| π [LEGACY] Azure Virtual Machine VHDs are not encrypted π’ | | π’ x3 |
| π AWS Account Alternate Contact Information is not current π΄π’ | | π΄ x1, π’ x3 |
| π AWS Account Config is not enabled in all regions π’ | 1 | π’ x6 |
| π AWS Account EBS Volume Encryption Attribute is not enabled in all regions π’ | 1 | π’ x6 |
| π AWS Account IAM Access Analyzer is not enabled for all regions π’ | 1 | π’ x6 |
| π AWS Account IAM Password Policy minimum password length is 14 characters or less π’ | 1 | π’ x6 |
| π AWS Account IAM Password Policy Number of passwords to remember is not set to 24 π’ | 1 | π’ x6 |
| π AWS Account Multi-Region CloudTrail is not enabled π’ | 1 | π’ x6 |
| π AWS Account Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled π’ | 1 | π’ x6 |
| π AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled π’ | 1 | π’ x6 |
| π AWS Account Primary Contact Information is not current π΄π’ | | π΄ x1, π’ x3 |
| π AWS Account Root User credentials were used is the last 30 days π’ | 1 | π’ x6 |
| π AWS Account Root User has active access keys π’ | 1 | π’ x6 |
| π AWS Account Root User Hardware MFA is not enabled. π’ | | π’ x3 |
| π AWS Account Root User MFA is not enabled. π’ | 1 | π’ x6 |
| π AWS Account Security Hub is not enabled π’ | 1 | π x1, π’ x5 |
| π AWS ACM Certificate expires in the next 7 days π’ | 1 | π’ x6 |
| π AWS ACM Certificate Expired π’ | 1 | π’ x6 |
| π AWS ACM Certificate with Wildcard Domain Name π’ | 1 | π’ x6 |
| π AWS ACM RSA Certificate key length is less than 2048 bits π’ | 1 | π’ x6 |
| π AWS API Gateway API Access Logging in CloudWatch is not enabled π’ | 1 | π x1, π’ x5 |
| π AWS API Gateway API Execution Logging in CloudWatch is not enabled π’ | 1 | π’ x6 |
| π AWS API Gateway API Route Authorization Type is not configured π’ | 1 | π’ x6 |
| π AWS API Gateway REST API Stage is not associated with a WAF Web ACL π’ | 1 | π’ x6 |
| π AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication π’ | 1 | π’ x6 |
| π AWS API Gateway REST API Stage X-Ray Tracing is not enabled π’ | 1 | π’ x6 |
| π AWS Athena Workgroup CloudWatch Metrics are not enabled π’ | 1 | π’ x6 |
| π AWS Backup Recovery Point is expired and failed to delete π’ | 1 | π’ x6 |
| π AWS Backup Vault contains unencrypted Recovery Points π’ | 1 | π’ x6 |
| π AWS CloudFront Distribution Logging is not enabled π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution Default Root Object is not configured π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution uses default SSL/TLS certificate π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution uses Dedicated IP for SSL π’ | 1 | π’ x6 |
| π AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins π’ | 1 | π’ x6 |
| π AWS CloudTrail AWS Organizations Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Config Configuration Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Configuration Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Disable CMK or Schedule CMK Deletion Events Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail is not encrypted with KMS CMK π’ | 1 | π’ x6 |
| π AWS CloudTrail IAM Policy Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Log File Validation is not enabled π’ | 1 | π’ x6 |
| π AWS CloudTrail Management Console Authentication Failures Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Management Console Sign-In without MFA Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Network Access Control Lists Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Network Gateways Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Root Account Usage Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Route Table Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail S3 Bucket Access Logging is not enabled. π’ | 1 | π’ x6 |
| π AWS CloudTrail S3 Bucket Policy Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Security Group Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail Unauthorized API Calls Monitoring is not enabled π’ | | π’ x3 |
| π AWS CloudTrail VPC Changes Monitoring is not enabled π’ | | π’ x3 |
| π AWS CodeBuild Project Bitbucket Source Location URL contains credentials π’ | 1 | π’ x6 |
| π AWS Connect Instance flow logs are not enabled π’ | 1 | π’ x6 |
| π AWS Data Sync Task logging is not enabled π’ | 1 | π’ x6 |
| π AWS DAX Cluster Server-Side Encryption is not enabled π’ | 1 | π’ x6 |
| π AWS DMS Endpoint doesn't use SSL π’ | 1 | π’ x6 |
| π AWS DMS Migration Task Logging is not enabled π’ | 1 | π’ x6 |
| π AWS DMS Replication Instance Auto Minor Version Upgrade is not enabled π’ | 1 | π’ x6 |
| π AWS DMS Replication Instance is publicly accessible π’ | 1 | π’ x6 |
