| π AWS Account Config is not enabled in all regions π’ | 1 | π’ x6 |
| π AWS Account IAM Access Analyzer is not enabled for all regions π’ | 1 | π’ x6 |
| π AWS Account Multi-Region CloudTrail is not enabled π’ | 1 | π’ x6 |
| π AWS Account Security Hub is not enabled π’ | 1 | π x1, π’ x5 |
| π AWS API Gateway API Access Logging in CloudWatch is not enabled π’ | 1 | π x1, π’ x5 |
| π AWS API Gateway API Execution Logging in CloudWatch is not enabled π’ | 1 | π’ x6 |
| π AWS API Gateway API Route Authorization Type is not configured π’ | 1 | π’ x6 |
| π AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication π’ | 1 | π’ x6 |
| π AWS API Gateway REST API Stage X-Ray Tracing is not enabled π’ | 1 | π’ x6 |
| π AWS CloudFront Distribution Logging is not enabled π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution uses default SSL/TLS certificate π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution uses Dedicated IP for SSL π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins π’ | 1 | π’ x6 |
| π AWS CloudTrail AWS Organizations Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Config Configuration Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Configuration Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Disable CMK or Schedule CMK Deletion Events Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail IAM Policy Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Log File Validation is not enabled π’ | 1 | π’ x6 |
| π AWS CloudTrail Management Console Authentication Failures Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Management Console Sign-In without MFA Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Network Access Control Lists Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Network Gateways Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Root Account Usage Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Route Table Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail S3 Bucket Access Logging is not enabled. π’ | 1 | π’ x6 |
| π AWS CloudTrail S3 Bucket Policy Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Security Group Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Unauthorized API Calls Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail VPC Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS DMS Endpoint doesn't use SSL π’ | 1 | π’ x6 |
| π AWS DMS Migration Task Logging is not enabled π’ | 1 | π’ x6 |
| π AWS DMS Replication Instance Auto Minor Version Upgrade is not enabled π’ | 1 | π’ x6 |
| π AWS DMS Replication Instance is publicly accessible π’ | 1 | π’ x6 |
| π AWS EBS Snapshot is publicly accessible π’ | 1 | π’ x6 |
| π AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances π’ | 1 | π’ x6 |
| π AWS EC2 Auto Scaling Group behind ELB doesn't use ELB health check π’ | 1 | π’ x6 |
| π AWS EC2 Default Security Group does not restrict all traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted CIFS traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted FTP traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted RPC traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted SMTP traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to MSSQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to MySQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to PostgreSQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted Telnet traffic π’ | 1 | π’ x6 |
| π AWS EKS Cluster Logging is not enabled for all control plane logs types π’ | 1 | π’ x6 |
| π AWS RDS Instance Auto Minor Version Upgrade is not enabled π π’ | 1 | π x1, π’ x6 |
| π AWS RDS Instance is publicly accessible and in an unrestricted public subnet π’ | 1 | π’ x6 |
| π AWS RDS Instance uses default endpoint port π’ | 1 | π’ x6 |
| π AWS RDS Snapshot is publicly accessible π’ | 1 | π’ x6 |
| π AWS S3 Bucket is not configured to block public access π’ | 1 | π’ x6 |
| π AWS S3 Bucket Policy is not set to deny HTTP requests π’ | 1 | π’ x6 |
| π AWS S3 Bucket Server Access Logging is not enabled π’ | 1 | π’ x6 |
| π AWS VPC Flow Logs are not enabled π’ | 1 | π x1, π’ x5 |
| π Azure App Service Authentication is disabled and Basic Authentication is enabled π’ | 1 | π’ x6 |
| π Azure App Service Basic Authentication is enabled π’ | | π’ x3 |
| π Azure App Service does not run the latest Java version π’ | | π’ x3 |
| π Azure App Service does not run the latest PHP version π’ | | π’ x3 |
| π Azure App Service does not run the latest Python version π’ | | π’ x3 |
| π Azure App Service FTP deployments are not disabled π’ | 1 | π’ x6 |
| π Azure App Service HTTPS Only configuration is not enabled π’ | 1 | π’ x6 |
| π Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories π’ | 1 | π’ x6 |
