Cloud Security Rules

RULE	SERVICE GROUP
H BigQuery dataset is publicly accessible	BigQuery
H Compute instance uses the default service account	Compute Engine
H DNS managed zone DNSSEC zone-signing keys should not use RSASHA1	Cloud DNS
H Encryption key is exposed in instance template configuration	Compute Engine
H GKE client certificate auth is enabled	Kubernetes (Container) Engine
H GKE control plane is publicly accessible	Container
H In transit encryption is disabled for Memory store instances	Redis
H KMS key is openly accessible	Cloud Key Management Service
H Legacy ABAC is enabled	Kubernetes (Container) Engine
H Memory store has Redis AUTH disabled	Redis
H Sensitive certificate key material is stored in state file	Secrets Manager
H Unrestricted RDP access	Compute Engine
M At least one project-level logging sink does not contain an empty filter	Monitor
M Backend service is not enforcing HTTPS	Compute Engine
M Backend service logging is disabled	Compute Engine
M Cloud IAM not configured for CloudSQL instance	Cloud SQL
M Cloud SQL instance is publicly accessible	Cloud SQL
M Cloud Storage bucket is publicly accessible	Cloud Storage
M Compute firewall allows unrestricted SSH access	Compute Engine
M Compute instance uses the default service account with full access to all Cloud APIs	Compute Engine
M DNS managed zone DNSSEC key-signing keys should not use RSASHA1	Cloud DNS
M GCP App Engine Firewall Rule allows public access	Network
M GCP Compute Firewall allows public access	Network
M GKE cluster might be publicly exposed	Kubernetes (Container) Engine
M GKE legacy endpoint enabled	Container
M GKE PodSecurityPolicy controller is disabled	Kubernetes (Container) Engine
M GKE Workload Identity is disabled	Container
M IAM default audit log config does not include 'DATA_READ' and 'DATA_WRITE' log types	IAM
M IAM default audit log config should not exempt any users	Monitor
M IAM user has privileged roles at project level	IAM

AWS

Azure

Google

Kubernetes