| π AWS DynamoDB Provisioned Table Auto Scaling is not configured π’ | 1 | π’ x6 |
| π AWS DynamoDB Table Point In Time Recovery is not enabled π’ | 1 | π’ x6 |
| π AWS EBS Attached Volume is not encrypted π’ | 1 | π’ x6 |
| π AWS EBS Snapshot is publicly accessible π’ | 1 | π’ x6 |
| π AWS EC2 Auto Scaling Group and Classic Load Balancer AZs are inconsistent π π’ | 1 | π x1, π’ x6 |
| π AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances π’ | 1 | π’ x6 |
| π AWS EC2 Auto Scaling Group behind ELB doesn't use ELB health check π’ | 1 | π’ x6 |
| π AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2 π’ | 1 | π’ x6 |
| π AWS EC2 Auto Scaling Group uses Launch Configuration instead of Launch Template π’ | 1 | π’ x6 |
| π AWS EC2 Default Security Group does not restrict all traffic π’ | 1 | π’ x6 |
| π AWS EC2 Instance Detailed Monitoring is not enabled π’ | 1 | π’ x6 |
| π AWS EC2 Instance is idle π’ | 1 | π’ x6 |
| π AWS EC2 Instance is overutilized π’ | 1 | π’ x6 |
| π AWS EC2 Instance is underutilized π’ | 1 | π’ x6 |
| π AWS EC2 Instance IAM role is not attached π’ | 1 | π’ x6 |
| π AWS EC2 Instance IMDSv2 is not enabled π’ | 1 | π’ x6 |
| π AWS EC2 Instance Should Have Breeze Agent Installed π’ | 1 | π’ x6 |
| π AWS EC2 Instance without a public IP address is in a public subnet π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted CIFS traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted DNS traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted FTP traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted ICMP traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted NetBIOS traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted RPC traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted SMTP traffic π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to all ports π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to MongoDB π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to MSSQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to MySQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted traffic to PostgreSQL π’ | 1 | π’ x6 |
| π AWS EC2 Security Group allows unrestricted Telnet traffic π’ | 1 | π’ x6 |
| π AWS EFS File System encryption is not enabled π’ | 1 | π’ x6 |
| π AWS EKS Cluster allows unrestricted public traffic π’ | 1 | π’ x6 |
| π AWS EKS Cluster has node IAM role with AmazonEKS_CNI_Policy attached π΄π’ | 1 | π΄ x1, π’ x6 |
| π AWS EKS Cluster IAM OIDC provider is not created π’ | 1 | π’ x6 |
| π AWS EKS Cluster Logging is not enabled for all control plane logs types π’ | 1 | π’ x6 |
| π AWS EKS Cluster Should Have Breeze Agent Installed π’ | 1 | π’ x6 |
| π AWS IAM AWSCloudShellFullAccess Policy is attached π’ | 1 | π’ x6 |
| π AWS IAM Policy allows full administrative privileges π’ | 1 | π’ x6 |
| π AWS IAM Role unused π’ | 1 | π’ x6 |
| π AWS IAM Server Certificate is expired π’ | 1 | π’ x6 |
| π AWS IAM User Access Keys are not rotated every 90 days or less π’ | 1 | π’ x6 |
| π AWS IAM User has inline or directly attached policies π’ | 1 | π x1, π’ x5 |
| π AWS IAM User has more than one active access key π’ | 1 | π’ x6 |
| π AWS IAM User is not managed centrally in multi-account environments π’ | | π’ x3 |
| π AWS IAM User MFA is not enabled for all users with console password π’ | 1 | π’ x6 |
| π AWS IAM User with console and programmatic access set during the initial creation π’ | | π’ x3 |
| π AWS IAM User with credentials unused for 45 days or more is not disabled π’ | 1 | π’ x6 |
| π AWS KMS Symmetric CMK Rotation is not enabled π’ | 1 | π’ x6 |
| π AWS RDS Aurora Cluster access is not consistent π’ | 1 | π’ x6 |
| π AWS RDS Instance Auto Minor Version Upgrade is not enabled π π’ | 1 | π x1, π’ x6 |
| π AWS RDS Instance Encryption is not enabled π’ | 1 | π’ x6 |
| π AWS RDS Instance is publicly accessible and in an unrestricted public subnet π’ | 1 | π’ x6 |
| π AWS RDS Instance Multi-AZ Deployment is not enabled π’ | 1 | π’ x6 |
| π AWS RDS Instance uses default endpoint port π’ | 1 | π’ x6 |
| π AWS RDS Snapshot is publicly accessible π’ | 1 | π’ x6 |
| π AWS S3 Bucket is not configured to block public access π’ | 1 | π’ x6 |
| π AWS S3 Bucket Lifecycle Configuration is not enabled π’ | 1 | π’ x6 |
| π AWS S3 Bucket MFA Delete is not enabled π π’ | 1 | π x1, π’ x6 |
| π AWS S3 Bucket Object Lock is not enabled π π’ | 1 | π x1, π’ x6 |
| π AWS S3 Bucket Policy is not set to deny HTTP requests π’ | 1 | π’ x6 |
| π AWS S3 Bucket sensitive data is not discovered, classified, and secured π’ | | π’ x3 |
