| 🛡️ [LEGACY] Azure Virtual Machine VHDs are not encrypted🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS Account Alternate Contact Information is not current🔴🟢⚪ | | 🔴 x1, 🟢 x2, ⚪ x1 |
| 🛡️ AWS Account Config is not enabled in all regions🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Account EBS Volume Encryption Attribute is not enabled in all regions🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Account IAM Access Analyzer is not enabled for all regions🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Account IAM Password Policy minimum password length is 14 characters or less🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Account IAM Password Policy Number of passwords to remember is not set to 24🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Account Multi-Region CloudTrail is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Account Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Account Primary Contact Information is not current🔴🟢⚪ | | 🔴 x1, 🟢 x2, ⚪ x1 |
| 🛡️ AWS Account Root User credentials were used is the last 30 days🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Account Root User has active access keys🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Account Root User Hardware MFA is not enabled.🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS Account Root User MFA is not enabled.🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Account Security Hub is not enabled🟢 | 1 | 🟠 x1, 🟢 x5 |
| 🛡️ AWS ACM Certificate expires in the next 7 days🟢 | 1 | 🟢 x6 |
| 🛡️ AWS ACM Certificate Expired🟢 | 1 | 🟢 x6 |
| 🛡️ AWS ACM Certificate with Wildcard Domain Name🟢 | 1 | 🟢 x6 |
| 🛡️ AWS ACM RSA Certificate key length is less than 2048 bits🟢 | 1 | 🟢 x6 |
| 🛡️ AWS API Gateway API Access Logging in CloudWatch is not enabled🟢 | 1 | 🟠 x1, 🟢 x5 |
| 🛡️ AWS API Gateway API Execution Logging in CloudWatch is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS API Gateway API Route Authorization Type is not configured🟢 | 1 | 🟢 x6 |
| 🛡️ AWS API Gateway REST API Stage is not associated with a WAF Web ACL🟢 | 1 | 🟢 x6 |
| 🛡️ AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication🟢 | 1 | 🟢 x6 |
| 🛡️ AWS API Gateway REST API Stage X-Ray Tracing is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Athena Workgroup CloudWatch Metrics are not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Backup Recovery Point is expired and failed to delete🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Backup Vault contains unencrypted Recovery Points🟢 | 1 | 🟢 x6 |
| 🛡️ AWS CloudFront Distribution Logging is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic🟢 | 1 | 🟢 x6 |
| 🛡️ AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins🟢 | 1 | 🟢 x6 |
| 🛡️ AWS CloudFront Web Distribution Default Root Object is not configured🟢 | 1 | 🟢 x6 |
| 🛡️ AWS CloudFront Web Distribution uses default SSL/TLS certificate🟢 | 1 | 🟢 x6 |
| 🛡️ AWS CloudFront Web Distribution uses Dedicated IP for SSL🟢 | 1 | 🟢 x6 |
| 🛡️ AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins🟢 | 1 | 🟢 x6 |
| 🛡️ AWS CloudTrail AWS Organizations Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Config Configuration Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Configuration Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Disable CMK or Schedule CMK Deletion Events Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail is not encrypted with KMS CMK🟢 | 1 | 🟢 x6 |
| 🛡️ AWS CloudTrail IAM Policy Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Log File Validation is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS CloudTrail Management Console Authentication Failures Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Management Console Sign-In without MFA Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Network Access Control Lists Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Network Gateways Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Root Account Usage Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Route Table Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail S3 Bucket Access Logging is not enabled.🟢 | 1 | 🟢 x6 |
| 🛡️ AWS CloudTrail S3 Bucket Policy Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Security Group Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail Unauthorized API Calls Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CloudTrail VPC Changes Monitoring is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS CodeBuild Project Bitbucket Source Location URL contains credentials🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Connect Instance flow logs are not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Data Sync Task logging is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS DAX Cluster Server-Side Encryption is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS DMS Endpoint doesn't use SSL🟢 | 1 | 🟢 x6 |
| 🛡️ AWS DMS Migration Task Logging is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS DMS Replication Instance Auto Minor Version Upgrade is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS DMS Replication Instance is publicly accessible🟢 | 1 | 🟢 x6 |
| 🛡️ AWS DynamoDB Provisioned Table Auto Scaling is not configured🟢 | 1 | 🟢 x6 |
| 🛡️ AWS DynamoDB Table Point In Time Recovery is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EBS Attached Volume is not encrypted🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EBS Snapshot is publicly accessible🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Auto Scaling Group and Classic Load Balancer AZs are inconsistent🟠🟢 | 1 | 🟠 x1, 🟢 x6 |