| π Azure Diagnostic Setting for Azure Key Vault is not enabled π’ | | π’ x3 |
| π Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure Network Security Group Flow Logs retention period is less than 90 days π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server connection_throttle.enable Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server log_connections Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure SQL Server Auditing is not enabled π’ | 1 | π’ x6 |
| π Azure SQL Server Auditing Retention is less than 90 days π’ | 1 | π’ x6 |
| π Azure Storage Account Secure Transfer Required is not enabled π’ | 1 | π’ x6 |
| π Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests π’ | 1 | π’ x6 |
| π Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create or Update Network Security Group does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create or Update Security Solution does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create Policy Assignment does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete Network Security Group does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete Policy Assignment does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete Security Solution does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete SQL Server Firewall Rule does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For App Services is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Containers is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Key Vault is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Servers is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Storage is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Network Watcher is not enabled in every available region π’ | 1 | π’ x6 |
| π Azure Subscription Security Alert Notifications additional email address is not configured π’ | 1 | π’ x6 |
| π Azure Subscription Security Alert Notifications for alerts with High or Critical severity are not configured π’ | 1 | π’ x6 |
| π Azure Subscription Security Alert Notifications to subscription owners are not configured π’ | 1 | π’ x6 |
| π Google BigQuery Dataset is anonymously or publicly accessible π’ | 1 | π’ x6 |
| π Google Cloud Audit Logging is not configured properly π’ | 1 | π’ x6 |
| π Google Cloud DNS Managed Zone DNSSEC is not enabled π’ | 1 | π’ x6 |
| π Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1 π’ | 1 | π’ x6 |
| π Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1 π’ | 1 | π’ x6 |
| π Google Cloud MySQL Instance Local_infile Database Flag is not set to off π’ | 1 | π’ x6 |
π Google Cloud PostgreSQL Instance Log_error_verbosity Database Flag is not set to DEFAULT or stricter π’ | 1 | π’ x6 |
| π Google Cloud PostgreSQL Instance Log_connections Database Flag is not set to On π’ | 1 | π’ x6 |
| π Google Cloud PostgreSQL Instance Log_disconnections Database Flag is not set to On π’ | 1 | π’ x6 |
| π Google Cloud PostgreSQL Instance Log_min_error_statement Database Flag is not set to Error or stricter π’ | 1 | π’ x6 |
| π Google Cloud PostgreSQL Instance Log_min_messages Database Flag is not set at minimum to Warning π’ | 1 | π’ x6 |
| π Google Cloud PostgreSQL Instance Log_statement Database Flag is not set appropriately π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance external scripts enabled Database Flag is not set to off π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance remote access Database Flag is not set to off π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance user options Database Flag is configured π’ | 1 | π’ x6 |
| π Google GCE Instance Enable Connecting to Serial Ports is not disabled π’ | 1 | π’ x6 |
| π Google GCE Subnetwork Flow Logs are not enabled π’ | 1 | π’ x6 |
| π Google HTTP(S) Load Balancer Logging is not enabled π’ | 1 | π’ x6 |
| π Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites π’ | | π’ x3 |
| π Google Logging Log Metric Filter and Alerts for Audit Configuration Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for Custom Role Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for Project Ownership Assignments Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for SQL Instance Configuration Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for VPC Network Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for VPC Network Firewall Rule Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for VPC Network Route Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Sink for All Log Entries is not configured π’ | 1 | π’ x6 |
| π Google Project has a default network π’ | 1 | π’ x6 |
| π Google Project has a legacy network π’ | 1 | π’ x6 |
| π Google Storage Bucket is anonymously or publicly accessible π’ | 1 | π’ x6 |