| 📝 AWS Account Config is not enabled in all regions 🟢 | 1 | 🟢 x6 |
| 📝 AWS Account IAM Access Analyzer is not enabled for all regions 🟢 | 1 | 🟢 x6 |
| 📝 AWS Account Multi-Region CloudTrail is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS Account Security Hub is not enabled 🟢 | 1 | 🟠 x1, 🟢 x5 |
| 📝 AWS API Gateway API Access Logging in CloudWatch is not enabled 🟢 | 1 | 🟠 x1, 🟢 x5 |
| 📝 AWS API Gateway API Execution Logging in CloudWatch is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS API Gateway API Route Authorization Type is not configured 🟢 | 1 | 🟢 x6 |
| 📝 AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication 🟢 | 1 | 🟢 x6 |
| 📝 AWS API Gateway REST API Stage X-Ray Tracing is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudFront Distribution Logging is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudFront Web Distribution uses default SSL/TLS certificate 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudFront Web Distribution uses Dedicated IP for SSL 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudTrail AWS Organizations Changes Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail Config Configuration Changes Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail Configuration Changes Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail Disable CMK or Schedule CMK Deletion Events Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail IAM Policy Changes Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail Log File Validation is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudTrail Management Console Authentication Failures Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail Management Console Sign-In without MFA Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail Network Access Control Lists Changes Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail Network Gateways Changes Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail Root Account Usage Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail Route Table Changes Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail S3 Bucket Access Logging is not enabled. 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudTrail S3 Bucket Policy Changes Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail Security Group Changes Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail Unauthorized API Calls Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS CloudTrail VPC Changes Monitoring is not enabled 🟢 | | 🟢 x3 |
| 📝 AWS DMS Endpoint doesn't use SSL 🟢 | 1 | 🟢 x6 |
| 📝 AWS DMS Migration Task Logging is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS DMS Replication Instance Auto Minor Version Upgrade is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS DMS Replication Instance is publicly accessible 🟢 | 1 | 🟢 x6 |
| 📝 AWS EBS Snapshot is publicly accessible 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Auto Scaling Group behind ELB doesn't use ELB health check 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Default Security Group does not restrict all traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Instance with an auto-assigned public IP address is in a default subnet 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted CIFS traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted FTP traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted RPC traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted SMTP traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted traffic to MySQL 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted Telnet traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EKS Cluster Logging is not enabled for all control plane logs types 🟢 | 1 | 🟢 x6 |
| 📝 AWS RDS Instance Auto Minor Version Upgrade is not enabled 🟠🟢 | 1 | 🟠 x1, 🟢 x6 |
| 📝 AWS RDS Instance is publicly accessible and in an unrestricted public subnet 🟢 | 1 | 🟢 x6 |
| 📝 AWS RDS Instance uses default endpoint port 🟢 | 1 | 🟢 x6 |
| 📝 AWS RDS Snapshot is publicly accessible 🟢 | 1 | 🟢 x6 |
| 📝 AWS S3 Bucket is not configured to block public access 🟢 | 1 | 🟢 x6 |
| 📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢 | 1 | 🟢 x6 |
| 📝 AWS S3 Bucket Server Access Logging is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS VPC Flow Logs are not enabled 🟢 | 1 | 🟠 x1, 🟢 x5 |
| 📝 AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service 🟢 | 1 | 🟢 x6 |
| 📝 AWS VPC Subnet Map Public IP On Launch is enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure App Service Authentication is disabled and Basic Authentication is enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure App Service Basic Authentication is enabled 🟢 | | 🟢 x3 |
| 📝 Azure App Service does not run the latest Java version 🟢 | | 🟢 x3 |
| 📝 Azure App Service does not run the latest PHP version 🟢 | | 🟢 x3 |
| 📝 Azure App Service does not run the latest Python version 🟢 | | 🟢 x3 |
| 📝 Azure App Service FTP deployments are not disabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure App Service HTTPS Only configuration is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories 🟢 | 1 | 🟢 x6 |
| 📝 Azure Diagnostic Setting for Azure Key Vault is not enabled 🟢 | | 🟢 x3 |
