- Kubernetes CIS Benchmark
- Amazon EKS CIS Benchmark
- Amazon AWS CIS Benchmark
- Google Cloud CIS Benchmark
- Microsoft Azure CIS Benchmark

## Kubernetes CIS Benchmark

Rule Number | Section | Description | Status | Integration Tests | Type |
---|---|---|---|---|---|
1.1.1 | Control Plane Node Configuration Files | Ensure that the API server pod specification file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Automated |
1.1.10 | Control Plane Node Configuration Files | Ensure that the Container Network Interface file ownership is set to root:root | β | Passed β / Failed β | Manual |
1.1.11 | Control Plane Node Configuration Files | Ensure that the etcd data directory permissions are set to 700 or more restrictive | β | Passed β / Failed β | Automated |
1.1.12 | Control Plane Node Configuration Files | Ensure that the etcd data directory ownership is set to etcd:etcd | β | Passed β / Failed β | Automated |
1.1.13 | Control Plane Node Configuration Files | Ensure that the admin.conf file permissions are set to 600 | β | Passed β / Failed β | Automated |
1.1.14 | Control Plane Node Configuration Files | Ensure that the admin.conf file ownership is set to root:root | β | Passed β / Failed β | Automated |
1.1.15 | Control Plane Node Configuration Files | Ensure that the scheduler.conf file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Automated |
1.1.16 | Control Plane Node Configuration Files | Ensure that the scheduler.conf file ownership is set to root:root | β | Passed β / Failed β | Automated |
1.1.17 | Control Plane Node Configuration Files | Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Automated |
1.1.18 | Control Plane Node Configuration Files | Ensure that the controller-manager.conf file ownership is set to root:root | β | Passed β / Failed β | Automated |
1.1.19 | Control Plane Node Configuration Files | Ensure that the Kubernetes PKI directory and file ownership is set to root:root | β | Passed β / Failed β | Automated |
1.1.2 | Control Plane Node Configuration Files | Ensure that the API server pod specification file ownership is set to root:root | β | Passed β / Failed β | Automated |
1.1.20 | Control Plane Node Configuration Files | Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Manual |
1.1.21 | Control Plane Node Configuration Files | Ensure that the Kubernetes PKI key file permissions are set to 600 | β | Passed β / Failed β | Manual |
1.1.3 | Control Plane Node Configuration Files | Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Automated |
1.1.4 | Control Plane Node Configuration Files | Ensure that the controller manager pod specification file ownership is set to root:root | β | Passed β / Failed β | Automated |
1.1.5 | Control Plane Node Configuration Files | Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Automated |
1.1.6 | Control Plane Node Configuration Files | Ensure that the scheduler pod specification file ownership is set to root:root | β | Passed β / Failed β | Automated |
1.1.7 | Control Plane Node Configuration Files | Ensure that the etcd pod specification file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Automated |
1.1.8 | Control Plane Node Configuration Files | Ensure that the etcd pod specification file ownership is set to root:root | β | Passed β / Failed β | Automated |
1.1.9 | Control Plane Node Configuration Files | Ensure that the Container Network Interface file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Manual |
1.2.1 | API Server | Ensure that the --anonymous-auth argument is set to false | β | Passed β / Failed β | Manual |
1.2.10 | API Server | Ensure that the admission control plugin EventRateLimit is set | β | Passed β / Failed β | Manual |
1.2.11 | API Server | Ensure that the admission control plugin AlwaysAdmit is not set | β | Passed β / Failed β | Automated |
1.2.12 | API Server | Ensure that the admission control plugin AlwaysPullImages is set | β | Passed β / Failed β | Manual |
1.2.13 | API Server | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | β | Passed β / Failed β | Manual |
1.2.14 | API Server | Ensure that the admission control plugin ServiceAccount is set | β | Passed β / Failed β | Automated |
1.2.15 | API Server | Ensure that the admission control plugin NamespaceLifecycle is set | β | Passed β / Failed β | Automated |
1.2.16 | API Server | Ensure that the admission control plugin NodeRestriction is set | β | Passed β / Failed β | Automated |
1.2.17 | API Server | Ensure that the --secure-port argument is not set to 0 | β | Passed β / Failed β | Automated |
1.2.18 | API Server | Ensure that the --profiling argument is set to false | β | Passed β / Failed β | Automated |
1.2.19 | API Server | Ensure that the --audit-log-path argument is set | β | Passed β / Failed β | Automated |
1.2.2 | API Server | Ensure that the --token-auth-file parameter is not set | β | Passed β / Failed β | Automated |
1.2.20 | API Server | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | β | Passed β / Failed β | Automated |
1.2.21 | API Server | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | β | Passed β / Failed β | Automated |
1.2.22 | API Server | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | β | Passed β / Failed β | Automated |
1.2.23 | API Server | Ensure that the --request-timeout argument is set as appropriate | β | Passed β / Failed β | Manual |
1.2.24 | API Server | Ensure that the --service-account-lookup argument is set to true | β | Passed β / Failed β | Automated |
1.2.25 | API Server | Ensure that the --service-account-key-file argument is set as appropriate | β | Passed β / Failed β | Automated |
1.2.26 | API Server | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | β | Passed β / Failed β | Automated |
1.2.27 | API Server | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | β | Passed β / Failed β | Automated |
1.2.28 | API Server | Ensure that the --client-ca-file argument is set as appropriate | β | Passed β / Failed β | Automated |
1.2.29 | API Server | Ensure that the --etcd-cafile argument is set as appropriate | β | Passed β / Failed β | Automated |
1.2.3 | API Server | Ensure that the --DenyServiceExternalIPs is not set | β | Passed β / Failed β | Automated |
1.2.30 | API Server | Ensure that the --encryption-provider-config argument is set as appropriate | β | Passed β / Failed β | Manual |
1.2.31 | API Server | Ensure that encryption providers are appropriately configured | β | Passed β / Failed β | Manual |
1.2.32 | API Server | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | β | Passed β / Failed β | Manual |
1.2.4 | API Server | Ensure that the --kubelet-https argument is set to true | β | Passed β / Failed β | Automated |
1.2.5 | API Server | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | β | Passed β / Failed β | Automated |
1.2.6 | API Server | Ensure that the --kubelet-certificate-authority argument is set as appropriate | β | Passed β / Failed β | Automated |
1.2.7 | API Server | Ensure that the --authorization-mode argument is not set to AlwaysAllow | β | Passed β / Failed β | Automated |
1.2.8 | API Server | Ensure that the --authorization-mode argument includes Node | β | Passed β / Failed β | Automated |
1.2.9 | API Server | Ensure that the --authorization-mode argument includes RBAC | β | Passed β / Failed β | Automated |
1.3.1 | Controller Manager | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | β | Passed β / Failed β | Manual |
1.3.2 | Controller Manager | Ensure that the --profiling argument is set to false | β | Passed β / Failed β | Automated |