| 🛡️ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Auto Scaling Group behind ELB doesn't use ELB health check🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Auto Scaling Group uses Launch Configuration instead of Launch Template🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Default Security Group does not restrict all traffic🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Instance Detailed Monitoring is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Instance is idle🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Instance is overutilized🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Instance is underutilized🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Instance IAM role is not attached🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Instance IMDSv2 is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Instance Should Have Breeze Agent Installed🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Instance uses paravirtual Virtualization Type🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Instance with an auto-assigned public IP address is in a default subnet🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Instance without a public IP address is in a public subnet🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted DNS traffic🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted FTP traffic🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted ICMP traffic🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted NetBIOS traffic🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted RPC traffic🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted traffic to all ports🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted traffic to MongoDB🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EC2 Security Group allows unrestricted Telnet traffic🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EFS File System encryption is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EKS Cluster allows unrestricted public traffic🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EKS Cluster has node IAM role with AmazonEKS_CNI_Policy attached🔴🟢 | 1 | 🔴 x1, 🟢 x6 |
| 🛡️ AWS EKS Cluster IAM OIDC provider is not created🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EKS Cluster Logging is not enabled for all control plane logs types🟢 | 1 | 🟢 x6 |
| 🛡️ AWS EKS Cluster Should Have Breeze Agent Installed🟢 | 1 | 🟢 x6 |
| 🛡️ AWS IAM AWSCloudShellFullAccess Policy is attached🟢 | 1 | 🟢 x6 |
| 🛡️ AWS IAM Policy allows full administrative privileges🟢 | 1 | 🟢 x6 |
| 🛡️ AWS IAM Role unused🟢 | 1 | 🟢 x6 |
| 🛡️ AWS IAM Server Certificate is expired🟢 | 1 | 🟢 x6 |
| 🛡️ AWS IAM User Access Keys are not rotated every 90 days or less🟢 | 1 | 🟢 x6 |
| 🛡️ AWS IAM User has inline or directly attached policies🟢 | 1 | 🟠 x1, 🟢 x5 |
| 🛡️ AWS IAM User has more than one active access key🟢 | 1 | 🟢 x6 |
| 🛡️ AWS IAM User is not managed centrally in multi-account environments🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS IAM User MFA is not enabled for all users with console password🟢 | 1 | 🟢 x6 |
| 🛡️ AWS IAM User with console and programmatic access set during the initial creation🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS IAM User with credentials unused for 45 days or more is not disabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS KMS Symmetric CMK Rotation is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS RDS Aurora Cluster access is not consistent🟢 | 1 | 🟢 x6 |
| 🛡️ AWS RDS Instance Auto Minor Version Upgrade is not enabled🟠🟢 | 1 | 🟠 x1, 🟢 x6 |
| 🛡️ AWS RDS Instance Encryption is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS RDS Instance is publicly accessible and in an unrestricted public subnet🟢 | 1 | 🟢 x6 |
| 🛡️ AWS RDS Instance Multi-AZ Deployment is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS RDS Instance uses default endpoint port🟢 | 1 | 🟢 x6 |
| 🛡️ AWS RDS Snapshot is publicly accessible🟢 | 1 | 🟢 x6 |
| 🛡️ AWS S3 Bucket is not configured to block public access🟢 | 1 | 🟢 x6 |
| 🛡️ AWS S3 Bucket Lifecycle Configuration is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS S3 Bucket MFA Delete is not enabled🟠🟢 | 1 | 🟠 x1, 🟢 x6 |
| 🛡️ AWS S3 Bucket Object Lock is not enabled🟠🟢 | 1 | 🟠 x1, 🟢 x6 |
| 🛡️ AWS S3 Bucket Policy is not set to deny HTTP requests🟢 | 1 | 🟢 x6 |
| 🛡️ AWS S3 Bucket sensitive data is not discovered, classified, and secured🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS S3 Bucket Server Access Logging is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS S3 Bucket Versioning is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS Support Role is not created🟢 | 1 | 🟢 x6 |
| 🛡️ AWS VPC Flow Logs are not enabled🟢 | 1 | 🟠 x1, 🟢 x5 |
| 🛡️ AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service🟢 | 1 | 🟢 x6 |
| 🛡️ AWS VPC Network ACL exposes admin ports to public internet ports🟢 | 1 | 🟢 x6 |
| 🛡️ AWS VPC Network ACL is unused🟢 | 1 | 🟢 x6 |
| 🛡️ AWS VPC Route Table for VPC Peering does not follow the least privilege principle🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ AWS VPC Subnet Map Public IP On Launch is enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS VPC Transit Gateway Auto Accept Shared Attachments is enabled🟢 | 1 | 🟢 x6 |
| 🛡️ AWS VPC VPN Connection does not have both Tunnels up🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Active Directory Device Should Have Breeze Agent Installed🟢 | 1 | 🟢 x6 |
| 🛡️ Azure AKS Cluster Should Have Breeze Agent Installed🟢 | 1 | 🟢 x6 |
| 🛡️ Azure App Service Authentication is disabled and Basic Authentication is enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure App Service Basic Authentication is enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure App Service does not run the latest HTTP version🟢 | 1 | 🟢 x6 |
| 🛡️ Azure App Service does not run the latest Java version🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure App Service does not run the latest PHP version🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure App Service does not run the latest Python version🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure App Service does not use Azure Key Vaults to store secrets🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure App Service FTP deployments are not disabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure App Service HTTPS Only configuration is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure App Service is not registered with Microsoft Entra ID🟢 | 1 | 🟢 x6 |