| π AWS S3 Bucket Server Access Logging is not enabled π’ | 1 | π’ x6 |
| π AWS S3 Bucket Versioning is not enabled π’ | 1 | π’ x6 |
| π AWS Support Role is not created π’ | 1 | π’ x6 |
| π AWS VPC Flow Logs are not enabled π’ | 1 | π x1, π’ x5 |
| π AWS VPC Network ACL exposes admin ports to public internet ports π’ | 1 | π’ x6 |
| π AWS VPC Route Table for VPC Peering does not follow the least privilege principle π’ | | π’ x3 |
| π Azure Active Directory Device Should Have Breeze Agent Installed π’ | 1 | π’ x6 |
| π Azure AKS Cluster Should Have Breeze Agent Installed π’ | 1 | π’ x6 |
| π Azure App Service Authentication is disabled and Basic Authentication is enabled π’ | 1 | π’ x6 |
| π Azure App Service Basic Authentication is enabled π’ | | π’ x3 |
| π Azure App Service does not run the latest HTTP version π’ | 1 | π’ x6 |
| π Azure App Service does not run the latest Java version π’ | | π’ x3 |
| π Azure App Service does not run the latest PHP version π’ | | π’ x3 |
| π Azure App Service does not run the latest Python version π’ | | π’ x3 |
| π Azure App Service does not use Azure Key Vaults to store secrets π’ | | π’ x3 |
| π Azure App Service FTP deployments are not disabled π’ | 1 | π’ x6 |
| π Azure App Service HTTPS Only configuration is not enabled π’ | 1 | π’ x6 |
| π Azure App Service is not registered with Microsoft Entra ID π’ | 1 | π’ x6 |
| π Azure App Service Minimum TLS Version is not set to TLS 1.2 or higher π’ | 1 | π’ x6 |
| π Azure App Service Plan has no Apps assigned π’ | 1 | π’ x6 |
| π Azure App Service Remote Debugging is not disabled π’ | 1 | π’ x6 |
| π Azure Cosmos DB Account has zero Total Request Units π’ | 1 | π’ x6 |
| π Azure Cosmos DB Account Private Endpoints are not used π’ | 1 | π’ x6 |
| π Azure Cosmos DB Account Virtual Network Filter is not enabled π’ | 1 | π’ x6 |
| π Azure Cosmos DB Entra ID Client Authentication is not used π’ | | π’ x3 |
| π Azure Databricks Diagnostic Log Delivery is not configured π’ | | π’ x3 |
| π Azure Databricks network security groups are not configured π’ | | π’ x3 |
| π Azure Databricks Personal Access Tokens (PATs) are not restricted and expirable π’ | | π’ x3 |
| π Azure Databricks users and groups are not synced from Microsoft Entra ID π’ | | π’ x3 |
| π Azure Databricks Unity Catalog is not configured π’ | | π’ x3 |
| π Azure Databricks Workspace is not deployed in a customer-managed virtual network (VNet) π’ | 1 | π’ x6 |
| π Azure Databricks Workspace is not encrypted using customer-managed key (CMK) π’ | 1 | π’ x6 |
| π Azure Databricks Workspace traffic is not encrypted between cluster worker nodes π’ | | π’ x3 |
| π Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories π’ | 1 | π’ x6 |
| π Azure Diagnostic Setting exists for Subscription Activity Logs π’ | | π’ x3 |
| π Azure Diagnostic Setting for Azure AppService HTTP logs is not enabled π’ | | π’ x3 |
| π Azure Diagnostic Setting for Azure Key Vault is not enabled π’ | | π’ x3 |
| π Azure Diagnostic Setting is not enabled for all services that support it π’ | | π’ x3 |
| π Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key π’ | 1 | π’ x6 |
| π Azure Key Vault Automatic Key Rotation is not enabled π’ | 1 | π’ x6 |
| π Azure Key Vault Managed HSM is not used whenever required π’ | | π’ x3 |
| π Azure Key Vault Private Endpoints are not used π’ | 1 | π’ x6 |
| π Azure Key Vault Public Network Access when using Private Endpoint is enabled π’ | 1 | π’ x6 |
| π Azure Key Vault Role Based Access Control is not enabled π’ | 1 | π’ x6 |
| π Azure Key Vault Soft Delete and Purge Protection functions are not enabled π’ | 1 | π’ x6 |
| π Azure Managed Disk Data Access Auth Mode is not set to Azure Active Directory π’ | 1 | π’ x6 |
| π Azure Managed Disk is not attached to any Virtual Machine π’ | 1 | π’ x6 |
| π Azure Managed Disk Public Network Access is not disabled π’ | 1 | π’ x6 |
| π Azure Managed Disk Snapshot is 90 days old or more π’ | 1 | π’ x6 |
| π Azure Managed Disk Snapshot is stored on Premium SSDs Managed Disk storage π’ | 1 | π’ x6 |
| π Azure MySQL Flexible Server audit_log_enabled Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure MySQL Flexible Server audit_log_events Parameter is not set with the CONNECTION event π’ | 1 | π’ x6 |