1.3.3 | Controller Manager | Ensure that the --use-service-account-credentials argument is set to true | β | Passed β / Failed β | Automated |
1.3.4 | Controller Manager | Ensure that the --service-account-private-key-file argument is set as appropriate | β | Passed β / Failed β | Automated |
1.3.5 | Controller Manager | Ensure that the --root-ca-file argument is set as appropriate | β | Passed β / Failed β | Automated |
1.3.6 | Controller Manager | Ensure that the RotateKubeletServerCertificate argument is set to true | β | Passed β / Failed β | Automated |
1.3.7 | Controller Manager | Ensure that the --bind-address argument is set to 127.0.0.1 | β | Passed β / Failed β | Automated |
1.4.1 | Scheduler | Ensure that the --profiling argument is set to false | β | Passed β / Failed β | Automated |
1.4.2 | Scheduler | Ensure that the --bind-address argument is set to 127.0.0.1 | β | Passed β / Failed β | Automated |
2.1 | etcd | Ensure that the --cert-file and --key-file arguments are set as appropriate | β | Passed β / Failed β | Automated |
2.2 | etcd | Ensure that the --client-cert-auth argument is set to true | β | Passed β / Failed β | Automated |
2.3 | etcd | Ensure that the --auto-tls argument is not set to true | β | Passed β / Failed β | Automated |
2.4 | etcd | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | β | Passed β / Failed β | Automated |
2.5 | etcd | Ensure that the --peer-client-cert-auth argument is set to true | β | Passed β / Failed β | Automated |
2.6 | etcd | Ensure that the --peer-auto-tls argument is not set to true | β | Passed β / Failed β | Automated |
2.7 | etcd | Ensure that a unique Certificate Authority is used for etcd | β | Passed β / Failed β | Manual |
3.1.1 | Authentication and Authorization | Client certificate authentication should not be used for users | β | Passed β / Failed β | Manual |
3.2.1 | Logging | Ensure that a minimal audit policy is created | β | Passed β / Failed β | Manual |
3.2.2 | Logging | Ensure that the audit policy covers key security concerns | β | Passed β / Failed β | Manual |
4.1.1 | Worker Node Configuration Files | Ensure that the kubelet service file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Automated |
4.1.10 | Worker Node Configuration Files | Ensure that the kubelet --config configuration file ownership is set to root:root | β | Passed β / Failed β | Automated |
4.1.2 | Worker Node Configuration Files | Ensure that the kubelet service file ownership is set to root:root | β | Passed β / Failed β | Automated |
4.1.3 | Worker Node Configuration Files | If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive | β | Passed β / Failed β | Manual |
4.1.4 | Worker Node Configuration Files | If proxy kubeconfig file exists ensure ownership is set to root:root | β | Passed β / Failed β | Manual |
4.1.5 | Worker Node Configuration Files | Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Automated |
4.1.6 | Worker Node Configuration Files | Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root | β | Passed β / Failed β | Automated |
4.1.7 | Worker Node Configuration Files | Ensure that the certificate authorities file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Manual |
4.1.8 | Worker Node Configuration Files | Ensure that the client certificate authorities file ownership is set to root:root | β | Passed β / Failed β | Manual |
4.1.9 | Worker Node Configuration Files | Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive | β | Passed β / Failed β | Automated |
4.2.1 | Kubelet | Ensure that the --anonymous-auth argument is set to false | β | Passed β / Failed β | Automated |
4.2.10 | Kubelet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | β | Passed β / Failed β | Manual |
4.2.11 | Kubelet | Ensure that the --rotate-certificates argument is not set to false | β | Passed β / Failed β | Automated |
4.2.12 | Kubelet | Verify that the RotateKubeletServerCertificate argument is set to true | β | Passed β / Failed β | Manual |
4.2.13 | Kubelet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | β | Passed β / Failed β | Manual |
4.2.2 | Kubelet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | β | Passed β / Failed β | Automated |
4.2.3 | Kubelet | Ensure that the --client-ca-file argument is set as appropriate | β | Passed β / Failed β | Automated |
4.2.4 | Kubelet | Verify that the --read-only-port argument is set to 0 | β | Passed β / Failed β | Manual |
4.2.5 | Kubelet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | β | Passed β / Failed β | Manual |
4.2.6 | Kubelet | Ensure that the --protect-kernel-defaults argument is set to true | β | Passed β / Failed β | Automated |
4.2.7 | Kubelet | Ensure that the --make-iptables-util-chains argument is set to true | β | Passed β / Failed β | Automated |
4.2.8 | Kubelet | Ensure that the --hostname-override argument is not set | β | Passed β / Failed β | Manual |
4.2.9 | Kubelet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | β | Passed β / Failed β | Manual |
5.1.1 | RBAC and Service Accounts | Ensure that the cluster-admin role is only used where required | β | Passed β / Failed β | Manual |
5.1.2 | RBAC and Service Accounts | Minimize access to secrets | β | Passed β / Failed β | Manual |
5.1.3 | RBAC and Service Accounts | Minimize wildcard use in Roles and ClusterRoles | β | Passed β / Failed β | Manual |
5.1.4 | RBAC and Service Accounts | Minimize access to create pods | β | Passed β / Failed β | Manual |
5.1.5 | RBAC and Service Accounts | Ensure that default service accounts are not actively used | β | Passed β / Failed β | Manual |
5.1.6 | RBAC and Service Accounts | Ensure that Service Account Tokens are only mounted where necessary | β | Passed β / Failed β | Manual |
5.1.7 | RBAC and Service Accounts | Avoid use of system:masters group | β | Passed β / Failed β | Manual |
5.1.8 | RBAC and Service Accounts | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster | β | Passed β / Failed β | Manual |
5.2.1 | Pod Security Standards | Ensure that the cluster has at least one active policy control mechanism in place | β | Passed β / Failed β | Manual |
5.2.10 | Pod Security Standards | Minimize the admission of containers with capabilities assigned | β | Passed β / Failed β | Manual |
5.2.11 | Pod Security Standards | Minimize the admission of Windows HostProcess Containers | β | Passed β / Failed β | Manual |
5.2.12 | Pod Security Standards | Minimize the admission of HostPath volumes | β | Passed β / Failed β | Manual |
5.2.13 | Pod Security Standards | Minimize the admission of containers which use HostPorts | β | Passed β / Failed β | Manual |
5.2.2 | Pod Security Standards | Minimize the admission of privileged containers | β | Passed β / Failed β | Manual |
5.2.3 | Pod Security Standards | Minimize the admission of containers wishing to share the host process ID namespace | β | Passed β / Failed β | Automated |
5.2.4 | Pod Security Standards | Minimize the admission of containers wishing to share the host IPC namespace | β | Passed β / Failed β | Automated |
5.2.5 | Pod Security Standards | Minimize the admission of containers wishing to share the host network namespace | β | Passed β / Failed β | Automated |
5.2.6 | Pod Security Standards | Minimize the admission of containers with allowPrivilegeEscalation | β | Passed β / Failed β | Automated |
5.2.7 | Pod Security Standards | Minimize the admission of root containers | β | Passed β / Failed β | Automated |
5.2.8 | Pod Security Standards | Minimize the admission of containers with the NET_RAW capability | β | Passed β / Failed β | Automated |
