Version

Fugue v2022.06.29

  • Home
  • Getting Started
    • Contents
      • Setup - AWS & AWS GovCloud
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Region & Resources, IAM Role)
        • Step 3: Compliance
        • Step 4: Review
        • What’s Next?
      • Setup - Azure & Azure Government
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Credentials, Resource Groups)
        • Step 3: Select Compliance Libraries
        • Step 4: Review Environment Details
        • What’s Next?
      • Setup - Azure Active Directory
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Credentials, Resource Groups)
        • Step 3: Select Compliance Libraries
        • Step 4: Review Environment Details
        • What’s Next?
      • Setup - Google Cloud
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Enable Google Service APIs & Create a Service Account)
        • Step 3: Compliance
        • Step 4: Review
        • What’s Next?
      • Setup - Repository (limited beta)
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings
        • Step 3: Compliance
        • Step 4: Review
        • Step 5: Kicking off a Scan
      • Fugue 101
        • Concepts
        • Navigating Fugue
    • Get Started in 5 Minutes
      • Sign up for Fugue
      • Step 1: Environment Setup
      • Step 2: Environment Settings
        • AWS and AWS GovCloud
        • Azure and Azure Government
        • Google
        • Repository
      • Step 3: Select Compliance Families
      • Step 4: Review
        • AWS and AWS GovCloud
        • Azure and Azure Government
        • Google
        • Repository
      • Further Reading
  • Examples
    • Contents
      • Tutorial: Hello World AWS, API (curl)
        • Getting started
        • Sign up for Fugue
        • Create API Client ID and Secret
        • Set Environment Variables
        • Select Resource Types
        • Generate IAM Policy
        • Create Role via AWS CLI
        • Assemble Request Body
        • Send Request to Create Environment
        • What’s Next?
      • Tutorial: Hello World AWS, API (Postman)
        • Getting started
        • Sign up for Fugue
        • Create API Client ID and Secret
        • Configure Collection
        • Select Resource Types
        • Generate IAM Policy
        • Create Role via AWS CLI
        • Assemble Request Body
        • Send Request to Create Environment
        • What’s Next?
      • How To: Create a Fugue IAM Role
        • What’s Going to Happen?
        • Let’s Go!
        • How do I see the role permissions before creating the role?
        • What’s Next?
      • How To: Update the Fugue IAM Role
        • Update Role to Enable Enforcement
        • Update IAM Role Trust Policy
      • How To: Add or Remove Azure Resource Groups
        • Updating Selected Resource Groups with curl
        • Updating Selected Resource Groups with Postman
      • How To: Set a Baseline (UI)
        • What’s a Baseline?
        • Setting Your First Baseline
        • Setting or Updating a Baseline with the Actions button
        • What’s Next?
      • How To: Set a Baseline (CLI)
        • What’s a Baseline?
        • Setting a baseline via the CLI
        • What’s Next?
      • How To: Set a Baseline (API)
        • What’s a Baseline?
        • Setting a baseline with curl
        • Setting a baseline with Postman
        • What’s Next?
      • How To: Waive a Rule
        • Let’s Go!
        • What’s Next?
      • Example: Scan, Detect Drift, Enforce
        • Prerequisites
        • What We’ll Do In This Example
        • Let’s Go!
        • What’s Next?
