|   | RULE | SERVICE GROUP |
|---|------|---------------|
| M | Wildcard principal has been specified in access policy | ElasticSearch |
| M | Wildcard principal specified in REST API access policy | API Gateway (REST APIs) |
| M | Windows Defender ATP (WDATP) integration in Security Center is disabled | Security Center |
| M | Windows VM scale set encryption at host is disabled | Compute |
| M | Workspaces is assigned public IP | WorkSpaces |
| M | X-ray tracing is disabled for Lambda function | Lambda |
| L | AKS cluster Network Policy feature is disabled | Container |
| L | App Service mutual TLS is disabled | App Service (Web Apps) |
| L | Cloud SQL for MySQL allows all users to see database names | Cloud SQL |
| L | Compute firewall allows open egress | Compute Engine |
| L | Container has no CPU limit | Deployment |
| L | Container is running with custom hosts file configuration | Deployment |
| L | Container is running with custom SELinux options | Deployment |
| L | Container is running with shared mount propagation | Deployment |
| L | Container is running without memory limit | Deployment |
| L | EC2 instance is not associated with IAM role and instance profile | EC2 |
| L | ECS container definition mounts volumes with mount propagation set to "shared" | ECS |
| L | ECS task definition does not set CPU limit for containers | ECS |
| L | GKE Alias IP disabled | Kubernetes (Container) Engine |
| L | GKE cluster labels are missing | Kubernetes (Container) Engine |
| L | GKE Node Pool auto repair is disabled | Kubernetes (Container) Engine |
| L | GKE Node Pool auto upgrade disabled | Kubernetes (Container) Engine |
| L | GKE Node pool does not use a container-optimized OS | Kubernetes (Container) Engine |
| L | GKE PodSecurityPolicy controller is disabled | Kubernetes (Container) Engine |
| L | GKE Shield is disabled | Kubernetes (Container) Engine |
| L | IAM policies allow broad list actions on S3 buckets | IAM |
| L | IAM role attached to instance profile allows broad list actions on S3 buckets | EC2 |
| L | Instance IP assignment is not set to private | Compute Engine |
| L | OS Login is disabled on instance | Compute Engine |
| L | Pod spec 'automountServiceAccountToken' should be set to 'false' | Service |