5.2.9 | Pod Security Standards | Minimize the admission of containers with added capabilities | β | Passed β / Failed β | Automated |
5.3.1 | Network Policies and CNI | Ensure that the CNI in use supports Network Policies | β | Passed β / Failed β | Manual |
5.3.2 | Network Policies and CNI | Ensure that all Namespaces have Network Policies defined | β | Passed β / Failed β | Manual |
5.4.1 | Secrets Management | Prefer using secrets as files over secrets as environment variables | β | Passed β / Failed β | Manual |
5.4.2 | Secrets Management | Consider external secret storage | β | Passed β / Failed β | Manual |
5.5.1 | Extensible Admission Control | Configure Image Provenance using ImagePolicyWebhook admission controller | β | Passed β / Failed β | Manual |
5.7.1 | General Policies | Create administrative boundaries between resources using namespaces | β | Passed β / Failed β | Manual |
5.7.2 | General Policies | Ensure that the seccomp profile is set to docker/default in your pod definitions | β | Passed β / Failed β | Manual |
5.7.3 | General Policies | Apply Security Context to Your Pods and Containers | β | Passed β / Failed β | Manual |
5.7.4 | General Policies | The default namespace should not be used | β | Passed β / Failed β | Manual |

## Amazon EKS CIS Benchmark

Rule Number | Section | Description | Status | Integration Tests | Type |
---|---|---|---|---|---|
2.1.1 | Logging | Enable audit Logs | β | Passed β / Failed β | Manual |
3.1.1 | Worker Node Configuration Files | Ensure that the kubeconfig file permissions are set to 644 or more restrictive | β | Passed β / Failed β | Manual |
3.1.2 | Worker Node Configuration Files | Ensure that the kubelet kubeconfig file ownership is set to root:root | β | Passed β / Failed β | Manual |
3.1.3 | Worker Node Configuration Files | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive | β | Passed β / Failed β | Manual |
3.1.4 | Worker Node Configuration Files | Ensure that the kubelet configuration file ownership is set to root:root | β | Passed β / Failed β | Manual |
3.2.1 | Kubelet | Ensure that the --anonymous-auth argument is set to false | β | Passed β / Failed β | Automated |
3.2.10 | Kubelet | Ensure that the --rotate-certificates argument is not set to false | β | Passed β / Failed β | Manual |
3.2.11 | Kubelet | Ensure that the RotateKubeletServerCertificate argument is set to true | β | Passed β / Failed β | Manual |
3.2.2 | Kubelet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | β | Passed β / Failed β | Automated |
3.2.3 | Kubelet | Ensure that the --client-ca-file argument is set as appropriate | β | Passed β / Failed β | Manual |
3.2.4 | Kubelet | Ensure that the --read-only-port is secured | β | Passed β / Failed β | Manual |
3.2.5 | Kubelet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | β | Passed β / Failed β | Manual |
3.2.6 | Kubelet | Ensure that the --protect-kernel-defaults argument is set to true | β | Passed β / Failed β | Automated |
3.2.7 | Kubelet | Ensure that the --make-iptables-util-chains argument is set to true | β | Passed β / Failed β | Automated |
3.2.8 | Kubelet | Ensure that the --hostname-override argument is not set | β | Passed β / Failed β | Manual |
3.2.9 | Kubelet | Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture | β | Passed β / Failed β | Automated |
4.1.1 | RBAC and Service Accounts | Ensure that the cluster-admin role is only used where required | β | Passed β / Failed β | Manual |
4.1.2 | RBAC and Service Accounts | Minimize access to secrets | β | Passed β / Failed β | Manual |
4.1.3 | RBAC and Service Accounts | Minimize wildcard use in Roles and ClusterRoles | β | Passed β / Failed β | Manual |
4.1.4 | RBAC and Service Accounts | Minimize access to create pods | β | Passed β / Failed β | Manual |
4.1.5 | RBAC and Service Accounts | Ensure that default service accounts are not actively used | β | Passed β / Failed β | Manual |
4.1.6 | RBAC and Service Accounts | Ensure that Service Account Tokens are only mounted where necessary | β | Passed β / Failed β | Manual |
4.2.1 | Pod Security Policies | Minimize the admission of privileged containers | β | Passed β / Failed β | Automated |
4.2.2 | Pod Security Policies | Minimize the admission of containers wishing to share the host process ID namespace | β | Passed β / Failed β | Automated |
4.2.3 | Pod Security Policies | Minimize the admission of containers wishing to share the host IPC namespace | β | Passed β / Failed β | Automated |
4.2.4 | Pod Security Policies | Minimize the admission of containers wishing to share the host network namespace | β | Passed β / Failed β | Automated |
4.2.5 | Pod Security Policies | Minimize the admission of containers with allowPrivilegeEscalation | β | Passed β / Failed β | Automated |
4.2.6 | Pod Security Policies | Minimize the admission of root containers | β | Passed β / Failed β | Automated |
4.2.7 | Pod Security Policies | Minimize the admission of containers with the NET_RAW capability | β | Passed β / Failed β | Automated |
4.2.8 | Pod Security Policies | Minimize the admission of containers with added capabilities | β | Passed β / Failed β | Automated |
4.2.9 | Pod Security Policies | Minimize the admission of containers with capabilities assigned | β | Passed β / Failed β | Manual |
4.3.1 | CNI Plugin | Ensure latest CNI version is used | β | Passed β / Failed β | Manual |
4.3.2 | CNI Plugin | Ensure that all Namespaces have Network Policies defined | β | Passed β / Failed β | Automated |
4.4.1 | Secrets Management | Prefer using secrets as files over secrets as environment variables | β | Passed β / Failed β | Manual |
4.4.2 | Secrets Management | Consider external secret storage | β | Passed β / Failed β | Manual |
4.5.1 | Extensible Admission Control | Configure Image Provenance using ImagePolicyWebhook admission controller | β | Passed β / Failed β | Manual |
4.6.1 | General Policies | Create administrative boundaries between resources using namespaces | β | Passed β / Failed β | Manual |
4.6.2 | General Policies | Apply Security Context to Your Pods and Containers | β | Passed β / Failed β | Manual |
4.6.3 | General Policies | The default namespace should not be used | β | Passed β / Failed β | Automated |
5.1.1 | Image Registry and Image Scanning | Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider | β | Passed β / Failed β | Manual |
5.1.2 | Image Registry and Image Scanning | Minimize user access to Amazon ECR | β | Passed β / Failed β | Manual |
5.1.3 | Image Registry and Image Scanning | Minimize cluster access to read-only for Amazon ECR | β | Passed β / Failed β | Manual |
5.1.4 | Image Registry and Image Scanning | Minimize Container Registries to only those approved | β | Passed β / Failed β | Manual |
5.2.1 | Identity and Access Management (IAM) | Prefer using dedicated EKS Service Accounts | β | Passed β / Failed β | Manual |
5.3.1 | AWS Key Management Service (KMS) | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS | β | Passed β / Failed β | Automated |
5.4.1 | Cluster Networking | Restrict Access to the Control Plane Endpoint | β | Passed β / Failed β | Manual |
5.4.2 | Cluster Networking | Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | β | Passed β / Failed β | Manual |
5.4.3 | Cluster Networking | Ensure clusters are created with Private Nodes | β | Passed β / Failed β | Manual |
5.4.4 | Cluster Networking | Ensure Network Policy is Enabled and set as appropriate | β | Passed β / Failed β | Manual |