      • Example: Fugue Notifications in Slack
        • Prerequisite: Create Fugue Notification
        • Step 1: Create Slack Incoming Webhook
        • Step 2: Create Lambda Function
        • Step 3: Subscribe Lambda Function to FugueSNSTopic
        • Step 4: Test the Integration
        • Lambda Function Code
      • Example: Fugue CI/CD with Terraform, GitHub, CircleCI
        • Get Started
        • Quick Start
        • List of files in the example
        • How to create a new CircleCI project
        • Line-by-line explanation of configuration
        • Further reading
      • Example: Fugue CI/CD with Regula Pre-deployment Checks
        • Get Started
        • Further reading
    • Open Source Tool Examples
  • Fugue Plans
    • 30-Day Enterprise Trial (Free)
    • Paid Plans
    • Fugue Developer (Free)
    • Plan Comparison
    • Tenant Overview Page
  • Environment Configuration
    • Configuring an Environment
      • Configurable Settings for Environments
      • Updating Scanned or Enforced Resources
        • AWS
        • Azure
        • Google Cloud
      • Updating Region(s) (AWS & AWS GovCloud)
      • Updating Resource Groups (Azure & Azure Government)
      • Updating Resources (Google)
      • Removing an Environment
    • Setting or Updating a Baseline
      • Setting a Baseline to an Earlier Scan
      • Viewing Baseline Resources
      • Disabling a Baseline & Drift Detection
        • Suppressing Drift Events for Individual Resources
      • How to Tell if a Baseline Is Established
    • Drift Detection
      • Disabling Drift Detection
      • Enabling or Disabling Enforcement (AWS & AWS GovCloud)
    • Triggering a Scan
  • Baseline Enforcement
  • Compliance
    • Compliance Concepts
      • What is a rule?
      • What is a family?
      • What is a control?
      • How do rules, families, and controls relate to each other?
      • What is a rule result?
      • What is a resource evaluation?
        • Resource evaluation values
      • What is a control evaluation?
        • Control evaluation values
    • Rule Severity Definitions
    • Fugue Best Practices
    • Browsing the Data
      • The Environment Summary
      • The Compliance Tabs
        • 5. Compliance by Resource
        • 6. Compliance by Resource Type
        • 7. Compliance by Control
      • Filtering Results
      • Sharing Filtered Results
      • Changing the Number of Rows
    • Further Reading
  • Rules
    • Contents
      • Enabling and Disabling Rules
        • How to Enable or Disable a Rule
        • Rules Enabled/Disabled by Default
        • Effects on Compliance in an Environment
      • Rule Waivers
        • What is a Rule Waiver?
        • Working with Waiver Scope
        • How Rule Waivers Appear in the UI
        • How to Waive a Rule
        • How to View All Waivers
        • How to Edit a Rule Waiver
        • How to Delete a Rule Waiver
        • When Do Rule Waivers Go Into Effect?
        • Waivers vs. Disabling Rules
        • Further Reading
      • Writing Rules
        • What are Custom Rules?
        • Steps for writing a rule
        • When to use simple vs. advanced rules
        • Other rule parameters
        • Complete rules
        • What’s Next?
      • Simple Custom Rules
        • Optional but recommended step
        • Step 1: Determine provider(s)
        • Step 2: Determine the resource type
        • Step 3: Determine the input type
        • Step 4: Determine resource attribute(s) to check
        • Step 5: Determine whether to write a simple or advanced rule
        • Step 6: Define pass/fail conditions for the resource
        • Step 7: Write metadata
        • What’s Next?
      • Advanced Custom Rules
        • Optional but recommended step
        • Step 1: Determine provider(s)
        • Step 2: Determine the resource type(s)
        • Step 3: Determine the input type
        • Step 4: Determine resource attribute(s) to check
        • Step 5: Determine whether to write a simple or advanced rule
        • Step 6: Define pass/fail conditions for the resource
        • Step 7: Write metadata
        • What’s Next?
      • Custom Rules Reference
        • Rule Templates
        • Rule parameter overview
        • Rule metadata
        • Compatibility with Regula
        • Example Rules
        • Managing Rules in the UI, CLI, and API
        • Learning Rego
      • Testing Custom Rules with Fregot
        • What is Fregot?
        • Installing Fregot and the fugue.rego library
        • Steps for creating a new rule to evaluate with Fregot
        • Test a custom rule with Fregot
      • Using fregot eval to Test Custom Rules
        • Using fregot eval to test a simple rule
        • Using fregot eval to test an advanced rule
        • What’s next?
      • Using fregot repl to Debug Custom Rules
        • Before starting up the REPL
        • Launch the REPL
        • Evaluate the allow, deny, or policy rule
        • Make changes as needed
        • Debug a custom rule
        • What’s next?