| 🛡️ Azure App Service Minimum TLS Version is not set to TLS 1.2 or higher🟢 | 1 | 🟢 x6 |
| 🛡️ Azure App Service Plan has no Apps assigned🟢 | 1 | 🟢 x6 |
| 🛡️ Azure App Service Remote Debugging is not disabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Cosmos DB Account has zero Total Request Units🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Cosmos DB Account Private Endpoints are not used🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Cosmos DB Account Virtual Network Filter is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Cosmos DB Entra ID Client Authentication is not used🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks Diagnostic Log Delivery is not configured🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks network security groups are not configured🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks Personal Access Tokens (PATs) are not restricted and expirable🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks users and groups are not synced from Microsoft Entra ID🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks Unity Catalog is not configured🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Databricks Workspace is not deployed in a customer-managed virtual network (VNet)🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Databricks Workspace is not encrypted using customer-managed key (CMK)🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Databricks Workspace traffic is not encrypted between cluster worker nodes🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Diagnostic Setting exists for Subscription Activity Logs🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Diagnostic Setting for Azure AppService HTTP logs is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Diagnostic Setting for Azure Key Vault is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Diagnostic Setting is not enabled for all services that support it🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Key Vault Automatic Key Rotation is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Key Vault Managed HSM is not used whenever required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Key Vault Private Endpoints are not used🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Key Vault Public Network Access when using Private Endpoint is enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Key Vault Role Based Access Control is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Key Vault Soft Delete and Purge Protection functions are not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Managed Disk Data Access Auth Mode is not set to Azure Active Directory🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Managed Disk is not attached to any Virtual Machine🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Managed Disk Public Network Access is not disabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Managed Disk Snapshot is 90 days old or more🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Managed Disk Snapshot is stored on Premium SSDs Managed Disk storage🟢 | 1 | 🟢 x6 |
| 🛡️ Azure MySQL Flexible Server audit_log_enabled Parameter is not set to ON🟢 | 1 | 🟢 x6 |
| 🛡️ Azure MySQL Flexible Server audit_log_events Parameter is not set with the CONNECTION event🟢 | 1 | 🟢 x6 |
| 🛡️ Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON🟢 | 1 | 🟢 x6 |
| 🛡️ Azure MySQL Flexible Server TLS Version is not set to TLS 1.2🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to all ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to CIFS port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to DNS port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to FTP ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to HTTP(S) ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to MongoDB ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to MSSQL port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to MySQL port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to NetBIOS ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to Oracle DBMS ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to PostgreSQL port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to RDP port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to RPC port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to SMTP port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to SSH port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public access to Telnet port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group allows public UDP access🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Network Security Group Flow Logs retention period is less than 90 days🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Non-RBAC Key Vault stores Keys without expiration date🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Non-RBAC Key Vault stores Secrets without expiration date🟢 | 1 | 🟢 x6 |
| 🛡️ Azure PostgreSQL Flexible Server connection_throttle.enable Parameter is not set to ON🟢 | 1 | 🟢 x6 |
| 🛡️ Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services🟢 | 1 | 🟢 x6 |
| 🛡️ Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON🟢 | 1 | 🟢 x6 |
| 🛡️ Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days🟢 | 1 | 🟢 x6 |
| 🛡️ Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON🟢 | 1 | 🟢 x6 |
| 🛡️ Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure PostgreSQL Single Server log_connections Parameter is not set to ON🟢 | 1 | 🟢 x6 |