| π Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure MySQL Flexible Server TLS Version is not set to TLS 1.2 π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to all ports π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to CIFS port π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to DNS port π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to FTP ports π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to HTTP(S) ports π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to MongoDB ports π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to MSSQL port π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to MySQL port π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to NetBIOS ports π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to Oracle DBMS ports π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to PostgreSQL port π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to RDP port π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to RPC port π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to SMTP port π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to SSH port π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public access to Telnet port π’ | 1 | π’ x6 |
| π Azure Network Security Group allows public UDP access π’ | 1 | π’ x6 |
| π Azure Network Security Group Flow Logs retention period is less than 90 days π’ | 1 | π’ x6 |
| π Azure Non-RBAC Key Vault stores Keys without expiration date π’ | 1 | π’ x6 |
| π Azure Non-RBAC Key Vault stores Secrets without expiration date π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server connection_throttle.enable Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days π’ | 1 | π’ x6 |
| π Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server log_connections Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON π’ | 1 | π’ x6 |
| π Azure Privileged Role Assignments are not periodically reviewed π’ | | π’ x3 |
| π Azure Public IP Address is not associated with any resource π’ | 1 | π’ x6 |
| π Azure Public IP Addresses are not evaluated periodically π’ | | π’ x3 |
| π Azure RBAC Key Vault stores Keys without expiration date π’ | 1 | π’ x6 |
| π Azure RBAC Key Vault stores Secrets without expiration date π’ | 1 | π’ x6 |
| π Azure Resource Lock is not enabled for mission-critical resources π’ | | π’ x3 |
| π Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) π’ | 1 | π’ x6 |
| π Azure SQL Database Transparent Data Encryption is not enabled π’ | 1 | π’ x6 |
| π Azure SQL Server Auditing is not enabled π’ | 1 | π’ x6 |
| π Azure SQL Server Auditing Retention is less than 90 days π’ | 1 | π’ x6 |
| π Azure SQL Server Microsoft Entra authentication is not configured π’ | 1 | π’ x6 |
| π Azure SQL Server Public Network Access is not disabled π’ | 1 | π’ x6 |
| π Azure SQL Server Transparent Data Encryption Protector is not encrypted with Customer-managed key π’ | 1 | π’ x6 |
| π Azure Storage Account Access Key Rotation Reminders are not enabled π’ | | π’ x3 |
| π Azure Storage Account Access Keys are not regenerated periodically π’ | | π’ x3 |
| π Azure Storage Account Allow Blob Anonymous Access is enabled π’ | 1 | π’ x6 |
| π Azure Storage Account Blob Service Versioning is not enabled π’ | 1 | π’ x6 |
| π Azure Storage Account Cross Tenant Replication is enabled π’ | 1 | π’ x6 |
| π Azure Storage Account Default Network Access Rule is not set to Deny π’ | 1 | π’ x6 |
| π Azure Storage Account Default To OAuth Authentication is not set to Yes π’ | 1 | π’ x6 |
| π Azure Storage Account Minimum TLS Version is not set to TLS 1.2 or higher π’ | 1 | π’ x6 |
| π Azure Storage Account Private Endpoints are not used π’ | 1 | π’ x6 |
| π Azure Storage Account Public Network Access is not disabled π’ | 1 | π’ x6 |
| π Azure Storage Account Require Infrastructure Encryption is not enabled π’ | 1 | π’ x6 |
| π Azure Storage Account Secure Transfer Required is not enabled π’ | 1 | π’ x6 |
| π Azure Storage Account Shared Access Signature Tokens do not expire within 1 hour π’ | | π’ x3 |
| π Azure Storage Account Shared Key Access is not disabled π’ | 1 | π’ x6 |
| π Azure Storage Account Trusted Azure Services are not enabled as networking exceptions π’ | 1 | π’ x6 |
| π Azure Storage Account uses Delete lock π’ | | π’ x3 |
| π Azure Storage Account uses Locally Redundant Storage replication option π’ | 1 | π’ x6 |
| π Azure Storage Account uses ReadOnly lock π’ | | π’ x3 |
| π Azure Storage Account With Critical Data is not encrypted with customer managed key π’ | | π’ x3 |
| π Azure Storage Blob Containers Soft Delete is not enabled π’ | 1 | π’ x6 |
| π Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests π’ | 1 | π’ x6 |
| π Azure Storage File Shares SMB Channel Encryption is not set to AES-256-GCM or higher π’ | 1 | π’ x6 |
| π Azure Storage File Shares SMB Protocol Version is not set to SMB 3.1.1 or higher π’ | 1 | π’ x6 |
| π Azure Storage File Shares Soft Delete is not enabled π’ | 1 | π’ x6 |