5.4.5 | Cluster Networking | Encrypt traffic to HTTPS load balancers with TLS certificates | β | Passed β / Failed β | Manual |
5.5.1 | Authentication and Authorization | Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes | β | Passed β / Failed β | Manual |
5.6.1 | Other Cluster Configurations | Consider Fargate for running untrusted workloads | β | Passed β / Failed β | Manual |

## Amazon AWS CIS Benchmark

Rule Number | Section | Description | Status | Integration Tests | Type |
---|---|---|---|---|---|
1.1 | Identity and Access Management | Maintain current contact details | β | Passed β / Failed β | Manual |
1.10 | Identity and Access Management | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | β | Passed β / Failed β | Automated |
1.11 | Identity and Access Management | Do not setup access keys during initial user setup for all IAM users that have a console password | β | Passed β / Failed β | Automated |
1.12 | Identity and Access Management | Ensure credentials unused for 45 days or greater are disabled | β | Passed β / Failed β | Automated |
1.13 | Identity and Access Management | Ensure there is only one active access key available for any single IAM user | β | Passed β / Failed β | Automated |
1.14 | Identity and Access Management | Ensure access keys are rotated every 90 days or less | β | Passed β / Failed β | Automated |
1.15 | Identity and Access Management | Ensure IAM Users Receive Permissions Only Through Groups | β | Passed β / Failed β | Automated |
1.16 | Identity and Access Management | Ensure IAM policies that allow full `*:*` administrative privileges are not attached | β | Passed β / Failed β | Automated |
1.17 | Identity and Access Management | Ensure a support role has been created to manage incidents with AWS Support | β | Passed β / Failed β | Automated |
1.18 | Identity and Access Management | Ensure IAM instance roles are used for AWS resource access from instances | β | Passed β / Failed β | Manual |
1.19 | Identity and Access Management | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | β | Passed β / Failed β | Automated |
1.2 | Identity and Access Management | Ensure security contact information is registered | β | Passed β / Failed β | Manual |
1.20 | Identity and Access Management | Ensure that IAM Access analyzer is enabled for all regions | β | Passed β / Failed β | Automated |
1.21 | Identity and Access Management | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | β | Passed β / Failed β | Manual |
1.3 | Identity and Access Management | Ensure security questions are registered in the AWS account | β | Passed β / Failed β | Manual |
1.4 | Identity and Access Management | Ensure no 'root' user account access key exists | β | Passed β / Failed β | Automated |
1.5 | Identity and Access Management | Ensure MFA is enabled for the 'root' user account | β | Passed β / Failed β | Automated |
1.6 | Identity and Access Management | Ensure hardware MFA is enabled for the 'root' user account | β | Passed β / Failed β | Automated |
1.7 | Identity and Access Management | Eliminate use of the 'root' user for administrative and daily tasks | β | Passed β / Failed β | Automated |
1.8 | Identity and Access Management | Ensure IAM password policy requires minimum length of 14 or greater | β | Passed β / Failed β | Automated |
1.9 | Identity and Access Management | Ensure IAM password policy prevents password reuse | β | Passed β / Failed β | Automated |
2.1.1 | Simple Storage Service (S3) | Ensure all S3 buckets employ encryption-at-rest | β | Passed β / Failed β | Automated |
2.1.2 | Simple Storage Service (S3) | Ensure S3 Bucket Policy is set to deny HTTP requests | β | Passed β / Failed β | Automated |
2.1.3 | Simple Storage Service (S3) | Ensure MFA Delete is enabled on S3 buckets | β | Passed β / Failed β | Automated |
2.1.4 | Simple Storage Service (S3) | Ensure all data in Amazon S3 has been discovered, classified and secured when required | β | Passed β / Failed β | Manual |
2.1.5 | Simple Storage Service (S3) | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | β | Passed β / Failed β | Automated |
2.2.1 | Elastic Compute Cloud (EC2) | Ensure EBS Volume Encryption is Enabled in all Regions | β | Passed β / Failed β | Automated |
2.3.1 | Relational Database Service (RDS) | Ensure that encryption is enabled for RDS Instances | β | Passed β / Failed β | Automated |
2.3.2 | Relational Database Service (RDS) | Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances | β | Passed β / Failed β | Automated |
2.3.3 | Relational Database Service (RDS) | Ensure that public access is not given to RDS Instance | β | Passed β / Failed β | Automated |
2.4.1 | Elastic File System (EFS) | Ensure that encryption is enabled for EFS file systems | β | Passed β / Failed β | Manual |
3.1 | Logging | Ensure CloudTrail is enabled in all regions | β | Passed β / Failed β | Automated |
3.10 | Logging | Ensure that Object-level logging for write events is enabled for S3 bucket | β | Passed β / Failed β | Automated |
3.11 | Logging | Ensure that Object-level logging for read events is enabled for S3 bucket | β | Passed β / Failed β | Automated |
3.2 | Logging | Ensure CloudTrail log file validation is enabled | β | Passed β / Failed β | Automated |
3.3 | Logging | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | β | Passed β / Failed β | Automated |
3.4 | Logging | Ensure CloudTrail trails are integrated with CloudWatch Logs | β | Passed β / Failed β | Automated |
3.5 | Logging | Ensure AWS Config is enabled in all regions | β | Passed β / Failed β | Automated |
3.6 | Logging | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | β | Passed β / Failed β | Automated |
3.7 | Logging | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | β | Passed β / Failed β | Automated |
3.8 | Logging | Ensure rotation for customer created symmetric CMKs is enabled | β | Passed β / Failed β | Automated |
3.9 | Logging | Ensure VPC flow logging is enabled in all VPCs | β | Passed β / Failed β | Automated |
4.1 | Monitoring | Ensure a log metric filter and alarm exist for unauthorized API calls | β | Passed β / Failed β | Automated |
4.10 | Monitoring | Ensure a log metric filter and alarm exist for security group changes | β | Passed β / Failed β | Automated |
4.11 | Monitoring | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | β | Passed β / Failed β | Automated |
4.12 | Monitoring | Ensure a log metric filter and alarm exist for changes to network gateways | β | Passed β / Failed β | Automated |
4.13 | Monitoring | Ensure a log metric filter and alarm exist for route table changes | β | Passed β / Failed β | Automated |
4.14 | Monitoring | Ensure a log metric filter and alarm exist for VPC changes | β | Passed β / Failed β | Automated |
4.15 | Monitoring | Ensure a log metric filter and alarm exists for AWS Organizations changes | β | Passed β / Failed β | Automated |
4.16 | Monitoring | Ensure AWS Security Hub is enabled | β | Passed β / Failed β | Automated |
4.2 | Monitoring | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | β | Passed β / Failed β | Automated |
4.3 | Monitoring | Ensure a log metric filter and alarm exist for usage of 'root' account | β | Passed β / Failed β | Automated |
4.4 | Monitoring | Ensure a log metric filter and alarm exist for IAM policy changes | β | Passed β / Failed β | Automated |
4.5 | Monitoring | Ensure a log metric filter and alarm exist for CloudTrail configuration changes | β | Passed β / Failed β | Automated |
4.6 | Monitoring | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | β | Passed β / Failed β | Automated |