      • Creating or Editing Custom Families on the Rules Page
        • Creating a Custom Family - UI
        • Editing an Existing Custom Family - UI
        • Cloning and Editing a Fugue Compliance Family
        • Modifying Rules for Custom Families - UI
      • Managing Rules - UI
        • Viewing Custom Rules
        • Creating Custom Rules - UI
        • Modifying and Deleting Custom Rules - UI
        • Viewing Compliance Results - UI
        • Waiving Custom Rules - UI
        • Disabling and Enabling Custom Rules - UI
        • Creating and Editing Custom Families on the Rules Page - UI
      • Managing Custom Rules - CLI
        • Creating Custom Rules - CLI
        • Modifying and Deleting Custom Rules - CLI
        • Viewing Compliance Results - CLI
        • Waiving Custom Rules - CLI
        • Disabling and Enabling Custom Rules - CLI
      • Managing Custom Rules - API
        • Creating Custom Rules - API
        • Modifying and Deleting Custom Rules - API
        • Viewing Compliance Results - API
        • Waiving Custom Rules - API
        • Disabling and Enabling Custom Rules - API
    • Navigating the Rules Page
      • Searching for Rules
      • Sorting and Pagination
      • Filtering
  • Families
    • Viewing Families - UI
    • Searching & Filtering Families - UI
      • Searching for Families
      • Filtering for Families
      • Sorting and Pagination
    • Creating Custom Families - UI
    • Modifying Custom Families - UI
    • Viewing Rules for a Compliance Family - UI
    • Deleting Custom Families - UI
    • Sharing Families between Tenants - UI
  • Visualizer
    • Visualization Components
      • Security Group Connections Between Resources
      • Working with Pods
    • Visualizing Resource Compliance State
    • Viewing Groupings
      • Grouped resources
      • Collections
      • Networks
      • Regions
      • How to expand and collapse groupings
      • Nested groups/collections
      • How collapsed groupings show compliance
    • Viewing the Visualizer for Repository Environments
    • Viewing Resource Details
    • Searching
    • Filtering
    • Panning, Zooming, and Viewing in Full Screen
    • Which Resources Are Visualized?
      • Supported AWS & AWS GovCloud Resources
        • VPC Attributes
        • Implicit Resources
      • Supported Azure & Azure Government Resources
        • VNet Attributes
      • Supported Google Resources
      • Supported Fugue IaC Kubernetes Resources (limited beta)
    • Visualizing Previous Scans
    • View Options
      • Exporting a Diagram
    • Supported Browsers
      • WebGL is Required
  • Integrations
    • Contents
      • AWS CloudTrail Integration
        • Summary
        • Integration Steps
      • AWS Security Hub Integration
        • Summary
        • Architecture
        • Integration Steps
        • Integration Considerations
        • Findings Fields
  • Settings
    • Contents
      • User Management
        • User Setup
        • Single Sign-on (SSO)
        • Multi-Factor Authentication (MFA)
      • Role-Based Access Control (RBAC)
        • RBAC Overview
        • Groups, Policies, Users
        • Types of Policies
        • Permissions for Users in Multiple Groups
        • Getting Started with RBAC
        • More About User Management
      • Fugue Organizations (Enterprise-only Feature)
        • Using RBAC with Organizations
        • Inviting Users to One or Multiple Tenants
        • Accepting an Invite for an Organization
        • Sharing Families in an Organization
        • FAQ
        • How do I log into Fugue when I have access to more than one tenant?
