| AWS Account IAM Access Analyzer is not enabled for all regions | 1 | π’ x6 |
| AWS API Gateway API Route Authorization Type is not configured | 1 | π’ x6 |
| AWS EC2 Default Security Group does not restrict all traffic | 1 | π’ x6 |
| AWS EC2 Instance IAM role is not attached | 1 | π’ x6 |
| AWS EC2 Instance IMDSv2 is not enabled | 1 | π’ x6 |
| AWS RDS Aurora Cluster access is not consistent | 1 | π’ x6 |
| AWS VPC Route Table for VPC Peering does not follow the least privilege principle | | π’ x3 |
| Azure App Service Authentication is disabled and Basic Authentication is enabled | 1 | π’ x6 |
| Azure App Service Basic Authentication is enabled | | π’ x3 |
| Azure App Service is not registered with Microsoft Entra ID | 1 | π’ x6 |
| Azure Cosmos DB Account Private Endpoints are not used | 1 | π’ x6 |
| Azure Cosmos DB Entra ID Client Authentication is not used | | π’ x3 |
| Azure Key Vault Private Endpoints are not used | 1 | π’ x6 |
| Azure Key Vault Role Based Access Control is not enabled | 1 | π’ x6 |
| Azure Managed Disk Data Access Auth Mode is not set to Azure Active Directory | 1 | π’ x6 |
| Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services | 1 | π’ x6 |
| Azure SQL Server Microsoft Entra authentication is not configured | 1 | π’ x6 |
| Azure Storage Account Access Key Rotation Reminders are not enabled | | π’ x3 |
| Azure Storage Account Access Keys are not regenerated periodically | | π’ x3 |
| Azure Storage Account Private Endpoints are not used | 1 | π’ x6 |
| Azure Storage Account Shared Access Signature Tokens do not expire within 1 hour | | π’ x3 |
| Azure Storage Account Trusted Azure Services are not enabled as networking exceptions | 1 | π’ x6 |
| Azure Subscription Bastion Host does not exist | 1 | π x1, π’ x5 |
| Google Access Approval is not enabled | 1 | π’ x6 |
| Google Cloud Function Environment Variables store confidential data | | π’ x3 |
| Google Cloud MySQL Instance allows anyone to connect with administrative privileges | | π’ x3 |
| Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on | 1 | π’ x6 |
| Google Cloud SQL Instance SSL Connections are not enforced | 1 | π’ x6 |
| Google Cloud SQL Server Instance contained database authentication Database Flag is set to on | 1 | π’ x6 |
| Google Cloud SQL Server Instance remote access Database Flag is not set to off | 1 | π’ x6 |
| Google Cloud SQL Server Instance user options Database Flag is configured | 1 | π’ x6 |
| Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key | 1 | π’ x6 |
| Google GCE Instance Block Project-Wide SSH Keys is not enabled | 1 | π’ x6 |
| Google GCE Instance Enable Connecting to Serial Ports is not disabled | 1 | π’ x6 |
| Google GCE Instance is configured to use the Default Service Account | 1 | π’ x6 |
| Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs | 1 | π’ x6 |
| Google GCE Instance IP Forwarding is not disabled. | 1 | π’ x6 |
| Google GCE Instance OS Login is not enabled | 1 | π’ x6 |
| Google GCE Network has Firewall Rules which allow unrestricted RDP access from the Internet | 1 | π’ x6 |
| Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet | 1 | π’ x6 |
| Google Identity Aware Proxy (IAP) is not used to enforce access controls | | π’ x3 |
| Google Project has a default network | 1 | π’ x6 |
| Google Storage Bucket Uniform Bucket-Level Access is not enabled | 1 | π’ x6 |