| 📝 AWS Account EBS Volume Encryption Attribute is not enabled in all regions 🟢 | 1 | 🟢 x6 |
| 📝 AWS Account IAM Access Analyzer is not enabled for all regions 🟢 | 1 | 🟢 x6 |
| 📝 AWS Account Root User credentials were used is the last 30 days 🟢 | 1 | 🟢 x6 |
| 📝 AWS Account Root User has active access keys 🟢 | 1 | 🟢 x6 |
| 📝 AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudFront Web Distribution uses default SSL/TLS certificate 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudFront Web Distribution uses Dedicated IP for SSL 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudTrail is not encrypted with KMS CMK 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudTrail Log File Validation is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS DAX Cluster Server-Side Encryption is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS DMS Endpoint doesn't use SSL 🟢 | 1 | 🟢 x6 |
| 📝 AWS DMS Replication Instance Auto Minor Version Upgrade is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS DMS Replication Instance is publicly accessible 🟢 | 1 | 🟢 x6 |
| 📝 AWS DynamoDB Table Point In Time Recovery is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS EBS Attached Volume is not encrypted 🟢 | 1 | 🟢 x6 |
| 📝 AWS EBS Snapshot is publicly accessible 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Default Security Group does not restrict all traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Instance with an auto-assigned public IP address is in a default subnet 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted CIFS traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted DNS traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted FTP traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted ICMP traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted NetBIOS traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted RPC traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted SMTP traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted traffic to MongoDB 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted traffic to MySQL 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL 🟢 | 1 | 🟢 x6 |
| 📝 AWS EC2 Security Group allows unrestricted Telnet traffic 🟢 | 1 | 🟢 x6 |
| 📝 AWS EFS File System encryption is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS IAM Policy allows full administrative privileges 🟢 | 1 | 🟢 x6 |
| 📝 AWS IAM Server Certificate is expired 🟢 | 1 | 🟢 x6 |
| 📝 AWS IAM User Access Keys are not rotated every 90 days or less 🟢 | 1 | 🟢 x6 |
| 📝 AWS IAM User has inline or directly attached policies 🟢 | 1 | 🟠 x1, 🟢 x5 |
| 📝 AWS IAM User has more than one active access key 🟢 | 1 | 🟢 x6 |
| 📝 AWS IAM User with console and programmatic access set during the initial creation 🟢 | | 🟢 x3 |
| 📝 AWS KMS Symmetric CMK Rotation is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS RDS Instance Auto Minor Version Upgrade is not enabled 🟠🟢 | 1 | 🟠 x1, 🟢 x6 |
| 📝 AWS RDS Instance Encryption is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS RDS Instance is publicly accessible and in an unrestricted public subnet 🟢 | 1 | 🟢 x6 |
| 📝 AWS RDS Instance uses default endpoint port 🟢 | 1 | 🟢 x6 |
| 📝 AWS RDS Snapshot is publicly accessible 🟢 | 1 | 🟢 x6 |
| 📝 AWS S3 Bucket is not configured to block public access 🟢 | 1 | 🟢 x6 |
| 📝 AWS S3 Bucket Lifecycle Configuration is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢 | 1 | 🟢 x6 |
| 📝 AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service 🟢 | 1 | 🟢 x6 |
| 📝 AWS VPC Network ACL exposes admin ports to public internet ports 🟢 | 1 | 🟢 x6 |
| 📝 AWS VPC Subnet Map Public IP On Launch is enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure App Service Authentication is disabled and Basic Authentication is enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure App Service Basic Authentication is enabled 🟢 | | 🟢 x3 |
| 📝 Azure App Service does not run the latest Java version 🟢 | | 🟢 x3 |
| 📝 Azure App Service does not run the latest PHP version 🟢 | | 🟢 x3 |
| 📝 Azure App Service does not run the latest Python version 🟢 | | 🟢 x3 |