| π Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests π’ | 1 | π’ x6 |
| π Azure Storage Table Logging is not enabled for Read, Write, and Delete requests π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create or Update Network Security Group does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create or Update Public IP Address Rule does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create or Update Security Solution does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Create Policy Assignment does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete Network Security Group does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete Policy Assignment does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete Public IP Address Rule does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete Security Solution does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Delete SQL Server Firewall Rule does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Activity Log Alert for Service Health does not exist π’ | 1 | π’ x6 |
| π Azure Subscription Application Insights are not configured π’ | 1 | π x1, π’ x5 |
| π Azure Subscription Bastion Host does not exist π’ | 1 | π x1, π’ x5 |
| π Azure Subscription Custom Subscription Administrator Roles exist π’ | 1 | π’ x6 |
| π Azure Subscription Integration With Microsoft Defender For Cloud Apps is not enabled π’ | 1 | π’ x6 |
| π Azure Subscription Integration With Microsoft Defender For Endpoint is not enabled π’ | 1 | π’ x6 |
| π Azure Subscription Leaving Microsoft Entra ID Directory and Subscription Entering Microsoft Entra ID Directory is not set to Permit No One π’ | | π’ x3 |
| π Azure Subscription Log Analytics Agent is not auto provisioned π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For App Services is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Azure Cosmos DB is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Containers is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For IoT Hub is not set to On π’ | | π’ x3 |
| π Azure Subscription Microsoft Defender For Key Vault is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Open-Source Relational Databases is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Resource Manager is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Servers is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Microsoft Defender For Storage is not set to On π’ | 1 | π’ x6 |
| π Azure Subscription Network Watcher is not enabled in every available region π’ | 1 | π’ x6 |
| π Azure Subscription Resource Lock Administrator Custom Role does not exist π’ | | π’ x3 |
| π Azure Subscription Resources Basic SKU is used for production workloads π’ | | π’ x3 |
| π Azure Subscription Security Alert Notifications additional email address is not configured π’ | 1 | π’ x6 |
| π Azure Subscription Security Alert Notifications for alerts with High or Critical severity are not configured π’ | 1 | π’ x6 |
| π Azure Subscription Security Alert Notifications for attack path with Critical severity are not configured π’ | | π’ x3 |
| π Azure Subscription Security Alert Notifications to subscription owners are not configured π’ | 1 | π’ x6 |
| π Azure Subscription Vulnerability Assessment is not auto provisioned π’ | | π’ x3 |
| π Azure Unattached Managed Disk is not encrypted with Customer-managed key π’ | 1 | π’ x6 |
| π Azure User Access Administrator Role has assignments π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to all ports π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to CIFS port π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to DNS port π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to FTP ports π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to HTTP(S) ports π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to MongoDB ports π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to MSSQL port π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to MySQL port π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to NetBIOS ports π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to Oracle DBMS ports π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to PostgreSQL port π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to RDP port π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to RPC port π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to SMTP port π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to SSH port π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public access to Telnet port π’ | 1 | π’ x6 |
| π Azure Virtual Machine allows public UDP access π’ | 1 | π’ x6 |
