| 🛡️ [LEGACY] Azure Virtual Machine VHDs are not encrypted🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS Account Alternate Contact Information is not current🔴🟢⚪ | | 🔴 x1, 🟢 x2, ⚪ x1 |
| 🛡️ AWS Account Primary Contact Information is not current🔴🟢⚪ | | 🔴 x1, 🟢 x2, ⚪ x1 |
| 🛡️ AWS Account Root User Hardware MFA is not enabled.🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail AWS Organizations Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Config Configuration Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Configuration Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Disable CMK or Schedule CMK Deletion Events Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail IAM Policy Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Management Console Authentication Failures Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Management Console Sign-In without MFA Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Network Access Control Lists Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Network Gateways Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Root Account Usage Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Route Table Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail S3 Bucket Policy Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Security Group Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Unauthorized API Calls Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail VPC Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS IAM User is not managed centrally in multi-account environments🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS IAM User with console and programmatic access set during the initial creation🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS S3 Bucket sensitive data is not discovered, classified, and secured🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS VPC Route Table for VPC Peering does not follow the least privilege principle🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure App Service Basic Authentication is enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure App Service does not run the latest Java version🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure App Service does not run the latest PHP version🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure App Service does not run the latest Python version🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure App Service does not use Azure Key Vaults to store secrets🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Cosmos DB Entra ID Client Authentication is not used🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks Diagnostic Log Delivery is not configured🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks network security groups are not configured🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks Personal Access Tokens (PATs) are not restricted and expirable🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks users and groups are not synced from Microsoft Entra ID🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks Unity Catalog is not configured🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks Workspace traffic is not encrypted between cluster worker nodes🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Diagnostic Setting exists for Subscription Activity Logs🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Diagnostic Setting for Azure AppService HTTP logs is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Diagnostic Setting for Azure Key Vault is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Diagnostic Setting is not enabled for all services that support it🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Key Vault Managed HSM is not used whenever required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Privileged Role Assignments are not periodically reviewed🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Public IP Addresses are not evaluated periodically🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Resource Lock is not enabled for mission-critical resources🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Account Access Key Rotation Reminders are not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Account Access Keys are not regenerated periodically🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Account Shared Access Signature Tokens do not expire within 1 hour🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Account uses Delete lock🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Account uses ReadOnly lock🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Account With Critical Data is not encrypted with customer managed key🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Subscription Leaving Microsoft Entra ID Directory and Subscription Entering Microsoft Entra ID Directory is not set to Permit No One🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Subscription Microsoft Defender For IoT Hub is not set to On🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Subscription Resource Lock Administrator Custom Role does not exist🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Subscription Resources Basic SKU is used for production workloads🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Subscription Security Alert Notifications for attack path with Critical severity are not configured🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Subscription Vulnerability Assessment is not auto provisioned🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Virtual Machine Endpoint Protection is not installed🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Virtual Machine Unapproved Extensions are installed🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Virtual Network Flow Logs are not captured and sent to Log Analytics Workspace🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Consumer Google Accounts are used🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google Accounts are not configured with MFA🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google App Engine Application HTTPS Connection is not enforced🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google API Key is not restricted for unspecified hosts and apps🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google BigQuery Sensitive Data Protection is not in use🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google Cloud Access Transparency is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google Cloud Function Environment Variables store confidential data🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google Cloud MySQL Instance allows anyone to connect with administrative privileges🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google GCE Instance doesn't have the latest operating system updates installed🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google Identity Aware Proxy (IAP) is not used to enforce access controls🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google KMS Crypto Key is anonymously or publicly accessible🟠🟢⚪ | | 🟠 x1, 🟢 x2, ⚪ x1 |
| 🛡️ Google Organization Administrator Security Key Enforcement is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Intune logs are not captured and sent to Log Analytics🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Cloud Security Benchmark policies are disabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender Agentless Container Vulnerability Assessment Component is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender Agentless Discovery for Kubernetes Component is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender Agentless Scanning for Machines Component is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender External Attack Surface Monitoring (EASM) is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender File Integrity Monitoring Component is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender Recommendations for Apply System Updates are not completed🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Account Lockout Duration is not set 60 seconds or more🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Account Lockout Threshold is not set to 10 or less🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Admin accounts are not used for daily operations🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Allow Users To Remember MFA On Devices They Trust is enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Conditional Access By Location is not defined🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Custom Banned Password List is not enforced🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Device Code Authentication Flow is not restricted🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Diagnostic Setting does not capture Microsoft Entra activity logs🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Diagnostic Setting does not capture Microsoft Graph activity logs🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Global Administrator Role assigned to more than 4 users🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Guest Users are not reviewed on a regular basis🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID MFA For Administrators is not required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID MFA For All Users is not required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID MFA For Risky Sign-Ins is not required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID MFA For Windows Azure Service Management API is not required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID MFA to access Microsoft Admin Portals is not required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Named Locations are not defined🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Owners Can Manage Group Membership Requests In The Access Panel is set to Yes🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Remember MFA devices setting is disabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Require MFA To Register Or Join Devices With Microsoft Entra ID is set to No🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Restrict User Ability To Access Groups Features In The Access Pane is set to No🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Security Defaults are not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Consent For Applications is not set to Allow From Verified Publishers🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Consent For Applications is not set to Do Not Allow User Consent🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Multi-Factor Auth Status is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Notify All Admins When Other Admins Reset Their Password is set No🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Notify Users On Password Resets is set to No🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Reconfirm Authentication Information is set to 0🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Self-Service Password Reset does not require 2 authentication methods🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Settings Restrict Access To Microsoft Entra Admin Center is set to No🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Users Can Create Microsoft 365 Groups In Azure Portals, API Or PowerShell is set to Yes🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Users Can Create Security Groups In Azure Portals, API Or PowerShell is set to Yes🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Network Security Group Flow Logs are not captured and sent to Log Analytics Workspace🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Privileged Azure Virtual Machine is accessed by identities without MFA🟢⚪ | | 🟢 x2, ⚪ x1 |