| 🛡️ Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Privileged Role Assignments are not periodically reviewed🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Public IP Address is not associated with any resource🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Public IP Addresses are not evaluated periodically🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure RBAC Key Vault stores Keys without expiration date🟢 | 1 | 🟢 x6 |
| 🛡️ Azure RBAC Key Vault stores Secrets without expiration date🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Resource Lock is not enabled for mission-critical resources🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP)🟢 | 1 | 🟢 x6 |
| 🛡️ Azure SQL Database Transparent Data Encryption is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure SQL Server Auditing is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure SQL Server Auditing Retention is less than 90 days🟢 | 1 | 🟢 x6 |
| 🛡️ Azure SQL Server Microsoft Entra authentication is not configured🟢 | 1 | 🟢 x6 |
| 🛡️ Azure SQL Server Public Network Access is not disabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure SQL Server Transparent Data Encryption Protector is not encrypted with Customer-managed key🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Access Key Rotation Reminders are not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Account Access Keys are not regenerated periodically🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Account Allow Blob Anonymous Access is enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Blob Service Versioning is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Cross Tenant Replication is enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Default Network Access Rule is not set to Deny🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Default To OAuth Authentication is not set to Yes🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Minimum TLS Version is not set to TLS 1.2 or higher🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Private Endpoints are not used🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Public Network Access is not disabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Require Infrastructure Encryption is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Secure Transfer Required is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Shared Access Signature Tokens do not expire within 1 hour🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Account Shared Key Access is not disabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account Trusted Azure Services are not enabled as networking exceptions🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account uses Delete lock🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Account uses Locally Redundant Storage replication option🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Account uses ReadOnly lock🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Account With Critical Data is not encrypted with customer managed key🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Storage Blob Containers Soft Delete is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage File Shares SMB Channel Encryption is not set to AES-256-GCM or higher🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage File Shares SMB Protocol Version is not set to SMB 3.1.1 or higher🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage File Shares Soft Delete is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Storage Table Logging is not enabled for Read, Write, and Delete requests🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Activity Log Alert for Create or Update Network Security Group does not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Activity Log Alert for Create or Update Public IP Address Rule does not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Activity Log Alert for Create or Update Security Solution does not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Activity Log Alert for Create Policy Assignment does not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Activity Log Alert for Delete Network Security Group does not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Activity Log Alert for Delete Policy Assignment does not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Activity Log Alert for Delete Public IP Address Rule does not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Activity Log Alert for Delete Security Solution does not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Activity Log Alert for Delete SQL Server Firewall Rule does not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Activity Log Alert for Service Health does not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Application Insights are not configured🟢 | 1 | 🟠 x1, 🟢 x5 |
| 🛡️ Azure Subscription Bastion Host does not exist🟢 | 1 | 🟠 x1, 🟢 x5 |
| 🛡️ Azure Subscription Custom Subscription Administrator Roles exist🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Integration With Microsoft Defender For Cloud Apps is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Integration With Microsoft Defender For Endpoint is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Leaving Microsoft Entra ID Directory and Subscription Entering Microsoft Entra ID Directory is not set to Permit No One🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Subscription Log Analytics Agent is not auto provisioned🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Microsoft Defender For App Services is not set to On🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Microsoft Defender For Azure Cosmos DB is not set to On🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Microsoft Defender For Containers is not set to On🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Microsoft Defender For IoT Hub is not set to On🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Subscription Microsoft Defender For Key Vault is not set to On🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Microsoft Defender For Open-Source Relational Databases is not set to On🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Microsoft Defender For Resource Manager is not set to On🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Microsoft Defender For Servers is not set to On🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Microsoft Defender For Storage is not set to On🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Network Watcher is not enabled in every available region🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Resource Lock Administrator Custom Role does not exist🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Subscription Resources Basic SKU is used for production workloads🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Subscription Security Alert Notifications additional email address is not configured🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Security Alert Notifications for alerts with High or Critical severity are not configured🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Security Alert Notifications for attack path with Critical severity are not configured🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Subscription Security Alert Notifications to subscription owners are not configured🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Subscription Vulnerability Assessment is not auto provisioned🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Unattached Managed Disk is not encrypted with Customer-managed key🟢 | 1 | 🟢 x6 |
| 🛡️ Azure User Access Administrator Role has assignments🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to all ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to CIFS port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to DNS port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to FTP ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to HTTP(S) ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to MongoDB ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to MSSQL port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to MySQL port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to NetBIOS ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to Oracle DBMS ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to PostgreSQL port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to RDP port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to RPC port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to SMTP port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to SSH port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public access to Telnet port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine allows public UDP access🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine Endpoint Protection is not installed🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Virtual Machine is idle🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine is not utilizing Managed Disks🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine is overutilized🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine is underutilized🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine Should Have Breeze Agent Installed🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine Trusted Launch is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Machine Unapproved Extensions are installed🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Virtual Network Flow Logs are not captured and sent to Log Analytics Workspace🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Azure Virtual Network Flow Logs retention period is less than 90 days🟢 | 1 | 🟢 x6 |
| 🛡️ Azure Virtual Network Gateway has no connections🟢 | 1 | 🟠 x1, 🟢 x5 |
| 🛡️ Azure VM Scale Set Instance allows public access to all ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to CIFS port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to DNS port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to FTP ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to HTTP(S) ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to MongoDB ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to MSSQL port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to MySQL port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to NetBIOS ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to Oracle DBMS ports🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to PostgreSQL port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to RDP port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to RPC port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to SMTP port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to SSH port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public access to Telnet port🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance allows public UDP access🟢 | 1 | 🟢 x6 |
| 🛡️ Azure VM Scale Set Instance Should Have Breeze Agent Installed🟢 | 1 | 🟢 x6 |
| 🛡️ Consumer Google Accounts are used🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google Access Approval is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google Accounts are not configured with MFA🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google App Engine Application HTTPS Connection is not enforced🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google API Key is not restricted for unspecified hosts and apps🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google API Key is not restricted for unused APIs🟢 | 1 | 🟢 x6 |
| 🛡️ Google API Key is not rotated every 90 days🟢 | 1 | 🟢 x6 |
| 🛡️ Google BigQuery Dataset is anonymously or publicly accessible🟢 | 1 | 🟢 x6 |
| 🛡️ Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK)🟢 | 1 | 🟢 x6 |