| π Azure Virtual Machine Endpoint Protection is not installed π’ | | π’ x3 |
| π Azure Virtual Machine is idle π’ | 1 | π’ x6 |
| π Azure Virtual Machine is not utilizing Managed Disks π’ | 1 | π’ x6 |
| π Azure Virtual Machine is overutilized π’ | 1 | π’ x6 |
| π Azure Virtual Machine is underutilized π’ | 1 | π’ x6 |
| π Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key π’ | 1 | π’ x6 |
| π Azure Virtual Machine Should Have Breeze Agent Installed π’ | 1 | π’ x6 |
| π Azure Virtual Machine Trusted Launch is not enabled π’ | 1 | π’ x6 |
| π Azure Virtual Machine Unapproved Extensions are installed π’ | | π’ x3 |
| π Azure Virtual Network Flow Logs are not captured and sent to Log Analytics Workspace π’ | | π’ x3 |
| π Azure Virtual Network Flow Logs retention period is less than 90 days π’ | 1 | π’ x6 |
| π Azure Virtual Network Gateway has no connections π’ | 1 | π x1, π’ x5 |
| π Azure VM Scale Set Instance allows public access to all ports π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to CIFS port π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to DNS port π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to FTP ports π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to HTTP(S) ports π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to MongoDB ports π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to MSSQL port π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to MySQL port π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to NetBIOS ports π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to Oracle DBMS ports π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to PostgreSQL port π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to RDP port π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to RPC port π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to SMTP port π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to SSH port π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public access to Telnet port π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance allows public UDP access π’ | 1 | π’ x6 |
| π Azure VM Scale Set Instance Should Have Breeze Agent Installed π’ | 1 | π’ x6 |
| π Consumer Google Accounts are used π’ | | π’ x3 |
| π Google Access Approval is not enabled π’ | 1 | π’ x6 |
| π Google Accounts are not configured with MFA π’ | | π’ x3 |
| π Google App Engine Application HTTPS Connection is not enforced π’ | | π’ x3 |
| π Google API Key is not restricted for unspecified hosts and apps π’ | | π’ x3 |
| π Google API Key is not restricted for unused APIs π’ | 1 | π’ x6 |
| π Google API Key is not rotated every 90 days π’ | 1 | π’ x6 |
| π Google BigQuery Dataset is anonymously or publicly accessible π’ | 1 | π’ x6 |
| π Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK) π’ | 1 | π’ x6 |
| π Google BigQuery Sensitive Data Protection is not in use π’ | | π’ x3 |
| π Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) π’ | 1 | π’ x6 |
| π Google Cloud Access Transparency is not enabled π’ | | π’ x3 |
| π Google Cloud Asset Inventory API is not enabled π’ | 1 | π’ x6 |
| π Google Cloud Audit Logging is not configured properly π’ | 1 | π’ x6 |
| π Google Cloud DNS Managed Zone DNSSEC is not enabled π’ | 1 | π’ x6 |
| π Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1 π’ | 1 | π’ x6 |
| π Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1 π’ | 1 | π’ x6 |
| π Google Cloud Function Environment Variables store confidential data π’ | | π’ x3 |
| π Google Cloud MySQL Instance allows anyone to connect with administrative privileges π’ | | π’ x3 |
| π Google Cloud MySQL Instance Local_infile Database Flag is not set to off π’ | 1 | π’ x6 |
| π Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on π’ | 1 | π’ x6 |
π Google Cloud PostgreSQL Instance Log_error_verbosity Database Flag is not set to DEFAULT or stricter π’ | 1 | π’ x6 |
| π Google Cloud PostgreSQL Instance cloudsql.enable_pgaudit Database Flag is not set to on π’ | 1 | π’ x6 |
| π Google Cloud PostgreSQL Instance Log_connections Database Flag is not set to On π’ | 1 | π’ x6 |
| π Google Cloud PostgreSQL Instance Log_disconnections Database Flag is not set to On π’ | 1 | π’ x6 |
π Google Cloud PostgreSQL Instance Log_min_duration_statement Database Flag is not set to -1 (Disabled) π’ | 1 | π’ x6 |
| π Google Cloud PostgreSQL Instance Log_min_error_statement Database Flag is not set to Error or stricter π’ | 1 | π’ x6 |
| π Google Cloud PostgreSQL Instance Log_min_messages Database Flag is not set at minimum to Warning π’ | 1 | π’ x6 |
