| π AWS Account Config is not enabled in all regions π’ | 1 | π’ x6 |
| π AWS Account IAM Access Analyzer is not enabled for all regions π’ | 1 | π’ x6 |
| π AWS Account Multi-Region CloudTrail is not enabled π’ | 1 | π’ x6 |
| π AWS Account Security Hub is not enabled π’ | 1 | π x1, π’ x5 |
| π AWS API Gateway API Access Logging in CloudWatch is not enabled π’ | 1 | π x1, π’ x5 |
| π AWS API Gateway API Execution Logging in CloudWatch is not enabled π’ | 1 | π’ x6 |
| π AWS API Gateway API Route Authorization Type is not configured π’ | 1 | π’ x6 |
| π AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication π’ | 1 | π’ x6 |
| π AWS API Gateway REST API Stage X-Ray Tracing is not enabled π’ | 1 | π’ x6 |
| π AWS CloudTrail AWS Organizations Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Config Configuration Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Configuration Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Disable CMK or Schedule CMK Deletion Events Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail IAM Policy Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Log File Validation is not enabled π’ | 1 | π’ x6 |
| π AWS CloudTrail Management Console Authentication Failures Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Management Console Sign-In without MFA Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Network Access Control Lists Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Network Gateways Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Root Account Usage Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Route Table Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail S3 Bucket Access Logging is not enabled. π’ | 1 | π’ x6 |
| π AWS CloudTrail S3 Bucket Policy Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Security Group Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Unauthorized API Calls Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail VPC Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS EC2 Auto Scaling Group behind ELB doesn't use ELB health check π’ | 1 | π’ x6 |
| π AWS EC2 Default Security Group does not restrict all traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted CIFS traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted FTP traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted RPC traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted SMTP traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to MSSQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to MySQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to PostgreSQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted Telnet traffic π’ | 1 | π’ x6 |
| π AWS RDS Instance Auto Minor Version Upgrade is not enabled π π’ | 1 | π x1, π’ x6 |
| π AWS RDS Instance is publicly accessible and in an unrestricted public subnet π’ | 1 | π’ x6 |
| π AWS RDS Instance uses default endpoint port π’ | 1 | π’ x6 |
| π AWS RDS Snapshot is publicly accessible π’ | 1 | π’ x6 |
| π AWS S3 Bucket is not configured to block public access π’ | 1 | π’ x6 |
| π AWS S3 Bucket Policy is not set to deny HTTP requests π’ | 1 | π’ x6 |
| π AWS S3 Bucket Server Access Logging is not enabled π’ | 1 | π’ x6 |
| π AWS VPC Flow Logs are not enabled π’ | 1 | π x1, π’ x5 |
| π Azure App Service Authentication is disabled and Basic Authentication is enabled π’ | 1 | π’ x6 |
| π Azure App Service Basic Authentication is enabled π’ | | π’ x3 |
| π Azure App Service does not run the latest Java version π’ | | π’ x3 |
| π Azure App Service does not run the latest PHP version π’ | | π’ x3 |
| π Azure App Service does not run the latest Python version π’ | | π’ x3 |
| π Azure App Service FTP deployments are not disabled π’ | 1 | π’ x6 |
| π Azure App Service HTTPS Only configuration is not enabled π’ | 1 | π’ x6 |
| π Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories π’ | 1 | π’ x6 |
| π Azure Diagnostic Setting for Azure Key Vault is not enabled π’ | | π’ x3 |
| π Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure Network Security Group Flow Logs retention period is less than 90 days π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server connection_throttle.enable Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server log_connections Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure SQL Server Auditing is not enabled π’ | 1 | π’ x6 |
| π Azure SQL Server Auditing Retention is less than 90 days π’ | 1 | π’ x6 |
| π Azure Storage Account Secure Transfer Required is not enabled π’ | 1 | π’ x6 |
| π Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests π’ | 1 | π’ x6 |
| π Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create or Update Network Security Group does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create or Update Security Solution does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create Policy Assignment does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete Network Security Group does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete Policy Assignment does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete Security Solution does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete SQL Server Firewall Rule does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For App Services is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Containers is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Key Vault is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Servers is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Storage is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Network Watcher is not enabled in every available region π’ | 1 | π΄ x1, π’ x5 |
| π Azure Subscription Security Alert Notifications additional email address is not configured π’ | 1 | π’ x6 |
| π Azure Subscription Security Alert Notifications for alerts with High severity are not configured π’ | 1 | π’ x6 |
| π Azure Subscription Security Alert Notifications to subscription owners are not configured π’ | 1 | π’ x6 |