not have SSH or RDP ports open. Open SSH or RDP ports expose instances to potential unauthorized access and malicious activities. By l... | AWS | EC2 | | | CSMM v1 WKL-05.1 | 1 | AWS::EC2::Instance | AWS::AutoScaling::AutoScalingGroup, AWS::EC2::SecurityGroup | |
Default EC2 Security Group Allows Access | A default security group for a VPC allows ingress and/or egress access. The default security group is applied to any resource in a VPC that is not explicitly assigned a security group on creation (typ... | AWS | EC2 | | | CIS AWS v1.5.0 5.4, EC2.2 | 3 | AWS::EC2::SecurityGroup | | |
EBS Default Encryption Disabled | Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While each EBS volume's encryption can be configured individually, there is also a per-region ... | AWS | EC2 | | | CIS AWS v1.5.0 2.2.1, CSMM v1 DAT-02.2, EC2.7 | 2 | Custom::AWS::Region | | Enable EBS Encryption By Default |
EBS Snapshot Is Publicly Accessible | A snapshot of an EBS storage volume should not allow public access. Public EBS snapshots could result in a data exposure and are also a common exfiltration technique in attacks.... | AWS | EC2 | | | EC2.1 | 5 | AWS::EC2::Snapshot | | |
EBS Snapshot Is Not Encrypted | This check verifies if EC2 Elastic Block Store (EBS) snapshots are encrypted. Unencrypted snapshots may expose sensitive data to unauthorized users, leading to potential data breaches or compliance vi... | AWS | EC2 | | | | 4 | AWS::EC2::Snapshot | | |
Elastic IP Is Not In Use | This Elastic IP is not associated with any resources and could be released to reduce cost.... | AWS | EC2 | | | EC2.12 | 1 | AWS::EC2::EIP | | |
EC2 Security Group Has Excessive Host Rules | There are multiple ways security groups can have overly broad permissions that lead to increased security risks. A large number of rules, especially /32 rules, often indicate developers or administra... | AWS | EC2 | Maximum host rules | | | 2 | AWS::EC2::SecurityGroup | | |
Instances Are Assessed For Vulnerabilities By Inspector | This check ensures the security of your instances by confirming that they undergo regular vulnerability assessments conducted by Amazon Inspector. By routinely assessing instances, you can proactively... | AWS | EC2 | | | CSMM v1 WKL-02.2, CSMM v1 WKL-04.4 | 2 | AWS::EC2::Instance | Custom::AWS::InspectorV2::CoveredResource | |
EC2 Instance Does Not Have Recent Snapshot | This check assesses if an EC2 instance has a recent snapshot taken within the last 30 days. Having a recent snapshot is important for ensuring data recoverability and resilience, particularly for inst... | AWS | EC2 | | | CSMM v1 BCR-03.1 | 2 | AWS::EC2::Instance | | |
EC2 Instance IMDSv2 Is Not Enabled | Checks if EC2 Instance Metadata Service Version 2 (IMDSv2) is enabled and required. Using IMDSv2 will protect from misconfigurations and SSRF vulnerabilities. IMDSv1 will not.... | AWS | EC2 | | | EC2.8 | 2 | AWS::EC2::Instance | | |
Instance Is Not In An Auto Scaling Group | This check ensures that EC2 instances are in an Auto Scaling group. Auto Scaling groups ensure that EC2 instances are automatically replaced if they become unhealthy or are terminated. This not only e... | AWS | EC2 | | | CSMM v1 WKL-05.1 | 1 | AWS::EC2::Instance | | |
EC2 Instance Uses Multiple ENIs | This control examines whether an EC2 instance utilizes multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). It succeeds when a single network adapter is in use. An optional pa... | AWS | EC2 | | | EC2.17 | 2 | AWS::EC2::Instance | | |
EC2 Instance Is Older Than Specific Days | Checks if an EC2 instance is older than the specified number of days. Older instances can potentially pose a security risk if they are not updated or patched regularly.... | AWS | EC2 | Max Age (days) | | CSMM v1 WKL-03.3 | 3 | AWS::EC2::Instance | | |
EC2 Instance has a Public IP Address | Check to see if an instance has a public IP address (of any type) attached. Instances should not be assigned a public IP address since this potentially exposes them directly to the Internet.... | AWS | EC2 | | | CSMM v1 NET-03.1, EC2.9 | 3 | AWS::EC2::Instance | | |
EC2 Instance Is Not Managed By Systems Manager | This check verifies whether the stopped and running EC2 instances in your account are managed by AWS Systems Manager. Systems Manager is an AWS service that you can use to view and control your AWS infrastruc... | AWS | EC2 | | | CSMM v1 WKL-02.1, SSM.1 | 3 | AWS::EC2::Instance | | |
EC2 Instance Does Not Have an IAM Role Assigned | EC2 Instances that perform IAM actions should have a role assigned that is used to perform those actions... | AWS | EC2 | | | CIS AWS v1.5.0 1.18, CIS3.AWS.1.18 | 3 | AWS::EC2::Instance | | |
EC2 Instance Is Internet Facing With Instance Profile | Checks if an EC2 instance is internet-facing and has an instance profile, a configuration that might lead to unauthorized access or exposure of sensitive information. If an EC2 instance is publi... | AWS | EC2 | | | | 2 | AWS::EC2::Instance | | |
EC2 Instance Has Security Group That Would Expose an Administrative Port to Internet | This EC2 instance does not currently have a public IP address assigned, but it has a security group that will expose an ... | AWS | EC2 | Ports, Known CIDRs | | | 3 | AWS::EC2::Instance | AWS::EC2::SecurityGroup | |
NACL Allows Unrestricted Access To Admin Ports | Network Access Control Lists (NACLs) provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to... | AWS | EC2 | Admin ports | | CIS AWS v1.5.0 5.1, EC2.21 | 3 | AWS::EC2::NetworkAcl | | |
Unused NACL Is Not Removed | This control assesses the presence of unused network access control lists (ACLs). It examines the configuration of the AWS::EC2::NetworkAcl resource, analyzing the relationships associated with the... | AWS | EC2 | | | EC2.16 | 2 | AWS::EC2::NetworkAcl | | |
EC2 Instance Type Is Paravirtual | This control verifies if an EC2 instance is paravirtual. It fails if the instance's virtualizationType is set to paravirtual. Linux Amazon Machine Images (AMIs) use either paravirtual (PV) or har... | AWS | EC2 | | | EC2.24 | 3 | AWS::EC2::Instance | | |
Route Table Trusts Overly Broad IP Range | Ensuring that route tables have appropriately restrictive rules is a key aspect of implementing a Minimum Viable Network. This check identifies route tables that trust subnets with a prefix length sma... | AWS | EC2 | | | CSMM v1 NET-04.2 | 3 | AWS::EC2::RouteTable | | |
Security Group Allows Ingress From 0.0.0.0/0 to Remote Server Administration Ports | Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administ... | AWS | EC2 | Ports | | CIS AWS v1.5.0 5.2, EC2.13, EC2.14, EC2.53 | 3 | AWS::EC2::SecurityGroup | | |
Security Group Allows Ingress From ::/0 to Remote Server Administration Ports | Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administ... | AWS | EC2 | Ports | | CIS AWS v1.5.0 5.3, EC2.54 | 3 | AWS::EC2::SecurityGroup | | |
Security Group is Created From EC2 Launch Wizard | Checks if the security group name is launch-wizard. Security groups created in the AWS Console using the EC2 launch wizard may allow port 22 from 0.0.0.0/0. ... | AWS | EC2 | | | | 3 | AWS::EC2::SecurityGroup | | |
Security Group Allows Excessive Inbound Port Ranges | Checks that the security group allows no more than five (5) TCP or UDP ports. You should minimize potential attack paths by using tightly scoped security group rules, even on non-Internet-facing reso... | AWS | EC2 | | | CSMM v1 NET-03.2 | 2 | AWS::EC2::SecurityGroup | | |
EC2 Security Group Is Not Used | Ensures there are no unused Security Groups.... | AWS | EC2 | | | EC2.22 | 2 | AWS::EC2::SecurityGroup | | |
Security Group Rule Allows Ingress From 0.0.0.0/0 or ::/0 to a Wide Port Range | Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Security Group Rules configured with a wide port range can indicate that network access is over-provi... | AWS | EC2 | Port Width | | | 3 | AWS::EC2::SecurityGroup | | |
Security Group Allows Unrestricted Incoming Traffic For Unauthorized Ports | Checks whether an Amazon EC2 security group permits unrestricted incoming traffic from unauthorized ports. The result is determined as follows: If you use the default value for authorizedTcpPorts, th... | AWS | EC2 | Authorized TCP Ports, Authorized UDP Ports | NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5) | EC2.18 | 4 | AWS::EC2::SecurityGroup | | |
Security Group Allows Unrestricted Access To Ports With High Risk | Checks whether unrestricted incoming traffic for an Amazon EC2 security group is accessible to the specified ports that are considered to be high risk. This check fails if any of the rules in a secur... | AWS | EC2 | | NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-7, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5) | EC2.19 | 5 | AWS::EC2::SecurityGroup | | |
EC2 Security Group References Itself | Detects security groups with rules that are self-referencing and contain a wide port range. This can pose a security risk. If not needed, the rules should be revoked or restricted.... | AWS | EC2 | Maximum number of self-referencing ports per security group | | | 3 | AWS::EC2::SecurityGroup | | Revoke Security Group Rules |
Sensitive Ports are Exposed To Internet | Checks if an instance is exposed to the internet by ensuring no security group allows ingress from 0.0.0.0/0, ::/0, or other Internet-accessible CIDR ranges to the following ports: - ... | AWS | EC2 | Ports | | CSMM v1 NET-02.1 | 4 | AWS::EC2::Instance | AWS::EC2::SecurityGroup | Remove Failed Security Groups |
Sensitive Ports On Windows System Exposed To Internet | A Windows-based instance was identified that exposes sensitive ports to the Internet. These include: Port 3389, which is used for remote administration; Ports 445, 139, 137, and 138, which are used... | AWS | EC2 | Ports | | | 5 | AWS::EC2::Instance | AWS::EC2::SecurityGroup | Remove Failed Security Groups |
EC2 Transit Gateway Automatically Accepts VPC Attachment Requests | This check verifies if EC2 transit gateways automatically accept shared VPC attachments, failing if they do. Enabling AutoAcceptSharedAttachments allows automatic approval of cross-account VPC a... | AWS | EC2 | | | EC2.23 | 4 | AWS::EC2::TransitGateway | | |
Transit Gateway Flow Logs Are Not Enabled | Transit Gateway Flow Logs provide visibility into the IP traffic flowing through your transit gateway. You can use this information to troubleshoot connectivity issues, investigate security and networ... | AWS | EC2 | | | CSMM v1 NET-04.2 | 3 | AWS::EC2::TransitGateway | AWS::EC2::FlowLog | |
EBS Volume is not Encrypted | Elastic Block Store (EBS) volumes can be configured to be encrypted by default, providing encryption at rest and in transit. Customer Master Keys (CMKs) are used to perform EBS volume encryption. The ... | AWS | EC2 | | | | 1 | AWS::EC2::Volume | | |
VPC is Missing a VPC Endpoint | This check ensures each VPC has an Amazon EC2 service endpoint; failure occurs if one is absent. The assessment is limited to resources within a single AWS account. Due to AWS Config and Securit... | AWS | EC2 | | | EC2.10 | 3 | AWS::EC2::VPC | | |
VPC Has Excessive Subnets | Implementing a Minimum Viable Network (MVN) is crucial for reducing the attack surface and improving the security posture of cloud infrastructure. This check identifies VPCs that have more than 20 sub... | AWS | EC2 | | | CSMM v1 NET-04.2 | 2 | AWS::EC2::VPC | AWS::EC2::Subnet | |
VPC Does Not Have Flow Log | Note: Although VPC flow logs are required in every VPC in some compliance standards, like CIS, this is not always recommended. FireMon suggests enabling VPC Flow Logs based on the risk assessment of t... | AWS | EC2 | | | CIS AWS v1.5.0 3.9, EC2.6 | 1 | AWS::EC2::VPC | | |
VPC Route Table Has Excessive Privileges | In cloud networking the best practice is to create a Minimum Viable Network that consists only of the routes and security group rules to support application/project functionality. This typically mea... | AWS | EC2 | | | CSMM v1 NET-04.2 | 2 | AWS::EC2::VpcPeeringConnection | | |
VPC Subnet Automatically Assigns IP Addresses | When this is enabled, all new resources in the subnet will be assigned a public IP address when created. This could result in inadvertent Internet exposure of resources, even when security groups a... | AWS | EC2 | | | EC2.15 | 3 | AWS::EC2::Subnet | | |
VPCs Are Not Implemented Using Infrastructure as Code | This check ensures that VPCs are implemented using Infrastructure as Code (IaC). Implementing VPCs through IaC ensures that the infrastructure is consistently deployed, easily auditable, and can be ve... | AWS | EC2 | Stack tags | | CSMM v1 NET-04.1 | 1 | AWS::EC2::VPC | | |
ECR Private Repository Does Not Have Image Scanning Configured | This check verifies the presence of image scanning configuration in a private Amazon ECR repository. The check result is unsuccessful if the private ECR repository lacks configuration for either sc... | AWS | ECR | | | ECR.1 | 4 | AWS::ECR::Repository | | |
ECR Private Repository Does Not Have Tag Immutability Configured | This control assesses tag immutability in a private Amazon ECR repository. It fails if tag immutability is disabled and succeeds when enabled with the value "IMMUTABLE." Amazon ECR Tag Immuta... | AWS | ECR | | | ECR.2 | 3 | AWS::ECR::Repository | | |
ECS Is Not In Use | This is an informational check that determines if ECS is in use. This information is used in CSMM controls.... | AWS | ECS | | | CSMM v1 WKL-03.1 | 1 | AWS::ECS::Task | | |
ECS Containers Do Not Run As Non-Privileged | This validation assesses whether the "privileged" parameter in the container definition of Amazon ECS Task Definitions is configured as true. The check results in a failure if the parameter is set ... | AWS | ECS | | | ECS.4 | 4 | AWS::ECS::TaskDefinition | | |
ECS Task Definitions Share the Host's Process Namespace | This check examines Amazon ECS task definitions to ensure they do not share the host's process namespace with containers, failing if such sharing is configured. PID namespaces ensure vital isola... | AWS | ECS | | | ECS.3 | 4 | AWS::ECS::TaskDefinition | | |
ECS Task Definitions Do Not Have Secure Networking Modes And User Definitions | This check examines active Amazon ECS task definitions using host networking mode to detect whether they include container definitions with specific privilege configurations. This control focuse... | AWS | ECS | | | ECS.1 | 4 | AWS::ECS::TaskDefinition | | |
ECS Containers Are Not Limited To Read-only Access To Root Filesystems | This validation examines whether Amazon ECS containers are restricted to read-only access for mounted root filesystems. The check results in a failure if the readonlyRootFilesystem parameter is con... | AWS | ECS | | | ECS.5 | 4 | AWS::ECS::TaskDefinition | | |
ECS Task Definitions Do Not Have Logging Configuration | This check ensures that the latest active Amazon ECS task definition includes a specified logging configuration. It fails if the task definition lacks the defined logConfiguration property or if th... | AWS | ECS | | | | 4 | AWS::ECS::TaskDefinition | | |
ECS Container Contains a Secret in Environment Variables | This check verifies that the environment variable key in container definitions does not include AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. It fails if any container de... | AWS | ECS | | | ECS.8 | 4 | AWS::ECS::TaskDefinition | | |
EFS File System Encryption is Disabled | Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device. EFS file system data is encrypted at rest by default when creating a file system via the ... | AWS | EFS | KMS Key ARN | | CIS AWS v1.5.0 2.4.1, EFS.1 | 3 | AWS::EFS::FileSystem | | |
EFS File System is Public | This check ensures the EFS filesystem does not have a policy that allows for public access. Public accessibility could lead to exposure of sensitive data to bad actors. ... | AWS | EFS | | | | 5 | AWS::EFS::FileSystem | | |
EFS File System Does Not Have Backup Policy Enabled | Checks if EFS File System has backup policy enabled. For both resiliency and to limit the potential for ransomware, EFS should have backups enabled. Failure to enable backups leaves data vuln... | AWS | EFS | | | EFS.2 | 3 | AWS::EFS::FileSystem | | |
EKS Control Plane Access is Not Restricted | Checks whether the EKS cluster control plane has restricted access. Restricted access to the Kubernetes API server should be enabled to ensure API communication stays within our VPC. Endpoint access and access ... | AWS | EKS | | | | 3 | AWS::EKS::Cluster | | |
EKS Control Plane Logging is not Enabled or Correctly Configured | Checks that EKS control plane logging, including audit logging, is enabled for all log types.... | AWS | EKS | | | | 3 | AWS::EKS::Cluster | | |
EKS Endpoint Access is not Restricted | Checks whether the EKS cluster endpoint has restricted access. Restricted access ensures all communication with the Kubernetes API is done within our own VPC. Internet access is also disabled... | AWS | EKS | | | EKS.1 | 4 | AWS::EKS::Cluster | | |
EKS Clusters Are Not Encrypted Using Customer Master Keys (CMKs) | This check verifies that Kubernetes Secrets are encrypted using Customer Master Keys (CMKs). Adopting envelope encryption is regarded as a security best practice for applications that store s... | AWS | EKS | | | | 3 | AWS::EKS::Cluster | | |
EKS Is Not In Use | This is an informational check that determines if EKS is in use. This information is used in CSMM controls.... | AWS | EKS | | | CSMM v1 WKL-03.1 | 1 | AWS::EKS::Cluster | | |
EKS Cluster Does Not Run On a Supported Kubernetes Version | This check verifies if an Amazon EKS cluster operates on a Kubernetes version that is officially supported. The check results in a failure if the EKS cluster is found to be running on a version that i... | AWS | EKS | | | EKS.2 | 4 | AWS::EKS::Cluster | | |
ElastiCache for Redis Replication Group Is Not Encrypted At Rest | This validation assesses whether ElastiCache for Redis replication groups implement encryption at rest. The check fails if an ElastiCache for Redis replication group lacks encryption at rest. ... | AWS | ElastiCache | | | ElastiCache.4 | 3 | AWS::ElastiCache::ReplicationGroup | | |
ElastiCache for Redis Replication Group Does Not Have Automatic Failover Enabled | This verification examines whether automatic failover is enabled for ElastiCache for Redis replication groups. The check fails if automatic failover is not enabled for a Redis replication group. ... | AWS | ElastiCache | | | ElastiCache.3 | 3 | AWS::ElastiCache::ReplicationGroup | | |
ElastiCache for Redis Replication Group Is Not Encrypted In Transit | This check assesses whether encryption in transit is implemented for ElastiCache for Redis replication groups. The check fails if the replication group lacks encryption in transit. Encrypting da... | AWS | ElastiCache | | | ElastiCache.5 | 3 | AWS::ElastiCache::ReplicationGroup | | |
ElastiCache for Redis Replication Groups Before V6.0 Do Not Use Redis Auth | For ElastiCache Redis replication groups running versions prior to 6.0, this check verifies that Redis AUTH is enabled by confirming the presence of an AuthToken. Redis AUTH requires clients to provid... | AWS | ElastiCache | | | ElastiCache.6 | 3 | AWS::ElastiCache::ReplicationGroup | | |
Elastic Load Balancer Is Internet Facing | This check identifies internet-facing Elastic Load Balancers, as publicly accessible load balancers could expose sensitive data to bad actors.... | AWS | ELB | | | | 3 | AWS::ElasticLoadBalancing::LoadBalancer | | |
Elastic Load Balancer Does Not Have Logging Enabled | Check whether Elastic Load Balancers (ELBs) have logging functionality enabled. Without logging, it becomes impossible to monitor service utilization and perform threat analysis. It is advisable ... | AWS | ELB | | | | 3 | AWS::ElasticLoadBalancing::LoadBalancer | | |
Elastic Load Balancer Has Non-encrypted Listeners | Ensure that Elastic Load Balancers (ELBs) are configured with SSL listeners. Unencrypted communication can jeopardize the confidentiality of data during transit. Examine ELBs to identify those wi... | AWS | ELB | | | ELB.3 | 3 | AWS::ElasticLoadBalancing::LoadBalancer | | |
Elastic Load Balancer Has Insecure SSL Protocols | Check whether Elastic Load Balancers (ELBs) are configured with weak SSL ciphers. This check specifically looks at whether the SSL policy is the secure policy 'ELBSecurityPolicy-TLS-1-2-2017-01'.... | AWS | ELB | | | | 3 | AWS::ElasticLoadBalancing::LoadBalancer | | |
Elastic Load Balancer Is Not Configured With Defensive Or Strictest Desync Mitigation Mode | This control assesses whether a Classic Load Balancer is set up with either defensive or the strictest desync mitigation mode. The validation does not succeed if the Classic Load Balancer is not confi... | AWS | ELB | | | ELB.14 | 3 | AWS::ElasticLoadBalancing::LoadBalancer | | |
Elastic Load Balancer Does Not Span Multiple Availability Zones | This check assesses whether a Classic Load Balancer is set up to operate across multiple Availability Zones. The validation does not succeed if the Classic Load Balancer is not configured to span mult... | AWS | ELB | | | ELB.10 | 3 | AWS::ElasticLoadBalancing::LoadBalancer | | |
Elastic Load Balancer Does Not Have Cross-Zone Load Balancing Enabled | This check examines whether cross-zone load balancing is activated for Classic Load Balancers (CLBs). The check does not pass if cross-zone load balancing is not turned on for a CLB. A load balancer ... | AWS | ELB | | | ELB.9 | 3 | AWS::ElasticLoadBalancing::LoadBalancer | | |
Elastic Load Balancer Does Not Have Connection Draining Enabled | This check assesses whether Classic Load Balancers have activated connection draining. Enabling connection draining guarantees that the load balancer ceases forwarding requests to instances undergoing... | AWS | ELB | | | ELB.7 | 3 | AWS::ElasticLoadBalancing::LoadBalancer | | |
Application Load Balancer Is Not Protected By WAF | An Application Load Balancer (ALB) is responsible for distributing incoming web traffic across multiple targets, such as EC2 instances, to ensure optimal performance. This check verifies if the ALB is... | AWS | ELBv2 | | | CSMM v1 APP-03.3, ELB.16 | 3 | AWS::ElasticLoadBalancingV2::LoadBalancer | | |
Application Load Balancer Is Internet Facing | An Application Load Balancer (ALB) is responsible for distributing incoming web traffic across multiple targets, such as EC2 instances, to ensure optimal performance. This check verifies if the ALB is... | AWS | ELBv2 | | | | 2 | AWS::ElasticLoadBalancingV2::LoadBalancer | | |
Elastic Load Balancer Does Not Have Listeners | This check ensures that an ELBv2 load balancer has listeners attached. The rules that are defined for a listener determine how the load balancer routes requests to its registered targets.... | AWS | ELBv2 | | | | 3 | AWS::ElasticLoadBalancingV2::LoadBalancer | | |
Elastic Load Balancer V2 Does Not Have Logging Enabled | Check whether Elastic Load Balancers (ELBs) have logging functionality enabled. Without logging, it becomes impossible to monitor service utilization and perform threat analysis. It is advisable ... | AWS | ELBv2 | | | | 3 | AWS::ElasticLoadBalancingV2::LoadBalancer | | |
Application Load Balancer Has Non-Encrypted Listeners | Check if Application Elastic Load Balancers have SSL listeners. Unencrypted communication may compromise the privacy of information during transit. It's recommended to examine Application Load Bala... | AWS | ELBv2 | | | | 3 | AWS::ElasticLoadBalancingV2::LoadBalancer | | |
Application Load Balancer Does Not Have Deletion Protection Enabled | Check if Application Elastic Load Balancers have deletion protection enabled. If deletion protection is not enabled, the resource is not protected against deletion. It's important to note this attri... | AWS | ELBv2 | | | | 3 | AWS::ElasticLoadBalancingV2::LoadBalancer | | |
Application Load Balancer Has Insecure SSL Protocols | Check if Application Elastic Load Balancers have insecure SSL ciphers. Using insecure ciphers may affect the privacy of in-transit information. It's recommended to drop legacy and insecure ciphers and u... | AWS | ELBv2 | | | | 3 | AWS::ElasticLoadBalancingV2::LoadBalancer | | |
Application Load Balancer Has Invalid Desync Mitigation Mode | Check if the Application Load Balancer is set to employ either a defensive or the strictest desync mitigation mode. If not, check whether it is configured with the "drop_invalid_header_fields" attr... | AWS | ELBv2 | | | | 3 | AWS::ElasticLoadBalancingV2::LoadBalancer | | |
Application Load Balancer Is Not Configured To Drop HTTP Headers | This check examines AWS Application Load Balancers to verify their configuration for discarding invalid HTTP headers. The control does not pass if the setting of routing.http.drop_invalid_header_fi... | AWS | ELBv2 | | | | 3 | AWS::ElasticLoadBalancingV2::LoadBalancer | | |
Load Balancer Does Not Span Multiple Availability Zones | This control checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has instances registered from multiple Availability Zones. The check does not pass if an Elastic Loa... | AWS | ELBv2 | | NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5) | ELB.13 | 3 | AWS::ElasticLoadBalancingV2::LoadBalancer | | |
Glue Connection Does Not Enforce JDBC SSL | This check determines if Secure Sockets Layer (SSL) with hostname matching is enforced for the JDBC connection on the client.... | AWS | Glue | | | | 4 | AWS::Glue::Connection | | |
Glue Data Catalog Does Not Encrypt Connection Passwords | This check determines if connection password encryption for the data catalog is enabled.... | AWS | Glue | | | | 4 | AWS::Glue::DataCatalogEncryptionSettings | | |
Glue Data Catalog Does Not Encrypt Metadata At Rest | This check determines if at-rest encryption for metadata stored in the data catalog is enabled.... | AWS | Glue | | | | 4 | AWS::Glue::DataCatalogEncryptionSettings | | |
Glue Data Catalog Is Publicly Accessible | This check determines if a data catalog is publicly accessible due to its resource policy.... | AWS | Glue | | | | 4 | AWS::Glue::ResourcePolicy | | |
Glue Development Endpoint Data Is Not Encrypted | A security configuration in AWS Glue contains the properties that are needed when you write encrypted data. You create security configurations on the AWS Glue console to provide the encryption propert... | AWS | Glue | | | | 3 | AWS::Glue::DevEndpoint | AWS::Glue::SecurityConfiguration | |
Glue Job Data Is Not Encrypted | A security configuration in AWS Glue contains the properties that are needed when you write encrypted data. You create security configurations on the AWS Glue console to provide the encryption propert... | AWS | Glue | | | | 3 | AWS::Glue::Job | AWS::Glue::SecurityConfiguration | |
Glue Job Does Not Have CloudWatch Logging Enabled | UPDATE: Security Hub retired this control and removed it from all standards. This control checks whether an AWS Glue job has logging enabled. The control fails if the job doesn't have logging enabled... | AWS | Glue | | | | 1 | AWS::Glue::Job | | |
Glue Job Is Not Tagged | This check ensures that an AWS Glue Job has tags with the specific keys defined in the parameter Required Tag Keys . The control fails if the Job doesn't have any tag keys or if it doesn't have all t... | AWS | Glue | Required Tag Keys | | Glue.1 | 4 | AWS::Glue::Job | | |
Glue Machine Learning Transform Does Not Encrypt Data At Rest | This check determines if an AWS Glue machine learning transform is encrypted at rest. The control fails if the machine learning transform isn't encrypted at rest.... | AWS | Glue | | | Glue.3 | 4 | AWS::Glue::MLTransform | | |
GuardDuty Is Not Enabled | This check determines if GuardDuty is enabled to provide continuous security monitoring against malicious or unauthorized activity. Enabling GuardDuty enhances threat detection and helps safeguard AWS... | AWS | GuardDuty | | | CSMM v1 LOG-03.2, GuardDuty.1 | 1 | Custom::AWS::Region | AWS::GuardDuty::Detector | |
IAM User Has Access Key(s) That Are Publicly Available Online | Exposure of IAM credentials poses a security risk to your AWS account and could lead to excessive charges from unauthorized activity.... | AWS | IAM | | | | 5 | AWS::IAM::User | | Disable IAM User |
IAM Access Key Should Be Rotated | Access keys are a static credential that consists of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. Static credentials always represent a ri... | AWS | IAM | | | CIS AWS v1.5.0 1.14, IAM.3 | 3 | AWS::IAM::User | | Disable IAM Access Keys |
IAM Account Does Not Have A Secure Password Policy | IAM password policies are crucial for ensuring strong password security and preventing unauthorized access to accounts. It is highly recommended to implement a robust password policy that enforces com... | AWS | IAM | | | IAM.7 | 3 | Custom::AWS::IAM::Account | | Enforce Password Policy Compliance |
IAM Access Analyzer is Not Enabled for Region | Enable IAM Access Analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS re:Invent 2019. After the Analyzer is enabled in IAM, scan results ... | AWS | IAM | | | CIS AWS v1.5.0 1.20, IAM.28 | 3 | Custom::AWS::Region | AWS::AccessAnalyzer::Analyzer | |
Unused IAM User Credentials | AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be dea... | AWS | IAM | | | CIS AWS v1.5.0 1.12, IAM.8, IAM.22 | 2 | AWS::IAM::User | | Disable IAM User, Quarantine IAM User |
IAM SSL/TLS Certificate Is Expired | To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate mana... | AWS | IAM | | | CIS AWS v1.5.0 1.19, CIS3.AWS.1.19 | 2 | AWS::IAM::ServerCertificate | | |
IAM Password Policy Does Not Require Minimum Length of 14 or Greater | Password policies are, in part, used to enforce password complexity requirements. Certain standards like CIS require a minimum password length of 14. The default in AWS is 8. IAM password policies can... | AWS | IAM | | | CIS AWS v1.5.0 1.8, IAM.15 | 3 | Custom::AWS::IAM::Account | | Enable Minimum Password Length of 14 |
IAM Password Policy Does Not Prevent Reuse | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. Preventing password reuse increases account... | AWS | IAM | | | CIS AWS v1.5.0 1.9, IAM.16 | 3 | Custom::AWS::IAM::Account | | Enable Password Reuse Prevention |
IAM Role Has Risky Permissions | Risky permissions are individual IAM permissions that are rated with a higher security risk due to their potential for abuse, or combinations of permissions (even across different IAM policies) that c... | AWS | IAM | | | | 4 | AWS::IAM::Role | | |
Sufficient IAM Roles Using Safe Trust Conditions | This check verifies the presence of more than two IAM roles that are not associated with an EC2 instance profile and utilize one or more of the following condition keys in their trust policies: -... | AWS | IAM | | | CSMM v1 IAM-05.1 | 2 | Custom::AWS::IAM::Account | | |
IAM Root Account Usage | The root user for this account has been used within the past 24 hours. Root access should be eliminated or minimized. With the creation of an AWS account, a 'root user' is created that cannot be ... | AWS | IAM | | | CIS AWS v1.5.0 1.7, CIS3.AWS.1.7 | 2 | Custom::AWS::IAM::Account | | |
IAM Root Account Has Access Keys | The root user for this AWS account has an access key attached to it. If the access key is compromised, it could be used to obtain full access to the AWS account and its resources. It is a best practic... | AWS | IAM | | PCI DSS 2.1, PCI DSS 2.2, PCI DSS 7.2.1 | CIS AWS v1.5.0 1.4, IAM.4 | 4 | Custom::AWS::IAM::Account | | |
IAM Root Account Does Not Have MFA Enabled | The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a u... | AWS | IAM | | PCI DSS 8.3.1 | CIS AWS v1.5.0 1.5, IAM.6, IAM.9 | 4 | Custom::AWS::IAM::Account | | |
IAM Root Account Uses Virtual MFA | The root user for this AWS account has a virtual Multi-factor Authentication (MFA) token configured. You may want to replace this with a physical device to enhance security. There are a few reasonab... | AWS | IAM | | PCI DSS 8.3.1 | CIS AWS v1.5.0 1.6, IAM.6 | 4 | AWS::IAM::VirtualMFADevice | | |
AWS Support Center Not Available to IAM Users | The AWS managed policy 'AWSSupportAccess' is not attached to an IAM user, group, or role in your AWS account. The CIS Benchmarks for AWS require that a support role exists with access to the AWS Suppo... | AWS | IAM | | | CIS AWS v1.5.0 1.17, IAM.18 | 1 | Custom::AWS::IAM::Account | | |
IAM User Has Access Key Without MFA Enforced | IAM Users that access the AWS API using long-term credentials should have a policy applied that enforces MFA for most actions... | AWS | IAM | Allowed Services | | CSMM v1 IAM-03.2, IAM.19 | 4 | AWS::IAM::User | | Disable IAM User |
New IAM User Has Access Keys | The AWS console does not create access keys by default when creating a new user since these are static credentials that would then need to be shared/communicated. Human users should create their own a... | AWS | IAM | | | CIS AWS v1.5.0 1.11, CIS3.AWS.1.11 | 4 | AWS::IAM::User | | Disable IAM User |
IAM User Has Attached Policy With Admin Permissions | The IAM user has full administrative permissions. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to ... | AWS | IAM | | | CIS AWS v1.5.0 1.16, CIS3.AWS.1.16 | 4 | AWS::IAM::User | | |
IAM User Has Attached Policies | IAM users should only receive permissions through groups. IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edi... | AWS | IAM | | | CIS AWS v1.5.0 1.15, IAM.2 | 3 | AWS::IAM::User | | |
User MFA not Enforced and Missing MFA Device | NOTE: this check only validates MFA for AWS IAM users and it does not evaluate federated users since MFA for those users is managed at the Identity Provider, not within AWS. This check only looks for ... | AWS | IAM | | PCI DSS 8.3.1 | CIS AWS v1.5.0 1.10, CSMM v1 IAM-02.2, IAM.5, IAM.19 | 4 | AWS::IAM::User | | Disable IAM User |
IAM User Has Multiple Active Access Keys | Multiple access keys may indicate that a user account was compromised, or that the user has an old key in less secure storage. Access keys are long-term credentials for an IAM user or the AWS account ... | AWS | IAM | | | CIS AWS v1.5.0 1.13, CIS3.AWS.1.13 | 4 | AWS::IAM::User | | |
IAM User Has Risky Permissions | Risky permissions are individual IAM permissions that are rated with a higher security risk due to their potential for abuse, or combinations of permissions (even across different IAM policies) that c... | AWS | IAM | Whitelisted Groups | | | 4 | AWS::IAM::User | | Disable IAM User |
IAM Policy Allows Access To KMS Privileges | Check that no IAM policies grant unrestricted KMS privileges. As KMS holds significant importance, it's imperative for IAM policies to adhere to the principle of least privilege, e... | AWS | IAM | | | | 3 | AWS::IAM::ManagedPolicy | | |
IAM Policy Allows Access To CloudTrail Privileges | Check that no IAM policies grant unrestricted CloudTrail privileges. As CloudTrail holds significant importance, it's imperative for IAM policies to adhere to the principle of leas... | AWS | IAM | | | | 3 | AWS::IAM::ManagedPolicy | | |
IAM User Has Administrator Access With MFA Disabled | Check to ensure that users with Administrator Access policy have Multi-Factor Authentication (MFA) tokens activated. The policy could potentially grant permission to unidentified users to carry out... | AWS | IAM | | | | 4 | AWS::IAM::User | | Disable IAM User |
IAM User Uses Virtual MFA | Check whether IAM users have Hardware MFA enabled. Prioritize the use of Hardware MFA over virtual MFA. To remediate, set up a hardware MFA device for an IAM user using either the AWS Management Co... | AWS | IAM | | | | 3 | AWS::IAM::User | | |
Attached, AWS Managed Policy Allows Admin Privileges | Check that no AWS-managed IAM policies granting complete administrative privileges are attached. IAM policies assign privileges to users, groups, or roles. Adhering to the best practice of least pr... | AWS | IAM | | | | 4 | AWS::IAM::ManagedPolicy | | |
IAM Customer Managed Unattached Policy Allows Admin Privileges | Ensure that no customer-managed IAM policies grant complete administrative privileges, even when currently unattached: IAM is eventually consistent, so a short-lived resource may still be using such a policy, and an unattached policy can be attached to a principal again at any time. IAM polic... | AWS | IAM | | | IAM.1 | 2 | AWS::IAM::ManagedPolicy | | |
IAM Customer Managed Attached Policy Allows Admin Privileges | Check that no Customer-managed IAM policies granting complete administrative privileges are attached. IAM policies assign privileges to users, groups, or roles. Adhering to the best practice of lea... | AWS | IAM | | | IAM.1 | 4 | AWS::IAM::ManagedPolicy | | |
Too Many Users Access AWS Console Without SSO | All users should access AWS accounts through Single Sign On (SSO). A small number of IAM users may have direct console access for break-glass and emergency purposes such as the SSO portal going down. ... | AWS | IAM | Maximum direct console access users | | CSMM v1 IAM-03.1 | 2 | Custom::AWS::IAM::Account | | |
IAM Role Vulnerable to CVE-2024-28056 | This check identifies IAM roles that are vulnerable to CVE-2024-28056. The vulnerability allows an attacker to assume an IAM ro... | AWS | IAM | | | | 4 | AWS::IAM::Role | | |
IAM Role Has ReadOnlyAccess for External AWS Accounts | The AWS-managed ReadOnlyAccess policy grants extensive permissions that can lead to data exposure if used improperly. It should be applied very carefully and only when absolutely necessary. Consider u... | AWS | IAM | | | | 4 | AWS::IAM::Role | | |
IAM Policy Allows Overly Permissive Role Assumption | Checks whether the customer managed IAM policy allows any role to be assumed (i.e. resource of * and action of sts:AssumeRole ). If this is not properly restricted, this could lead to unwante... | AWS | IAM | | | | 5 | AWS::IAM::ManagedPolicy | | |
Kinesis Stream is Not Encrypted At Rest | This validation examines whether Kinesis Data Streams are secured with server-side encryption for data at rest. The validation does not pass if a Kinesis stream lacks encryption at rest through server... | AWS | Kinesis | | | Kinesis.1 | 3 | AWS::Kinesis::Stream | | |
AWS Account Does Not Contain A CMK Key | Checks that the AWS Account contains at least one customer-managed key (CMK) in Key Management Service (KMS). By default, many services in cloud providers encrypt data using default keys. However, c... | AWS | KMS | | | CSMM v1 DAT-03.2 | 1 | Custom::AWS::Account | | |
KMS Key Exposed To Public | The key policy for this Customer Managed Key (CMK) includes an asterisk (*) in the 'Principal' key for an 'Allow' statement. The policy may allow any AWS account to use the key, if not otherwis... | AWS | KMS | | | CSMM v1 DAT-04.2 | 5 | AWS::KMS::Key | | |
KMS Key Does Not Have Key Rotation Enabled | Automatic key rotation is a best practice, and enabling it may help you satisfy compliance requirements (such as PCI DSS). The [AWS Developer Guide](https://docs.aws.amazon.com/kms/latest/develop... | AWS | KMS | | PCI DSS 3.6.4 | CIS AWS v1.5.0 3.8, KMS.4 | 1 | AWS::KMS::Key | | |
CMK KMS Key Is Disabled | Check whether there are any Customer Master Keys (CMK) within the Key Management Service (KMS) that have not been utilized. Having unused keys could lead to higher service expenses. Prior to removi... | AWS | KMS | | | | 3 | AWS::KMS::Key | | |
CMK KMS Key Is Deleted Intentionally | This check examines whether KMS keys are in the process of being scheduled for deletion. The validation does not succeed if a KMS key is currently marked for deletion. Once a KMS key is deleted, reco... | AWS | KMS | | | KMS.3 | 5 | AWS::KMS::Key | | |
IAM Role is Associated With Multiple Lambda Functions | Checks whether this Lambda function's IAM execution role is also used in other Lambda functions. Best practice is to maintain a one-to-one relationship between AWS Lambda functions and their IAM execu... | AWS | Lambda | | | | 2 | AWS::Lambda::Function | | |
Lambda Function Missing Valid VPC | Usually, Lambda functions are configured to connect to private subnets in AWS VPCs in order to use resources hosted there. A Lambda function that does not connect to any VPC could indicate an "orphane... | AWS | Lambda | | PCI DSS 1.2.1, PCI DSS 1.3.1, PCI DSS 1.3.2, PCI DSS 1.3.4 | Lambda.3 | 2 | AWS::Lambda::Function | | |
Lambda Function has Resource-based Policy With Public Access | The resource policy for the Lambda function has an Allow statement whose Principal is one of: "*", AWS: "*", CanonicalUser: "*", Service: "*", or Federated: "*". A public resource policy allows anyone ... | AWS | Lambda | | | Lambda.1 | 4 | AWS::Lambda::Function | | |
Lambda Has Public URL | Lambda functions can have public URLs that allow for direct invocation. This is controlled by a combination of the function URL config and one or more resource policies. To correct this finding, remov... | AWS | Lambda | | | | 3 | AWS::Lambda::Function | | |
Lambda CORS Configuration Allows All Origins | The Lambda Function includes a wildcard ("*") in the CORS configuration AllowOrigins header, which allows all origins. This violates the principle of least privilege.... | AWS | Lambda | | | | 2 | AWS::Lambda::Function | | |
Lambda Function Is Not Recorded by CloudTrail | Lambda function events should be recorded in CloudTrail to gain visibility into when and by whom your Lambda functions are being invoked, allowing you to audit usage, identify potential security issu... | AWS | Lambda | | | | 2 | AWS::Lambda::Function | AWS::CloudTrail::Trail | |
Lambda Function Has Secrets in Environment | To increase security, AWS recommends using Secrets Manager instead of environment variables to store credentials and other sensitive values.... | AWS | Lambda | Environment variable keys to ignore | | CSMM v1 WKL-05.2 | 4 | AWS::Lambda::Function | | |
Lambda Is Using Obsolete Runtime | Identify deprecated Lambda runtimes. If you have functions operating on a runtime that will become obsolete within the next 60 days, Lambda will notify you via email. In such cases, it's essenti... | AWS | Lambda | | | Lambda.2 | 3 | AWS::Lambda::Function | | |
Lambda Function Has Risky Permissions | Serverless functions should not have excessive privileges, especially administrative privileges. This is an extension of the IAM excessive privilege control objective as applied specifically to FaaS w... | AWS | Lambda | | | CSMM v1 WKL-04.3 | 4 | AWS::Lambda::Function | | |
Lambda Is Older Than Six Months | This check ensures that Lambda functions are not older than six months. Lambda functions should be updated regularly to ensure they are using the latest runtime and dependencies. This mitigates securi... | AWS | Lambda | | | CSMM v1 WKL-05.2 | 1 | AWS::Lambda::Function | | |
Lambda Function In VPC Does Not Have Multi-AZ Compliance | Checks if a VPC-connected AWS Lambda function operates in at least the specified number of availability zones. The default is two availability zones.... | AWS | Lambda | Minimum availability zones | | Lambda.5 | 3 | AWS::Lambda::Function | | |
Neptune DB Clusters Do Not Have Automatic Backups Enabled | This check verifies if a Neptune DB cluster has active automated backups and if the backup retention period meets or exceeds the specified timeframe. The control result is deemed unsuccessful if the N... | AWS | RDS | | | Neptune.5 | 3 | AWS::RDS::DBCluster | | |
Neptune DB Clusters Are Not Encrypted At Rest | This check verifies the encryption status of a Neptune DB cluster in terms of data at rest. The check results in failure if the Neptune DB cluster is not encrypted at rest. Data at rest encompasses... | AWS | RDS | | | Neptune.1 | 3 | AWS::RDS::DBCluster | | |
Neptune DB Clusters Do Not Publish Logs To CloudWatch Logs | This check assesses whether a Neptune DB cluster is configured to transmit audit logs to Amazon CloudWatch Logs. The evaluation outcome is unsuccessful if a Neptune DB cluster is not actively sending ... | AWS | RDS | | | Neptune.2 | 3 | AWS::RDS::DBCluster | | |
Neptune DB Cluster Does Not Have Copy Tags to Snapshot | This control assesses whether a Neptune DB cluster is set up to replicate all tags to snapshots during their creation. The control result is marked as unsuccessful if the Neptune DB cluster lacks the ... | AWS | RDS | | | Neptune.8 | 2 | AWS::RDS::DBCluster | | |
Neptune DB Cluster Does Not Have Deletion Protection Enabled | This control assesses whether deletion protection is active for a Neptune DB cluster. The control reports a failure if the deletion protection is not enabled for the Neptune DB cluster. Activation of... | AWS | RDS | | | Neptune.4 | 2 | AWS::RDS::DBCluster | | |
Neptune DB Cluster Does Not Have IAM Database Authentication Enabled | This control examines whether IAM database authentication is activated for a Neptune DB cluster. The control result is negative if IAM database authentication is not enabled for the specified Neptune ... | AWS | RDS | | | Neptune.7 | 3 | AWS::RDS::DBCluster | | |
AWS OpenSearch Service Domain is Publicly Accessible | This check ensures that OpenSearch Service domains are not publicly accessible by inspecting each domain's access policy. Publicly accessible domains are subject to exposure of sensitive... | AWS | OpenSearch | | | | 5 | AWS::OpenSearch::Domain | | |
AWS OpenSearch Service Domain is not in an Amazon VPC | Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC). It does not evaluate the VPC subnet routing configuration to determine public access... | AWS | OpenSearch | | | Opensearch.2 | 5 | AWS::OpenSearch::Domain | | |
AWS OpenSearch Domain Does Not Have Audit Logging Enabled | Checks if AWS OpenSearch has audit logging enabled. Enabling fine-grained access control on your Amazon OpenSearch Service domain allows you to activate audit logs for your data. These logs are fu... | AWS | OpenSearch | | | Opensearch.5 | 2 | AWS::OpenSearch::Domain | | |
AWS OpenSearch Domain Encryption-At-Rest Is Not Enabled | OpenSearch Service domains provide data-at-rest encryption, using AWS Key Management Service (AWS KMS) for managing encryption keys and AES-256 algorithm for encryption. When enabled, it encrypts al... | AWS | OpenSearch | | | Opensearch.1 | 3 | AWS::OpenSearch::Domain | | |
OpenSearch Domain Node-to-Node Encryption Is Not Enabled | Node-to-node encryption adds an extra security layer, enhancing the inherent features of Amazon OpenSearch. This configuration thwarts potential attackers' attempts to intercept communication betwe... | AWS | OpenSearch | | | Opensearch.3 | 3 | AWS::OpenSearch::Domain | | |
OpenSearch Domain Has Cognito Authentication for Kibana Disabled | Check whether Amazon OpenSearch Service domains have enabled Amazon Cognito authentication for Kibana. Amazon OpenSearch Service offers support for employing Amazon Cognito as a means of authent... | AWS | OpenSearch | | | | 4 | AWS::OpenSearch::Domain | | |
OpenSearch Domain Has Software Version Updates Available | Check the availability of updates for Amazon OpenSearch Service domains. Amazon OpenSearch Service regularly releases system software updates that introduce enhancements or improve the performance of your... | AWS | OpenSearch | | | | 2 | AWS::OpenSearch::Domain | | |
OpenSearch Domain Has Internal User Database Enabled | Check whether Amazon OpenSearch Service domains have activated the internal user database. The internal user database serves well for demonstrations; for operational environments, prefer the adopti... | AWS | OpenSearch | | | | 3 | AWS::OpenSearch::Domain | | |
OpenSearch Domain Does Not Have HTTPS Enforced | Verify whether HTTPS enforcement is enabled for Amazon OpenSearch Service domains. Failure to enable this could elevate the potential risks associated with unauthorized data access. When establi... | AWS | OpenSearch | | | | 3 | AWS::OpenSearch::Domain | | |
OpenSearch Domain Does Not Have CloudWatch Logging Enabled | Check whether logging is activated for your Amazon OpenSearch Service domains. Amazon OpenSearch Service provides access to four types of OpenSearch logs via Amazon CloudWatch Logs: error logs, search slow logs, i... | AWS | OpenSearch | | | Opensearch.4 | 3 | AWS::OpenSearch::Domain | | |
AWS OpenSearch Domain Does Not Have TLS 1.2 Encryption | This control examines whether connections to OpenSearch domains necessitate the use of TLS 1.2. The validation will not pass if the TLSSecurityPolicy of the OpenSearch domain is not set to Policy-Min-... | AWS | OpenSearch | | | Opensearch.8 | 3 | AWS::OpenSearch::Domain | | |
AWS OpenSearch Domain Does Not Have Fine-grained Access Control Enabled | This validation examines whether fine-grained access control is activated in OpenSearch domains. The validation will not succeed unless fine-grained access control is enabled. Enabling fine-grained ac... | AWS | OpenSearch | | | Opensearch.7 | 4 | AWS::OpenSearch::Domain | | |
AWS OpenSearch Domain Does Not Have At Least Three Data Nodes | This validation verifies that OpenSearch domains have been set up with a minimum of three data nodes and zoneAwarenessEnabled is set to true. The validation will not pass for an OpenSearch domain if t... | AWS | OpenSearch | | | Opensearch.6 | 3 | AWS::OpenSearch::Domain | | |
Account Is Not A Member Of An Organization | An AWS account should be part of an AWS Organization. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and co... | AWS | Organizations | | | CSMM v1 ORM-02.1, Account.2 | 2 | Custom::AWS::Account | | |
Peered VPCs Do Not Use Transit Gateway | | AWS | Organizations | | | CSMM v1 NET-04.2 | 2 | Custom::AWS::Account | | |
RDS Instance Auto Minor Version Upgrade Feature is Disabled | Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to automatically receive minor engine upgrades during the specified maintenance window. This way RDS instan... | AWS | RDS | | | CIS AWS v1.5.0 2.3.2, RDS.13 | 3 | AWS::RDS::DBInstance | | |
RDS Instance Does Not Use Cross-Region Automated Backups | Checks that the RDS instance is configured to replicate automated backups to another region for data resilience.... | AWS | RDS | | | CSMM v1 BCR-04.3 | 1 | AWS::RDS::DBInstance | | |
RDS Instance Does Not Have a Cross-Region Read Replica | Checks that the RDS instance has a read replica in another region for data resilience.... | AWS | RDS | | | CSMM v1 BCR-04.3 | 1 | AWS::RDS::DBInstance | | |
RDS Database Instance Storage is not Encrypted | This RDS database instance does not have Storage Encryption enabled. Storage encryption protects the confidentiality... | AWS | RDS | | | CIS AWS v1.5.0 2.3.1, RDS.3 | 1 | AWS::RDS::DBInstance | | |
RDS Instance is Publicly Accessible | Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted ... | AWS | RDS | | | CIS AWS v1.5.0 2.3.3, RDS.2 | 4 | AWS::RDS::DBInstance | | |
RDS Snapshot Exposed to Public or Untrusted Account | RDS database snapshots often contain sensitive information. Anyone in control of an AWS account with access to this snapshot can view all of the data in the snapshot by copying it to their account and/... | AWS | RDS | Trust All Known Accounts, Trusted AWS Account IDs | PCI DSS 1.2.1, PCI DSS 1.3.1, PCI DSS 1.3.4, PCI DSS 1.3.6, PCI DSS 7.2.1 | RDS.1 | 5 | AWS::RDS::DBSnapshot | | |
RDS Instance Backup is not Enabled | RDS instances have automated backups that can be enabled. Instances without automated backups are exposed to unrecoverable data loss. Data can be easily altered and modified by human error and bad actors... | AWS | RDS | | | RDS.11 | 3 | AWS::RDS::DBInstance | | |
RDS Instance Backup Transport is not Encrypted | Checks if the RDS instance's client connections (SQL Server and PostgreSQL) are encrypted. An unencrypted instance allows sensitive information in transit to be exposed to threats; it's importa... | AWS | RDS | | | | 3 | AWS::RDS::DBInstance | | |
RDS Instance Engine Version is Deprecated | This check ensures that RDS is using an available engine version for the supported engine types. If the instance is using a deprecated version, RDS instances could be exposed to security vulnerab... | AWS | RDS | | | | 3 | AWS::RDS::DBInstance | | |
RDS Instance Is Not Integrated With CloudWatch Logs | Checks whether RDS instances are linked with CloudWatch Logs. Without enabled logs, the ability to monitor service utilization and conduct threat analysis becomes restricted. Employ CloudWatch Logs... | AWS | RDS | | | | 3 | AWS::RDS::DBInstance | | |
RDS Instance Has Enhanced Monitoring Disabled | Checks whether Enhanced Monitoring is activated for RDS instances. Opting for a shorter monitoring interval leads to more frequent updates of OS metrics. To enable Enhanced Monitoring, it's necessa... | AWS | RDS | | | RDS.6 | 2 | AWS::RDS::DBInstance | | |
RDS DB Instance Does Not Have Multi-AZ Enabled | Checks if a RDS DB Instance has multi-AZ deployment enabled. In the event of a specific availability zone failure in a single-AZ deployment, Amazon RDS does not have the capability to automatica... | AWS | RDS | | | RDS.5 | 3 | AWS::RDS::DBInstance | | |
RDS DB Instance Does Not Have Deletion Protection Enabled | Checks if a RDS DB Instance has deletion protection enabled. It's only possible to delete instances that do not have deletion protection enabled. ... | AWS | RDS | | | RDS.8 | 3 | AWS::RDS::DBInstance | | |
RDS Database Snapshot Is Not Encrypted | | AWS | RDS | | | RDS.4 | 4 | AWS::RDS::DBSnapshot | | |
RDS Cluster Snapshot Is Not Encrypted | | AWS | RDS | | | RDS.4 | 4 | AWS::RDS::DBClusterSnapshot | | |
Route53 Record Set In Hosted Zone Is A Dangling IP | Check the presence of dangling IPs in your Route53 Records. When an AWS ephemeral resource, like an Elastic IP (EIP), is released and returns to Amazon's Elastic IP pool, it allows potential exp... | AWS | Route53 | | | | 4 | AWS::Route53::HostedZone | | |
S3 Bucket Does Not Enforce Encryption at Rest | *NOTE: ALL Amazon S3 buckets have bucket encryption enabled by default. S3 supports server-side encryption at the bucket... | AWS | S3 | | | CIS AWS v1.5.0 2.1.1 | 1 | AWS::S3::Bucket | | |
S3 Bucket Allows Cross Account Access | This check inspects S3 bucket policies to identify any cross-account access that is not known and trusted. The check does so by comparing all cross-account "Allow" permissions in a bucket policy... | AWS | S3 | Trust All Known Accounts, Trusted AWS Account IDs, Ignore All Canonical Principals, Ignore Only Listed Canonical Principals, Ignore All Federated Principals, Ignore All Service Principals, Trusted AWS Services | | | 3 | AWS::S3::Bucket | | |
S3 Bucket Has Excessive ACL Permissions | This checks the Access Control List (ACL) for S3 buckets to identify public access (via the Everyone or **Authenticated ... | AWS | S3 | | | | 4 | AWS::S3::Bucket | | |
S3 Bucket Policy Has Excessive Permissions | This checks S3 bucket policies for Statements that Allow Principals that include wildcard '*' groups. Policies that allow wildcard groups will permit any user and/or AWS account to ac... | AWS | S3 | | | CSMM v1 DAT-02.1, S3.6 | 4 | AWS::S3::Bucket | | |
Missing or Disabled S3 Cross-Region Replication Rule | This S3 bucket does not have a Cross-Region Replication rule attached, or this S3 bucket has at least one Cross-Region Replication rule attached to it, but not enabled. Cross-Region Replication ru... | AWS | S3 | | PCI DSS 2.2 | CSMM v1 BCR-04.3, S3.7 | 1 | AWS::S3::Bucket | | |
S3 Bucket Allows HTTP Requests | At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS. By default, Amazon S3 allows both HTTP and HTTPS requests. To a... | AWS | S3 | | | CIS AWS v1.5.0 2.1.2, S3.5 | 3 | AWS::S3::Bucket | | |
Object-level Logging for Read Events is Not Enabled for S3 Bucket | S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events. However, it is recommended to enable Object-l... | AWS | S3 | | | CIS AWS v1.5.0 3.11, S3.23 | 2 | AWS::S3::Bucket | | |
Object-level Logging for Write Events is Not Enabled for S3 Bucket | S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events. However, it is recommended to enable Object-l... | AWS | S3 | | | CIS AWS v1.5.0 3.10, S3.22 | 2 | AWS::S3::Bucket | | |
S3 Bucket Does Not Have Object Versioning Enabled | This check assesses whether Amazon S3 buckets have object versioning enabled. Object versioning is a crucial feature that enhances data protection and enables easy recovery from unintended user actio... | AWS | S3 | | | S3.14 | 3 | AWS::S3::Bucket | | |
S3 Bucket Does Not Block Public Access | Public S3 buckets are one of the biggest sources of data breaches and AWS ransomware attacks. By default, S3 buckets and objects are created with public access disabled. However, an IAM principa... | AWS | S3 | | | CIS AWS v1.5.0 2.1.5, CSMM v1 DAT-03.1, S3.1, S3.2, S3.3, S3.8 | 4 | AWS::S3::Bucket | | |
S3 Bucket Has ACLs Enabled | Verify whether ACLs are enabled for S3 buckets. S3 ACLs represent an outdated form of access control that predates IAM. Presently, IAM and bucket policies are the recommended approaches. Confirm th... | AWS | S3 | | | S3.12 | 3 | AWS::S3::Bucket | | |
S3 Bucket Does Not Have Server Access Logging Enabled | Check whether server access logging is activated for S3 buckets. Enabling server access logs can aid in security assessments, access audits, customer insights, and comprehending Amazon S3 billing. ... | AWS | S3 | | | S3.9 | 3 | AWS::S3::Bucket | | |
S3 Bucket Has MFA Delete Disabled | Check if S3 bucket MFA Delete is not enabled. If it is not enabled, compromised security credentials or unauthorized access can be used to delete objects and object versions without a second factor. ... | AWS | S3 | | | | 2 | AWS::S3::Bucket | | |
S3 Bucket Does Not Have Object Lock Enabled | Check if S3 bucket Object Lock is enabled. Utilize a write-once-read-many (WORM) approach to store items, ensuring they cannot be deleted or altered for a specified duration or indefinitely. Thi... | AWS | S3 | | | S3.15 | 3 | AWS::S3::Bucket | | |
CloudTrail Logs S3 Bucket Has MFA Delete Disabled | This check ensures that S3 buckets used by CloudTrail for storing logs have MFA Delete enabled. Enabling MFA Delete provides an extra layer of security by requiring additional authentication before al... | AWS | S3 | | | | 4 | AWS::S3::Bucket | | |
Secret Does Not Have Automatic Rotation Enabled | AWS Secrets Manager automatic secret rotation is a key security feature that helps in managing the lifecycle of secrets. Having automatic rotation enabled ensures that secrets are rotated regularly, r... | AWS | SecretsManager | | | SecretsManager.1 | 2 | AWS::SecretsManager::Secret | | |
AWS Security Hub Is Not Enabled | Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security... | AWS | SecurityHub | | | CIS AWS v1.5.0 4.16 | 3 | Custom::AWS::Region | AWS::SecurityHub::Hub | |
AWS Security Hub Is Disabled Or Does Not Have NIST 800-53 Enabled | | AWS | SecurityHub | | | CSMM v1 GOV-04.3 | 3 | Custom::AWS::Region | AWS::SecurityHub::Hub | |
No AWS Security Hub Security Standards Are Enabled | AWS Security Hub serves as a centralized dashboard for monitoring the security status of your AWS environment. This check ensures that at least one security standard is enabled in your Security Hub, e... | AWS | SecurityHub | | | CSMM v1 GOV-03.2 | 1 | AWS::SecurityHub::Hub | | |
SNS Topic KMS Encryption At Rest Is Not Enabled | Check that no SNS topics lack encryption. Neglecting encryption leaves sensitive information susceptible to compromise while at rest. Implement Amazon SNS with AWS KMS as a corrective measure. ... | AWS | SNS | | | SNS.1 | 4 | AWS::SNS::Topic | | |
SNS Topic Policy Has Public Access | Check whether SNS topics have been configured with a public policy, as making services publicly accessible may expose sensitive data to malicious actors. Ensure that there is a legitimate busine... | AWS | SNS | | | | 4 | AWS::SNS::Topic | | |
SQS Queue Shared With Untrusted AWS Account | The Amazon Simple Queue Service (SQS) queue has a [resource-based policy](https://docs.aws.amazon.com/AWSSimp... | AWS | SQS | Trust All Known Accounts, Trusted AWS Account IDs | | | 3 | AWS::SQS::Queue | | |
SQS Queue Policy Has Public Access | Having public access enabled for an SQS Queue can expose sensitive information that should not be disclosed to the general public. The policy permissions should be updated to protect against unaut... | AWS | SQS | | | | 5 | AWS::SQS::Queue | | |
SQS Queue Does Not Have Server Side Encryption Enabled | Check whether SQS queues have Server Side Encryption activated. If the encryption is not enabled, confidential data at rest in the queue will remain vulnerable. Activate encryption and utilize a Customer Mas... | AWS | SQS | | | SQS.1 | 3 | AWS::SQS::Queue | | |
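Several of the AWS rows above (IAM Policy Allows Overly Permissive Role Assumption, KMS Key Exposed To Public, Lambda Function has Resource-based Policy With Public Access, S3 Bucket Policy Has Excessive Permissions, S3 Bucket Allows HTTP Requests, SNS Topic Policy Has Public Access, SQS Queue Policy Has Public Access) are decisions made over a policy document. The block below is added example code, not part of this catalog or of the product that produces it, showing how those three decisions can be made offline over policy JSON. The sample policies are constructed, the account ID in them is a placeholder, and the SCOPING_KEYS set (condition keys treated as narrowing a wildcard principal, which is what the "if not otherwise restricted" wording in the KMS row refers to) is an assumption of this example.

```python
"""Offline checks over IAM policy documents.

Example code, not part of the check catalog it accompanies. Sample policies at
the bottom are constructed for illustration.
"""
from typing import Any

# Assumption: a wildcard principal whose statement also carries one of these
# condition keys is treated as scoped to a known caller, not public.
SCOPING_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcevpc", "aws:sourcevpce",
}


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy: dict) -> list:
    return _as_list(policy.get("Statement"))


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or for AWS/Service/Federated/CanonicalUser: "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _has_scoping_condition(statement: dict) -> bool:
    condition = statement.get("Condition") or {}
    return any(
        key.lower() in SCOPING_KEYS
        for operator_block in condition.values()
        for key in operator_block
    )


def public_statements(policy: dict) -> list:
    """Allow statements any AWS principal could use (resource policies on
    KMS keys, Lambda functions, S3 buckets, SNS topics, SQS queues)."""
    return [
        s for s in _statements(policy)
        if s.get("Effect") == "Allow"
        and _principal_is_wildcard(s.get("Principal"))
        and not _has_scoping_condition(s)
    ]


def _action_matches(actions: list, target: str) -> bool:
    """Does the action list cover `target`, allowing "*" and "service:*"?"""
    service = target.split(":")[0].lower()
    for action in actions:
        a = action.lower()
        if a == "*" or a == target.lower() or a == f"{service}:*":
            return True
    return False


def allows_unrestricted_assume_role(policy: dict) -> bool:
    """Identity policy: Allow sts:AssumeRole with Resource "*" (any role)."""
    for s in _statements(policy):
        if s.get("Effect") != "Allow":
            continue
        if not _action_matches(_as_list(s.get("Action")), "sts:AssumeRole"):
            continue
        if "*" in _as_list(s.get("Resource")):
            return True
    return False


def denies_insecure_transport(bucket_policy: dict) -> bool:
    """Bucket policy: a Deny on all principals when aws:SecureTransport is
    false, covering object reads (the pattern CIS 2.1.2 asks for)."""
    for s in _statements(bucket_policy):
        if s.get("Effect") != "Deny" or not _principal_is_wildcard(s.get("Principal")):
            continue
        bool_block = (s.get("Condition") or {}).get("Bool", {})
        if str(bool_block.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if _action_matches(_as_list(s.get("Action")), "s3:GetObject"):
            return True
    return False


# Constructed sample documents; 123456789012 is a placeholder account ID.
PUBLIC_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]}
SCOPED_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sns:Publish",
     "Resource": "arn:aws:sns:us-east-1:123456789012:alerts",
     "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}]}
ASSUME_ANY_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
ASSUME_ONE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::123456789012:role/deploy"}]}
HTTPS_ONLY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    print("public key policy statements:", len(public_statements(PUBLIC_KEY_POLICY)))
    print("scoped topic is public:", bool(public_statements(SCOPED_TOPIC_POLICY)))
    print("assume any role:", allows_unrestricted_assume_role(ASSUME_ANY_ROLE_POLICY))
    print("https enforced:", denies_insecure_transport(HTTPS_ONLY_BUCKET_POLICY))
```

These are document-level heuristics in the spirit of the catalog rows, not a full IAM evaluation: they ignore NotPrincipal, NotAction and NotResource, and they do not account for service control policies or permissions boundaries that may further restrict what an Allow actually grants. Feed them the policy JSON retrieved for each resource (key policy, bucket policy, topic or queue policy, managed policy version) and treat a hit as a finding to review, not a proof of exposure.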
App Service Authentication Not Enabled | Authentication for an App Services app is not enabled.... | Azure | AppService | | | CIS Azure v2.0.0 9.1 | 4 | Microsoft.Web.sites | | |
Web App Does Not Redirect All HTTP Traffic to HTTPS in Azure App Service | Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all H... | Azure | AppService | | | CIS Azure v2.0.0 9.2 | 4 | Microsoft.Web.sites | | |
Web App Does Not Use Latest Version of TLS Encryption | The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service al... | Azure | AppService | | | CIS Azure v2.0.0 9.3 | 4 | Microsoft.Web.sites | | |
Web App Does Not Have Incoming Client Certificates Set to "On" | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. The TLS mutual authentication techn... | Azure | AppService | | | CIS Azure v2.0.0 9.4 | 4 | Microsoft.Web.sites | | |
Web App Does Not Have Azure Active Directory Enabled | Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App S... | Azure | AppService | | | CIS Azure v2.0.0 9.5 | 4 | Microsoft.Web.sites | | |
Web App Does Not Use Latest HTTP Version | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, ... | Azure | AppService | | | CIS Azure v2.0.0 9.9 | 4 | Microsoft.Web.sites | | |
Web App Does Not Have FTP Deployments Disabled | By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and... | Azure | AppService | | | CIS Azure v2.0.0 9.10 | 4 | Microsoft.Web.sites | | |
App Service App Slots Should Require FTPS Only | Enable FTPS enforcement for enhanced security.... | Azure | AppService | | | | 3 | Microsoft.Web.sites.slots | | |
Function Apps Should Require FTPS Only | Enable FTPS enforcement for enhanced security.... | Azure | AppService | | | | 3 | Microsoft.Web.sites | | |
Function Apps Slots Should Require FTPS Only | Enable FTPS enforcement for enhanced security.... | Azure | AppService | | | | 3 | Microsoft.Web.sites.slots | | |
Function Apps Should Have Authentication Enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app.... | Azure | AppService | | | | 3 | Microsoft.Web.sites | | |
Custom Role Has Admin Privileges | The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. Classic subscription admin roles offer basic access... | Azure | Access Control (IAM) | | | CIS Azure v2.0.0 1.23 | 3 | Microsoft.Authorization.roleDefinitions | | |
Logging for Azure Key Vault is Not Enabled | Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. Monitoring how and when key vaults are accessed, and by whom, enables an audit trail... | Azure | KeyVault | | | CIS Azure v2.0.0 5.1.5 | 2 | Microsoft.KeyVault.vaults | | |
Key Vault Is Not Recoverable | The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verific... | Azure | KeyVault | | | CIS Azure v2.0.0 8.5 | 4 | Microsoft.KeyVault.vaults | | |
Expiration Date Is Not Set For Key Vault Secret | Ensure that all Secrets in Azure Key Vaults have an expiration date set. The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key V... | Azure | KeyVault | | | CIS Azure v2.0.0 8.3, CIS Azure v2.0.0 8.4 | 4 | Microsoft.KeyVault.vaults.secrets | | |
Expiration Date Is Not Set For Key Vault Key | Ensure that all Keys in Azure Key Vaults have an expiration date set. Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration d... | Azure | KeyVault | | | CIS Azure v2.0.0 8.1, CIS Azure v2.0.0 8.2 | 4 | Microsoft.KeyVault.vaults.keys | | |
Enforce SSL Is Not Enabled for MySQL Database Server | SSL connectivity helps to provide a new layer of security by connecting the database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and c... | Azure | MySQL | | | CIS Azure v2.0.0 4.4.1 | 4 | Microsoft.DBforMySQL.servers.databases | | |
MySQL Flexible Server TLS Version Is Not TLSV1.2 | TLS connectivity helps to provide a new layer of security by connecting the database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between database server a... | Azure | MySQL | | | CIS Azure v2.0.0 4.4.2 | 3 | Microsoft.DBforMySQL.flexibleservers.databases | | |
Audit Log Is Not Enabled for MySQL Database Server | Enabling audit_log_enabled helps MySQL Database to log items such as connection attempts to the server, DDL/DML access, and more. Log data can be used to identify, troubleshoot, and repair configurati... | Azure | MySQL | | | CIS Azure v2.0.0 4.4.3 | 3 | Microsoft.DBforMySQL.servers.databases | | |
MySQL Server Parameter 'audit_log_events' Is Not Set To 'CONNECTION' | Enabling CONNECTION helps MySQL Database to log items such as successful and failed connection attempts to the server. Log data can be used to identify, troubleshoot, and repair configuration errors a... | Azure | MySQL | | | CIS Azure v2.0.0 4.4.4 | 3 | Microsoft.DBforMySQL.servers.databases | | |
Enforce SSL Is Not Enabled for PostgreSQL Database Server | SSL connectivity helps to provide a new layer of security by connecting the database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and c... | Azure | PostgreSQL | | | CIS Azure v2.0.0 4.3.1 | 4 | Microsoft.DBforPostgreSQL.servers.databases | | |
PostgreSQL Server Parameter "log_checkpoints" Is Not Enabled | Enabling log_checkpoints helps the PostgreSQL Database to log each checkpoint, which in turn generates query and error logs. However, access to transaction logs is not supported. Query and error logs can be ... | Azure | PostgreSQL | | | CIS Azure v2.0.0 4.3.2 | 4 | Microsoft.DBforPostgreSQL.servers.databases | | |
PostgreSQL Server Parameter "log_connections" Is Not Enabled | Enabling log_connections helps PostgreSQL Database to log attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot,... | Azure | PostgreSQL | | | CIS Azure v2.0.0 4.3.3 | 3 | Microsoft.DBforPostgreSQL.servers.databases | | |
PostgreSQL Server Parameter "log_disconnections" Is Not Enabled | Enabling log_disconnections helps the PostgreSQL Database to log the end of a session, including its duration, which in turn generates query and error logs. Query and error logs can be used to identify, troubles... | Azure | PostgreSQL | | | CIS Azure v2.0.0 4.3.4 | 3 | Microsoft.DBforPostgreSQL.servers.databases | | |
PostgreSQL Server Parameter "log_retention_days" Is Not Greater Than 3 Days | Configuring log_retention_days determines the duration in days that Azure Database for PostgreSQL retains log files. Query and error logs can be used to identify, troubleshoot, and repair configuratio... | Azure | PostgreSQL | | | CIS Azure v2.0.0 4.3.6 | 3 | Microsoft.DBforPostgreSQL.servers.databases | | |
PostgreSQL Server Parameter "connection_throttling" Is Not Enabled | Enabling connection_throttling helps the PostgreSQL Database to set the verbosity of logged messages. This in turn generates query and error logs with respect to concurrent connections that could lead... | Azure | PostgreSQL | | | CIS Azure v2.0.0 4.3.5 | 3 | Microsoft.DBforPostgreSQL.servers.databases | | |
PostgreSQL Server Does Not Restrict Access for Azure Services | If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configurat... | Azure | PostgreSQL | | | CIS Azure v2.0.0 4.3.7 | 3 | Microsoft.DBforPostgreSQL.servers.databases | | |
PostgreSQL Server Parameter "infrastructure_encryption" Is Not Enabled | If Double Encryption is enabled, another layer of encryption is implemented at the hardware level before the storage or network level. Information will be encrypted before it is even accessed, prevent... | Azure | PostgreSQL | | | CIS Azure v2.0.0 4.3.8 | 3 | Microsoft.DBforPostgreSQL.servers.databases | | |
Azure SQL Database Allows Ingress From 0.0.0.0/0 | Azure SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters. ... | Azure | MsSqlDatabase | | | CIS Azure v2.0.0 4.1.2 | 4 | Microsoft.Sql.servers | | |
Azure SQL Database 'Auditing' Is Not Set to 'On' | The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. A... | Azure | MsSqlDatabase | | | CIS Azure v2.0.0 4.1.1 | 4 | Microsoft.Sql.servers | | |
SQL Server's Transparent Data Encryption (TDE) Protector Is Encrypted With Customer-Managed Key | Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and prom... | Azure | MsSqlDatabase | | | CIS Azure v2.0.0 4.1.3 | 4 | Microsoft.Sql.servers | | |
Azure Active Directory Admin is Not Configured for SQL Servers | Azure Active Directory authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentic... | Azure | MsSqlDatabase | | | CIS Azure v2.0.0 4.1.4 | 4 | Microsoft.Sql.servers | | |
Data Encryption Is Not Enabled On SQL Database | Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transac... | Azure | MsSqlDatabase | | | CIS Azure v2.0.0 4.1.5 | 4 | Microsoft.Sql.servers.databases | | |
Auditing Retention Is Less Than 90 Days | SQL Server Audit Retention should be configured to be greater than 90 days. Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.... | Azure | MsSqlDatabase | | | CIS Azure v2.0.0 4.1.6 | 3 | Microsoft.Sql.servers | | |
Microsoft Defender for SQL Is Not Enabled | Microsoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics.... | Azure | MsSqlDatabase | | | CIS Azure v2.0.0 4.2.1 | 3 | Microsoft.Sql.servers | | |
Vulnerability Assessments Are Not Enabled On SQL Server | Enabling Microsoft Defender for SQL server does not enable the Vulnerability Assessment capability for individual SQL databases unless a storage account is set to store the scanning data and reports. T... | Azure | MsSqlDatabase | | | CIS Azure v2.0.0 4.2.2 | 3 | Microsoft.Sql.servers | | |
Vulnerability Assessment Recurring Scans Not Enabled On SQL Server | VA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visib... | Azure | MsSqlDatabase | | | CIS Azure v2.0.0 4.2.3 | 3 | Microsoft.Sql.servers | | |
Vulnerability Assessment Scan Reports Do Not Have Recipients | Configure 'Send scan reports to' with the email addresses of concerned data owners/stakeholders for critical SQL servers. Vulnerability Assessment (VA) scan reports and alerts will be sent to email... | Azure | MsSqlDatabase | | | CIS Azure v2.0.0 4.2.4 | 3 | Microsoft.Sql.servers | | |
Vulnerability Assessment Reports Are Not Sent to Admins | Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'. VA scan reports and alerts will be sent to admins and subscription owners by enabling... | Azure | MsSqlDatabase | | | CIS Azure v2.0.0 4.2.5 | 3 | Microsoft.Sql.servers | | |
Azure SQL Database Configured as Synapse Link Source | This check fails if the Azure SQL Database is configured as a Synapse Link source. When enabled, Synapse Link may allow data access that bypasses standard SQL Database firewall rules, potentially expo... | Azure | SQL Database | | | | 4 | Microsoft.Sql.servers.databases | | |
Storage Account Does Not Allow Azure Service Access | Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trus... | Azure | Storage | | | CIS Azure v2.0.0 3.9 | 3 | Microsoft.Storage.storageAccounts | | |
Storage Account Does Not Require Infrastructure Encryption | Azure Storage automatically encrypts all data in a storage account at the network level using 256-bit AES encryption, which is one of the strongest, FIPS 140-2-compliant block ciphers available. Custo... | Azure | Storage | | | CIS Azure v2.0.0 3.2 | 4 | Microsoft.Storage.storageAccounts | | |
Storage Account Allows Public Network Access | The default configuration for a storage account permits a user with appropriate permissions to configure public (anonymous) access to containers and blobs in a storage account. Keep in mind that publ... | Azure | Storage | | | CIS Azure v2.0.0 3.7 | 3 | Microsoft.Storage.storageAccounts | | |
Storage Account Does Not Require Secure Transfer | The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage acc... | Azure | Storage | | | CIS Azure v2.0.0 3.1 | 3 | Microsoft.Storage.storageAccounts | | |
Storage Logging Is Not Enabled for Queue Service | The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in ... | Azure | Storage | | | CIS Azure v2.0.0 3.5 | 3 | Microsoft.Storage.storageAccounts | | |
Default Network Access Rule Is Not Set to Deny | Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default ac... | Azure | Storage | | | CIS Azure v2.0.0 3.8 | 3 | Microsoft.Storage.storageAccounts | | |
Soft Delete Is Not Enabled for Azure Containers and Blob Storage | Azure Storage blobs contain data such as ePHI or financial information, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause da... | Azure | Storage | | | CIS Azure v2.0.0 3.11 | 3 | Microsoft.Storage.storageAccounts | | |
Private Endpoints Are Not Used for Storage Accounts | Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses ... | Azure | Storage | | | CIS Azure v2.0.0 3.10 | 3 | Microsoft.Storage.storageAccounts | | |
Storage Logging Is Not Enabled for Blob Service Requests | The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in... | Azure | Storage | | | CIS Azure v2.0.0 3.13 | 3 | Microsoft.Storage.storageAccounts | | |
Storage Logging Is Not Enabled for Table Service Requests | Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for b... | Azure | Storage | | | CIS Azure v2.0.0 3.14 | 3 | Microsoft.Storage.storageAccounts | | |
Activity Log Alert Does Not Exist for Create or Update Network Security Group | Create an activity log alert for the Create or Update Network Security Group event. Monitoring for Create or Update Network Security Group events gives insight into network access changes and may red... | Azure | Monitor | | | CIS Azure v2.0.0 5.2.3 | 3 | Custom::Microsoft::Subscription | | |
Activity Log Alert Does Not Exist for Create Policy Assignment | Create an activity log alert for the Create Policy Assignment event. Monitoring for create policy assignment events gives insight into changes done in "Azure policy - assignments" and can reduce the ... | Azure | Monitor | | | CIS Azure v2.0.0 5.2.1 | 3 | Custom::Microsoft::Subscription | | |
Activity Log Alert Does Not Exist for Delete Policy Assignment | Create an activity log alert for the Delete Policy Assignment event. Monitoring for delete policy assignment events gives insight into changes done in "Azure policy - assignments" and can reduce the ... | Azure | Monitor | | | CIS Azure v2.0.0 5.2.2 | 3 | Custom::Microsoft::Subscription | | |
Activity Log Alert Does Not Exist for Delete Network Security Group | Create an activity log alert for the Delete Network Security Group event. Monitoring for Delete Network Security Group events gives insight into network access changes and may reduce the time it take... | Azure | Monitor | | | CIS Azure v2.0.0 5.2.4 | 3 | Custom::Microsoft::Subscription | | |
Activity Log Alert Does Not Exist for Create or Update Security Solution | Create an activity log alert for the Create or Update Security Solution event. Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions a... | Azure | Monitor | | | CIS Azure v2.0.0 5.2.5 | 3 | Custom::Microsoft::Subscription | | |
Activity Log Alert Does Not Exist for Delete Security Solution | Create an activity log alert for the Delete Security Solution event. Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the ti... | Azure | Monitor | | | CIS Azure v2.0.0 5.2.6 | 3 | Custom::Microsoft::Subscription | | |
Activity Log Alert Does Not Exist for Create or Update SQL Server Firewall Rule | Create an activity log alert for the Create or Update SQL Server Firewall Rule event. Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may... | Azure | Monitor | | | CIS Azure v2.0.0 5.2.7 | 3 | Custom::Microsoft::Subscription | | |
Activity Log Alert Does Not Exist for Delete SQL Server Firewall Rule | Create an activity log alert for the Delete SQL Server Firewall Rule event. Monitoring for Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it ... | Azure | Monitor | | | CIS Azure v2.0.0 5.2.8 | 3 | Custom::Microsoft::Subscription | | |
Activity Log Alert Does Not Exist for Create or Update Public IP Address Rule | Create an activity log alert for the Create or Update Public IP Address rule. Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the tim... | Azure | Monitor | | | CIS Azure v2.0.0 5.2.9 | 3 | Custom::Microsoft::Subscription | | |
Activity Log Alert Does Not Exist for Delete Public IP Address Rule | Create an activity log alert for the Delete Public IP Address rule. Monitoring for Delete Public IP Address events gives insight into network access changes and may reduce the time it takes to dete... | Azure | Monitor | | | CIS Azure v2.0.0 5.2.10 | 3 | Custom::Microsoft::Subscription | | |
Application Insights Are Not Configured | Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing inciden... | Azure | Monitor | | | CIS Azure v2.0.0 5.3.1 | 3 | Custom::Microsoft::Subscription | | |
Storage Account With Activity Logs is Not Encrypted With Customer Managed Key | Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK). Configuring the storage account with the activity log export container to use CMKs provides add... | Azure | Monitor | | | CIS Azure v2.0.0 5.1.4 | 3 | Custom::Microsoft::Subscription | | |
Subscription Does Not Contain Proper Diagnostic Settings Categories | A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting. Remediation f... | Azure | Monitor | | | CIS Azure v2.0.0 5.1.2 | 2 | Custom::Microsoft::Subscription | | |
The Storage Container Storing the Activity Logs is Publicly Accessible | The storage account container containing the activity log export should not be publicly accessible. Allowing public access to activity log content may aid an adversary in identifying weaknesses in th... | Azure | Monitor | | | CIS Azure v2.0.0 5.1.3 | 4 | Custom::Microsoft::Subscription | | |
Security Alert Emails to Subscription Owners Not Enabled | Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate... | Azure | | | | CIS Azure v2.0.0 2.1.18 | 3 | Custom::Microsoft::Subscription | | |
Security Contact Email Not Configured | Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that you... | Azure | | | | CIS Azure v2.0.0 2.1.19 | 3 | Custom::Microsoft::Subscription | | |
Security Alert Severity Not Set to High | Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate th... | Azure | | | | CIS Azure v2.0.0 2.1.20 | 3 | Custom::Microsoft::Subscription | | |
Cosmos DB Does Not Have Virtual Network Filtering Enabled | Selecting certain networks for your Cosmos DB to communicate restricts the number of networks including the internet that can interact with what is stored within the database. Failure to whitelist the... | Azure | Azure Cosmos DB | | | CIS Azure v2.0.0 4.5.1 | 3 | Microsoft.DocumentDB.databaseAccounts.accounts | | |
Resource is Using Basic or Free SKU | The use of Basic or Free SKUs in Azure, whilst cost effective, has significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKUs do n... | Azure | Network Manager | | | CIS Azure v2.0.0 5.5 | 2 | Microsoft.Network.publicIPAddresses, Microsoft.Network.loadBalancers, Microsoft.Cache.Redis, Microsoft.Sql.servers.databases, Microsoft.Network.virtualNetworkGateways | | |
Bastion Host Does Not Exist | The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion... | Azure | Network Manager | | | CIS Azure v2.0.0 7.1 | 3 | Custom::Microsoft::Subscription | | |
Network Security Group Flow Log Retention Is Not Greater Than 90 Days | Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days. Flow logs enable capturing information about IP traffic flowing in and out of ne... | Azure | Network Manager | | | CIS Azure v2.0.0 6.5 | 3 | Microsoft.Network.networkSecurityGroups | | |
Network Security Group Does Not Restrict HTTP Access From The Internet | Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restri... | Azure | Network Manager | | | CIS Azure v2.0.0 6.4 | 3 | Microsoft.Network.networkSecurityGroups | | |
Hub Virtual Network Connection Default Route Propagation is Misconfigured | This setting allows the Virtual Hub to propagate a learned default route to this connection. This flag enables default route propagation to a connection only if the default route is already learned by the... | Azure | Virtual WAN | Enable this Check, Propagate Default Route | | | 1 | Microsoft.Network.virtualHubs.hubVirtualNetworkConnections | | |
Network Security Group Is Not Assigned To A Subnet | Fails if a network security group is not associated with at least one subnet.... | Azure | Network Manager | Enable this Check | | | 1 | Microsoft.Network.networkSecurityGroups | | |
Azure Public IP Address Exists | This check fails if a public IP address exists in the Azure environment. Public IP addresses expose resources directly to the internet, which can increase the attack surface of your infrastructure.... | Azure | Networking | Enable this Check | | | 4 | Microsoft.Network.publicIPAddresses | | |
Network Security Group Does Not Restrict RDP Access From The Internet | Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restri... | Azure | Network Manager | | | CIS Azure v2.0.0 6.1 | 3 | Microsoft.Network.networkSecurityGroups | | |
Network Security Group Does Not Restrict SSH Access From The Internet | Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restri... | Azure | Network Manager | | | CIS Azure v2.0.0 6.2 | 3 | Microsoft.Network.networkSecurityGroups | | |
Azure Synapse Workspace Public Network Access Enabled | Checks if public network access is enabled for Azure Synapse workspaces.... | Azure | Synapse | | | | 4 | Microsoft.Synapse.workspaces | | |
Network Security Group Does Not Restrict UDP Access From The Internet | Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restri... | Azure | Network Manager | | | CIS Azure v2.0.0 6.3 | 3 | Microsoft.Network.networkSecurityGroups | | |
Virtual Network With Application Gateway Is Not Protected By Azure DDoS Protection | Protect your virtual networks that have Application Gateways attached against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit [https://aka.ms/ddosprotectiondocs... | Azure | Network | | | | 4 | Microsoft.Network.virtualNetworks | | |
Virtual Network Does Not Have Security Group | Network Security Groups on Virtual Networks in Azure are important for maintaining robust security controls. They act as a firewall, managing inbound and outbound network traffic, which helps to preve... | Azure | Network Manager | Enable this Check | | | 1 | Microsoft.Network.virtualNetworks | | |
Virtual Network Has a VPN Gateway | Fails if a subnet within an Azure virtual network has a VPN gateway attached.... | Azure | Network Manager | Enable this Check | | | 1 | Microsoft.Network.virtualNetworks | | |
Network Watcher Is Not Enabled | Enable Network Watcher for Azure subscriptions. Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure. ... | Azure | Network Watcher | | | CIS Azure v2.0.0 6.6 | 3 | Custom::Microsoft::Subscription | | |
Virtual Machine Does Not Use Managed Disk | Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. Managed disks are by default encrypted on the underlying hardware, so no additi... | Azure | Compute | | | CIS Azure v2.0.0 7.2 | 3 | Microsoft.Compute.VirtualMachine | | |
Virtual Machine Disks Are Not Encrypted With Customer Managed Key | Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE). Encrypt... | Azure | Compute | | | CIS Azure v2.0.0 7.3 | 3 | Microsoft.Compute.VirtualMachine | | |
Unattached Disks Are Not Encrypted With Customer Managed Key | Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may... | Azure | Compute | | | CIS Azure v2.0.0 7.4 | 3 | Microsoft.Compute.Disks | | |
Virtual Machine Has Public IP | This check verifies that an Azure Virtual Machine does not have a public IP address assigned to it. If a Virtual Machine needs to communicate with the internet, consider using a service that provides ... | Azure | Compute | | | | 3 | Microsoft.Compute.VirtualMachine | Microsoft.Network.networkInterfaces | |