| π Google Cloud PostgreSQL Instance Log_statement Database Flag is not set appropriately π’ | 1 | π’ x6 |
| π Google Cloud SQL Instance Automated Backups are not configured π’ | 1 | π’ x6 |
| π Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses π’ | 1 | π’ x6 |
| π Google Cloud SQL Instance has public IP addresses π’ | 1 | π’ x6 |
| π Google Cloud SQL Instance SSL Connections are not enforced π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance contained database authentication Database Flag is set to on π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance external scripts enabled Database Flag is not set to off π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance remote access Database Flag is not set to off π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value π’ | 1 | π’ x6 |
| π Google Cloud SQL Server Instance user options Database Flag is configured π’ | 1 | π’ x6 |
| π Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key π’ | 1 | π’ x6 |
| π Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK) π’ | 1 | π’ x6 |
| π Google GCE Instance Block Project-Wide SSH Keys is not enabled π’ | 1 | π’ x6 |
| π Google GCE Instance Confidential Compute is not enabled π’ | 1 | π’ x6 |
| π Google GCE Instance doesn't have the latest operating system updates installed π’ | | π’ x3 |
| π Google GCE Instance Enable Connecting to Serial Ports is not disabled π’ | 1 | π’ x6 |
| π Google GCE Instance has a public IP address π’ | 1 | π’ x6 |
| π Google GCE Instance is configured to use the Default Service Account π’ | 1 | π’ x6 |
| π Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs π’ | 1 | π’ x6 |
| π Google GCE Instance is launched without Shielded VM enabled π’ | 1 | π’ x6 |
| π Google GCE Instance IP Forwarding is not disabled. π’ | 1 | π’ x6 |
| π Google GCE Instance OS Login is not enabled π’ | 1 | π’ x6 |
| π Google GCE Instance Should Have Breeze Agent Installed π’ | 1 | π’ x6 |
| π Google GCE Network DNS Policy Logging is not enabled π’ | 1 | π’ x6 |
| π Google GCE Network has Firewall Rules which allow unrestricted RDP access from the Internet π’ | 1 | π’ x6 |
| π Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet π’ | 1 | π’ x6 |
| π Google GCE Subnetwork Flow Logs are not enabled π’ | 1 | π’ x6 |
| π Google HTTP(S) Load Balancer Logging is not enabled π’ | 1 | π’ x6 |
| π Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites π’ | | π’ x3 |
| π Google IAM Roles related to KMS are not assigned to separate users π’ | 1 | π’ x6 |
| π Google IAM Service Account has admin privileges π’ | 1 | π’ x6 |
| π Google IAM Service Account has User-Managed Keys π’ | 1 | π’ x6 |
| π Google IAM Service Account User-Managed Key is not rotated every 90 days π’ | 1 | π’ x6 |
| π Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level π’ | 1 | π’ x6 |
| π Google Identity Aware Proxy (IAP) is not used to enforce access controls π’ | | π’ x3 |
| π Google KMS Crypto Key is anonymously or publicly accessible π π’ | | π x1, π’ x3 |
| π Google KMS Crypto Key is not rotated every 90 days π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts Cloud Storage IAM Permission Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for Audit Configuration Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for Custom Role Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for Project Ownership Assignments Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for SQL Instance Configuration Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for VPC Network Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for VPC Network Firewall Rule Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Metric Filter and Alerts for VPC Network Route Changes do not exist π’ | 1 | π’ x6 |
| π Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock π’ | 1 | π’ x6 |
| π Google Logging Log Sink for All Log Entries is not configured π’ | 1 | π’ x6 |
| π Google Organization Administrator Security Key Enforcement is not enabled π’ | | π’ x3 |
| π Google Organization Essential Contacts is not configured π’ | 1 | π’ x6 |
| π Google Project has a default network π’ | 1 | π’ x6 |
| π Google Project has a legacy network π’ | 1 | π’ x6 |
| π Google Project has API Keys π’ | 1 | π x1, π’ x5 |
| π Google Storage Bucket is anonymously or publicly accessible π’ | 1 | π’ x6 |
| π Google Storage Bucket Uniform Bucket-Level Access is not enabled π’ | 1 | π’ x6 |
| π Google User has both Service Account Admin and Service Account User roles assigned π’ | 1 | π’ x6 |
| π Intune logs are not captured and sent to Log Analytics π’ | | π’ x3 |
| π Microsoft Cloud Security Benchmark policies are disabled π’ | | π’ x3 |