| 🛡️ Google BigQuery Sensitive Data Protection is not in use🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK)🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud Access Transparency is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google Cloud Asset Inventory API is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud Audit Logging is not configured properly🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud DNS Managed Zone DNSSEC is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud Function Environment Variables store confidential data🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google Cloud MySQL Instance allows anyone to connect with administrative privileges🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google Cloud MySQL Instance Local_infile Database Flag is not set to off🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on🟢 | 1 | 🟢 x6 |
🛡️ Google Cloud PostgreSQL Instance Log_error_verbosity Database Flag is not set to DEFAULT or stricter🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud PostgreSQL Instance cloudsql.enable_pgaudit Database Flag is not set to on🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud PostgreSQL Instance Log_connections Database Flag is not set to On🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud PostgreSQL Instance Log_disconnections Database Flag is not set to On🟢 | 1 | 🟢 x6 |
🛡️ Google Cloud PostgreSQL Instance Log_min_duration_statement Database Flag is not set to -1 (Disabled)🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud PostgreSQL Instance Log_min_error_statement Database Flag is not set to Error or stricter🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud PostgreSQL Instance Log_min_messages Database Flag is not set at minimum to Warning🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud PostgreSQL Instance Log_statement Database Flag is not set appropriately🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud SQL Instance Automated Backups are not configured🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud SQL Instance has public IP addresses🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud SQL Instance SSL Connections are not enforced🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud SQL Server Instance contained database authentication Database Flag is set to on🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud SQL Server Instance external scripts enabled Database Flag is not set to off🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud SQL Server Instance remote access Database Flag is not set to off🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value🟢 | 1 | 🟢 x6 |
| 🛡️ Google Cloud SQL Server Instance user options Database Flag is configured🟢 | 1 | 🟢 x6 |
| 🛡️ Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK)🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Instance Block Project-Wide SSH Keys is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Instance Confidential Compute is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Instance doesn't have the latest operating system updates installed🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google GCE Instance Enable Connecting to Serial Ports is not disabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Instance has a public IP address🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Instance is configured to use the Default Service Account🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Instance is launched without Shielded VM enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Instance IP Forwarding is not disabled.🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Instance OS Login is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Instance Should Have Breeze Agent Installed🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Network DNS Policy Logging is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Network has Firewall Rules which allow unrestricted RDP access from the Internet🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet🟢 | 1 | 🟢 x6 |
| 🛡️ Google GCE Subnetwork Flow Logs are not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google HTTP(S) Load Balancer Logging is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google IAM Roles related to KMS are not assigned to separate users🟢 | 1 | 🟢 x6 |
| 🛡️ Google IAM Service Account has admin privileges🟢 | 1 | 🟢 x6 |
| 🛡️ Google IAM Service Account has User-Managed Keys🟢 | 1 | 🟢 x6 |
| 🛡️ Google IAM Service Account User-Managed Key is not rotated every 90 days🟢 | 1 | 🟢 x6 |
| 🛡️ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level🟢 | 1 | 🟢 x6 |
| 🛡️ Google Identity Aware Proxy (IAP) is not used to enforce access controls🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google KMS Crypto Key is anonymously or publicly accessible🟠🟢⚪ | | 🟠 x1, 🟢 x2, ⚪ x1 |
| 🛡️ Google KMS Crypto Key is not rotated every 90 days🟢 | 1 | 🟢 x6 |
| 🛡️ Google Logging Log Metric Filter and Alerts Cloud Storage IAM Permission Changes do not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Google Logging Log Metric Filter and Alerts for Audit Configuration Changes do not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Google Logging Log Metric Filter and Alerts for Custom Role Changes do not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Google Logging Log Metric Filter and Alerts for Project Ownership Assignments Changes do not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Google Logging Log Metric Filter and Alerts for SQL Instance Configuration Changes do not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Google Logging Log Metric Filter and Alerts for VPC Network Changes do not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Google Logging Log Metric Filter and Alerts for VPC Network Firewall Rule Changes do not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Google Logging Log Metric Filter and Alerts for VPC Network Route Changes do not exist🟢 | 1 | 🟢 x6 |
| 🛡️ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock🟢 | 1 | 🟢 x6 |
| 🛡️ Google Logging Log Sink for All Log Entries is not configured🟢 | 1 | 🟢 x6 |