  • Reports and Notifications
    • Contents
      • Notifications
        • The Notifications Tab
        • Setting Up Notifications
        • Editing or Deleting a Notification
        • Types of Notification Events
        • Example Notifications
        • Notifications FAQ
      • Reports & Dashboards
        • Organization View vs. Tenant View
        • Report Actions
        • Compliance Posture Dashboard
        • Resources Dashboard
        • Billing Metrics Dashboard
        • Current Rule Results
        • Current Rule Violations
        • Resources Report
        • Compliance Family Dashboards
        • How to Filter a Report or Dashboard
        • How to Create an Alert
        • How to Download a Report
        • How to Send a Report by Email Immediately
        • How to Schedule a Report by Email
        • How to Drill Down Into a Report
        • Resource ID and Resource Native ID
      • Compliance Report Email (Single Environment)
        • Setting up the Compliance Report Email for an environment
    • Export Data
      • Steps
      • Data
  • API
    • Contents
      • API User Guide
        • What is the Fugue API?
        • API Functions
        • How to Use the API
        • OpenAPI 2.0 Spec
        • Authentication
        • Making API Requests
        • Deep Dives
        • API Tools
        • Further Reading
      • API Request Examples
        • Listing Details for All Environments
        • Creating an Environment
        • Retrieving Details for a Single Environment
        • Updating an Environment
        • Deleting an Environment
        • Retrieving Active Rules for an Environment
        • Listing Scans for an Environment
        • Triggering a New Scan
        • Retrieving Details for a Scan
        • Listing Compliance Results by Control for a Scan
        • Listing Compliance Results by Resource Type for a Scan
        • Listing Compliance/Drift/Baseline Enforcement Events for an Environment
        • Returning Fugue’s OpenAPI 2.0 Specification
        • Listing IAM Permissions Required to Scan/Enforce Resources
        • Listing Supported Resource Types
        • Listing Details for All Notifications
        • Creating a Notification
        • Updating a Notification
        • Listing Details for All Notifications
        • Deleting a Notification
        • Creating a Custom Rule
        • Listing Custom Rules
        • Retrieving Details for a Rule
        • Updating a Custom Rule
        • Deleting a Custom Rule
        • Testing a Custom Rule
        • Getting Input for a Custom Rule Test
        • Getting a List of Details for All Invites
        • Creating a New Invite
        • Fetching an Invite by ID
        • Getting a List of Groups
        • Creating a New Group
        • Editing a List of Users’ Group Assignments
        • Getting a List of Details for All Users
        • Getting a User by ID
        • Listing Details for All Rule Waivers
        • Creating a Rule Waiver
        • Retrieving Details for a Single Rule Waiver
        • Updating a Rule Waiver
        • Deleting a Rule Waiver
        • Retrieving Audit Log Entries
        • Creating a Custom Family
        • Listing Families
        • Looking up a Family
        • Deleting a Family
        • Updating a Family
        • Further Reading
      • API Reference
  • CLI
    • Commands
      • create - Create subcommands
        • create
        • Output Attributes
        • Examples
      • delete - Delete subcommands
        • delete
        • Examples
      • get - Get subcommands
        • get
        • Output Attributes
        • Examples
      • help - Help about any command
        • help
        • Examples
      • list - List subcommands
        • list
        • Output Attributes
        • Examples
      • scan - Trigger a scan
        • scan
        • Output Attributes
        • Examples
      • sync - Sync files to your account
        • sync
        • Examples
      • test - Test custom rules
        • test
        • Output Attributes
        • Examples
      • update - Update subcommands
        • update
        • Output Attributes
        • Examples
    • Usage
    • Installation
      • macOS installation
      • Linux installation
      • Windows installation
    • Environment Variables
    • Accepted Parameter Values
      • How to format fugue flags
    • Tips
      • env alias
      • Help for any command
      • Debugging
    • macOS Installation Error Message
  • Service Coverage
    • Contents
      • Service Coverage - AWS & AWS GovCloud
        • AWS Account Management (beta)
        • AWS Certificate Manager (ACM)
