🛡️ [LEGACY] VHDs are not encrypted🟢⚪
VHDs (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted.
🛡️ Access Approval is not enabled🟢
GCP Access Approval enables you to require your organization's explicit approval whenever Google Support tries to access your projects. You can then select users within your organization who can approve these requests by giving them a security role in IAM. All access requests display which Google employee requested them in an email or Pub/Sub message that you can choose to approve. This adds an additional control and logging of who in your organization approved or denied these requests.
🛡️ Access Key Rotation Reminders are not enabled🟢⚪
Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The 'Rotation Reminder' is an automatic reminder feature for a manual procedure.
🛡️ Access Keys are not regenerated periodically🟢⚪
For increased security, regenerate storage account access keys periodically.
🛡️ Account Has No IAM Users🔴🟠
Using individual IAM users (with a specific set of permissions) to access your AWS cloud account eliminates the risk of compromising your root account credentials. To protect your AWS root account and follow IAM security best practices, it is recommended to create IAM users for everyday work with AWS services and resources in order to avoid using the root credentials.
🛡️ Account has zero Total Request Units🟢
Consider deleting Cosmos DB Account or switching to the serverless option when the account has no Total Request Units over the past 30 days.
🛡️ Account Lockout Duration is not set to 60 seconds or more🟢⚪
The account lockout duration value determines how long an account retains the locked-out status, and therefore how long before a user can continue to attempt to log in after passing the lockout threshold.
🛡️ Account Lockout Threshold is not set to 10 or less🟢⚪
The account lockout threshold determines how many failed login attempts are permitted prior to placing the account in a locked-out state and initiating a variable lockout duration.
🛡️ Account Root User Hardware MFA is not enabled🟢⚪
The root user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA.
🛡️ Account Root User has active access keys🟢
The root user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root user account be deleted.
🛡️ Account Root User MFA is not enabled🟢
The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.
🛡️ Activity Log Alert for Create or Update Network Security Group does not exist🟢
Create an Activity Log Alert for the Create or Update Network Security Group event.
🛡️ Activity Log Alert for Create or Update Public IP Address Rule does not exist🟢
Create an activity log alert for the Create or Update Public IP Addresses rule.
🛡️ Activity Log Alert for Create or Update Security Solution does not exist🟢
Create an activity log alert for the Create or Update Security Solution event.
🛡️ Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist🟢
Create an activity log alert for the Create or Update SQL Server Firewall Rule event.
🛡️ Activity Log Alert for Create Policy Assignment does not exist🟢
Create an activity log alert for the Create Policy Assignment event.
🛡️ Activity Log Alert for Delete Network Security Group does not exist🟢
Create an activity log alert for the Delete Network Security Group event.
🛡️ Activity Log Alert for Delete Policy Assignment does not exist🟢
Create an activity log alert for the Delete Policy Assignment event.
🛡️ Activity Log Alert for Delete Public IP Address Rule does not exist🟢
Create an activity log alert for the Delete Public IP Address rule.
🛡️ Activity Log Alert for Delete Security Solution does not exist🟢
Create an activity log alert for the Delete Security Solution event.
🛡️ Activity Log Alert for Delete SQL Server Firewall Rule does not exist🟢
Create an activity log alert for the Delete SQL Server Firewall Rule event.
🛡️ Activity Log Alert for Service Health does not exist🟢
Create an activity log alert for Service Health.
🛡️ Admin accounts are not used for daily operations🟢⚪
Microsoft Azure admin accounts should not be used for routine, non-administrative tasks.
🛡️ Agentless Container Vulnerability Assessment Component is not enabled🟢⚪
Enable automatic vulnerability management for images stored in ACR or running in AKS clusters.
🛡️ Agentless Discovery for Kubernetes Component is not enabled🟢⚪
Enable automatic discovery and configuration scanning of the Microsoft Kubernetes clusters.
🛡️ Agentless Scanning for Machines Component is not enabled🟢⚪
The Microsoft Defender for Cloud agentless machine scanner provides threat detection, vulnerability detection, and discovery of sensitive information.
🛡️ Allow Blob Anonymous Access is enabled🟢
The Azure Storage setting 'Allow Blob Anonymous Access' (aka 'allowBlobPublicAccess') controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks.
🛡️ Allow Users To Remember MFA On Devices They Trust is enabled🟢⚪
Do not allow users to remember multi-factor authentication on devices.
🛡️ Alternate Contact Information is not current🔴🟢⚪
AWS provides customers with the option of specifying the contact information for the account's security team. It is recommended that this information be provided.
🛡️ API Access Logging in CloudWatch is not enabled🟢
Ensure that access logging is enabled on API Gateway APIs, capturing essential details about API usage and access in Amazon CloudWatch Logs. This enables monitoring, troubleshooting, and auditing of API calls.
🛡️ API Execution Logging in CloudWatch is not enabled🟢
Ensure that CloudWatch execution logging is enabled for APIs in API Gateway. Execution logging for API Gateway allows tracking of API requests and responses in CloudWatch, providing insights into API usage and facilitating troubleshooting.
🛡️ API Key is not restricted for unspecified hosts and apps🟢⚪
API Keys should only be used for services in cases where other authentication methods are unavailable. In this case, unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API key usage to trusted hosts, HTTP referrers and apps. It is recommended to use the more secure standard authentication flow instead.
🛡️ API Key is not restricted for unused APIs🟢
API Keys should only be used for services in cases where other authentication methods are unavailable. API keys are always at risk because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to restrict API keys to use (call) only APIs required by an application.
🛡️ API Key is not rotated every 90 days🟢
API Keys should only be used for services in cases where other authentication methods are unavailable. If they are in use it is recommended to rotate API keys every 90 days.
🛡️ API Route Authorization Type is not configured🟢
Ensure that each API Route in an AWS API Gateway API has a mechanism for controlling and managing access to the API.
🛡️ App Service does not run the latest HTTP version🟢
Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.
🛡️ App Service does not run the latest Java version🟢⚪
Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.
🛡️ App Service does not run the latest PHP version🟢⚪
Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.
🛡️ App Service does not run the latest Python version🟢⚪
Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.
🛡️ App Service does not use Azure Key Vaults to store secrets🟢⚪
Azure Key Vault can store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions.
🛡️ App Service is not registered with Microsoft Entra ID🟢
Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering an App Service with Entra ID, the app will connect to other Azure services securely without the need for usernames and passwords.
🛡️ App Service Plan has no Apps assigned🟢
Ensure that Azure App Service Plan has at least one attached Azure App. Consider deleting App Service Plans that are empty and have no applications, sites or jobs associated with them.
🛡️ Application HTTPS Connection is not enforced🟢⚪
In order to maintain the highest level of security, all connections to an application should be secure by default.
🛡️ Application Insights are not configured🟢
Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions.
🛡️ Asset Inventory API is not enabled🟢
GCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource. Cloud Asset Inventory Service (CAIS) API enablement is not required for operation of the service, but rather enables the mechanism for searching/exporting CAIS asset data directly.
🛡️ Aurora Cluster access is not consistent🟢
Ensure that all the database instances within your Amazon Aurora clusters have the same accessibility (either public or private) in order to follow AWS best practices.
🛡️ Authentication is disabled and Basic Authentication is enabled🟢
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. Disabling HTTP Basic Authentication functionality further ensures legacy authentication methods are disabled within the application.
🛡️ Auto Scaling Group and Classic Load Balancer AZs are inconsistent🟠🟢
Ensure that AWS Auto Scaling Groups (ASGs) and Classic Load Balancers (CLBs) are configured to share the same Availability Zones (AZs). This helps optimize application performance by utilizing AWS's low-latency network links across the scaling environment.
🛡️ Auto Scaling Group behind ELB assigns public IP to instances🟢
Ensure that EC2 instances launched by an Auto Scaling Group launch configuration and accessible from behind a load balancer are not assigned public IP addresses.
🛡️ Auto Scaling Group behind ELB doesn't use ELB health check🟢
Ensure that Auto Scaling Groups associated with Elastic Load Balancers (ELBs) are configured to use ELB health checks instead of EC2 health checks. ELB health checks provide more accurate health status for instances behind a load balancer.
🛡️ Auto Scaling Group Capacity Rebalancing is not enabled🟢
Ensure that Capacity Rebalancing is enabled for AWS EC2 Auto Scaling Groups that use a mixed instances launch template. This feature helps improve application availability by proactively launching a replacement Spot Instance when an existing one receives a rebalance recommendation, which is a signal that the instance is at elevated risk of interruption.
🛡️ Auto Scaling Group does not span multiple Availability Zones🟢
Ensure that AWS Auto Scaling Groups are configured across multiple Availability Zones to help applications remain resilient in case of an Availability Zone failure.
🛡️ Auto Scaling Group Launch Template is not configured to require IMDSv2🟢
Ensure that the EC2 Auto Scaling Group uses a Launch Template which is configured to require IMDSv2 (Instance Metadata Service Version 2). IMDSv2 is a session-oriented method for accessing instance metadata.
🛡️ Auto Scaling Group uses Launch Configuration instead of Launch Template🟢
Ensure Auto Scaling groups use Launch Templates instead of Launch Configurations. Launch Configurations are no longer fully supported by AWS and do not receive updates for new EC2 features.
🛡️ Automatic Key Rotation is not enabled🟢
Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will be increased incrementally.
🛡️ AWS EC2 Instance Should Have Breeze Agent Installed🟢
Ensure that Breeze Agent is installed on the EC2 Instance. The Breeze Agent streams OS-level data into Cloudaware CMDB and seamlessly enables other Cloudaware modules such as Intrusion Detection (IDS), Vulnerability Scanning, Patch Management, CIS Benchmarking, and Event Monitoring.
🛡️ AWS EKS Cluster Should Have Breeze Agent Installed🟢
Ensure that Breeze Agent is installed on the EKS Cluster. The Breeze Agent streams OS-level data into Cloudaware CMDB and seamlessly enables other Cloudaware modules such as Intrusion Detection (IDS), Vulnerability Scanning, Patch Management, CIS Benchmarking, and Event Monitoring.
🛡️ AWS IAM User is not managed centrally in multi-account environments🟢⚪
In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.
🛡️ AWS Organizations Changes Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.
🛡️ AWS Support Role is not created🟢
AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role, with the appropriate policy assigned, to allow authorized users to manage incidents with AWS Support.
🛡️ AWSCloudShellFullAccess Policy is attached🟢
AWS CloudShell is a convenient way of running CLI commands against AWS services. AWSCloudShellFullAccess managed IAM policy provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers.
🛡️ Azure Active Directory Device Should Have Breeze Agent Installed🟢
Ensure that Breeze Agent is installed on the Active Directory Device. The Breeze Agent streams OS-level data into Cloudaware CMDB and seamlessly enables other Cloudaware modules such as Intrusion Detection (IDS), Vulnerability Scanning, Patch Management, CIS Benchmarking, and Event Monitoring.
🛡️ Azure AKS Cluster Should Have Breeze Agent Installed🟢
Ensure that Breeze Agent is installed on the AKS Cluster. The Breeze Agent streams OS-level data into Cloudaware CMDB and seamlessly enables other Cloudaware modules such as Intrusion Detection (IDS), Vulnerability Scanning, Patch Management, CIS Benchmarking, and Event Monitoring.
🛡️ Azure Virtual Machine Should Have Breeze Agent Installed🟢
Ensure that Breeze Agent is installed on the Azure Virtual Machine. The Breeze Agent streams OS-level data into Cloudaware CMDB and seamlessly enables other Cloudaware modules such as Intrusion Detection (IDS), Vulnerability Scanning, Patch Management, CIS Benchmarking, and Event Monitoring.
🛡️ Azure VM Scale Set Instance Should Have Breeze Agent Installed🟢
Ensure that Breeze Agent is installed on the VM Scale Set Instance. The Breeze Agent streams OS-level data into Cloudaware CMDB and seamlessly enables other Cloudaware modules such as Intrusion Detection (IDS), Vulnerability Scanning, Patch Management, CIS Benchmarking, and Event Monitoring.
🛡️ Basic Authentication is enabled🟢⚪
Basic Authentication provides the ability to create identities and authentication for an App Service without a centralized Identity Provider. For a more effective, capable, and secure solution for Identity, Authentication, Authorization, and Accountability, a centralized Identity Provider such as Entra ID is strongly advised.
🛡️ Bastion Host does not exist🟢
The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.
🛡️ Blob Containers Soft Delete is not enabled🟢
It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are erroneously deleted.
🛡️ Blob Logging is not enabled for Read, Write, and Delete requests🟢
The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs.
🛡️ Blob Service Versioning is not enabled🟢
Enabling blob versioning allows for the automatic retention of previous versions of objects. With blob versioning enabled, earlier versions of a blob are accessible for data recovery in the event of modifications or deletions.
🛡️ Bucket is anonymously or publicly accessible🟢
It is recommended that the IAM policy on a Cloud Storage bucket does not allow anonymous or public access.
🛡️ Bucket is located in a less cost-effective region🟢
This policy flags S3 Buckets that are running in AWS regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Bucket is located in a less cost-effective region🟢
This policy flags Storage Buckets that are running in Google regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Bucket is not configured to block public access🟢
Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.
🛡️ Bucket Lifecycle Configuration is not enabled🟢
Configure Amazon S3 Lifecycle in order to ensure that your objects are stored cost effectively throughout their lifecycle. An S3 Lifecycle configuration is a set of rules that define actions (such as Transition and Expiration actions) that Amazon S3 applies to a group of objects.
🛡️ Bucket logging is not enabled🟢
Cloud Storage bucket logging provides detailed records of requests made to a bucket, which is crucial for security auditing and operational insights. It is recommended to enable logging for all storage buckets to track access patterns and identify potential unauthorized activities.
🛡️ Bucket MFA Delete is not enabled🟠🟢
Amazon S3 provides an MFA Delete feature to add an optional extra layer of security when deleting objects from your S3 buckets. This feature requires additional authentication via MFA before allowing the deletion of objects, thereby reducing the risk of accidental or unauthorized deletions.
🛡️ Bucket Object Lock is not enabled🟠🟢
S3 Object Lock can help prevent Amazon S3 objects from being deleted or overwritten for a fixed amount of time or indefinitely. Object Lock uses a write-once-read-many (WORM) model to store objects. You can use Object Lock to help meet regulatory requirements that require WORM storage, or to add another layer of protection against object changes or deletion.
🛡️ Bucket Policy is not set to deny HTTP requests🟢
At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.
🛡️ Bucket sensitive data is not discovered, classified, and secured🟢⚪
Amazon S3 buckets can contain sensitive data that, for security purposes, should be discovered, monitored, classified and protected. Macie, along with other 3rd party tools, can automatically provide an inventory of Amazon S3 buckets.
🛡️ Bucket Server Access Logging is not enabled🟢
S3 server access logging enables the tracking and analysis of requests made to S3 buckets. By activating this feature, detailed records are generated, capturing such information as the requester's IP address, the time of the request, the requested resource, and the response status.
🛡️ Bucket Uniform Bucket-Level Access is not enabled🟢
It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.
🛡️ Bucket Versioning is not enabled🟢
Ensure that AWS S3 Bucket Versioning feature is enabled. Versioning allows users to keep multiple versions of an object in the same S3 bucket and provides a reliable and scalable solution for data protection, recovery, and version control within S3 buckets.
🛡️ Bucket with Intelligent-Tiering is missing Archive configurations🟢
Ensure that S3 buckets with Intelligent-Tiering enabled are configured to automatically move objects to the optional Archive Access and Deep Archive Access tiers to maximize storage cost savings.
🛡️ Bucket with Log Sink does not have Versioning🟢
Ensure that Object Versioning is enabled for Google Storage buckets configured as destinations for log sinks.
🛡️ Certificate Expired🟢
Remove all expired SSL/TLS certificates in AWS Certificate Manager to comply with Amazon Security Best Practices. This action mitigates risks associated with outdated certificates, which can lead to vulnerabilities and compromised security. AWS Certificate Manager provisions, manages, and deploys SSL/TLS certificates for services like Elastic Load Balancing and CloudFront, ensuring secure communications.
🛡️ Certificate expires in the next 7 days🟢
Renew your SSL/TLS certificates in AWS ACM that are ineligible for automatic renewal at least 7 days before their expiration date to ensure uninterrupted security coverage and prevent service disruptions. Proactive renewal safeguards your applications and maintains user trust. AWS Certificate Manager simplifies the provisioning, management, and deployment of SSL/TLS certificates for various AWS resources, including Elastic Load Balancers, CloudFront distributions, and APIs on Amazon API Gateway.
🛡️ Certificate with Wildcard Domain Name🟢
Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account in order to follow security best practices and protect each domain/subdomain with its own unique private key. An AWS ACM wildcard certificate can match any first-level subdomain, potentially increasing vulnerability if compromised. For example, a wildcard certificate issued for *.cloudaware.com can protect both www.cloudaware.com and images.cloudaware.com.
🛡️ Cloud Access Transparency is not enabled🟢⚪
GCP Access Transparency provides audit logs for all actions that Google personnel take in your Google Cloud resources.
🛡️ Cloud Audit Logging is not configured properly🟢
It is recommended that Cloud Audit Logging is configured to track all admin activities and read and write access to user data.
🛡️ Cloud Function Environment Variables store confidential data🟢⚪
Google Cloud Functions allow you to host serverless code that is executed when an event is triggered, without requiring the management of a host operating system. These functions can also store environment variables to be used by the code, which may contain authentication or other information that needs to remain confidential.
🛡️ CloudTrail is not encrypted with KMS CMK🟢
AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.
🛡️ Cluster Alias IP is disabled🟢
Ensure that GKE Clusters are created with VPC-native traffic routing by enabling Alias IP. VPC-native clusters are more scalable and secure as they allow pods to have unique, routable IP addresses within the VPC.
🛡️ Cluster allows unrestricted public traffic🟢
Ensure that Amazon EKS clusters are configured to restrict public access to their Kubernetes API server endpoint to specific CIDR blocks. Unrestricted public access can expose the cluster to unauthorized access and potential attacks.
🛡️ Cluster Alpha cluster features are enabled🟢
Ensure that Google GKE Clusters are not running with alpha features enabled, especially in production environments. Alpha features are experimental and not covered by the GKE SLA.
🛡️ Cluster Control Plane Authorized Networks are disabled🟢
Enable Control Plane Authorized Networks to restrict access to the cluster's control plane to only an allowlist of authorized IPs.
🛡️ Cluster has node IAM role with AmazonEKS_CNI_Policy attached🔴🟢
Ensure that the AmazonEKS_CNI_Policy is not attached to the EKS node's IAM role, promoting least privilege for the Amazon VPC CNI plugin by utilizing IAM Roles for Service Accounts (IRSA).
🛡️ Cluster IAM OIDC provider is not created🟢
Ensure that AWS EKS clusters have an OpenID Connect (OIDC) provider configured. This is required to enable IAM Roles for Service Accounts (IRSA), which allows IAM roles to be securely assigned to Kubernetes service accounts for fine-grained access to AWS resources.
🛡️ Cluster is not encrypted using Customer-Managed Encryption Key🟢
When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).
🛡️ Cluster is underutilized🟢
Clusters are considered underutilized if their average CPU utilization is consistently below 20% and their disk I/O is below 50 IOPS over a 30-day period. Such instances might be oversized for their workload.
🛡️ Cluster Logging is not enabled for all control plane logs types🟢
Ensure that EKS cluster control plane logs are enabled and configured to capture API, audit, authenticator, controller manager, and scheduler activity.
🛡️ Cluster Logging is not enabled🟢
Ensure that Cloud Logging is enabled for GKE Clusters to provide visibility into cluster audit, application, and system logs.
🛡️ Cluster Monitoring is not enabled🟢
Ensure that GKE clusters have Cloud Monitoring enabled to provide visibility into their performance, uptime, and overall health. Cloud Monitoring collects metrics, events, and metadata from GKE clusters.
🛡️ Cluster Network policy is disabled🟢
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other.
🛡️ Cluster Node Pool Auto-Repair is disabled🟢
Ensure that GKE Cluster Node Pools have the Auto-Repair feature enabled. This feature helps maintain node health by automatically repairing nodes that fail health checks.
🛡️ Cluster Node Pool Auto-Upgrade is disabled🟢
Ensure that GKE Cluster Node Pool Auto-Upgrades are enabled. This feature helps keep the nodes in your cluster up to date with the latest stable Kubernetes version, which includes critical security patches and bug fixes, enhancing the overall security and stability of your cluster.
🛡️ Cluster Node Pool uses default Service account🟢
Create and use minimally privileged Service accounts to run GKE cluster nodes instead of using the Compute Engine default Service account. Unnecessary permissions could be abused in the case of a node compromise.
🛡️ Cluster Private Google Access is not enabled🟢
Ensure that GKE clusters are configured to use Private Google Access. Private Google Access allows cluster hosts in a subnet to reach Google APIs and services using an internal IP address rather than an external IP address.
🛡️ Cluster Server-Side Encryption is not enabled🟢
Ensure that DynamoDB Accelerator (DAX) clusters are encrypted at rest to protect sensitive data from unauthorized access to the underlying storage.
🛡️ Commitment expired in the last 30 days🟢
This policy identifies Google GCE Commitments that have expired within the last 30 days to alert teams of potential unplanned increases in cloud spending and verify that the expirations were intentional.
🛡️ Commitment expires in the next 60 days🟢
This policy identifies Google GCE Commitments that are set to expire within the next 60 days to help with proactive renewal and cost management.
🛡️ Conditional Access By Location is not defined🟢⚪
Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.
🛡️ Config Configuration Changes Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to AWS Config's configurations.
🛡️ Config is not enabled in all regions🟢
AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended that AWS Config be enabled in all regions.
🛡️ Configuration Changes Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, where metric filters and alarms can be established. It is recommended that a metric filter and alarm be utilized for detecting changes to CloudTrail's configurations.
🛡️ Consumer Google Accounts are used🟢⚪
Use corporate login credentials instead of consumer accounts, such as Gmail accounts.
🛡️ Critical Data is not encrypted with customer managed key🟢⚪
Enable sensitive data encryption at rest using Customer Managed Keys (CMK) rather than Microsoft Managed keys.
🛡️ Cross Tenant Replication is enabled🟢
Cross Tenant Replication in Azure allows data to be replicated across multiple Azure tenants. While this feature can be beneficial for data sharing and availability, it also poses a significant security risk if not properly managed. Unauthorized data access, data leakage, and compliance violations are potential risks.
🛡️ Crypto Key is anonymously or publicly accessible🟠🟢⚪
It is recommended that the IAM policy on Cloud KMS Crypto Key should restrict anonymous and/or public access.
🛡️ Crypto Key is not rotated every 90 days🟢
Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).
🛡️ Custom Banned Password List is not enforced🟢⚪
Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premises Active Directory unless Microsoft Entra ID Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers.
🛡️ Custom Subscription Administrator Roles exist🟢
The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
🛡️ Database allows ingress from 0.0.0.0/0 (ANY IP)🟢
Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).
🛡️ Database is located in a less cost-effective region🟢
This policy flags SQL Databases that are running in Azure regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Database is underutilized🟢
Identify Azure SQL Databases that are underutilized to optimize costs and improve efficiency. Instances are considered underutilized if their average DTU or CPU utilization is consistently below 20%, or their App Memory utilization is below 40%, and their storage utilization is below 10% over a 30-day period.
🛡️ Database Transparent Data Encryption is not enabled🟢
Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
🛡️ Databricks Diagnostic Log Delivery is not configured🟢⚪
Azure Databricks Diagnostic Logging provides insights into system operations, user activities, and security events within a Databricks workspace. Enabling diagnostic logs helps organizations:
- Detect security threats by logging access, job executions, and cluster activities.
- Ensure compliance with industry regulations such as SOC 2, HIPAA, and GDPR.
- Monitor operational performance and troubleshoot issues proactively.
🛡️ Databricks network security groups are not configured🟢⚪
Network Security Groups (NSGs) should be implemented to control inbound and outbound traffic to Azure Databricks subnets, ensuring only authorized communication. NSGs should be configured with deny rules to block unwanted traffic and restrict communication to essential sources only.
🛡️ Databricks Personal Access Tokens (PATs) are not restricted and expirable🟢⚪
Databricks personal access tokens (PATs) provide API-based authentication for users and applications. By default, users can generate API tokens without expiration, leading to potential security risks if tokens are leaked, improperly stored, or not rotated regularly.
🛡️ Databricks Unity Catalog is not configured🟢⚪
Unity Catalog is a centralized governance model for managing and securing data in Azure Databricks. It provides fine-grained access control to databases, tables, and views using Microsoft Entra ID identities. Unity Catalog also enhances data lineage, audit logging, and compliance monitoring, making it a critical component for security and governance.
🛡️ Databricks users and groups are not synced from Microsoft Entra ID🟢⚪
To ensure centralized identity and access management, users and groups from Microsoft Entra ID should be synchronized with Azure Databricks. This is achieved through SCIM provisioning, which automates the creation, update, and deactivation of users and groups in Databricks based on Entra ID assignments. Enabling this integration ensures that access controls in Databricks remain consistent with corporate identity governance policies, reducing the risk of orphaned accounts, stale permissions, and unauthorized access.
🛡️ Dataset is anonymously or publicly accessible🟢
It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.
🛡️ Dataset is not encrypted with Customer-Managed Encryption Key (CMEK)🟢
BigQuery by default encrypts data at rest by employing envelope encryption using Google-managed cryptographic keys. The data is encrypted using data encryption keys, and the data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want greater control, Customer-Managed Encryption Keys (CMEK) can be used as the encryption key management solution for BigQuery datasets.
🛡️ Default Network Access Rule is not set to Deny🟢
Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.
🛡️ Default Role is ACCOUNTADMIN🟢
Ensure that the ACCOUNTADMIN role is not set as the Default Role for Snowflake Users to reduce risk and prevent accidental use of broad administrative privileges.
🛡️ Default Role is not set🟢
Ensure the Default Role is set for Snowflake Users.
🛡️ Default Security Group does not restrict all traffic🟢
VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.
🛡️ Default To OAuth Authentication is not set to Yes🟢
When this property is enabled, the Azure portal authorizes requests to blobs, files, queues, and tables with Microsoft Entra ID by default.
🛡️ Default User Role can create tenants🟢
It is recommended to only allow an administrator to create new tenants. This prevents users from creating new Microsoft Entra ID or Azure AD B2C tenants and ensures that only authorized users are able to do so.
🛡️ Detector EKS Audit Log Monitoring is not enabled🟢
Ensure that AWS GuardDuty EKS Audit Log Monitoring is enabled to monitor Kubernetes audit logs for potential threats and suspicious activities within your EKS clusters.
🛡️ Device Code Authentication Flow is not restricted🟢⚪
Conditional Access Policies can be used to prevent the Device code authentication flow. Device code flow should be permitted only for users that regularly perform duties that explicitly require the use of Device Code to authenticate, such as utilizing Azure with PowerShell.
🛡️ Diagnostic Setting captures Administrative, Alert, Policy, and Security categories🟢
The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
🛡️ Diagnostic Setting does not capture Microsoft Entra activity logs🟢⚪
Ensure that a Microsoft Entra diagnostic setting is configured to send Microsoft Entra activity logs to a suitable destination, such as a Log Analytics workspace, storage account, or event hub. This enables centralized monitoring and analysis of Microsoft Entra activity logs.
🛡️ Diagnostic Setting does not capture Microsoft Graph activity logs🟢⚪
Ensure that a Microsoft Entra diagnostic setting is configured to send Microsoft Graph activity logs to a suitable destination, such as a Log Analytics workspace, storage account, or event hub. This enables centralized monitoring and analysis of all HTTP requests that the Microsoft Graph service receives and processes for a tenant.
🛡️ Diagnostic Setting exists for Subscription Activity Logs🟢⚪
Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.
🛡️ Diagnostic Setting for Azure AppService HTTP logs is not enabled🟢⚪
Enable the AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all HTTP requests are captured and centrally logged.
🛡️ Diagnostic Setting for Azure Key Vault is not enabled🟢⚪
Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.
🛡️ Diagnostic Setting is not enabled for all services that support it🟢⚪
Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB.
🛡️ Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key🟢
Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).
🛡️ Disable or Schedule Deletion CMK Events Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
🛡️ Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK)🟢
Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you want to control and manage this encryption yourself, you can provide your own encryption keys.
🛡️ Disk is idle🟢
Identify persistent GCE Disks that haven't been attached to a GCE Instance for more than 30 days.
🛡️ Distribution Logging is not enabled🟢
Ensure that standard logging is enabled for CloudFront Web Distributions.
🛡️ EBS Attached Volume is not encrypted🟢
Ensure that all attached EBS volumes are encrypted to protect data at rest. Encrypting EBS volumes adds a layer of security by rendering data unreadable to unauthorized users.
🛡️ EBS Snapshot is 90 days old or more🟠🟢
Consider deleting or archiving AWS EBS Snapshots that are 90 days old or more to reduce storage costs and manage data lifecycle.
🛡️ EBS Snapshot is publicly accessible🟢
Ensure that Amazon EBS snapshots are not publicly accessible to prevent unauthorized access to data. Snapshots should be shared only with specific, trusted AWS accounts.
🛡️ EBS Volume Encryption Attribute is not enabled in all regions🟢
Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.
🛡️ EBS Volume is idle🟢
This policy flags AWS EBS Volumes that are either unattached for more than 30 days or attached but show no read/write operations for the past 30 days.
🛡️ EBS Volume is underutilized🟢
Identifies provisioned IOPS EBS Volumes (gp3, io1, io2) with low read/write activity over the last 30 days.
🛡️ Elastic IP is unused🟢
Identify and release unused Elastic IP addresses to avoid unnecessary charges. Elastic IPs that are allocated but not associated with a running resource incur costs.
🛡️ Elastic Pool is underutilized🟢
Identifies Azure SQL Elastic Pools that are underutilized to optimize costs. An elastic pool is considered underutilized if its average DTU/CPU consumption is below 20% and its storage utilization is below 10% over the last 30 days.
🛡️ Endpoint doesn't use SSL🟢
Ensure that AWS DMS Endpoints use Secure Sockets Layer (SSL) to encrypt connections between the DMS replication instance and your database endpoints.
🛡️ Endpoint Protection is not installed🟢⚪
Install endpoint protection for all virtual machines.
🛡️ Entra ID Client Authentication is not used🟢⚪
Cosmos DB can use tokens or Entra ID for client authentication, which in turn uses Azure RBAC for authorization. Using Entra ID is significantly more secure because Entra ID handles the credentials and allows for MFA and centralized management, and Azure RBAC is better integrated with the rest of Azure.
🛡️ Environment does not have enhanced health reporting enabled🟢
Enhanced health reporting is a feature that can be enabled within your environment to allow AWS Elastic Beanstalk to collect additional data about its associated resources. Elastic Beanstalk uses this data to provide a more comprehensive view of the environment’s overall health and to help identify potential issues that could impact application availability.
🛡️ External Attack Surface Monitoring (EASM) is not enabled🟢⚪
An organization's attack surface is the collection of assets with a public network identifier or URI that an external threat actor can see or access from outside your cloud. It is the set of points on the boundary of a system, a system element, system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, system component, or environment.
🛡️ External Forwarding Rule is configured to use a Target HTTP Proxy🟢
Ensures that external Google Cloud forwarding rules use Target HTTPS Proxies for secure, encrypted traffic, instead of unencrypted Target HTTP Proxies.
🛡️ File Integrity Monitoring Component is not enabled🟢⚪
File Integrity Monitoring (FIM) is a feature that monitors critical system files in Windows or Linux for potential signs of attack or compromise.
🛡️ File Shares SMB Channel Encryption is not set to AES-256-GCM or higher🟢
Implement SMB channel encryption with AES-256-GCM for SMB file shares to ensure data confidentiality and integrity in transit. This method offers strong protection against eavesdropping and man-in-the-middle attacks, safeguarding sensitive information.
🛡️ File Shares SMB Protocol Version is not set to SMB 3.1.1 or higher🟢
Ensure that SMB file shares are configured to use the latest supported SMB protocol version. Keeping the SMB protocol updated helps mitigate risks associated with older SMB versions, which may contain vulnerabilities and lack essential security controls.
🛡️ File Shares Soft Delete is not enabled🟢
Azure Files offers soft delete for file shares, allowing you to easily recover your data when it is mistakenly deleted by an application or another storage account user.
🛡️ File System encryption is not enabled🟢
EFS data should be encrypted at rest using AWS KMS (Key Management Service).
🛡️ Flexible Server audit_log_enabled Parameter is not set to ON🟢
Enable audit_log_enabled on MySQL Servers.
🛡️ Flexible Server audit_log_events Parameter is not set with the CONNECTION event🟢
Set audit_log_events to include CONNECTION on MySQL flexible servers.
🛡️ Flexible Server connection_throttle.enable Parameter is not set to ON🟢
Enable connection_throttling on PostgreSQL Servers.
🛡️ Flexible Server Firewall Rules allow access to Azure services🟢
Disable access from Azure services to PostgreSQL Database Server.
🛡️ Flexible Server log_checkpoints Parameter is not set to ON🟢
Enable log_checkpoints on PostgreSQL Flexible Servers.
🛡️ Flexible Server log_retention_days Parameter is less than 4 days🟢
Ensure log_retention_days on PostgreSQL Servers is set to an appropriate value.
🛡️ Flexible Server require_secure_transport Parameter is not set to ON🟢
SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application.
🛡️ Flexible Server require_secure_transport Parameter is not set to ON🟢
SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.
🛡️ Flexible Server TLS Version is not set to TLS 1.2🟢
TLS connectivity helps to provide a new layer of security by connecting database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application.
🛡️ Flow Logs are not enabled🟢
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs.
🛡️ FTP deployments are not disabled🟢
By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.
🛡️ GCE Firewall Rule logging is disabled🟢
Ensure that Firewall Rules Logging is enabled for all GCE firewall rules. This feature records network connections that match a firewall rule, providing crucial data for security auditing, incident response, and network troubleshooting.
🛡️ GCE Instance is located in a less cost-effective region🟢
This policy flags GCE Instances that are running in Google regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ GCE IP Address is unused🟢
Ensure that all static IP addresses in your Google Cloud Platform project are associated with a running resource. Unused external static IP addresses can incur unnecessary costs and may pose a security risk if they are inadvertently attached to a resource in the future.
🛡️ GCE Network allows unrestricted CiscoSecure/WebSM traffic🟢
Ensure that no GCE Firewall Rules allow unrestricted ingress access from any IP address (0.0.0.0/0) to CiscoSecure/WebSM port 9090.
🛡️ GCE Network allows unrestricted DNS traffic🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to the DNS port (53).
🛡️ GCE Network allows unrestricted POP3 traffic🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to the POP3 port (TCP 110).
🛡️ GCE Network allows unrestricted SMTP traffic🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to the SMTP port (TCP 25).
🛡️ GCE Network allows unrestricted SSH traffic🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to the SSH port (TCP 22).
🛡️ GCE Network allows unrestricted Telnet traffic🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to the Telnet port (TCP 23).
🛡️ GCE Network allows unrestricted traffic to all ports🟢
Ensure that no GCE Firewall Rules allow unrestricted ingress access from any IP address (0.0.0.0/0) to all ports.
🛡️ GCE Network allows unrestricted traffic to Cassandra🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to Cassandra ports (7000, 7001, 7199, 8888, 9042, 9160, 61620, 61621).
🛡️ GCE Network allows unrestricted traffic to Memcached🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to the Memcached ports (TCP/UDP 11211, 11214, or 11215).
🛡️ GCE Network allows unrestricted traffic to OracleDB🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to Oracle Database ports (TCP 1521, 2483, 2484).
🛡️ GCE Network allows unrestricted traffic to Redis🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to the Redis port (TCP 6379).
🛡️ GCE Network DNS Policy Logging is not enabled🟢
Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.
🛡️ GCE Network has Firewall Rules which allow unrestricted Directory services access from the Internet🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to common Directory Services port 445.
🛡️ GCE Network has Firewall Rules which allow unrestricted MongoDB access from the Internet🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to MongoDB ports (TCP 27017-27019).
🛡️ GCE Network has Firewall Rules which allow unrestricted MySQL access from the Internet🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to the MySQL port (TCP 3306).
🛡️ GCE Network has Firewall Rules which allow unrestricted NetBIOS access from the Internet🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to NetBIOS ports (TCP/UDP 137, 138, 139).
🛡️ GCE Network has Firewall Rules which allow unrestricted RDP access from the Internet🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to the RDP port (TCP/UDP 3389).
🛡️ GCE Network has no egress deny Firewall Rule🟢
Ensure that every VPC Network includes at least one egress firewall rule with a deny action. Implementing a default-deny egress policy enforces the principle of least privilege by controlling and restricting outbound traffic from the network.
🛡️ GCE Subnetwork Flow Logs are not enabled🟢
Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
🛡️ Global Administrator Role assigned to more than 4 users🟢⚪
This recommendation aims to maintain a balance between security and operational efficiency by ensuring that a minimum of 2 and a maximum of 4 users are assigned the Global Administrator role in Microsoft Entra ID. Having at least two Global Administrators ensures redundancy, while limiting the number to four reduces the risk of excessive privileged access.
🛡️ Google Accounts are not configured with MFA🟢⚪
Set up multi-factor authentication for Google Cloud Platform accounts.
🛡️ Google GCE Instance Should Have Breeze Agent Installed🟢
Ensure that Breeze Agent is installed on the GCE Instance. The Breeze Agent streams OS-level data into Cloudaware CMDB and seamlessly enables other Cloudaware modules such as Intrusion Detection (IDS), Vulnerability Scanning, Patch Management, CIS Benchmarking, and Event Monitoring.
🛡️ Google GCE Network allows unrestricted FTP traffic🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to FTP ports (TCP 20, 21).
🛡️ Google GCE Network allows unrestricted HTTP traffic🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to the HTTP port (TCP 80).
🛡️ Google GCE Network allows unrestricted LDAP traffic🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to common LDAP ports (389 and 636).
🛡️ Google GCE Network allows unrestricted traffic to Elasticsearch🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to Elasticsearch ports (TCP 9200, 9300).
🛡️ Google GCE Network allows unrestricted traffic to PostgreSQL🟢
GCP Firewall Rules should not allow unrestricted ingress traffic from the internet (0.0.0.0/0) to the PostgreSQL port (TCP/UDP 5432).
🛡️ Google Project has API Keys🟢
API Keys should only be used for services in cases where other authentication methods are unavailable. Unused keys with their permissions intact may still exist within a project. Keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. It is recommended to use a standard authentication flow instead.
🛡️ GuardDuty is not enabled in all regions🟢
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. It is recommended that GuardDuty be enabled in all supported AWS regions to ensure comprehensive threat coverage.
🛡️ Guest Invite Settings is not set to Only Users Assigned To Specific Admin Roles Can Invite Guest Users🟢
Restrict invitations to users with specific administrative roles only.
🛡️ Guest Users are not reviewed on a regular basis🟢⚪
Microsoft Entra ID has native and extended identity functionality allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities.
🛡️ Guest Users restricted to their own directory objects🟢
Limit guest user permissions.
🛡️ HTTP(S) Load Balancer Logging is not enabled🟢
Logging enabled on an HTTPS Load Balancer will show all network traffic and its destination.
🛡️ HTTPS Only configuration is not enabled🟢
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.
🛡️ HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites🟢⚪
Secure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS) features clients are permitted to use when connecting to load balancers. To prevent usage of insecure features, SSL policies should use (a) at least TLS 1.2 with the MODERN profile; or (b) the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or (c) a CUSTOM profile that does not support any of the following features: TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA.
🛡️ IAM Access Analyzer is not enabled for all regions🟢
Enable IAM Access Analyzer for IAM policies covering all resources in each active AWS region. IAM Access Analyzer is a technology introduced at AWS re:Invent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. The results therefore allow you to determine whether an unintended user is allowed access, making it easier for administrators to monitor least-privilege access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.
🛡️ IAM Password Policy minimum password length is 14 characters or less🟢
Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14.
🛡️ IAM Password Policy Number of passwords to remember is not set to 24🟢
IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.
🛡️ IAM Policy Changes Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies.
🛡️ IAM Role Unused🟢
IAM provides last used information to help you identify unused roles so that you can remove them. An IAM role is considered unused if there has been no usage/activity for this role in the past 90 days. This helps you to better adhere to the best practice of least privilege.
🛡️ IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level🟢
It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for a specific service account rather than assigning the role to a user at project level.
🛡️ Identity Aware Proxy (IAP) is not used to enforce access controls🟢⚪
IAP authenticates user requests to your apps via Google single sign-on. You can then manage these users with permissions to control access. It is recommended to use both IAP permissions and firewalls to restrict access to apps that hold sensitive information.
🛡️ Instance allows public access to all ports🟢
Identify Azure VM Scale Set Instances that are associated with Network Interfaces linked to NSGs containing inbound rules that allow unrestricted traffic from the public internet (0.0.0.0/0, ::/0, Internet, Any, or *) to all destination ports (*, 0-65535, or unspecified). Restrict access to only the specific destination ports and/or IP address ranges that require connectivity.
🛡️ Instance allows public access to CIFS port🟢
Ensure that Azure VM Scale Set Instances do not allow unrestricted public access to the CIFS port 445. Unrestricted access to CIFS from the public internet poses a significant security risk, potentially exposing file shares and sensitive data to unauthorized access and ransomware attacks.
🛡️ Instance allows public access to DNS port🟢
Ensure that Azure VM Scale Set Instances do not allow unrestricted public access to the DNS port 53. Exposing DNS to the internet from a VM can pose security risks, such as participation in DNS amplification attacks or unauthorized DNS resolution.
🛡️ Instance allows public access to FTP ports🟢
Ensure that Azure VM Scale Set Instances do not allow unrestricted public access to FTP traffic (ports 20 and 21), which can expose systems to unauthorized access and potential attacks.
🛡️ Instance allows public access to HTTP(S) ports🟢
Ensure that Azure VM Scale Set Instances do not allow unrestricted public access to the HTTP/HTTPS ports 80 and 443. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.
🛡️ Instance allows public access to MongoDB ports🟢
Ensure that Azure VM Scale Set Instances are not exposed to unrestricted public access on MongoDB ports (27017-27020) and only accessible by authorized IP address ranges or internal networks.
🛡️ Instance allows public access to MSSQL port🟢
Ensure that Azure VM Scale Set Instances are not exposed to unrestricted public access on the MSSQL port (1433) and are only accessible from authorized IP address ranges or internal networks.
🛡️ Instance allows public access to MySQL port🟢
Ensure that Azure VM Scale Set Instances are not exposed to unrestricted public access on the MySQL port (3306) and are only accessible from authorized IP address ranges or internal networks.
🛡️ Instance allows public access to NetBIOS ports🟢
Ensure that Azure VM Scale Set Instances do not allow unrestricted public NetBIOS traffic (TCP/UDP 137, 138, 139).
🛡️ Instance allows public access to Oracle DBMS ports🟢
Ensure that Azure VM Scale Set Instances do not allow unrestricted public access to the Oracle DBMS (ports 1521, 1830, 2483 and 2484) by limiting access to trusted IP addresses or internal networks.
🛡️ Instance allows public access to PostgreSQL port🟢
Ensure that Azure VM Scale Set Instances do not allow unrestricted public access to the PostgreSQL port 5432 and are only accessible from authorized IP address ranges or internal networks.
🛡️ Instance allows public access to RDP port🟢
Ensure that Azure VM Scale Set Instances do not allow unrestricted public RDP (port 3389) traffic.
🛡️ Instance allows public access to RPC port🟢
Ensure that Azure VM Scale Set Instances do not allow unrestricted public access to the RPC port (135/TCP and 135/UDP). The RPC protocol enables inter-process communication and, if improperly secured, can expose VMs to unauthorized access.
🛡️ Instance allows public access to SMTP port🟢
Ensure Azure VM Scale Set Instances do not allow unrestricted public access to the SMTP port 25.
🛡️ Instance allows public access to SSH port🟢
Ensure that Azure VM Scale Set Instances do not allow unrestricted public SSH (port 22) traffic.
🛡️ Instance allows public access to Telnet port🟢
Ensure Azure VM Scale Set Instances do not allow unrestricted public access to the Telnet port 23. Telnet is an insecure protocol that transmits data, including credentials, in plaintext, making it vulnerable to eavesdropping and unauthorized access.
🛡️ Instance allows public UDP access🟢
Ensure that Azure VM Scale Set Instances do not allow unrestricted public UDP traffic.
🛡️ Instance Auto Minor Version Upgrade is not enabled🟠🟢
Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to automatically receive minor engine upgrades during the specified maintenance window. This way, RDS instances get new features, bug fixes, and security patches for their database engines.
🛡️ Instance Automated Backups are not configured🟢
It is recommended to have all SQL database instances set to enable automated backups.
🛡️ Instance automated backups are not enabled🟢
Ensure that automated backups are enabled for AWS RDS DB instances. Automated backups allow you to recover your database to any point in time within your retention period.
🛡️ Instance Block Project-Wide SSH Keys is not enabled🟢
It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.
🛡️ Instance Confidential Compute is not enabled🟢
Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use, while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU). Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC™ CPUs. Customer data will stay encrypted while it is used, indexed, queried, or trained on. Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.
🛡️ Instance Detailed Monitoring is not enabled🟢
Ensure that detailed monitoring is enabled for Amazon EC2 instances. This configuration improves the granularity of monitoring data from AWS CloudWatch, enabling 1-minute data points instead of the default 5-minute intervals.
🛡️ Instance doesn't have the latest operating system updates installed🟢⚪
Google Cloud Virtual Machines have the ability via an OS Config agent API to periodically (about every 10 minutes) report OS inventory data. A patch compliance API periodically reads this data, and cross references metadata to determine if the latest updates are installed. This is not the only Patch Management solution available to your organization and you should weigh your needs before committing to using this method.
🛡️ Instance Enable Connecting to Serial Ports is not disabled🟢
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
🛡️ Instance Encryption is not enabled🟢
Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.
🛡️ Instance External Authorized Networks whitelists all public IP addresses🟢
The database server should accept connections only from trusted networks/IPs and restrict access from public IP addresses.
🛡️ Instance flow logs are not enabled🟢
Ensure that Amazon Connect Instances have CloudWatch logging enabled to capture contact flow logs.
🛡️ Instance has a public IP address🟢
Compute instances should not be configured to have external IP addresses.
🛡️ Instance has public IP addresses🟢
It is recommended to configure Second Generation SQL instances to use private IPs instead of public IPs.
🛡️ Instance IAM role is not attached🟢
AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. 'AWS Access' means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.
🛡️ Instance IMDSv2 is not enabled🟢
When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).
🛡️ Instance IP Forwarding is not disabled🟢
A Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different from the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. Forwarding of data packets should be disabled to prevent data loss or information disclosure.
🛡️ Instance is configured to use the Default Service Account with full access to all Cloud APIs🟢
To support the principle of least privilege and prevent potential privilege escalation, it is recommended that instances are not assigned the Compute Engine default service account with the scope "Allow full access to all Cloud APIs".
🛡️ Instance is configured to use the Default Service Account🟢
It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.
🛡️ Instance is idle🟢
Identify and address idle Amazon EC2 instances to optimize costs by stopping, terminating, or downscaling instances with low utilization. Instances are considered idle if their average CPU utilization is below 5%, maximum CPU utilization is below 15%, and average network I/O is below 100 MB over a 14-day period.
🛡️ Instance is idle🟢
Identify AWS RDS Instances that appear to be idle and take action to stop or terminate them. By default, an RDS instance is considered idle when it satisfies the following criteria over the past 30 days: 1) Average CPU utilization has been below 5%; and 2) The total number of database connections has been zero.
🛡️ Instance is idle🟢
Identify idle GCE Instances to optimize costs by stopping, terminating, or downscaling instances with low utilization. Instances are considered idle if their average CPU utilization is below 5%, maximum CPU utilization is below 15%, and average network I/O is below 100 MB over a 14-day period.
🛡️ Instance is idle🟢
Identify idle Google Cloud SQL Instances to optimize costs by stopping, terminating, or downscaling instances with low utilization. Instances are considered idle if their average CPU utilization is below 5% and they have an average of zero connections over a 30-day period.
🛡️ Instance is launched without Shielded VM enabled🟢
To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.
🛡️ Instance is located in a less cost-effective region🟢
This policy flags EC2 Instances that are running in AWS regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Instance is located in a less cost-effective region🟢
This policy flags RDS Instances that are running in AWS regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Instance is located in a less cost-effective region🟢
This policy flags SQL Instances that are running in Google regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Instance is overutilized🟢
Identify and address overutilized Amazon EC2 instances to prevent performance degradation and optimize resource allocation. Instances are considered overutilized if their average CPU utilization exceeds 80% and maximum CPU utilization consistently spikes above 95% over a 14-day period.
🛡️ Instance is overutilized🟢
Identify any AWS RDS Instances that appear to be overutilized. Instances are considered overutilized if their average CPU utilization is consistently above 90% over a 30-day period.
🛡️ Instance is publicly accessible and in an unrestricted public subnet🟢
Ensure and verify that RDS database instances provisioned in your AWS account restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database's Publicly Accessible flag and update the VPC security group associated with the instance.
🛡️ Instance is underutilized🟢
Identify and address underutilized Amazon EC2 instances to optimize costs and improve efficiency. Instances are considered underutilized if their average CPU utilization is consistently below 40% and maximum CPU utilization does not spike above 50% over a 14-day period. These instances might be oversized for their workload.
🛡️ Instance is underutilized🟢
Instances are considered underutilized if their average CPU utilization is consistently below 20% and their disk I/O is below 50 IOPS over a 30-day period. Such instances might be oversized for their workload.
🛡️ Instance is underutilized🟢
GCE Instances are considered underutilized if their average CPU utilization is consistently below 40% and maximum CPU utilization does not spike above 50% over a 14-day period. These instances might be oversized for their workload.
🛡️ Instance is underutilized🟢
This policy identifies Cloud SQL Instances that appear to be underutilized so that they can be downsized (resized) to optimize cloud expenditure. By default, a SQL Instance is considered underutilized if its average CPU utilization is below 20%, memory utilization is below 40%, and disk I/O is below 50 IOPS over a 30-day period.
🛡️ Instance Multi-AZ Deployment is not enabled🟢
Amazon RDS offers Multi-AZ deployments that provide enhanced availability and durability for your databases, using synchronous replication to replicate data to a standby instance in a different Availability Zone (AZ). In the event of an infrastructure failure, Amazon RDS automatically fails over to the standby to minimize downtime and ensure business continuity.
🛡️ Instance OS Login is not enabled🟢
Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
🛡️ Instance SSL Connections are not enforced🟢
It is recommended to enforce all incoming connections to SQL database instance to use SSL.
🛡️ Instance uses default endpoint port🟢
Ensure that your Amazon RDS database instances are not using their default endpoint ports (e.g. MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432) in order to promote port obfuscation as an additional layer of defense against non-targeted attacks.
🛡️ Instance uses paravirtual Virtualization Type🟢
Ensure that Amazon EC2 instances are using Hardware Virtual Machine (HVM) virtualization instead of the legacy paravirtual (PV) type to take advantage of enhanced performance and access to the latest AWS features and instance types.
🛡️ Instance with an auto-assigned public IP address is in a default subnet🟢
EC2 instances launched into a default subnet are automatically assigned both public and private IPv4 addresses, which may result in unintended public exposure.
🛡️ Instance without a public IP address is in a public subnet🟢
Migrate EC2 instances that don't need internet access to a private subnet, or remove the direct route to an Internet Gateway within the subnet. EC2 Instances without a public IPv4/IPv6 address are unable to connect to the internet, so placing them in a public subnet is a potential misconfiguration that can lead to security breaches, convoluted network architecture, and unnecessary management overhead. Consider using a bastion host or NAT device to provide internet access to EC2 instances that do not need to be public.
🛡️ Integration With Microsoft Defender For Cloud Apps is not enabled🟢
This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.
🛡️ Integration With Microsoft Defender For Endpoint is not enabled🟢
This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.
🛡️ Intune logs are not captured and sent to Log Analytics🟢⚪
Ensure that Intune logs are captured and fed into a central log analytics workspace.
🛡️ Key Vault Managed HSM is used🟢⚪
Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant cloud service that safeguards cryptographic keys using FIPS 140-2 Level 3 validated HSMs.
🛡️ Load Balancer Cross-Zone Load Balancing is not enabled🟢
Ensures that AWS ELB Load Balancers have cross-zone load balancing enabled to distribute traffic evenly across all registered instances in all enabled Availability Zones.
🛡️ Load Balancer is not registered to multiple Availability Zones🟢
Ensures that AWS ELB Load Balancers are configured for high availability by being registered in more than one Availability Zone.
🛡️ Load Balancer is unused🟢
Ensure that AWS Elastic Load Balancers are actively serving traffic. A load balancer is considered unused if it has no listeners configured or no healthy instances or targets registered. Unused load balancers can incur costs without providing any benefit and may represent a misconfiguration in the environment.
🛡️ Log Analytics Agent is not auto provisioned🟢
Enable automatic provisioning of the monitoring agent to collect security data.
🛡️ Log File Validation is not enabled🟢
CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.
🛡️ Log Metric Filter and Alerts Cloud Storage IAM Permission Changes do not exist🟢
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.
🛡️ Log Metric Filter and Alerts for Audit Configuration Changes do not exist🟢
Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, 'who did what, where, and when?' within GCP projects.
🛡️ Log Metric Filter and Alerts for Custom Role Changes do not exist🟢
It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
🛡️ Log Metric Filter and Alerts for Project Ownership Assignments Changes do not exist🟢
In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all roles/Owner assignments should be monitored.
🛡️ Log Metric Filter and Alerts for SQL Instance Configuration Changes do not exist🟢
It is recommended that a metric filter and alarm be established for SQL instance configuration changes.
🛡️ Log Metric Filter and Alerts for VPC Network Changes do not exist🟢
It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.
🛡️ Log Metric Filter and Alerts for VPC Network Firewall Rule Changes do not exist🟢
It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.
🛡️ Log Metric Filter and Alerts for VPC Network Route Changes do not exist🟢
It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.
🛡️ Log Sink for All Log Entries is not configured🟢
It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).
🛡️ Managed Disk Data Access Auth Mode is not set to Azure Active Directory🟢
Enabling data access authentication mode adds a layer of protection using an Entra ID role to further restrict users from creating and using Shared Access Signature (SAS) tokens for exporting a detached managed disk or virtual machine state.
🛡️ Managed Disk is not attached to any Virtual Machine🟢
Consider deleting or archiving a managed disk that is not attached to any virtual machine for more than 30 days.
🛡️ Managed Disk Public Network Access is not disabled🟢
The setting 'Enable public access from all networks' is, in many cases, an overly permissive setting on Virtual Machine Disks that presents atypical attack, data infiltration, and data exfiltration vectors. If a disk to network connection is required, the preferred setup is to disable public access and enable private access.
🛡️ Managed Disk Snapshot is 90 days old or more🟢
Consider deleting or archiving Azure Managed Disk Snapshots that are 90 days old or more.
🛡️ Managed Disk Snapshot is stored on Premium SSDs Managed Disk storage🟢
Ensure Azure Managed Disk snapshots are stored on Standard storage instead of Premium SSDs Managed Disk storage.
🛡️ Managed Instance is located in a less cost-effective region🟢
This policy flags SQL Managed Instances that are running in Azure regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Managed Instance is underutilized🟢
Identify underutilized Azure SQL Managed Instances to optimize costs by downscaling instances with low utilization. Instances are considered underutilized if their average CPU utilization is below 20%, and average disk I/O is below 50 MB over a 30-day period.
🛡️ Managed Zone DNSSEC is not enabled🟢
Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.
🛡️ Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1🟢
DNSSEC algorithm numbers in the IANA DNS Security Algorithm Numbers registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.
🛡️ Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1🟢
DNSSEC algorithm numbers in the IANA DNS Security Algorithm Numbers registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for zone signing should be a recommended one and it should be strong.
🛡️ Management Console Authentication Failures Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.
🛡️ Management Console Sign-In without MFA Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
🛡️ Memcached Cluster is underutilized🟢
Memcached Clusters are considered underutilized if their average CPU utilization is consistently below 40% over a 30-day period. These clusters might be oversized for their workload.
🛡️ Metric Alarm does not have any actions configured🟢
Ensure that Amazon CloudWatch alarms are configured with at least one action for the ALARM, INSUFFICIENT_DATA, or OK states. Actions are essential for notifying personnel or triggering automated responses when an alarm changes state, ensuring that operational or security events are not missed.
🛡️ MFA For Administrators is not required🟢⚪
Designated users will be prompted to complete their multi-factor authentication (MFA) process on login.
🛡️ MFA For All Users is not required🟢⚪
Designated users will be prompted to complete their multi-factor authentication (MFA) process on login.
🛡️ MFA For Risky Sign-Ins is not required🟢⚪
Designated users will be prompted to complete their multi-factor authentication (MFA) process on login.
🛡️ MFA For Windows Azure Service Management API is not required🟢⚪
This recommendation ensures that users accessing the Windows Azure Service Management API (i.e. Azure PowerShell, Azure CLI, Azure Resource Manager API, etc.) are required to use multifactor authentication (MFA) credentials when accessing resources through the Windows Azure Service Management API.
🛡️ MFA is not enabled🟢
Ensure that Multi-Factor Authentication (MFA) is enabled for Snowflake Users to provide an additional layer of security. MFA support is provided as an integrated Snowflake feature, powered by the Duo Security service, which is managed completely by Snowflake.
🛡️ MFA To Access Microsoft Admin Portals is not required🟢⚪
This recommendation ensures that users accessing Microsoft Admin Portals (i.e. Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure Portal, etc.) are required to use multifactor authentication (MFA) credentials when logging into an Admin Portal.
🛡️ Microsoft Cloud Security Benchmark policies are disabled🟢⚪
The Microsoft Cloud Security Benchmark (or 'MCSB') is an Azure Policy Initiative containing many security policies to evaluate resource configuration against best practice recommendations. If a policy in the MCSB is set with effect type Disabled, it is not evaluated and may prevent administrators from being informed of valuable security recommendations.
🛡️ Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On🟢
Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Managed Instance Azure SQL databases, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.
🛡️ Microsoft Defender For App Services is not set to On🟢
Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
🛡️ Microsoft Defender For Azure Cosmos DB is not set to On🟢
Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.
🛡️ Microsoft Defender For Containers is not set to On🟢
Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
🛡️ Microsoft Defender For IoT Hub is not set to On🟢⚪
Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.
🛡️ Microsoft Defender For Key Vault is not set to On🟢
Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
🛡️ Microsoft Defender For Open-Source Relational Databases is not set to On🟢
Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
🛡️ Microsoft Defender For Resource Manager is not set to On🟢
Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.
🛡️ Microsoft Defender For Servers is not set to On🟢
Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
🛡️ Microsoft Defender For SQL Servers On Machines is not set to On🟢
Turning on Microsoft Defender for SQL Servers on Machines enables threat detection for SQL Servers on Machines, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.
🛡️ Microsoft Defender For Storage is not set to On🟢
Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
🛡️ Migration Task Logging is not enabled🟢
Ensure that CloudWatch logging is enabled for AWS DMS Replication Tasks.
🛡️ Minimum TLS Version is not set to TLS 1.2 or higher🟢
The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.
🛡️ Minimum TLS Version is not set to TLS 1.2 or higher🟢
In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.
🛡️ Multi-AZ Cluster Auto Minor Version Upgrade is not enabled🟢
Ensure that RDS Multi-AZ database clusters have the Auto Minor Version Upgrade flag enabled in order to automatically receive minor engine upgrades, including security patches and bug fixes.
🛡️ Multi-Region CloudTrail is not enabled🟢
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
🛡️ MySQL Instance allows anyone to connect with administrative privileges🟢⚪
It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances. This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.
🛡️ MySQL Instance Local_infile Database Flag is not set to off🟢
It is recommended to set the `local_infile` database flag for a Cloud SQL MySQL instance to `off`.
🛡️ MySQL Instance Skip_show_database Database Flag is not set to on🟢
It is recommended to set the `skip_show_database` database flag for a Cloud SQL MySQL instance to `on`.
🛡️ Named Locations are not defined🟢⚪
Microsoft Entra ID Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.
🛡️ Network Access Control Lists Changes Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.
🛡️ Network ACL exposes admin ports to public internet🟢
The Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH on port 22 and RDP on port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols.
🛡️ Network ACL is unused🟢
NACLs that are not associated with any subnets are considered unused. While unused NACLs do not incur direct costs, they can represent a security risk if they contain misconfigured rules and are later associated with a subnet.
🛡️ Network Gateways Changes Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.
🛡️ Network Security Group Flow Logs are not captured and sent to Log Analytics Workspace🟢⚪
Ensure that network flow logs are captured and fed into a central log analytics workspace.
🛡️ Network Watcher is not enabled in every available region🟢
Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights into the network in Azure.
🛡️ Non-RBAC Key Vault stores Keys without expiration date🟢
Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.
🛡️ Non-RBAC Key Vault stores Secrets without expiration date🟢
Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.
🛡️ Notify All Admins When Other Admins Reset Their Password is set No🟢⚪
Ensure that all Global Administrators are notified if any other administrator resets their password.
🛡️ Notify Users On Password Resets is set to No🟢⚪
Ensure that users are notified on their primary and secondary emails on password resets.
🛡️ Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled🟢
S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
🛡️ Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled🟢
S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
🛡️ Log Sink exports logs to a Storage Bucket without Bucket Lock🟢
Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.
🛡️ Organization Administrator Security Key Enforcement is not enabled🟢⚪
Set up Security Key Enforcement for Google Cloud Platform admin accounts.
🛡️ Organization Essential Contacts is not configured🟢
It is recommended that Essential Contacts is configured to designate email addresses for Google Cloud services to notify of important technical or security information.
🛡️ Organization has a Redis IAM role assigned🟢
Ensure that predefined Redis IAM roles are not assigned at the organization level. These roles should be scoped to individual projects where Redis is used.
🛡️ OS and Data disks are not encrypted with Customer-managed key🟢
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE).
🛡️ Owners Can Manage Group Membership Requests In The Access Panel is set to Yes🟢⚪
Restrict security group management to administrators only.
🛡️ Password is not rotated every 90 days🟢
Ensure that Snowflake User passwords are rotated at regular intervals.
🛡️ Physical Server Should Have Breeze Agent Installed🟢
Ensure that Breeze Agent is installed on the Physical Server. The Breeze Agent streams OS-level data into Cloudaware CMDB and seamlessly enables other Cloudaware modules such as Intrusion Detection (IDS), Vulnerability Scanning, Patch Management, CIS Benchmarking, and Event Monitoring.
🛡️ Policy (Customer Managed) Contains Potential Credentials Exposure🔴🟠
Policies with credentials exposure potential allow certain IAM actions without resource constraints. The policy will produce a violation if it detects a statement that contains any of the following actions with Effect: Allow and Resource: *. Conditions are not checked. Actions: chime:CreateApiKey, codepipeline:PollForJobs, cognito-identity:GetOpenIdToken, cognito-identity:GetOpenIdTokenForDeveloperIdentity, cognito-identity:GetCredentialsForIdentity, connect:GetFederationToken, ecr:GetAuthorizationToken, gamelift:RequestUploadCredentials, iam:CreateAccessKey, iam:CreateLoginProfile, iam:CreateServiceSpecificCredential, iam:ResetServiceSpecificCredential, iam:UpdateAccessKey, lightsail:GetInstanceAccessDetails, lightsail:GetRelationalDatabaseMasterUserPassword, rds-db:connect, redshift:GetClusterCredentials, sso:GetRoleCredentials, mediapackage:RotateChannelCredentials, mediapackage:RotateIngestEndpointCredentials, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, sts:GetSessionToken
🛡️ Policy allows full administrative privileges🟢
IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended, and considered standard security advice, to grant least privilege, that is, to grant only the permissions required to perform a task. Determine what users need to do and then craft policies that let them perform only those tasks, instead of allowing full administrative privileges.
🛡️ PostgreSQL Instance `Log_error_verbosity` Database Flag is not set to DEFAULT or stricter🟢
The log_error_verbosity flag controls the verbosity and detail of messages logged. Valid values are: TERSE, DEFAULT, VERBOSE. TERSE excludes the logging of DETAIL, HINT, QUERY, and CONTEXT error information. VERBOSE output includes the SQLSTATE error code, source code file name, function name, and line number that generated the error. Ensure the value is set to DEFAULT or stricter.
🛡️ PostgreSQL Instance cloudsql.enable_pgaudit Database Flag is not set to on🟢
Ensure cloudsql.enable_pgaudit database flag for Cloud SQL PostgreSQL instance is set to on to allow for centralized logging.
🛡️ PostgreSQL Instance Log_checkpoints Database Flag is not set to On🟢
Ensure that the `log_checkpoints` database flag for the Cloud SQL PostgreSQL instance is set to `on`.
🛡️ PostgreSQL Instance Log_connections Database Flag is not set to On🟢
Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.
🛡️ PostgreSQL Instance Log_disconnections Database Flag is not set to On🟢
Enabling the log_disconnections setting logs the end of each session, including the session duration.
🛡️ PostgreSQL Instance Log_min_duration_statement Database Flag is not set to `-1` (Disabled)🟢
The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.
🛡️ PostgreSQL Instance Log_min_error_statement Database Flag is not set to Error or stricter🟢
The log_min_error_statement flag defines the minimum message severity level that is considered an error statement. Messages for error statements are logged with the SQL statement. Valid values include (from lowest to highest severity) DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels listed above. Ensure a value of ERROR or stricter is set.
🛡️ PostgreSQL Instance Log_min_messages Database Flag is not set at minimum to Warning🟢
The log_min_messages flag defines the minimum message severity level that is considered an error statement. Messages for error statements are logged with the SQL statement. Valid values include (from lowest to highest severity) DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels listed above. WARNING is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.
🛡️ PostgreSQL Instance Log_statement Database Flag is not set appropriately🟢
The value of the log_statement flag determines which SQL statements are logged. Valid values are: none, ddl, mod, all. The value ddl logs all data definition statements. The value mod logs all ddl statements plus data-modifying statements. Statements are logged after basic parsing is done and the statement type is determined, so statements with errors are not logged. When using the extended query protocol, logging occurs after an Execute message is received, and the values of the Bind parameters are included. A value of 'ddl' is recommended unless otherwise directed by your organization's logging policy.
🛡️ PostgreSQL Instance log_temp_files Database Flag is not set to 0🟢
Ensure that the `log_temp_files` database flag for the Cloud SQL PostgreSQL instance is set to `0`.
🛡️ Primary Contact information is not current🔴🟢⚪
Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.
🛡️ Private Endpoints are not used🟢
Private endpoints limit network traffic to approved sources.
🛡️ Private Endpoints are not used🟢
Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.
🛡️ Private Endpoints are not used🟢
Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. Securing traffic between services through encryption protects the data from easy interception and reading.
🛡️ Privileged Role Assignments are not periodically reviewed🟢⚪
Periodic review of privileged role assignments is performed to ensure that the privileged roles assigned to users are accurate and appropriate.
🛡️ Privileged Virtual Machine is accessed by identities without MFA🟢⚪
Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage this access to move laterally and perform actions with the virtual machine's managed identity. Make sure the virtual machine has only the necessary permissions, and revoke admin-level permissions according to the principle of least privilege.
🛡️ Project Bitbucket Source Location URL contains credentials🟢
Ensures that AWS CodeBuild Project Bitbucket source repository URLs do not contain user credentials.
🛡️ Project has a default network🟢
To prevent use of the default network, a project should not have a default network.
🛡️ Project has a legacy network🟢
In order to prevent use of legacy networks, a project should not have a legacy network configured. As of now, Legacy Networks are gradually being phased out, and you can no longer create projects with them. This recommendation is to check older projects to ensure that they are not using Legacy Networks.
🛡️ Project with KMS keys has a principal with Owner role🟢
Ensure that projects containing cryptographic keys do not grant the primitive Owner role to any principal, in order to enforce the principle of least privilege and separation of duties. Assigning the Owner role provides unrestricted access to all resources within the project, including the ability to manage and use sensitive cryptographic keys, which creates a significant security risk.
🛡️ Provisioned Table Auto Scaling is not configured🟢
Ensure that Amazon DynamoDB tables are configured to automatically scale read and write capacity to meet demand. This can be achieved by using On-Demand capacity mode or by configuring Auto Scaling for provisioned throughput. This helps maintain performance during traffic spikes and can optimize costs during periods of low activity.
🛡️ Public IP Address is not associated with any resource🟢
Consider deleting public IP addresses that are not attached to a virtual machine, network interface, internet-facing load balancer, VPN gateway, or application gateway.
🛡️ Public IP Addresses are not evaluated periodically🟢⚪
Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. During the creation of certain resources in Azure, a Public IP Address may be created. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity.
🛡️ Public Network Access is enabled🟢
When a Private Endpoint is configured on a Key Vault, traffic from resources within the same subnet routes through the Vault's private IP. However, the public endpoint (mykeyvault.vault.azure.net) remains accessible unless Public network access is explicitly set to Disabled. Disabling public network access removes the public DNS entry, ensuring all traffic is routed through the private endpoint (mykeyvault.vault.privatelink.azure.net), thereby reducing exposure to the public internet.
🛡️ Public Network Access is not disabled🟢
Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts.
🛡️ Queue Logging is not enabled for Read, Write, and Delete requests🟢
The Storage Queue service stores messages that may be read by any client who has access to the storage account. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues.
🛡️ RBAC Key Vault stores Keys without expiration date🟢
Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.
🛡️ RBAC Key Vault stores Secrets without expiration date🟢
Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.
🛡️ Recommendations for Apply System Updates are not completed🟢⚪
Ensure that the latest OS patches for all virtual machines are applied.
🛡️ Reconfirm Authentication Information is set to 0🟢⚪
Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.
🛡️ Recovery Point is expired and failed to delete🟢
Ensures that expired AWS Backup Recovery Points did not fail to delete. This is indicated by recovery points being past their calculated deletion date, or having no calculated deletion date. This can lead to unnecessary costs and data retention issues.
🛡️ Redis Cluster Auto Minor Version Upgrade is not enabled🟢
Ensure that ElastiCache Redis clusters have the Auto Minor Version Upgrade flag enabled in order to automatically receive minor engine upgrades during the specified maintenance window.
🛡️ Redis Cluster automatic backups are not enabled🟢
Ensure that AWS ElastiCache clusters for Valkey and Redis OSS have automatic backups enabled to facilitate point-in-time recovery and protect against data loss.
🛡️ Remember MFA devices setting is disabled🟢⚪
Do not allow users to remember multi-factor authentication on devices.
🛡️ Remote Debugging is not disabled🟢
Remote Debugging allows Azure App Service to be debugged in real-time directly on the Azure environment. When remote debugging is enabled, it opens a communication channel that could potentially be exploited by unauthorized users if not properly secured.
🛡️ Replication Instance Auto Minor Version Upgrade is not enabled🟢
Ensure that AWS DMS Replication Instances have the Auto Minor Version Upgrade feature enabled to automatically receive the latest minor engine upgrades, which include security patches, bug fixes, and new features.
🛡️ Replication Instance is publicly accessible🟢
Ensure that AWS Database Migration Service (DMS) replication instances are not publicly accessible to minimize security risks such as unauthorized access, denial-of-service attacks, and data exfiltration.
🛡️ Repository Image Tag Mutability is set to Mutable🟢
Ensure that AWS ECR Repositories are configured with image tag immutability. Setting tags to immutable prevents image tags from being overwritten.
🛡️ Repository Lifecycle Policy is not configured🟢
Ensure that Amazon ECR repositories have a lifecycle policy configured to automatically manage and clean up unused container images, which helps reduce storage costs and maintain repository hygiene.
🛡️ Repository Manual Scanning is enabled🟢
AWS ECR Repository can be configured to automatically scan container images for software vulnerabilities. It is recommended to enable Scan On Push or Enhanced Scanning to ensure vulnerabilities are identified as soon as an image is pushed to the registry, rather than relying on manual scans.
🛡️ Require Infrastructure Encryption is not enabled🟢
Make sure to enable encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.
🛡️ Require MFA to register or join devices with Microsoft Entra ID is set to No🟢⚪
Joining or registering devices to Microsoft Entra ID should require Multi-factor authentication.
🛡️ Reservation expired in the last 30 days🟢
Identify Azure Reservations that have expired within the last 30 days, and ensure that these expirations were intentional.
🛡️ Reservation expires in the next 60 days🟢
Ensure that expiring Azure Reservations are tracked, renewed, or addressed beforehand to avoid service disruptions or loss of discounts. Proactive renewal maintains cost efficiency and ensures resources remain covered by reservations.
🛡️ Resource Lock Administrator Custom Role does not exist🟢⚪
Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.
🛡️ Resource Lock is not enabled for mission-critical resources🟢⚪
Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users.
🛡️ Resources Basic SKU is used for production workloads🟢⚪
The use of Basic or Free SKUs in Azure, whilst cost effective, has significant limitations in terms of what can be monitored and what support can be obtained from Microsoft. Typically, these SKUs do not have a service SLA and Microsoft may refuse to provide support for them. Consequently, Basic/Free SKUs should never be used for production workloads.
🛡️ REST API Stage is not associated with a WAF Web ACL🟢
Ensure that each AWS API Gateway REST API stage is associated with a WAF Web ACL to enhance its protection against malicious web traffic. AWS WAF enables configuration of rules to block, allow, or count web requests based on custom security criteria.
🛡️ REST API Stage is not configured to use an SSL certificate for authentication🟢
Ensure that the REST API Stage in AWS API Gateway is configured to use an SSL certificate for authentication. This ensures secure communication between backend systems and the API Gateway.
🛡️ REST API Stage X-Ray Tracing is not enabled🟢
Ensure AWS X-Ray active tracing is enabled for API Gateway REST API Stages. This functionality captures real-time metrics and insights into API request flows, helping monitor and optimize performance.
🛡️ Restrict Access To Microsoft Entra Admin Center is set to No🟢⚪
Restrict access to the Microsoft Entra ID administration center to administrators only.
🛡️ Restrict User Ability To Access Groups Features In The Access Pane is set to No🟢⚪
Restrict access to group web interface in the Access Panel portal.
🛡️ Role Based Access Control is not enabled🟢
The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.
🛡️ Roles related to KMS are not assigned to separate users🟢
It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.
🛡️ Root Account Usage Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for 'root' login attempts to detect the unauthorized use, or attempts to use the root account.
🛡️ Root User credentials were used in the last 30 days🟢
Ensure that the AWS root account credentials have not been used within the past 30 days. Minimize the usage of root account credentials to reduce the risk of unauthorized access or accidental changes to your AWS account.
🛡️ Route Table Changes Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.
🛡️ Route Table for VPC Peering does not follow the least privilege principle🟢⚪
Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired, even peering a VPC to only a single host on the other side of the connection.
🛡️ RSA Certificate key length is less than 2048 bits🟢
Ensure that RSA certificates managed by AWS Certificate Manager (ACM) have a key length of at least 2,048 bits since the strength of encryption directly correlates with key size.
🛡️ Rule Group has no WAF Rules🟢
Ensure that AWS WAF Rule Groups contain at least one rule. An empty rule group provides no traffic filtering and may indicate an incomplete configuration or an unused resource.
🛡️ S3 Bucket Access Logging is not enabled🟢
S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
🛡️ S3 Bucket Policy Changes Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
🛡️ Secret Automatic Rotation is not enabled🟢
Ensure that secrets stored in AWS Secrets Manager are configured for automatic rotation to minimize the risk associated with long-lived credentials.
🛡️ Secure Transfer Required is not enabled🟢
Ensure that data encryption in transit is enabled. The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection.
🛡️ Security Alert Notifications additional email address is not configured🟢
Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.
🛡️ Security Alert Notifications for alerts with High or Critical severity is not configured🟢
Enables emailing security alerts to the subscription owner or other designated security contact.
🛡️ Security Alert Notifications for attack path with Critical severity is not configured🟢⚪
Enables emailing attack paths to the subscription owner or other designated security contact.
🛡️ Security Alert Notifications to subscription owners are not configured🟢
Enable security alert emails to subscription owners.
🛡️ Security Defaults are not enabled🟢⚪
Security defaults in Microsoft Entra ID make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
🛡️ Security Group allows public access to DNS port🟢
Ensure that Azure Network Security Groups do not allow unrestricted public access to the DNS port 53. Exposing DNS to the internet from a VM can pose security risks, such as participation in DNS amplification attacks or unauthorized DNS resolution.
🛡️ Security Group allows public access to all ports🟢
Identify Azure Network Security Groups that are associated with Network Interfaces linked to NSGs containing inbound rules that allow unrestricted traffic from the public internet (0.0.0.0/0, ::/0, Internet, Any, or *) to all destination ports (*, 0-65535, or unspecified). Restrict access to only the specific destination ports and/or IP address ranges that require connectivity.
🛡️ Security Group allows public access to CIFS port🟢
Ensure that Azure Network Security Groups do not allow unrestricted public access to the CIFS port 445. Unrestricted access to CIFS from the public internet poses a significant security risk, potentially exposing file shares and sensitive data to unauthorized access and ransomware attacks.
🛡️ Security Group allows public access to FTP ports🟢
Ensure that Azure Network Security Groups do not allow unrestricted public access to FTP traffic (ports 20 and 21), which can expose systems to unauthorized access and potential attacks.
🛡️ Security Group allows public access to HTTP(S) ports🟢
Ensure that Azure Network Security Groups do not allow unrestricted public access to the HTTP/HTTPS ports 80 and 443. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.
🛡️ Security Group allows public access to MongoDB ports🟢
Ensure that Azure Network Security Groups do not expose MongoDB ports (27017-27020) to unrestricted public access, and that these ports are only accessible from authorized IP address ranges or internal networks.
🛡️ Security Group allows public access to MSSQL port🟢
Ensure that Azure Network Security Groups do not expose the MSSQL port (1433) to unrestricted public access, and that it is only accessible from authorized IP address ranges or internal networks.
🛡️ Security Group allows public access to MySQL port🟢
Ensure that Azure Network Security Groups do not expose the MySQL port (3306) to unrestricted public access, and that it is only accessible from authorized IP address ranges or internal networks.
🛡️ Security Group allows public access to NetBIOS ports🟢
Ensure that Azure Network Security Groups do not allow unrestricted public NetBIOS traffic (TCP/UDP 137, 138, 139).
🛡️ Security Group allows public access to Oracle DBMS ports🟢
Ensure that Azure Network Security Groups do not allow unrestricted public access to the Oracle DBMS (ports 1521, 1830, 2483 and 2484) by limiting access to trusted IP addresses or internal networks.
🛡️ Security Group allows public access to PostgreSQL port🟢
Ensure that Azure Network Security Groups do not allow unrestricted public access to the PostgreSQL port 5432, and that it is only accessible from authorized IP address ranges or internal networks.
🛡️ Security Group allows public access to RDP port🟢
Ensure that Azure Network Security Groups do not allow unrestricted public RDP (port 3389) traffic.
🛡️ Security Group allows public access to RPC port🟢
Ensure that Azure Network Security Groups do not allow unrestricted public access to the RPC port (135/TCP and 135/UDP). The RPC protocol enables inter-process communication and, if improperly secured, can expose VMs to unauthorized access.
🛡️ Security Group allows public access to SMTP port🟢
Ensure Azure Network Security Groups do not allow unrestricted public access to the SMTP port 25.
🛡️ Security Group allows public access to SSH port🟢
Ensure that Azure Network Security Groups do not allow unrestricted public SSH (port 22) traffic.
🛡️ Security Group allows public access to Telnet port🟢
Ensure Azure Network Security Groups do not allow unrestricted public access to the Telnet port 23. Telnet is an insecure protocol that transmits data, including credentials, in plaintext, making it vulnerable to eavesdropping and unauthorized access.
🛡️ Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols.
🛡️ Security Group allows public IPv6 (::/0) access to admin ports🟢
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.
🛡️ Security Group allows public UDP access🟢
Ensure that Azure Network Security Groups do not allow unrestricted public UDP traffic.
🛡️ Security Group allows unrestricted CIFS traffic🟢
Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. It is important to restrict CIFS access to only trusted networks and users to prevent unauthorized access and data breaches.
🛡️ Security Group allows unrestricted DNS traffic🟢
Ensure that AWS EC2 Security Groups do not allow unrestricted DNS traffic. Review and update security group rules to restrict DNS traffic to only trusted sources and destinations to enhance network security and prevent potential misuse.
🛡️ Security Group allows unrestricted FTP traffic🟢
Ensure that FTP traffic (ports 20 and 21) is restricted to trusted IP ranges or disable it entirely. Evaluate the security group settings in AWS EC2 to ensure they do not permit unrestricted access to these ports, which can expose systems to unauthorized access and potential attacks.
🛡️ Security Group allows unrestricted ICMP traffic🟢
Ensure that unrestricted ICMP access (including ping requests) is blocked or limited to trusted IP addresses. This ensures that only necessary network diagnostics can occur, mitigating potential security risks associated with exposing ICMP to the public internet.
🛡️ Security Group allows unrestricted NetBIOS traffic🟢
Ensure that AWS EC2 security groups do not allow unrestricted NetBIOS traffic (TCP: 137, 139; UDP: 137, 138).
🛡️ Security Group allows unrestricted RPC traffic🟢
Ensure that AWS EC2 Security Groups restrict inbound RPC traffic (port 135) to trusted IP ranges or instances. The RPC protocol enables inter-process communication and, if improperly secured, can expose EC2 instances to unauthorized access.
🛡️ Security Group allows unrestricted SMTP traffic🟢
Ensure that AWS EC2 Security Groups are configured to restrict inbound SMTP traffic (port 25) to trusted IP addresses.
🛡️ Security Group allows unrestricted Telnet traffic🟢
Ensure that AWS EC2 Security Groups do not allow unrestricted Telnet traffic. This involves reviewing and modifying Security Group rules to restrict access to port 23, typically used for Telnet, to prevent unauthorized or insecure access.
🛡️ Security Group allows unrestricted traffic to all ports🟢
Ensure that AWS EC2 Security Groups are configured to avoid unrestricted traffic to all ports. This involves reviewing and limiting overly permissive inbound rules that expose all ports (0-65535) to unrestricted IP ranges (0.0.0.0/0 or ::/0).
🛡️ Security Group allows unrestricted traffic to MongoDB🟢
Ensure that AWS EC2 Security Groups are configured to restrict access to MongoDB. This involves reviewing the Security Group rules to prevent unrestricted access (0.0.0.0/0) to MongoDB on ports 27017-27020 and ensuring that it is only accessible by trusted sources.
🛡️ Security Group allows unrestricted traffic to MSSQL🟢
Ensure that AWS EC2 Security Groups are configured to restrict access to Microsoft SQL Server (MSSQL) on port 1433 by limiting inbound traffic to trusted IP addresses.
🛡️ Security Group allows unrestricted traffic to MySQL🟢
Ensure that AWS EC2 Security Groups are configured to restrict inbound access to MySQL instances on port 3306 by limiting access to trusted IP addresses or internal networks.
🛡️ Security Group allows unrestricted traffic to Oracle DBMS🟢
Ensure that AWS EC2 Security Groups are configured to restrict inbound traffic to Oracle DBMS (ports 1521, 1830, 2483 and 2484) by limiting access to trusted IP addresses or internal networks.
🛡️ Security Group allows unrestricted traffic to PostgreSQL🟢
Ensure that AWS EC2 Security Groups restrict inbound access to PostgreSQL on port 5432 by limiting traffic to trusted IP addresses or internal networks.
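The Security Group checks above all reduce to one evaluation: does any ingress rule reach a sensitive port from 0.0.0.0/0 or ::/0, counting rules that use the ALL (-1) protocol and rules whose port range merely happens to contain 22 or 3389. The following is an added example, not Cloudaware's own checker; it evaluates the IpPermissions structure that ec2.describe_security_groups() returns, against constructed sample groups. The ADMIN_PORTS table and the sg-* identifiers are assumptions for the demo; extend the table with the database and service ports listed above to reproduce the other checks.

```python
"""Flag EC2 security group ingress rules that expose admin ports to the world.

Added example (not Cloudaware's checker). SAMPLE_GROUPS is constructed to look
like the IpPermissions structure returned by ec2.describe_security_groups().
"""
import ipaddress

# Ports to flag; extend with 1433, 3306, 5432, 27017-27020, ... as needed.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
PUBLIC_V4 = ipaddress.ip_network("0.0.0.0/0")
PUBLIC_V6 = ipaddress.ip_network("::/0")


def rule_covers_port(perm, port):
    """True if this permission entry allows TCP/UDP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        # ALL protocols: the API omits FromPort/ToPort and every port is open.
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return False            # e.g. icmp: not a port-based protocol
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or (lo, hi) == (-1, -1):
        return True             # unspecified range means all ports
    return lo <= port <= hi


def public_sources(perm):
    """Return the CIDRs in this entry that mean 'the whole internet'."""
    sources = []
    for r in perm.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"], strict=False) == PUBLIC_V4:
            sources.append(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"], strict=False) == PUBLIC_V6:
            sources.append(r["CidrIpv6"])
    return sources


def find_exposed_admin_ports(group):
    """Return (group_id, service, port, protocol, source) for each exposure."""
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = public_sources(perm)
        if not sources:
            continue
        for port, service in ADMIN_PORTS.items():
            if rule_covers_port(perm, port):
                for src in sources:
                    findings.append((group["GroupId"], service, port,
                                     perm["IpProtocol"], src))
    return findings


def audit(groups):
    return [f for g in groups for f in find_exposed_admin_ports(g)]


# Constructed sample: four groups with different exposure patterns.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "IpPermissions": [            # classic: SSH from anywhere
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2", "IpPermissions": [            # ALL traffic from any IPv6 host
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0c3", "IpPermissions": [            # compliant: 443 public, 22 scoped
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0d4", "IpPermissions": [            # wide range that swallows 3389
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print("EXPOSED: %s %s/%s via %s from %s" % finding)
```

The check matches only the literal 0.0.0.0/0 and ::/0 that the policies above describe; a pair of /1 prefixes, or any very wide prefix, passes it, so an audit that cares about that should flag prefixes shorter than a chosen threshold instead of testing for equality. The sg-0d4 case is the one reviewers most often miss: a 3000-4000 range looks like an application port block, but it contains RDP.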
🛡️ Security Group Changes Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.
🛡️ Security Group Flow Logs retention period is less than 90 days🟢
Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.
🛡️ Security Hub is not enabled🟢
Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie.
🛡️ Self-Service Password Reset does not require 2 authentication methods🟢⚪
Ensures that two alternate forms of identification are provided before allowing a password reset.
🛡️ Sensitive Data Protection is not in use🟢⚪
BigQuery tables can contain sensitive data that for security purposes should be discovered, monitored, classified, and protected. Google Cloud's Sensitive Data Protection tools can automatically provide data classification of all BigQuery data across an organization.
🛡️ Server Auditing is not enabled🟢
Auditing tracks database events and writes them to an audit log in the Azure storage account. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited.
🛡️ Server Auditing Retention is less than 90 days🟢
SQL Server audit retention should be configured to 90 days or more. Audit logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.
🛡️ Server Certificate is expired🟢
To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.
🛡️ Server is idle🟢
Identify idle Azure PostgreSQL Servers to optimize costs and improve efficiency. Servers are considered idle if their average CPU is below 5% and I/O utilization is 0% over a 30-day period.
🛡️ Server is located in a less cost-effective region🟢
This policy flags MySQL Server that are running in Azure regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Server is located in a less cost-effective region🟢
This policy flags PostgreSQL Server that are running in Azure regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Server is underutilized🟢
Identify underutilized Azure MySQL Servers to optimize costs and improve efficiency. Servers are considered underutilized if their average CPU and I/O utilization are consistently below 20% and memory is below 40% over a 30-day period.
🛡️ Server is underutilized🟢
Identify underutilized Azure PostgreSQL Servers to optimize costs and improve efficiency. Servers are considered underutilized if their average CPU and I/O utilization are consistently below 20% and memory is below 40% over a 30-day period.
🛡️ Server Microsoft Entra authentication is not configured🟢
Use Microsoft Entra authentication for authentication with SQL Database to manage credentials in a single place.
🛡️ Server Public Network Access is not disabled🟢
Public Network Access tends to be overly permissive and introduces unintended vectors for threat activity.
🛡️ Server Transparent Data Encryption Protector is not encrypted with Customer-managed key🟢
Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
🛡️ Service Account has admin privileges🟢
A service account is a special Google account that belongs to an application or a VM instead of to an individual end user. The application uses the service account to call Google APIs so that users are not directly involved. It is recommended not to grant admin roles to service accounts.
🛡️ Service Account has User-Managed Keys🟢
User-managed service accounts should not have user-managed keys.
🛡️ Service Account User-Managed Key is not rotated every 90 days🟢
Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google Cloud services accessible to that particular service account. It is recommended that all Service Account keys are regularly rotated.
🛡️ Shared Access Signature Tokens do not expire within 1 hour🟢⚪
Expire shared access signature tokens within an hour.
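A SAS token carries its own validity window in the query string: `se` is the expiry and the optional `st` is the start, both UTC ISO 8601; when `st` is absent the token is valid from the moment it was issued. The following is an added example, not Cloudaware's code; it computes a token's lifetime from those parameters, with the caveat a reviewer needs: a token bound to a stored access policy (`si`) can carry no `se` at all, in which case the expiry lives in the policy and cannot be judged from the token. The storage account name and signature values in the sample tokens are constructed placeholders.

```python
"""Check the lifetime of an Azure shared access signature token.

Added example, not Cloudaware's code. Works on a full SAS URL or the bare
query string; the sample tokens are constructed (their signatures are dummies).
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=1)


def _parse_sas_time(value):
    """SAS times are UTC ISO 8601 (2025-01-01T10:00:00Z) or a bare date."""
    if len(value) == 10:
        return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sas_params(sas):
    query = urlsplit(sas).query if "://" in sas else sas.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query).items()}


def sas_lifetime(sas, issued_at):
    """Return the validity window as a timedelta, or None when the expiry lives
    in a stored access policy (si) and cannot be read from the token itself."""
    p = sas_params(sas)
    if "se" not in p:
        if "si" in p:
            return None
        raise ValueError("SAS token has neither an expiry (se) nor a policy (si)")
    expiry = _parse_sas_time(p["se"])
    start = _parse_sas_time(p["st"]) if "st" in p else issued_at  # no st: valid from issuance
    return expiry - start


def expires_within_hour(sas, issued_at):
    lifetime = sas_lifetime(sas, issued_at)
    return None if lifetime is None else lifetime <= MAX_LIFETIME


ISSUED = datetime(2025, 1, 1, 10, 0, tzinfo=timezone.utc)
# Constructed tokens; the sig values are placeholders, not real signatures.
SHORT_SAS = ("https://examplestorage.blob.core.windows.net/logs/app.log"
             "?sv=2022-11-02&st=2025-01-01T10%3A00%3A00Z&se=2025-01-01T10%3A30%3A00Z"
             "&sr=b&sp=r&sig=PLACEHOLDER")
LONG_SAS = "sv=2022-11-02&se=2025-01-08&sr=c&sp=rwdl&sig=PLACEHOLDER"   # 7-day container SAS, no st
POLICY_SAS = "sv=2022-11-02&si=read-policy&sr=c&sig=PLACEHOLDER"      # expiry in stored policy

if __name__ == "__main__":
    for name, token in (("short", SHORT_SAS), ("long", LONG_SAS), ("policy", POLICY_SAS)):
        print(name, sas_lifetime(token, ISSUED), expires_within_hour(token, ISSUED))
```

The LONG_SAS case is the one this policy is aimed at: a container-scoped token with read, write, delete and list permissions and a week-long window is a credential, and it cannot be revoked short of rotating the account key or, for policy-bound tokens, editing the policy.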
🛡️ Shared Key Access is not disabled🟢
Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Microsoft Entra credentials or the account access key (Shared Key authorization). Disallowing Shared Key access forces all requests to use Microsoft Entra authorization, so that possession of an account key alone no longer grants access to the data.
🛡️ Single Server Enforce SSL Connection is not set enabled🟢
Enforcing SSL/TLS connections between the database server and client applications encrypts the data stream between them, which protects against man-in-the-middle attacks.
🛡️ Single Server Infrastructure Double Encryption is not enabled🟢
Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled. If Double Encryption is enabled, another layer of encryption is implemented at the hardware level before the storage or network level.
🛡️ Single Server log_connections Parameter is not set to ON🟢
Enable log_connections on PostgreSQL Single Servers.
🛡️ Single Server log_disconnections Parameter is not set to ON🟢
Enable log_disconnections on PostgreSQL Servers.
🛡️ Snapshot is 90 days old or more🟢
Consider deleting or archiving AWS RDS Snapshots that are 90 days old or more to reduce storage costs and manage data lifecycle.
🛡️ Snapshot is 90 days old or more🟢
Consider deleting or archiving Google GCE Snapshots that are 90 days old or more.
🛡️ Snapshot is publicly accessible🟢
Ensure that your AWS Relational Database Service (RDS) database snapshots are not publicly accessible (i.e. shared with all AWS accounts and users) in order to avoid exposing your private data.
🛡️ Soft Delete and Purge Protection functions are not enabled🟢
It is recommended the Key Vault be made recoverable by enabling the 'Do Not Purge' and 'Soft Delete' functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc.
🛡️ SQL Server Instance 3625 (trace flag) Database Flag is not set to on🟢
It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to 'on'.
🛡️ SQL Server Instance contained database authentication Database Flag is set to on🟢
It is recommended not to set contained database authentication database flag for Cloud SQL on the SQL Server instance to 'on'.
🛡️ SQL Server Instance cross db ownership chaining Database Flag is not set to off🟢
It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to 'off'.
🛡️ SQL Server Instance external scripts enabled Database Flag is not set to off🟢
It is recommended to set `external scripts enabled` database flag for Cloud SQL SQL Server instance to `off`
🛡️ SQL Server Instance remote access Database Flag is not set to off🟢
It is recommended to set remote access database flag for Cloud SQL SQL Server instance to 'off'.
🛡️ SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value🟢
It is recommended to check the user connections for a Cloud SQL SQL Server instance to ensure that it is not artificially limiting connections.
🛡️ SQL Server Instance user options Database Flag is configured🟢
It is recommended that the user options database flag for a Cloud SQL SQL Server instance is not configured.
🛡️ Storage Account is located in a less cost-effective region🟢
This policy flags Storage Accounts that are running in Azure regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Storage Account uses Delete lock🟢⚪
Azure Resource Manager CannotDelete (Delete) locks can prevent users from accidentally or maliciously deleting a storage account. This feature ensures that while the Storage account can still be modified or used, deletion of the Storage account resource requires removal of the lock by a user with appropriate permissions. This feature is a protective control for the availability of data. By ensuring that a storage account or its parent resource group cannot be deleted without first removing the lock, the risk of data loss is reduced.
🛡️ Storage Account uses Locally Redundant Storage replication option🟢
Consider switching Storage Account SKU to the recommended zone-redundant storage (ZRS), geo-redundant storage (GRS), or geo-zone-redundant storage (GZRS). LRS is the lowest-cost redundancy option and offers the least durability compared to other options.
🛡️ Storage Account uses ReadOnly lock🟢⚪
Adding an Azure Resource Manager ReadOnly lock can prevent users from accidentally or maliciously deleting a storage account, modifying its properties and containers, or creating access assignments. The lock must be removed before the storage account can be deleted or updated. It provides more protection than a CannotDelete-type of resource manager lock. This feature prevents POST operations on a storage account and containers to the Azure Resource Manager control plane, management.azure.com. Blocked operations include listKeys which prevents clients from obtaining the account shared access keys. Microsoft does not recommend ReadOnly locks for storage accounts with Azure Files and Table service containers. This Azure Resource Manager REST API documentation (spec) provides information about the control plane POST operations for Microsoft.Storage resources.
🛡️ Subnet Map Public IP On Launch is enabled🟢
Ensure that AWS VPC Subnets are not configured to automatically assign public IP addresses to EC2 Instances launched within them.
🛡️ Subscription Leaving Microsoft Entra ID Directory and Subscription Entering Microsoft Entra ID Directory is not set to Permit No One🟢⚪
Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Microsoft Entra ID.
🛡️ Symmetric CMK Rotation is not enabled🟢
AWS KMS allows customers to rotate the backing key, the key material stored within KMS that is tied to the key ID of the customer-created CMK. The backing key is what performs cryptographic operations such as encryption and decryption. Automatic key rotation retains all prior backing keys so that data encrypted under them can still be decrypted transparently. It is recommended that key rotation be enabled for symmetric CMKs.
🛡️ Table is located in a less cost-effective region🟢
This policy flags DynamoDB Tables that are running in AWS regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Table is not encrypted with Customer-Managed Encryption Key (CMEK)🟢
BigQuery by default encrypts data at rest using envelope encryption with Google-managed cryptographic keys: data is encrypted with data encryption keys, which are in turn encrypted with key encryption keys. This is seamless and requires no input from the user. For greater control, Customer-managed encryption keys (CMEK) can be used as the key management solution for BigQuery datasets; with CMEK, the customer-managed key encrypts the data encryption keys instead of a Google-managed key.
🛡️ Table Logging is not enabled for Read, Write, and Delete requests🟢
Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables.
🛡️ Table Point In Time Recovery is not enabled🟢
Ensure that Point-in-Time Recovery (PITR) is enabled for your Amazon DynamoDB tables to protect against accidental writes or deletes. PITR provides continuous backups, allowing you to restore your table to any point in time during the last 35 days.
🛡️ Task logging is not enabled🟢
Ensure that AWS DataSync task logging is enabled to capture detailed information about task executions, data transfers, and potential errors in Amazon CloudWatch Logs.
🛡️ Transit Gateway Auto Accept Shared Attachments is enabled🟢
Ensure that VPC Transit Gateways are not configured to automatically accept shared attachments. Disabling this feature ensures that all cross-account attachment requests are manually reviewed and approved.
🛡️ Trusted Azure Services are not enabled as networking exceptions🟢
Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules.
🛡️ Trusted Launch is not enabled🟢
When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting. If the attacker is able to bypass Secure Boot and install a malicious bootloader, vTPM can be used to detect the intrusion and alert you.
🛡️ Unapproved Extensions are installed🟢⚪
For added security, only install organization-approved extensions on VMs.
🛡️ Unattached Managed Disk is not encrypted with Customer-managed key🟢
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).
🛡️ Unauthorized API Calls Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.
🛡️ Use of the 'User Access Administrator' role is not restricted🟢
The User Access Administrator role grants the ability to view all resources and manage access assignments at any subscription or management group level within the tenant. Due to its broad privileges, this role should be assigned only for the duration of the necessary changes at the root scope and then removed immediately. For ongoing operations, define and use custom roles that grant only the minimum permissions required.
🛡️ User Access Keys are not rotated every 90 days or less🟢
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.
🛡️ User Consent For Applications is not set to Allow From Verified Publishers🟢⚪
Allow users to provide consent for selected permissions when a request is coming from a verified publisher.
🛡️ User Consent For Applications is not set to Do Not Allow User Consent🟢⚪
Require administrators to provide consent for applications before use.
🛡️ User has both Service Account Admin and Service Account User roles assigned🟢
It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.
🛡️ User has inline or directly attached policies🟢
IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user:
1) Edit the user policy directly, aka an inline, or user, policy.
2) attach a policy directly to a user.
3) add the user to an IAM group that has an attached policy.
4) add the user to an IAM group that has an inline policy.
Only the third implementation is recommended.
🛡️ User has more than one active access key🟢
Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). A user with two active keys has twice the exposure and, in practice, one key that nobody is tracking; keep a second key active only for the duration of a rotation.
🛡️ User is assigned a basic role🟢
A user has one of the following IAM basic roles: roles/owner, roles/editor, or roles/viewer. These roles are too permissive and shouldn't be used.
🛡️ User MFA is not enabled for all users with console password🟢
Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.
🛡️ User with console and programmatic access set during the initial creation🟢⚪
AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require. Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.
🛡️ User with credentials unused for 45 days or more is not disabled🟢
AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.
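The four IAM user checks above (keys not rotated within 90 days, more than one active access key, MFA missing for console users, and credentials unused for 45 days) can all be read from one artifact: the IAM credential report (`aws iam generate-credential-report` followed by `get-credential-report`), a CSV with one row per user. The following is an added example, not Cloudaware's code; it evaluates a constructed report trimmed to the columns the checks need, against a fixed reference date so the results are reproducible, and it treats a key that has never been used as idle since its creation, which is how the unused-credential rule catches keys minted and forgotten. The user names and account ID are placeholders.

```python
"""Evaluate IAM credential-report rows against the user credential checks above.

Added example (not Cloudaware's code). SAMPLE_REPORT is a constructed report
trimmed to the columns the checks need; the real report has more columns but
the same names and value conventions ("true"/"false", ISO 8601 or "N/A").
"""
import csv
import io
from datetime import datetime, timezone

# Fixed reference date so the sample findings are reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90
MAX_IDLE_DAYS = 45
MISSING = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    if value in MISSING:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def age_days(value, now):
    ts = parse_ts(value)
    return None if ts is None else (now - ts).days


def analyze_user(row, now=NOW):
    """Return the list of findings for one credential-report row."""
    findings = []
    if row["user"] == "<root_account>":
        return findings                      # root has its own checks
    password_enabled = row["password_enabled"] == "true"

    if password_enabled and row["mfa_active"] != "true":
        findings.append("MFA not enabled for console user")

    active_keys = [n for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]
    if len(active_keys) > 1:
        findings.append("more than one active access key")

    for n in active_keys:
        rotated = age_days(row[f"access_key_{n}_last_rotated"], now)
        if rotated is not None and rotated > MAX_KEY_AGE_DAYS:
            findings.append(f"access key {n} not rotated for {rotated} days")
        last_used = age_days(row[f"access_key_{n}_last_used_date"], now)
        idle = rotated if last_used is None else last_used   # never used: idle since creation
        if idle is not None and idle >= MAX_IDLE_DAYS:
            findings.append(f"access key {n} unused for {idle} days")

    if password_enabled:
        last_used = age_days(row["password_last_used"], now)
        idle = age_days(row["password_last_changed"], now) if last_used is None else last_used
        if idle is not None and idle >= MAX_IDLE_DAYS:
            findings.append(f"console password unused for {idle} days")
    return findings


def analyze_report(csv_text, now=NOW):
    return {row["user"]: analyze_user(row, now)
            for row in csv.DictReader(io.StringIO(csv_text))}


# Constructed report: root, a clean user, and three users with distinct problems.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-12-01T00:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-01T00:00:00+00:00,true,2024-12-30T00:00:00+00:00,2024-11-01T00:00:00+00:00,true,true,2024-12-01T00:00:00+00:00,2024-12-31T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-01-01T00:00:00+00:00,true,2024-12-28T00:00:00+00:00,2024-06-01T00:00:00+00:00,false,true,2024-06-01T00:00:00+00:00,2024-12-20T00:00:00+00:00,true,2024-12-15T00:00:00+00:00,N/A
carol,arn:aws:iam::123456789012:user/carol,2023-01-01T00:00:00+00:00,false,N/A,N/A,false,true,2024-09-01T00:00:00+00:00,2024-10-01T00:00:00+00:00,false,N/A,N/A
dave,arn:aws:iam::123456789012:user/dave,2023-01-01T00:00:00+00:00,true,N/A,2024-10-01T00:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
"""

if __name__ == "__main__":
    for user, findings in analyze_report(SAMPLE_REPORT).items():
        print(user, findings or "OK")
```

Bob is the typical case: a second key was created for a rotation in December, but the June key was never deactivated, so he now fails three checks at once. Dave fails none of the key checks but has a console password he has never signed in with, which the unused-credential rule measures from the last password change.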
🛡️ Users Can Create Microsoft 365 Groups In Azure Portals, API Or PowerShell is set to Yes🟢⚪
Restrict Microsoft 365 group creation to administrators only.
🛡️ Users Can Create Security Groups In Azure Portals, API Or PowerShell is set to Yes🟢⚪
Restrict security group creation to administrators only.
🛡️ Users Can Register Applications is set to Yes🟢
Require administrators or appropriately delegated users to register third-party applications.
🛡️ Users Multi-Factor Auth Status is not enabled🟢⚪
Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom-created objects and built-in roles such as Service Co-Administrators, Subscription Owners and Contributors.
🛡️ Vault contains unencrypted Recovery Points🟢
Ensure that all Recovery Points within an AWS Backup Vault are encrypted. Unencrypted recovery points can expose sensitive backup data to unauthorized access.
🛡️ vCenter Virtual Machine Should Have Breeze Agent Installed🟢
Ensure that Breeze Agent is installed on the vCenter Virtual Machine. The Breeze Agent streams OS-level data into Cloudaware CMDB and seamlessly enables other Cloudaware modules such as Intrusion Detection (IDS), Vulnerability Scanning, Patch Management, CIS Benchmarking, and Event Monitoring.
🛡️ Virtual Machine allows public access to all ports🟢
Identify Azure Virtual Machines that are associated with Network Interfaces linked to NSGs containing inbound rules that allow unrestricted traffic from the public internet (0.0.0.0/0, ::/0, Internet, Any, or *) to all destination ports (*, 0-65535, or unspecified). Restrict access to only the specific destination ports and/or IP address ranges that require connectivity.
🛡️ Virtual Machine allows public access to CIFS port🟢
Ensure that Azure Virtual Machines do not allow unrestricted public access to the CIFS port 445. Unrestricted access to CIFS from the public internet poses a significant security risk, potentially exposing file shares and sensitive data to unauthorized access and ransomware attacks.
🛡️ Virtual Machine allows public access to DNS port🟢
Ensure that Azure Virtual Machines do not allow unrestricted public access to the DNS port 53. Exposing DNS to the internet from a VM can pose security risks, such as participation in DNS amplification attacks or unauthorized DNS resolution.
🛡️ Virtual Machine allows public access to FTP ports🟢
Ensure that Azure Virtual Machines do not allow unrestricted public access to the FTP traffic (ports 20 and 21), which can expose systems to unauthorized access and potential attacks.
🛡️ Virtual Machine allows public access to HTTP(S) ports🟢
Ensure that Azure Virtual Machines do not allow unrestricted public access to the HTTP/HTTPS ports 80 and 443. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.
🛡️ Virtual Machine allows public access to MongoDB ports🟢
Ensure that Azure Virtual Machines are not exposed to unrestricted public access on MongoDB ports (27017-27020) and only accessible by authorized IP address ranges or internal networks.
🛡️ Virtual Machine allows public access to MSSQL port🟢
Ensure that Azure Virtual Machines are not exposed to unrestricted public access on the MSSQL port (1433) and are only accessible from authorized IP address ranges or internal networks.
🛡️ Virtual Machine allows public access to MySQL port🟢
Ensure that Azure Virtual Machines are not exposed to unrestricted public access on MySQL port (3306) and only accessible by authorized IP address ranges or internal networks.
🛡️ Virtual Machine allows public access to NetBIOS ports🟢
Ensure that Azure Virtual Machines do not allow unrestricted public NetBIOS traffic (TCP/UDP 137, 138, 139).
🛡️ Virtual Machine allows public access to Oracle DBMS ports🟢
Ensure that Azure Virtual Machines do not allow unrestricted public access to the Oracle DBMS (ports 1521, 1830, 2483 and 2484) by limiting access to trusted IP addresses or internal networks.
🛡️ Virtual Machine allows public access to PostgreSQL port🟢
Ensure that Azure Virtual Machines do not allow unrestricted public access to the PostgreSQL port 5432 and are only accessible from authorized IP address ranges or internal networks.
🛡️ Virtual Machine allows public access to RDP port🟢
Ensure that Azure Virtual Machines do not allow unrestricted public RDP (port 3389) traffic.
🛡️ Virtual Machine allows public access to RPC port🟢
Ensure that Azure Virtual Machines do not allow unrestricted public access to the RPC port (135/TCP and 135/UDP). The RPC protocol enables inter-process communication and, if improperly secured, can expose VMs to unauthorized access.
🛡️ Virtual Machine allows public access to SMTP port🟢
Ensure Azure Virtual Machines do not allow unrestricted public access to the SMTP port 25.
🛡️ Virtual Machine allows public access to SSH port🟢
Ensure that Azure Virtual Machines do not allow unrestricted public SSH (port 22) traffic.
🛡️ Virtual Machine allows public access to Telnet port🟢
Ensure Azure Virtual Machines do not allow unrestricted public access to the Telnet port 23. Telnet is an insecure protocol that transmits data, including credentials, in plaintext, making it vulnerable to eavesdropping and unauthorized access.
🛡️ Virtual Machine allows public UDP access🟢
Ensure that Azure Virtual Machines do not allow unrestricted public UDP protocol.
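Azure NSGs differ from AWS security groups in two ways that matter for the Virtual Machine checks above (and for the Security Group entries earlier on this page): a rule's source can be a service tag or wildcard ("Internet", "*", which the portal displays as "Any") rather than a CIDR, and rules carry a priority, so a Deny with a lower priority number shadows an Allow that follows it. The following is an added example, not Cloudaware's own logic; it walks constructed rules in priority order, falling back to Azure's built-in DenyAllInBound, and reports which of the listed service ports an arbitrary internet host can reach. Rule names and the CHECKED_PORTS table are assumptions for the demo.

```python
"""Evaluate Azure NSG inbound rules for internet exposure of known service ports.

Added example (not Cloudaware's logic). Rule dictionaries mirror the fields of
an NSG securityRules entry (priority, direction, access, protocol,
sourceAddressPrefix(es), destinationPortRange(s)); SAMPLE_NSG is constructed.
"""

# Source values that mean "anyone on the internet". "Any" is the portal's
# label for "*"; the API itself stores "*".
PUBLIC_SOURCES = {"*", "Any", "Internet", "0.0.0.0/0", "::/0"}

CHECKED_PORTS = {22: "SSH", 23: "Telnet", 445: "CIFS", 1433: "MSSQL",
                 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 27017: "MongoDB"}


def port_spec_matches(spec, port):
    """destinationPortRange forms: "*", "" (unspecified), "22", "0-65535", "3000-3400"."""
    spec = (spec or "*").strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def port_specs(rule):
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]


def sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def effective_inbound_access(rules, port, protocol="Tcp"):
    """First matching rule in ascending priority wins; the default is DenyAllInBound.

    Only rules whose source covers the whole internet are considered, because the
    question is what an arbitrary internet host can reach.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction", "Inbound") != "Inbound":
            continue
        if rule["protocol"] not in ("*", protocol):
            continue
        if not any(src in PUBLIC_SOURCES for src in sources(rule)):
            continue
        if not any(port_spec_matches(spec, port) for spec in port_specs(rule)):
            continue
        return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"   # built-in default rule, priority 65500


def publicly_reachable_ports(rules):
    """Map service name -> the rule that exposes it, for each port that ends up Allow."""
    exposed = {}
    for port, service in CHECKED_PORTS.items():
        access, rule_name = effective_inbound_access(rules, port)
        if access == "Allow":
            exposed[service] = rule_name
    return exposed


def allows_all_ports(rules):
    """The 'all ports' condition: an inbound Allow from a public source covering 0-65535."""
    return any(
        rule["access"] == "Allow"
        and rule.get("direction", "Inbound") == "Inbound"
        and any(src in PUBLIC_SOURCES for src in sources(rule))
        and any(port_spec_matches(s, 0) and port_spec_matches(s, 65535) for s in port_specs(rule))
        for rule in rules)


# Constructed sample NSG.
SAMPLE_NSG = [
    {"name": "allow-ssh", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "deny-rdp", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-rdp-any", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},  # shadowed
    {"name": "allow-db-range", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["0.0.0.0/0"],
     "destinationPortRanges": ["1433", "3000-3400"]},            # 3306 hides inside the range
    {"name": "allow-https", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-pg-office", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "5432"},
]

WIDE_OPEN_NSG = [
    {"name": "allow-everything", "priority": 4000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Any", "destinationPortRange": "0-65535"},
]

if __name__ == "__main__":
    print(publicly_reachable_ports(SAMPLE_NSG))
    print("all ports open:", allows_all_ports(SAMPLE_NSG), allows_all_ports(WIDE_OPEN_NSG))
```

Two things this evaluation gets right that a rule-by-rule grep does not: allow-rdp-any is harmless because deny-rdp outranks it, and allow-db-range exposes MySQL even though 3306 appears nowhere in the rule. A full audit also has to consider that a VM's effective rules are the intersection of the subnet NSG and the NIC NSG; the policies above evaluate the NSGs attached to the VM's network interfaces.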
🛡️ Virtual Machine is idle🟢
Identify and address idle Azure Virtual Machines to optimize costs by stopping, terminating, or downscaling VMs with low utilization. VMs are considered idle if their average CPU utilization is below 5%, maximum CPU utilization is below 15%, and average network I/O is below 100 MB over a 14-day period.
🛡️ Virtual Machine is located in a less cost-effective region🟢
This policy flags SQL Virtual Machines that are running in Azure regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Virtual Machine is located in a less cost-effective region🟢
This policy flags Virtual Machines that are running in Azure regions with higher pricing and could potentially be migrated to more cost-effective regions.
🛡️ Virtual Machine is not utilizing Managed Disks🟢
Migrate blob-based VHDs to Managed Disks on Virtual Machines to take advantage of the default features of this configuration: 1. default disk encryption; 2. resilience, as Microsoft manages the disk storage and moves it if the underlying hardware fails; 3. lower cost than storage accounts.
🛡️ Virtual Machine is overutilized🟢
Identify Azure Virtual Machines that appear to be overutilized and upgrade (resize) them to help your Azure-hosted applications handle the workload and improve response time. By default, an Azure Virtual Machine is considered overutilized if its average CPU utilization exceeds 80% and its maximum CPU utilization consistently spikes above 95% over a 14-day period.
🛡️ Virtual Machine is underutilized🟢
Identify Azure Virtual Machines that appear to be underutilized and downsize (resize) them to optimize cloud expenditure. By default, a Virtual Machine is considered underutilized if its average CPU utilization is consistently below 40% and its maximum CPU utilization does not spike above 50% over a 14-day period.
🛡️ Virtual Network Filter is not enabled🟢
Limiting your Cosmos DB account to communicate only with allowed virtual networks reduces its attack surface.
🛡️ Virtual Network Flow Logs are not captured and sent to Log Analytics Workspace🟢⚪
Ensure that virtual network flow logs are captured and fed into a central log analytics workspace.
🛡️ Virtual Network Flow Logs retention period is less than 90 days🟢
Ensure that virtual network flow logs are retained for greater than or equal to 90 days.
🛡️ Virtual Network Gateway has no connections🟢
Consider deleting Network Gateways that do not have any active connections configured. Unused gateways incur unnecessary costs.
🛡️ VPC Changes Monitoring is not enabled🟢⚪
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.
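The three monitoring checks on this page (Unauthorized API Calls, Security Group Changes and VPC Changes) each correspond to a CloudWatch Logs metric filter from the CIS AWS Foundations Benchmark, backed by an alarm that fires on one or more matches. The following is an added example, not Cloudaware's code; it expresses those filter patterns as Python predicates and runs them over constructed CloudTrail records, which is the same logic a SIEM rule needs if the trail is shipped there instead of to CloudWatch Logs. The account ID, principal names and timestamps in the sample records are placeholders.

```python
"""Run the CIS CloudTrail metric-filter logic over sample events offline.

Added example, not Cloudaware's code. The three predicates mirror the CIS
AWS Foundations Benchmark filter patterns for unauthorized API calls,
security group changes and VPC changes; SAMPLE_LOG is constructed.
"""
import fnmatch
import json
from collections import Counter

# CIS pattern: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
UNAUTHORIZED_PATTERNS = ("*UnauthorizedOperation", "AccessDenied*")

SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}

VPC_EVENTS = {
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
    "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection",
    "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection",
    "AttachClassicLinkVpc", "DetachClassicLinkVpc",
    "DisableVpcClassicLink", "EnableVpcClassicLink",
}


def is_unauthorized_call(event):
    code = event.get("errorCode", "")
    return any(fnmatch.fnmatchcase(code, p) for p in UNAUTHORIZED_PATTERNS)


def is_security_group_change(event):
    return event.get("eventName") in SECURITY_GROUP_EVENTS


def is_vpc_change(event):
    return event.get("eventName") in VPC_EVENTS


FILTERS = {
    "UnauthorizedAPICalls": is_unauthorized_call,
    "SecurityGroupChanges": is_security_group_change,
    "VpcChanges": is_vpc_change,
}


def evaluate(log_lines, filters=FILTERS):
    """Return (match count per filter, matching eventNames per filter)."""
    counts = Counter({name: 0 for name in filters})
    hits = {name: [] for name in filters}
    for line in log_lines:
        event = json.loads(line)
        for name, predicate in filters.items():
            if predicate(event):
                counts[name] += 1
                hits[name].append(event["eventName"])
    return counts, hits


def alarms(counts, threshold=1):
    """CIS alarms fire on >= 1 match within the evaluation period."""
    return sorted(name for name, count in counts.items() if count >= threshold)


# Constructed CloudTrail records, one JSON object per line as delivered to a
# CloudWatch Logs group. Line 6 is a refused DeleteSecurityGroup.
SAMPLE_LOG = [
    '{"eventTime":"2025-01-01T10:00:01Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","errorCode":"Client.UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}',
    '{"eventTime":"2025-01-01T10:00:05Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}}',
    '{"eventTime":"2025-01-01T10:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"arn":"arn:aws:iam::123456789012:user/carol"}}',
    '{"eventTime":"2025-01-01T10:02:00Z","eventSource":"ec2.amazonaws.com","eventName":"CreateVpcPeeringConnection","userIdentity":{"arn":"arn:aws:iam::123456789012:role/net-admin"}}',
    '{"eventTime":"2025-01-01T10:03:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeSecurityGroups","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}',
    '{"eventTime":"2025-01-01T10:04:00Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteSecurityGroup","errorCode":"Client.UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dave"}}',
]

if __name__ == "__main__":
    counts, hits = evaluate(SAMPLE_LOG)
    for name in FILTERS:
        print(f"{name}: {counts[name]} -> {hits[name]}")
    print("alarms:", alarms(counts))
```

The sixth record shows why the patterns are worth reading rather than copying: the security-group filter keys on eventName alone, so a DeleteSecurityGroup that AWS refused still raises the change alarm in addition to the unauthorized-call alarm. Later revisions of the CIS benchmark also add exclusions to the unauthorized-call pattern (for delivery.logs.amazonaws.com and HeadBucket) to cut noise from log delivery and S3 probes; tune the predicates the same way rather than raising the alarm threshold.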
🛡️ VPC is not configured with a VPC Endpoint for Amazon EC2 service🟢
Ensures that Amazon VPCs have a VPC Endpoint configured for the EC2 service, establishing a private connection between your VPC and the service through a network interface so that API traffic does not traverse the public internet.
🛡️ VPN Connection does not have both Tunnels up🟢
Ensure both tunnels for an AWS Site-to-Site VPN Connection are in the UP state. AWS provides two tunnels for each VPN connection to ensure high availability and redundancy. If one tunnel is down, the VPN connection becomes a single point of failure, risking connectivity loss during maintenance or an unexpected failure of the active tunnel.
🛡️ Vulnerability Assessment is not auto provisioned🟢⚪
Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.
🛡️ Web ACL has no WAF Rules or WAF Rule Groups🟢
Ensure that AWS WAF web ACLs have at least one rule or rule group to provide protection against common web exploits and malicious traffic.
🛡️ Web Distribution Cache Behaviors allow unencrypted traffic🟢
Ensures that CloudFront distribution cache behaviors are configured to enforce encrypted connections (HTTPS), either by redirecting HTTP requests to HTTPS or by allowing only HTTPS traffic. This prevents unencrypted HTTP communication between viewers and CloudFront.
🛡️ Web Distribution Default Root Object is not configured🟢
Ensure that CloudFront Web Distributions have a default root object configured to serve a specific file (e.g., index.html) when a user requests the root URL of the distribution.
🛡️ Web Distribution does not encrypt traffic to Custom Origins🟢
Ensure that CloudFront Distributions are configured to use connections over HTTPS when communicating with custom origins.
🛡️ Web Distribution uses Dedicated IP for SSL🟢
Ensure that AWS CloudFront Distributions are configured to use Server Name Indication (SNI) for serving SSL/TLS-protected content. Using dedicated IP addresses is a legacy method that incurs additional costs and is generally unnecessary as almost all modern clients support SNI.
🛡️ Web Distribution uses default SSL/TLS certificate🟢
Ensure that AWS CloudFront Distributions are configured with a custom SSL/TLS certificate from AWS Certificate Manager (ACM) or IAM, instead of the default CloudFront certificate.
🛡️ Web Distribution uses outdated SSL protocols with Custom Origins🟢
Ensure that AWS CloudFront Web Distributions are configured to use TLSv1.2 or later when connecting to custom origins, to protect data in transit. Older protocols such as SSLv3 and early TLS versions have known vulnerabilities and should be disabled.
🛡️ Workgroup CloudWatch Metrics are not enabled🟢
Ensure that AWS Athena Workgroups have CloudWatch Metrics enabled.
🛡️ Workspace is not deployed in a customer-managed virtual network (VNet)🟢
Deploy Azure Databricks Workspaces using customer-managed Virtual Network injection so that compute clusters and control-plane components reside within your organization's network perimeter. The default Databricks-managed VNet offers only limited control over network security policies, firewall configurations, and routing.
🛡️ Workspace is not encrypted using customer-managed key (CMK)🟢
Ensure that Azure Databricks Workspaces are encrypted with a customer-managed key. By default, data at rest is encrypted using Microsoft-managed keys. Azure Databricks encrypts data in transit using TLS 1.2+ to secure API, workspace, and cluster communications.
🛡️ WorkSpace is unused🟢
This policy identifies AWS WorkSpaces that have not been used for an extended period. A WorkSpace is considered unused if it is running and there have been no user connections in the last 30 days.
🛡️ Workspace traffic is not encrypted between cluster worker nodes🟢⚪
By default, data exchanged between worker nodes in an Azure Databricks cluster is not encrypted. To ensure that data is encrypted at all times, whether at rest or in transit, you can create an initialization script that configures your clusters to encrypt traffic between worker nodes using AES 256-bit encryption over a TLS 1.3 connection.