4.7 | Monitoring | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | β | Passed β / Failed β | Automated |
4.8 | Monitoring | Ensure a log metric filter and alarm exist for S3 bucket policy changes | β | Passed β / Failed β | Automated |
4.9 | Monitoring | Ensure a log metric filter and alarm exist for AWS Config configuration changes | β | Passed β / Failed β | Automated |
5.1 | Networking | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | β | Passed β / Failed β | Automated |
5.2 | Networking | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | β | Passed β / Failed β | Automated |
5.3 | Networking | Ensure no security groups allow ingress from ::/0 to remote server administration ports | β | Passed β / Failed β | Automated |
5.4 | Networking | Ensure the default security group of every VPC restricts all traffic | β | Passed β / Failed β | Automated |
5.5 | Networking | Ensure routing tables for VPC peering are "least access" | β | Passed β / Failed β | Manual |

Rule Number | Section | Description | Status | Integration Tests | Type |
---|---|---|---|---|---|
1.1 | Identity and Access Management | Ensure that Corporate Login Credentials are Used | β | Passed β / Failed β | Manual |
1.10 | Identity and Access Management | Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | β | Passed β / Failed β | Automated |
1.11 | Identity and Access Management | Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | β | Passed β / Failed β | Automated |
1.12 | Identity and Access Management | Ensure API Keys Only Exist for Active Services | β | Passed β / Failed β | Automated |
1.13 | Identity and Access Management | Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps | β | Passed β / Failed β | Manual |
1.14 | Identity and Access Management | Ensure API Keys Are Restricted to Only APIs That Application Needs Access To | β | Passed β / Failed β | Automated |
1.15 | Identity and Access Management | Ensure API Keys Are Rotated Every 90 Days | β | Passed β / Failed β | Automated |
1.16 | Identity and Access Management | Ensure Essential Contacts is Configured for Organization | β | Passed β / Failed β | Automated |
1.17 | Identity and Access Management | Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | β | Passed β / Failed β | Automated |
1.18 | Identity and Access Management | Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager | β | Passed β / Failed β | Manual |
1.2 | Identity and Access Management | Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | β | Passed β / Failed β | Manual |
1.3 | Identity and Access Management | Ensure that Security Key Enforcement is Enabled for All Admin Accounts | β | Passed β / Failed β | Manual |
1.4 | Identity and Access Management | Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account | β | Passed β / Failed β | Automated |
1.5 | Identity and Access Management | Ensure That Service Account Has No Admin Privileges | β | Passed β / Failed β | Automated |
1.6 | Identity and Access Management | Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | β | Passed β / Failed β | Automated |
1.7 | Identity and Access Management | Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | β | Passed β / Failed β | Automated |
1.8 | Identity and Access Management | Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | β | Passed β / Failed β | Automated |
1.9 | Identity and Access Management | Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible | β | Passed β / Failed β | Automated |
2.1 | Logging and Monitoring | Ensure That Cloud Audit Logging Is Configured Properly | β | Passed β / Failed β | Automated |
2.10 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | β | Passed β / Failed β | Automated |
2.11 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes | β | Passed β / Failed β | Automated |
2.12 | Logging and Monitoring | Ensure That Cloud DNS Logging Is Enabled for All VPC Networks | β | Passed β / Failed β | Automated |
2.13 | Logging and Monitoring | Ensure Cloud Asset Inventory Is Enabled | β | Passed β / Failed β | Automated |
2.14 | Logging and Monitoring | Ensure 'Access Transparency' is 'Enabled' | β | Passed β / Failed β | Manual |
2.15 | Logging and Monitoring | Ensure 'Access Approval' is 'Enabled' | β | Passed β / Failed β | Automated |
2.16 | Logging and Monitoring | Ensure Logging is enabled for HTTP(S) Load Balancer | β | Passed β / Failed β | Automated |
2.2 | Logging and Monitoring | Ensure That Sinks Are Configured for All Log Entries | β | Passed β / Failed β | Automated |
2.3 | Logging and Monitoring | Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | β | Passed β / Failed β | Automated |
2.4 | Logging and Monitoring | Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes | β | Passed β / Failed β | Automated |
2.5 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes | β | Passed β / Failed β | Automated |
2.6 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes | β | Passed β / Failed β | Automated |
2.7 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes | β | Passed β / Failed β | Automated |
2.8 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes | β | Passed β / Failed β | Automated |
2.9 | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes | β | Passed β / Failed β | Automated |
3.1 | Networking | Ensure That the Default Network Does Not Exist in a Project | β | Passed β / Failed β | Automated |
3.10 | Networking | Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses Is 'Allowed' | β | Passed β / Failed β | Manual |
3.2 | Networking | Ensure Legacy Networks Do Not Exist for Older Projects | β | Passed β / Failed β | Automated |
3.3 | Networking | Ensure That DNSSEC Is Enabled for Cloud DNS | β | Passed β / Failed β | Automated |
3.4 | Networking | Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | β | Passed β / Failed β | Automated |
3.5 | Networking | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | β | Passed β / Failed β | Automated |
3.6 | Networking | Ensure That SSH Access Is Restricted From the Internet | β | Passed β / Failed β | Automated |
3.7 | Networking | Ensure That RDP Access Is Restricted From the Internet | β | Passed β / Failed β | Automated |
3.8 | Networking | Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | β | Passed β / Failed β | Automated |
3.9 | Networking | Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites | β | Passed β / Failed β | Manual |
4.1 | Virtual Machines | Ensure That Instances Are Not Configured To Use the Default Service Account | β | Passed β / Failed β | Automated |
4.10 | Virtual Machines | Ensure That App Engine Applications Enforce HTTPS Connections | β | Passed β / Failed β | Manual |
4.11 | Virtual Machines | Ensure That Compute Instances Have Confidential Computing Enabled | β | Passed β / Failed β | Automated |
4.12 | Virtual Machines | Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects | β | Passed β / Failed β | Manual |
4.2 | Virtual Machines | Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | β | Passed β / Failed β | Automated |
4.3 | Virtual Machines | Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances | β | Passed β / Failed β | Automated |
4.4 | Virtual Machines | Ensure Oslogin Is Enabled for a Project | β | Passed β / Failed β | Automated |
4.5 | Virtual Machines | Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance | β | Passed β / Failed β | Automated |
4.6 | Virtual Machines | Ensure That IP Forwarding Is Not Enabled on Instances | β | Passed β / Failed β | Automated |