| π Microsoft Defender Agentless Container Vulnerability Assessment Component is not enabled π’ | | π’ x3 |
| π Microsoft Defender Agentless Discovery for Kubernetes Component is not enabled π’ | | π’ x3 |
| π Microsoft Defender Agentless Scanning for Machines Component is not enabled π’ | | π’ x3 |
| π Microsoft Defender External Attack Surface Monitoring (EASM) is not enabled π’ | | π’ x3 |
| π Microsoft Defender File Integrity Monitoring Component is not enabled π’ | | π’ x3 |
| π Microsoft Defender Recommendations for Apply System Updates are not completed π’ | | π’ x3 |
| π Microsoft Entra ID Account Lockout Duration is not set 60 seconds or more π’ | | π’ x3 |
| π Microsoft Entra ID Account Lockout Threshold is not set to 10 or less π’ | | π’ x3 |
| π Microsoft Entra ID Admin accounts are not used for daily operations π’ | | π’ x3 |
| π Microsoft Entra ID Allow Users To Remember MFA On Devices They Trust is enabled π’ | | π’ x3 |
| π Microsoft Entra ID Conditional Access By Location is not defined π’ | | π’ x3 |
| π Microsoft Entra ID Custom Banned Password List is not enforced π’ | | π’ x3 |
| π Microsoft Entra ID Default User Role can create tenants π’ | 1 | π’ x6 |
| π Microsoft Entra ID Device Code Authentication Flow is not restricted π’ | | π’ x3 |
| π Microsoft Entra ID Diagnostic Setting does not capture Microsoft Entra activity logs π’ | | π’ x3 |
| π Microsoft Entra ID Diagnostic Setting does not capture Microsoft Graph activity logs π’ | | π’ x3 |
| π Microsoft Entra ID Global Administrator Role assigned to more than 4 users π’ | | π’ x3 |
| π Microsoft Entra ID Guest Invite Settings is not set to Only Users Assigned To Specific Admin Roles Can Invite Guest Users π’ | 1 | π’ x6 |
| π Microsoft Entra ID Guest Users are not reviewed on a regular basis π’ | | π’ x3 |
| π Microsoft Entra ID Guest Users restricted to their own directory objects π’ | 1 | π’ x6 |
| π Microsoft Entra ID MFA For Administrators is not required π’ | | π’ x3 |
| π Microsoft Entra ID MFA For All Users is not required π’ | | π’ x3 |
| π Microsoft Entra ID MFA For Risky Sign-Ins is not required π’ | | π’ x3 |
| π Microsoft Entra ID MFA For Windows Azure Service Management API is not required π’ | | π’ x3 |
| π Microsoft Entra ID MFA to access Microsoft Admin Portals is not required π’ | | π’ x3 |
| π Microsoft Entra ID Named Locations are not defined π’ | | π’ x3 |
| π Microsoft Entra ID Owners Can Manage Group Membership Requests In The Access Panel is set to Yes π’ | | π’ x3 |
| π Microsoft Entra ID Remember MFA devices setting is disabled π’ | | π’ x3 |
| π Microsoft Entra ID Require MFA To Register Or Join Devices With Microsoft Entra ID is set to No π’ | | π’ x3 |
| π Microsoft Entra ID Restrict User Ability To Access Groups Features In The Access Pane is set to No π’ | | π’ x3 |
| π Microsoft Entra ID Security Defaults are not enabled π’ | | π’ x3 |
| π Microsoft Entra ID User Consent For Applications is not set to Allow From Verified Publishers π’ | | π’ x3 |
| π Microsoft Entra ID User Consent For Applications is not set to Do Not Allow User Consent π’ | | π’ x3 |
| π Microsoft Entra ID User Multi-Factor Auth Status is not enabled π’ | | π’ x3 |
| π Microsoft Entra ID User Notify All Admins When Other Admins Reset Their Password is set No π’ | | π’ x3 |
| π Microsoft Entra ID User Notify Users On Password Resets is set to No π’ | | π’ x3 |
| π Microsoft Entra ID User Reconfirm Authentication Information is set to 0 π’ | | π’ x3 |
| π Microsoft Entra ID User Self-Service Password Reset does not require 2 authentication methods π’ | | π’ x3 |
| π Microsoft Entra ID User Settings Restrict Access To Microsoft Entra Admin Center is set to No π’ | | π’ x3 |
| π Microsoft Entra ID Users Can Create Microsoft 365 Groups In Azure Portals, API Or PowerShell is set to Yes π’ | | π’ x3 |
| π Microsoft Entra ID Users Can Create Security Groups In Azure Portals, API Or PowerShell is set to Yes π’ | | π’ x3 |
| π Microsoft Entra ID Users Can Register Applications is set to Yes π’ | 1 | π’ x6 |
| π Network Security Group Flow Logs are not captured and sent to Log Analytics Workspace π’ | | π’ x3 |
| π Physical Server Should Have Breeze Agent Installed π’ | 1 | π’ x6 |
| π Privileged Azure Virtual Machine is accessed by identities without MFA π’ | | π’ x3 |
| π Snowflake User Default Role is ACCOUNTADMIN π’ | 1 | π’ x6 |
| π Snowflake User Default Role is not set π’ | 1 | π’ x6 |
| π Snowflake User MFA is not enabled π’ | 1 | π’ x6 |
| π Snowflake User password is not rotated every 90 days π’ | 1 | π’ x6 |
| π vCenter Virtual Machine Should Have Breeze Agent Installed π’ | 1 | π’ x6 |