| 📝 Azure App Service FTP deployments are not disabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure App Service HTTPS Only configuration is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure Cosmos DB Account Private Endpoints are not used 🟢 | 1 | 🟢 x6 |
| 📝 Azure Cosmos DB Account Virtual Network Filter is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure Cosmos DB Entra ID Client Authentication is not used 🟢 | | 🟢 x3 |
| 📝 Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key 🟢 | 1 | 🟢 x6 |
| 📝 Azure Key Vault Soft Delete and Purge Protection functions are not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON 🟢 | 1 | 🟢 x6 |
| 📝 Azure Network Security Group allows public access to HTTP(S) ports 🟢 | 1 | 🟢 x6 |
| 📝 Azure Network Security Group allows public access to RDP port 🟢 | 1 | 🟢 x6 |
| 📝 Azure Network Security Group allows public access to SSH port 🟢 | 1 | 🟢 x6 |
| 📝 Azure Non-RBAC Key Vault stores Keys without expiration date 🟢 | 1 | 🟢 x6 |
| 📝 Azure Non-RBAC Key Vault stores Secrets without expiration date 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure RBAC Key Vault stores Keys without expiration date 🟢 | 1 | 🟢 x6 |
| 📝 Azure RBAC Key Vault stores Secrets without expiration date 🟢 | 1 | 🟢 x6 |
| 📝 Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) 🟢 | 1 | 🟢 x6 |
| 📝 Azure SQL Server Transparent Data Encryption Protector is not encrypted with Customer-managed key 🟢 | 1 | 🟢 x6 |
| 📝 Azure Storage Account Allow Blob Anonymous Access is enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure Storage Account Require Infrastructure Encryption is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure Storage Account Secure Transfer Required is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure Storage Account Trusted Azure Services are not enabled as networking exceptions 🟢 | 1 | 🟢 x6 |
| 📝 Azure Storage Account With Critical Data is not encrypted with customer managed key 🟢 | | 🟢 x3 |
| 📝 Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For App Services is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For Containers is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For Key Vault is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For Servers is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Subscription Microsoft Defender For Storage is not set to On 🟢 | 1 | 🟢 x6 |
| 📝 Azure Unattached Managed Disk is not encrypted with Customer-managed key 🟢 | 1 | 🟢 x6 |
| 📝 Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key 🟢 | 1 | 🟢 x6 |
| 📝 Consumer Google Accounts are used 🟢 | | 🟢 x3 |
| 📝 Google BigQuery Dataset is anonymously or publicly accessible 🟢 | 1 | 🟢 x6 |
| 📝 Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢 | 1 | 🟢 x6 |
| 📝 Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud DNS Managed Zone DNSSEC is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud MySQL Instance allows anyone to connect with administrative privileges 🟢 | | 🟢 x3 |
| 📝 Google Cloud SQL Instance Automated Backups are not configured 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟢 | 1 | 🟢 x6 |
| 📝 Google Cloud SQL Server Instance external scripts enabled Database Flag is not set to off 🟢 | 1 | 🟢 x6 |
| 📝 Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key 🟢 | 1 | 🟢 x6 |
| 📝 Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK) 🟢 | 1 | 🟢 x6 |
| 📝 Google GCE Instance Confidential Compute is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Google GCE Instance has a public IP address 🟢 | 1 | 🟢 x6 |
| 📝 Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs 🟢 | 1 | 🟢 x6 |
| 📝 Google GCE Instance IP Forwarding is not disabled. 🟢 | 1 | 🟢 x6 |
| 📝 Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet 🟢 | 1 | 🟢 x6 |
| 📝 Google GCE Subnetwork Flow Logs are not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites 🟢 | | 🟢 x3 |
| 📝 Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level 🟢 | 1 | 🟢 x6 |
| 📝 Google Storage Bucket is anonymously or publicly accessible 🟢 | 1 | 🟢 x6 |
| 📝 Google User has both Service Account Admin and Service Account User roles assigned 🟢 | 1 | 🟢 x6 |