| 📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON 🟢 | 1 | 🟢 x6 |
| 📝 Azure Network Security Group Flow Logs retention period is less than 90 days 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Flexible Server connection_throttle.enable Parameter is not set to ON 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Single Server log_connections Parameter is not set to ON 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON 🟢 | 1 | 🟢 x6 |
| 📝 Azure SQL Server Auditing is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure SQL Server Auditing Retention is less than 90 days 🟢 | 1 | 🟢 x6 |
| 📝 Azure Storage Account Secure Transfer Required is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests 🟢 | 1 | 🟢 x6 |
| 📝 Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Activity Log Alert for Create or Update Network Security Group does not exist 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Activity Log Alert for Create or Update Security Solution does not exist 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Activity Log Alert for Create Policy Assignment does not exist 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Activity Log Alert for Delete Network Security Group does not exist 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Activity Log Alert for Delete Policy Assignment does not exist 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Activity Log Alert for Delete Security Solution does not exist 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Activity Log Alert for Delete SQL Server Firewall Rule does not exist 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For App Services is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For Containers is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For Key Vault is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For Servers is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For Storage is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Network Watcher is not enabled in every available region 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Security Alert Notifications additional email address is not configured 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Security Alert Notifications for alerts with High or Critical severity are not configured 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Security Alert Notifications to subscription owners are not configured 🟢 | 1 | 🟢 x6 |
| 📝 Google BigQuery Dataset is anonymously or publicly accessible 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud Audit Logging is not configured properly 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud DNS Managed Zone DNSSEC is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud MySQL Instance Local_infile Database Flag is not set to off 🟢 | 1 | 🟢 x6 |
📝 Google Cloud PostgreSQL Instance Log_error_verbosity Database Flag is not set to DEFAULT or stricter 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud PostgreSQL Instance Log_connections Database Flag is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud PostgreSQL Instance Log_disconnections Database Flag is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud PostgreSQL Instance Log_min_error_statement Database Flag is not set to Error or stricter 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud PostgreSQL Instance Log_min_messages Database Flag is not set at minimum to Warning 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud PostgreSQL Instance Log_statement Database Flag is not set appropriately 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud SQL Server Instance external scripts enabled Database Flag is not set to off 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud SQL Server Instance remote access Database Flag is not set to off 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud SQL Server Instance user options Database Flag is configured 🟢 | 1 | 🟢 x6 |
| 📝 Google GCE Instance Enable Connecting to Serial Ports is not disabled 🟢 | 1 | 🟢 x6 |
| 📝 Google GCE Subnetwork Flow Logs are not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Google HTTP(S) Load Balancer Logging is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites 🟢 | | 🟢 x3 |
| 📝 Google Logging Log Metric Filter and Alerts for Audit Configuration Changes do not exist 🟢 | 1 | 🟢 x6 |
| 📝 Google Logging Log Metric Filter and Alerts for Custom Role Changes do not exist 🟢 | 1 | 🟢 x6 |
| 📝 Google Logging Log Metric Filter and Alerts for Project Ownership Assignments Changes do not exist 🟢 | 1 | 🟢 x6 |
| 📝 Google Logging Log Metric Filter and Alerts for SQL Instance Configuration Changes do not exist 🟢 | 1 | 🟢 x6 |
| 📝 Google Logging Log Metric Filter and Alerts for VPC Network Changes do not exist 🟢 | 1 | 🟢 x6 |
| 📝 Google Logging Log Metric Filter and Alerts for VPC Network Firewall Rule Changes do not exist 🟢 | 1 | 🟢 x6 |
| 📝 Google Logging Log Metric Filter and Alerts for VPC Network Route Changes do not exist 🟢 | 1 | 🟢 x6 |
| 📝 Google Logging Log Sink for All Log Entries is not configured 🟢 | 1 | 🟢 x6 |
| 📝 Google Project has a default network 🟢 | 1 | 🟢 x6 |
| 📝 Google Project has a legacy network 🟢 | 1 | 🟢 x6 |
| 📝 Google Storage Bucket is anonymously or publicly accessible 🟢 | 1 | 🟢 x6 |