| 🛡️ Google Organization Administrator Security Key Enforcement is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Google Organization Essential Contacts is not configured🟢 | 1 | 🟢 x6 |
| 🛡️ Google Project has a default network🟢 | 1 | 🟢 x6 |
| 🛡️ Google Project has a legacy network🟢 | 1 | 🟢 x6 |
| 🛡️ Google Project has API Keys🟢 | 1 | 🟠 x1, 🟢 x5 |
| 🛡️ Google Storage Bucket is anonymously or publicly accessible🟢 | 1 | 🟢 x6 |
| 🛡️ Google Storage Bucket Uniform Bucket-Level Access is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Google User has both Service Account Admin and Service Account User roles assigned🟢 | 1 | 🟢 x6 |
| 🛡️ Intune logs are not captured and sent to Log Analytics🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Cloud Security Benchmark policies are disabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender Agentless Container Vulnerability Assessment Component is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender Agentless Discovery for Kubernetes Component is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender Agentless Scanning for Machines Component is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender External Attack Surface Monitoring (EASM) is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender File Integrity Monitoring Component is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Defender Recommendations for Apply System Updates are not completed🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Account Lockout Duration is not set 60 seconds or more🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Account Lockout Threshold is not set to 10 or less🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Admin accounts are not used for daily operations🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Allow Users To Remember MFA On Devices They Trust is enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Conditional Access By Location is not defined🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Custom Banned Password List is not enforced🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Default User Role can create tenants🟢 | 1 | 🟢 x6 |
| 🛡️ Microsoft Entra ID Device Code Authentication Flow is not restricted🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Diagnostic Setting does not capture Microsoft Entra activity logs🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Diagnostic Setting does not capture Microsoft Graph activity logs🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Global Administrator Role assigned to more than 4 users🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Guest Invite Settings is not set to Only Users Assigned To Specific Admin Roles Can Invite Guest Users🟢 | 1 | 🟢 x6 |
| 🛡️ Microsoft Entra ID Guest Users are not reviewed on a regular basis🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Guest Users restricted to their own directory objects🟢 | 1 | 🟢 x6 |
| 🛡️ Microsoft Entra ID MFA For Administrators is not required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID MFA For All Users is not required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID MFA For Risky Sign-Ins is not required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID MFA For Windows Azure Service Management API is not required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID MFA to access Microsoft Admin Portals is not required🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Named Locations are not defined🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Owners Can Manage Group Membership Requests In The Access Panel is set to Yes🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Remember MFA devices setting is disabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Require MFA To Register Or Join Devices With Microsoft Entra ID is set to No🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Restrict User Ability To Access Groups Features In The Access Pane is set to No🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Security Defaults are not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Consent For Applications is not set to Allow From Verified Publishers🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Consent For Applications is not set to Do Not Allow User Consent🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Multi-Factor Auth Status is not enabled🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Notify All Admins When Other Admins Reset Their Password is set No🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Notify Users On Password Resets is set to No🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Reconfirm Authentication Information is set to 0🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Self-Service Password Reset does not require 2 authentication methods🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID User Settings Restrict Access To Microsoft Entra Admin Center is set to No🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Users Can Create Microsoft 365 Groups In Azure Portals, API Or PowerShell is set to Yes🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Users Can Create Security Groups In Azure Portals, API Or PowerShell is set to Yes🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Microsoft Entra ID Users Can Register Applications is set to Yes🟢 | 1 | 🟢 x6 |
| 🛡️ Network Security Group Flow Logs are not captured and sent to Log Analytics Workspace🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Physical Server Should Have Breeze Agent Installed🟢 | 1 | 🟢 x6 |
| 🛡️ Privileged Azure Virtual Machine is accessed by identities without MFA🟢⚪ | | 🟢 x2, ⚪ x1 |
| 🛡️ Snowflake User Default Role is ACCOUNTADMIN🟢 | 1 | 🟢 x6 |
| 🛡️ Snowflake User Default Role is not set🟢 | 1 | 🟢 x6 |
| 🛡️ Snowflake User MFA is not enabled🟢 | 1 | 🟢 x6 |
| 🛡️ Snowflake User password is not rotated every 90 days🟢 | 1 | 🟢 x6 |
| 🛡️ vCenter Virtual Machine Should Have Breeze Agent Installed🟢 | 1 | 🟢 x6 |