4.7 | Virtual Machines | Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | β | Passed β / Failed β | Automated |
4.8 | Virtual Machines | Ensure Compute Instances Are Launched With Shielded VM Enabled | β | Passed β / Failed β | Automated |
4.9 | Virtual Machines | Ensure That Compute Instances Do Not Have Public IP Addresses | β | Passed β / Failed β | Automated |
5.1 | Storage | Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible | β | Passed β / Failed β | Automated |
5.2 | Storage | Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled | β | Passed β / Failed β | Automated |
6.1.1 | MySQL Database | Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges | β | Passed β / Failed β | Manual |
6.1.2 | MySQL Database | Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' | β | Passed β / Failed β | Automated |
6.1.3 | MySQL Database | Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' | β | Passed β / Failed β | Automated |
6.2.1 | PostgreSQL Database | Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | β | Passed β / Failed β | Automated |
6.2.2 | PostgreSQL Database | Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | β | Passed β / Failed β | Automated |
6.2.3 | PostgreSQL Database | Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | β | Passed β / Failed β | Automated |
6.2.4 | PostgreSQL Database | Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately | β | Passed β / Failed β | Automated |
6.2.5 | PostgreSQL Database | Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' | β | Passed β / Failed β | Automated |
6.2.6 | PostgreSQL Database | Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter | β | Passed β / Failed β | Automated |
6.2.7 | PostgreSQL Database | Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled) | β | Passed β / Failed β | Automated |
6.2.8 | PostgreSQL Database | Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud SQL PostgreSQL Instance Is Set to 'on' For Centralized Logging | β | Passed β / Failed β | Automated |
6.2.9 | PostgreSQL Database | Ensure Instance IP assignment is set to private | β | Passed β / Failed β | Automated |
6.3.1 | SQL Server | Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' | β | Passed β / Failed β | Automated |
6.3.2 | SQL Server | Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' | β | Passed β / Failed β | Automated |
6.3.3 | SQL Server | Ensure 'user connections' Database Flag for Cloud SQL SQL Server Instance Is Set to a Non-limiting Value | β | Passed β / Failed β | Automated |
6.3.4 | SQL Server | Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured | β | Passed β / Failed β | Automated |
6.3.5 | SQL Server | Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' | β | Passed β / Failed β | Automated |
6.3.6 | SQL Server | Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' | β | Passed β / Failed β | Automated |
6.3.7 | SQL Server | Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' | β | Passed β / Failed β | Automated |
6.4 | Cloud SQL Database Services | Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL | β | Passed β / Failed β | Automated |
6.5 | Cloud SQL Database Services | Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses | β | Passed β / Failed β | Automated |
6.6 | Cloud SQL Database Services | Ensure That Cloud SQL Database Instances Do Not Have Public IPs | β | Passed β / Failed β | Automated |
6.7 | Cloud SQL Database Services | Ensure That Cloud SQL Database Instances Are Configured With Automated Backups | β | Passed β / Failed β | Automated |
7.1 | BigQuery | Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible | β | Passed β / Failed β | Automated |
7.2 | BigQuery | Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | β | Passed β / Failed β | Automated |
7.3 | BigQuery | Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets | β | Passed β / Failed β | Automated |

Rule Number | Section | Description | Status | Integration Tests | Type |
---|---|---|---|---|---|
1.1.1 | Security Defaults | Ensure Security Defaults is enabled on Azure Active Directory | β | Passed β / Failed β | Manual |
1.1.2 | Security Defaults | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | β | Passed β / Failed β | Manual |
1.1.3 | Security Defaults | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | β | Passed β / Failed β | Manual |
1.1.4 | Security Defaults | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled | β | Passed β / Failed β | Manual |
1.10 | Identity and Access Management | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | β | Passed β / Failed β | Manual |
1.11 | Identity and Access Management | Ensure User consent for applications is set to Do not allow user consent | β | Passed β / Failed β | Manual |
1.12 | Identity and Access Management | Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' | β | Passed β / Failed β | Manual |
1.13 | Identity and Access Management | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | β | Passed β / Failed β | Manual |
1.14 | Identity and Access Management | Ensure That 'Users Can Register Applications' Is Set to 'No' | β | Passed β / Failed β | Manual |
1.15 | Identity and Access Management | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | β | Passed β / Failed β | Manual |
1.16 | Identity and Access Management | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | β | Passed β / Failed β | Manual |
1.17 | Identity and Access Management | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | β | Passed β / Failed β | Manual |
1.18 | Identity and Access Management | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | β | Passed β / Failed β | Manual |
1.19 | Identity and Access Management | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | β | Passed β / Failed β | Manual |
1.2.1 | Conditional Access | Ensure Trusted Locations Are Defined | β | Passed β / Failed β | Manual |
1.2.2 | Conditional Access | Ensure that an exclusionary Geographic Access Policy is considered | β | Passed β / Failed β | Manual |
1.2.3 | Conditional Access | Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | β | Passed β / Failed β | Manual |
1.2.4 | Conditional Access | Ensure that A Multi-factor Authentication Policy Exists for All Users | β | Passed β / Failed β | Manual |
1.2.5 | Conditional Access | Ensure Multi-factor Authentication is Required for Risky Sign-ins | β | Passed β / Failed β | Manual |
1.2.6 | Conditional Access | Ensure Multi-factor Authentication is Required for Azure Management | β | Passed β / Failed β | Manual |
1.20 | Identity and Access Management | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | β | Passed β / Failed β | Manual |
1.21 | Identity and Access Management | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | β | Passed β / Failed β | Manual |
1.22 | Identity and Access Management | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | β | Passed β / Failed β | Manual |
1.23 | Identity and Access Management | Ensure That No Custom Subscription Administrator Roles Exist | β | Passed β / Failed β | Automated |
1.24 | Identity and Access Management | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | β | Passed β / Failed β | Manual |
1.25 | Identity and Access Management | Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' | β | Passed β / Failed β | Manual |
1.3 | Identity and Access Management | Ensure that 'Users can create Azure AD Tenants' is set to 'No' | β | Passed β / Failed β | Automated |
1.4 | Identity and Access Management | Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management | β | Passed β / Failed β | Manual |
