| π AWS Account EBS Volume Encryption Attribute is not enabled in all regions π’ | 1 | π’ x6 |
| π AWS Account IAM Access Analyzer is not enabled for all regions π’ | 1 | π’ x6 |
| π AWS Account Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled π’ | 1 | π’ x6 |
| π AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled π’ | 1 | π’ x6 |
| π AWS Account Root User credentials were used is the last 30 days π’ | 1 | π’ x6 |
| π AWS Account Root User has active access keys π’ | 1 | π’ x6 |
| π AWS API Gateway API Route Authorization Type is not configured π’ | 1 | π’ x6 |
| π AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution Default Root Object is not configured π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution uses default SSL/TLS certificate π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution uses Dedicated IP for SSL π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins π’ | 1 | π’ x6 |
| π AWS CloudTrail is not encrypted with KMS CMK π’ | 1 | π’ x6 |
| π AWS CloudTrail Log File Validation is not enabled π’ | 1 | π’ x6 |
| π AWS DAX Cluster Server-Side Encryption is not enabled π’ | 1 | π’ x6 |
| π AWS DMS Endpoint doesn't use SSL π’ | 1 | π’ x6 |
| π AWS DMS Replication Instance is publicly accessible π’ | 1 | π’ x6 |
| π AWS DynamoDB Table Point In Time Recovery is not enabled π’ | 1 | π’ x6 |
| π AWS EBS Attached Volume is not encrypted π’ | 1 | π’ x6 |
| π AWS EBS Snapshot is publicly accessible π’ | 1 | π’ x6 |
| π AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances π’ | 1 | π’ x6 |
| π AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2 π’ | 1 | π’ x6 |
| π AWS EC2 Default Security Group does not restrict all traffic π’ | 1 | π’ x6 |
| π AWS EC2 Instance IMDSv2 is not enabled π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted CIFS traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted DNS traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted FTP traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted ICMP traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted NetBIOS traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted RPC traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted SMTP traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to MongoDB π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to MSSQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to MySQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to PostgreSQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted Telnet traffic π’ | 1 | π’ x6 |
| π AWS EFS File System encryption is not enabled π’ | 1 | π’ x6 |
| π AWS IAM Policy allows full administrative privileges π’ | 1 | π’ x6 |
| π AWS IAM Server Certificate is expired π’ | 1 | π’ x6 |
| π AWS IAM User has inline or directly attached policies π’ | 1 | π x1, π’ x5 |
| π AWS IAM User with credentials unused for 45 days or more is not disabled π’ | 1 | π’ x6 |
| π AWS RDS Instance Encryption is not enabled π’ | 1 | π’ x6 |
| π AWS RDS Instance is publicly accessible and in an unrestricted public subnet π’ | 1 | π’ x6 |
| π AWS RDS Instance uses default endpoint port π’ | 1 | π’ x6 |
| π AWS RDS Snapshot is publicly accessible π’ | 1 | π’ x6 |
| π AWS S3 Bucket is not configured to block public access π’ | 1 | π’ x6 |
| π AWS S3 Bucket Lifecycle Configuration is not enabled π’ | 1 | π’ x6 |
| π AWS S3 Bucket Object Lock is not enabled π π’ | 1 | π x1, π’ x6 |
| π AWS S3 Bucket Policy is not set to deny HTTP requests π’ | 1 | π’ x6 |
| π AWS VPC Network ACL exposes admin ports to public internet ports π’ | 1 | π’ x6 |
| π Azure App Service Authentication is disabled and Basic Authentication is enabled π’ | 1 | π’ x6 |
| π Azure App Service Basic Authentication is enabled π’ | | π’ x3 |
| π Azure App Service FTP deployments are not disabled π’ | 1 | π’ x6 |
| π Azure App Service HTTPS Only configuration is not enabled π’ | 1 | π’ x6 |
| π Azure Cosmos DB Account Private Endpoints are not used π’ | 1 | π’ x6 |
| π Azure Cosmos DB Account Virtual Network Filter is not enabled π’ | 1 | π’ x6 |
| π Azure Cosmos DB Entra ID Client Authentication is not used π’ | | π’ x3 |
| π Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key π’ | 1 | π’ x6 |
| π Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to HTTP(S) ports π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to RDP port π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to SSH port π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled π’ | 1 | π’ x6 |
| π Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) π’ | 1 | π’ x6 |
| π Azure Storage Account Allow Blob Anonymous Access is enabled π’ | 1 | π’ x6 |
| π Azure Storage Account Cross Tenant Replication is enabled π’ | 1 | π’ x6 |
| π Azure Storage Account Secure Transfer Required is not enabled π’ | 1 | π’ x6 |
| π Azure Storage Account Trusted Azure Services are not enabled as networking exceptions π’ | 1 | π’ x6 |
| π Azure Subscription Network Watcher is not enabled in every available region π’ | 1 | π’ x6 |
| π Azure Unattached Managed Disk is not encrypted with Customer-managed key π’ | 1 | π’ x6 |
| π Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key π’ | 1 | π’ x6 |
| π Consumer Google Accounts are used π’ | | π’ x3 |
| π Google API Key is not restricted for unused APIs π’ | 1 | π’ x6 |
| π Google API Key is not rotated every 90 days π’ | 1 | π’ x6 |
| π Google BigQuery Dataset is anonymously or publicly accessible π’ | 1 | π’ x6 |
| π Google Cloud DNS Managed Zone DNSSEC is not enabled π’ | 1 | π’ x6 |
| π Google Cloud MySQL Instance allows anyone to connect with administrative privileges π’ | | π’ x3 |
| π Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on π’ | 1 | π’ x6 |
| π Google Cloud SQL Instance Automated Backups are not configured π’ | 1 | π’ x6 |
| π Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses π’ | 1 | π’ x6 |
| π Google Cloud SQL Instance has public IP addresses π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance external scripts enabled Database Flag is not set to off π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance user options Database Flag is configured π’ | 1 | π’ x6 |
| π Google GCE Instance has a public IP address π’ | 1 | π’ x6 |
| π Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs π’ | 1 | π’ x6 |
| π Google GCE Instance IP Forwarding is not disabled. π’ | 1 | π’ x6 |
| π Google GCE Instance OS Login is not enabled π’ | 1 | π’ x6 |
| π Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet π’ | 1 | π’ x6 |
| π Google GCE Subnetwork Flow Logs are not enabled π’ | 1 | π’ x6 |
| π Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites π’ | | π’ x3 |
| π Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level π’ | 1 | π’ x6 |
| π Google KMS Crypto Key is anonymously or publicly accessible π π’ | | π x1, π’ x3 |
| π Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock π’ | 1 | π’ x6 |
| π Google Project has API Keys π’ | 1 | π x1, π’ x5 |
| π Google Storage Bucket is anonymously or publicly accessible π’ | 1 | π’ x6 |
| π Google Storage Bucket Uniform Bucket-Level Access is not enabled π’ | 1 | π’ x6 |
| π Google User has both Service Account Admin and Service Account User roles assigned π’ | 1 | π’ x6 |