Kubernetes
| SEVERITY | RULE | SERVICE GROUP |
|---|---|---|
| H | Container is running in privileged mode | Deployment |
| H | Container is running with Docker socket mount | Deployment |
| H | Network policy does not restrict egress destinations | Deployment |
| H | Policy allows `privileged` containers | Deployment |
| H | Policy does not restrict ingress sources | Network Policy |
| H | Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries | Role |
| H | Service is using an external IP | Service |
| H | The built-in "cluster-admin" role is used | Deployment |
| M | Container could be running with outdated image | Container |
| M | Container does not drop all default capabilities | Deployment |
| M | Container is exposing SSH port | Deployment |
| M | Container is running in host's IPC namespace | Deployment |
| M | Container is running in host's network namespace | Deployment |
| M | Container is running in host's PID namespace | Deployment |
| M | Container is running with host path mount | Container |
| M | Container is running with multiple open ports | Container |
| M | Container is running with SYS_ADMIN capability | Deployment |
| M | Container is running with writable root filesystem | Deployment |
| M | Container is running without AppArmor profile | Container |
| M | Container is running without liveness probe | Container |
| M | Container is running without privilege escalation control | Deployment |
| M | Container is running without root user control | Deployment |
| M | Container's UID could clash with host's UID | Container |
| M | Pod is running with added capabilities | Deployment |
| M | Pod stores secrets in environment variables | Service |
| M | Pods and containers should apply a security context | Kubernetes (Container) Engine |
| M | Pods should not run containers with the NET_RAW capability | Container |
| M | Policy allows all capabilities | Pod Security Policy |
| M | Policy allows any apparmor profile | Deployment |
| M | Policy allows insecure seccomp profiles | Deployment |