1.5 | Identity and Access Management | Ensure Guest Users Are Reviewed on a Regular Basis | β | Passed β / Failed β | Manual |
1.6 | Identity and Access Management | Ensure That 'Number of methods required to reset' is set to '2' | β | Passed β / Failed β | Manual |
1.7 | Identity and Access Management | Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization | β | Passed β / Failed β | Manual |
1.8 | Identity and Access Management | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | β | Passed β / Failed β | Manual |
1.9 | Identity and Access Management | Ensure that 'Notify users on password resets?' is set to 'Yes' | β | Passed β / Failed β | Manual |
10.1 | Miscellaneous | Ensure that Resource Locks are set for Mission-Critical Azure Resources | β | Passed β / Failed β | Manual |
2.1.1 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Servers Is Set to 'On' | β | Passed β / Failed β | Manual |
2.1.10 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | β | Passed β / Failed β | Manual |
2.1.11 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for DNS Is Set To 'On' | β | Passed β / Failed β | Manual |
2.1.12 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | β | Passed β / Failed β | Manual |
2.1.13 | Microsoft Defender for Cloud | Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' | β | Passed β / Failed β | Manual |
2.1.14 | Microsoft Defender for Cloud | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | β | Passed β / Failed β | Manual |
2.1.15 | Microsoft Defender for Cloud | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | β | Passed β / Failed β | Automated |
2.1.16 | Microsoft Defender for Cloud | Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | β | Passed β / Failed β | Manual |
2.1.17 | Microsoft Defender for Cloud | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | β | Passed β / Failed β | Manual |
2.1.18 | Microsoft Defender for Cloud | Ensure That 'All users with the following roles' is set to 'Owner' | β | Passed β / Failed β | Automated |
2.1.19 | Microsoft Defender for Cloud | Ensure 'Additional email addresses' is Configured with a Security Contact Email | β | Passed β / Failed β | Automated |
2.1.2 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for App Services Is Set To 'On' | β | Passed β / Failed β | Manual |
2.1.20 | Microsoft Defender for Cloud | Ensure That 'Notify about alerts with the following severity' is Set to 'High' | β | Passed β / Failed β | Automated |
2.1.21 | Microsoft Defender for Cloud | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | β | Passed β / Failed β | Manual |
2.1.22 | Microsoft Defender for Cloud | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | β | Passed β / Failed β | Manual |
2.1.3 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Databases Is Set To 'On' | β | Passed β / Failed β | Manual |
2.1.4 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | β | Passed β / Failed β | Manual |
2.1.5 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | β | Passed β / Failed β | Manual |
2.1.6 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | β | Passed β / Failed β | Manual |
2.1.7 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Storage Is Set To 'On' | β | Passed β / Failed β | Manual |
2.1.8 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Containers Is Set To 'On' | β | Passed β / Failed β | Manual |
2.1.9 | Microsoft Defender for Cloud | Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' | β | Passed β / Failed β | Manual |
2.2.1 | Microsoft Defender for IoT | Ensure That Microsoft Defender for IoT Hub Is Set To 'On' | β | Passed β / Failed β | Manual |
3.1 | Storage Accounts | Ensure that 'Secure transfer required' is set to 'Enabled' | β | Passed β / Failed β | Automated |
3.10 | Storage Accounts | Ensure Private Endpoints are used to access Storage Accounts | β | Passed β / Failed β | Automated |
3.11 | Storage Accounts | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | β | Passed β / Failed β | Automated |
3.12 | Storage Accounts | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | β | Passed β / Failed β | Manual |
3.13 | Storage Accounts | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | β | Passed β / Failed β | Automated |
3.14 | Storage Accounts | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | β | Passed β / Failed β | Automated |
3.15 | Storage Accounts | Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | β | Passed β / Failed β | Automated |
3.2 | Storage Accounts | Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' | β | Passed β / Failed β | Automated |
3.3 | Storage Accounts | Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | β | Passed β / Failed β | Manual |
3.4 | Storage Accounts | Ensure that Storage Account Access Keys are Periodically Regenerated | β | Passed β / Failed β | Manual |
3.5 | Storage Accounts | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | β | Passed β / Failed β | Automated |
3.6 | Storage Accounts | Ensure that Shared Access Signature Tokens Expire Within an Hour | β | Passed β / Failed β | Manual |
3.7 | Storage Accounts | Ensure that 'Public access level' is disabled for storage accounts with blob containers | β | Passed β / Failed β | Automated |
3.8 | Storage Accounts | Ensure Default Network Access Rule for Storage Accounts is Set to Deny | β | Passed β / Failed β | Automated |
3.9 | Storage Accounts | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | β | Passed β / Failed β | Automated |
4.1.1 | SQL Server - Auditing | Ensure that 'Auditing' is set to 'On' | β | Passed β / Failed β | Automated |
4.1.2 | SQL Server - Auditing | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | β | Passed β / Failed β | Automated |
4.1.3 | SQL Server - Auditing | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | β | Passed β / Failed β | Automated |
4.1.4 | SQL Server - Auditing | Ensure that Azure Active Directory Admin is Configured for SQL Servers | β | Passed β / Failed β | Automated |
4.1.5 | SQL Server - Auditing | Ensure that 'Data encryption' is set to 'On' on a SQL Database | β | Passed β / Failed β | Automated |
4.1.6 | SQL Server - Auditing | Ensure that 'Auditing' Retention is 'greater than 90 days' | β | Passed β / Failed β | Automated |
4.2.1 | SQL Server - Microsoft Defender for SQL | Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | β | Passed β / Failed β | Automated |
4.2.2 | SQL Server - Microsoft Defender for SQL | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | β | Passed β / Failed β | Automated |
4.2.3 | SQL Server - Microsoft Defender for SQL | Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | β | Passed β / Failed β | Automated |
4.2.4 | SQL Server - Microsoft Defender for SQL | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | β | Passed β / Failed β | Automated |
4.2.5 | SQL Server - Microsoft Defender for SQL | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | β | Passed β / Failed β | Automated |
4.3.1 | PostgreSQL Database Server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | β | Passed β / Failed β | Automated |
4.3.2 | PostgreSQL Database Server | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | β | Passed β / Failed β | Automated |
4.3.3 | PostgreSQL Database Server | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | β | Passed β / Failed β | Automated |
4.3.4 | PostgreSQL Database Server | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | β | Passed β / Failed β | Automated |
4.3.5 | PostgreSQL Database Server | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | β | Passed β / Failed β | Automated |
4.3.6 | PostgreSQL Database Server | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | β | Passed β / Failed β | Automated |
4.3.7 | PostgreSQL Database Server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | β | Passed β / Failed β | Automated |
4.3.8 | PostgreSQL Database Server | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | β | Passed β / Failed β | Automated |
4.4.1 | MySQL Database | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | β | Passed β / Failed β | Automated |
4.4.2 | MySQL Database | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | β | Passed β / Failed β | Automated |
4.4.3 | MySQL Database | Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server | β | Passed β / Failed β | Manual |
4.4.4 | MySQL Database | Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server | β | Passed β / Failed β | Manual |
4.5.1 | Cosmos DB | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | β | Passed β / Failed β | Automated |
4.5.2 | Cosmos DB | Ensure That Private Endpoints Are Used Where Possible | β | Passed β / Failed β | Manual |
4.5.3 | Cosmos DB | Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible | β | Passed β / Failed β | Manual |
5.1.1 | Configuring Diagnostic Settings | Ensure that a 'Diagnostic Setting' exists | β | Passed β / Failed β | Manual |
5.1.2 | Configuring Diagnostic Settings | Ensure Diagnostic Setting captures appropriate categories | β | Passed β / Failed β | Automated |
5.1.3 | Configuring Diagnostic Settings | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | β | Passed β / Failed β | Automated |
5.1.4 | Configuring Diagnostic Settings | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | β | Passed β / Failed β | Automated |
5.1.5 | Configuring Diagnostic Settings | Ensure that logging for Azure Key Vault is 'Enabled' | β | Passed β / Failed β | Automated |
5.1.6 | Configuring Diagnostic Settings | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | β | Passed β / Failed β | Manual |
5.1.7 | Configuring Diagnostic Settings | Ensure that logging for Azure AppService 'HTTP logs' is enabled | β | Passed β / Failed β | Manual |
5.2.1 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Create Policy Assignment | β | Passed β / Failed β | Automated |
5.2.10 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Delete Public IP Address rule | β | Passed β / Failed β | Automated |
5.2.2 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Delete Policy Assignment | β | Passed β / Failed β | Automated |
5.2.3 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Create or Update Network Security Group | β | Passed β / Failed β | Automated |
5.2.4 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Delete Network Security Group | β | Passed β / Failed β | Automated |
5.2.5 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Create or Update Security Solution | β | Passed β / Failed β | Automated |
5.2.6 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Delete Security Solution | β | Passed β / Failed β | Automated |
5.2.7 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | β | Passed β / Failed β | Automated |
5.2.8 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | β | Passed β / Failed β | Automated |
5.2.9 | Monitoring using Activity Log Alerts | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | β | Passed β / Failed β | Automated |
5.3.1 | Configuring Application Insights | Ensure Application Insights are Configured | β | Passed β / Failed β | Automated |
5.4 | Logging and Monitoring | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | β | Passed β / Failed β | Manual |
5.5 | Logging and Monitoring | Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | β | Passed β / Failed β | Automated |
6.1 | Networking | Ensure that RDP access from the Internet is evaluated and restricted | β | Passed β / Failed β | Automated |
6.2 | Networking | Ensure that SSH access from the Internet is evaluated and restricted | β | Passed β / Failed β | Automated |
6.3 | Networking | Ensure that UDP access from the Internet is evaluated and restricted | β | Passed β / Failed β | Automated |
6.4 | Networking | Ensure that HTTP(S) access from the Internet is evaluated and restricted | β | Passed β / Failed β | Automated |
6.5 | Networking | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | β | Passed β / Failed β | Automated |
6.6 | Networking | Ensure that Network Watcher is 'Enabled' | β | Passed β / Failed β | Automated |
6.7 | Networking | Ensure that Public IP addresses are Evaluated on a Periodic Basis | β | Passed β / Failed β | Manual |
7.1 | Virtual Machines | Ensure an Azure Bastion Host Exists | β | Passed β / Failed β | Automated |
7.2 | Virtual Machines | Ensure Virtual Machines are utilizing Managed Disks | β | Passed β / Failed β | Automated |
7.3 | Virtual Machines | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | β | Passed β / Failed β | Automated |
7.4 | Virtual Machines | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | β | Passed β / Failed β | Automated |
7.5 | Virtual Machines | Ensure that Only Approved Extensions Are Installed | β | Passed β / Failed β | Manual |
7.6 | Virtual Machines | Ensure that Endpoint Protection for all Virtual Machines is installed | β | Passed β / Failed β | Manual |
7.7 | Virtual Machines | [Legacy] Ensure that VHDs are Encrypted | β | Passed β / Failed β | Manual |
8.1 | Key Vault | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | β | Passed β / Failed β | Automated |
8.2 | Key Vault | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults | β | Passed β / Failed β | Automated |
8.3 | Key Vault | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | β | Passed β / Failed β | Automated |
8.4 | Key Vault | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | β | Passed β / Failed β | Automated |
8.5 | Key Vault | Ensure the Key Vault is Recoverable | β | Passed β / Failed β | Automated |
8.6 | Key Vault | Enable Role Based Access Control for Azure Key Vault | β | Passed β / Failed β | Manual |
8.7 | Key Vault | Ensure that Private Endpoints are Used for Azure Key Vault | β | Passed β / Failed β | Manual |
8.8 | Key Vault | Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | β | Passed β / Failed β | Manual |
9.1 | AppService | Ensure App Service Authentication is set up for apps in Azure App Service | β | Passed β / Failed β | Automated |
9.10 | AppService | Ensure FTP deployments are Disabled | β | Passed β / Failed β | Automated |
9.11 | AppService | Ensure Azure Key Vaults are Used to Store Secrets | β | Passed β / Failed β | Manual |
9.2 | AppService | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | β | Passed β / Failed β | Automated |
9.3 | AppService | Ensure Web App is using the latest version of TLS encryption | β | Passed β / Failed β | Automated |
9.4 | AppService | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | β | Passed β / Failed β | Automated |
9.5 | AppService | Ensure that Register with Azure Active Directory is enabled on App Service | β | Passed β / Failed β | Automated |
9.6 | AppService | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | β | Passed β / Failed β | Manual |
9.7 | AppService | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | β | Passed β / Failed β | Manual |
9.8 | AppService | Ensure that 'Java version' is the latest, if used to run the Web App | β | Passed β / Failed β | Manual |
9.9 | AppService | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | β | Passed β / Failed β | Automated |