        • ACM Private Certificate Authority (ACM PCA)
        • API Gateway
        • API Gateway Version 2 (beta)
        • Athena (beta)
        • Auto Scaling
        • CloudFormation (beta)
        • CloudFront
        • CloudTrail
        • CloudWatch
        • Cognito
        • Config
        • Directory Service
        • DocumentDB (beta)
        • DynamoDB
        • EC2
        • ECR
        • ECS
        • EFS
        • EKS
        • ELB (Elastic Load Balancing)
        • ELBv2 (Elastic Load Balancing v2)
        • ElastiCache
        • Elasticsearch (beta)
        • Glacier (S3 Glacier)
        • Glue (beta)
        • GuardDuty
        • IAM (Identity & Access Management)
        • IAM Access Analyzer (beta)
        • Inspector
        • KMS (Key Management Service)
        • Kinesis
        • Lambda
        • MediaStore (Elemental MediaStore)
        • Neptune (beta)
        • Organizations
        • Resource Access Manager (RAM) (beta)
        • RDS
        • Redshift
        • Route 53
        • S3
        • SageMaker (beta)
        • Step Functions (SFN)
        • SNS
        • SQS
        • Systems Manager (SSM)
        • Secrets Manager
        • WAF
        • WAFRegional
        • WAFv2
        • WorkSpaces (beta)
      • Service Coverage - Azure & Azure Government
        • Active Directory (beta)
        • Application Insights
        • Authorization (RBAC)
        • Automation
        • CDN (Content Delivery Network)
        • Compute
        • Container
        • Cosmos DB
        • Data Lake
        • Databricks
        • Key Vault
        • Kubernetes
        • Managed Identity
        • Monitor
        • MySQL
        • Network
        • PostgreSQL
        • Redis
        • Resources
        • Security Center
        • SQL
        • Storage
        • Web
      • Service Coverage - Google Cloud
        • BigQuery
        • Compute Engine
        • Kubernetes (Container) Engine
        • Cloud DNS
        • Cloud IAM
        • Cloud Key Management
        • Cloud Logging
        • Cloud Monitoring
        • Memorystore
        • Resource Manager
        • Cloud SQL
        • Cloud Storage
    • Regions and Resources: Things to Know
      • Supported AWS and AWS GovCloud Regions
      • Changing AWS Region
      • Changing Resource Selection
      • Resources Under Management
      • Resource Types That Don’t Report Drift
  • AWS IAM Policy Permissions
    • SecurityAudit read-only (scan) permissions
    • Supplemental read-only (scan) permissions
    • Fugue IAM role CloudFormation template
      • Finding your tenant’s external ID
  • FAQ
    • General
      • How do I contact support?
      • Where can I sign up for Fugue?
      • How can I get started with my first environment?
      • How do I change my Fugue user password?
      • What browsers are supported?
      • What are Fugue’s email addresses that should be whitelisted?
    • Plans
      • What plans are offered?
      • What’s the difference between Enterprise Trial, Paid Plans, and the Developer Plan?
      • How do I upgrade my Fugue tenant?
      • How do I find out what my plan is?
      • How is scanning limited in Fugue Developer?
      • How much does it cost?
      • Where can I find more information?
    • Environments
      • How many environments can Fugue store?
      • Does Fugue support AWS GovCloud?
      • What AWS and AWS GovCloud regions does Fugue support?
      • How can I change my AWS environment’s region(s)?
      • Does Fugue support Microsoft Azure and/or Azure Government?
      • Does Fugue support Google Cloud?
      • Does Fugue support infrastructure as code?
      • How can I quickly create multiple environments?
    • Scanning
      • How can I trigger a scan?
      • Where do I view my scan results?
      • How can I change the resources that Fugue scans in my AWS Commercial or GovCloud environment?
      • How can I change the resource groups Fugue scans in my Azure environment?
      • What does the red “Something went wrong” banner mean?
      • What does the orange “Incomplete Scan Results” banner mean?
      • Can I scan ElastiCache clusters within a replication group?
    • Compliance
      • Which compliance families are supported?
      • Can I change the compliance families Fugue uses to evaluate my infrastructure?
      • Can I create my own family?
      • Can I waive a rule or “ignore” a noncompliant resource?
      • Can I disable a rule for all environments?
      • How do I waive a rule?
      • Will changing my compliance standards and saving them automatically trigger a new scan?
      • How can I output a CSV or Excel file of compliance results for my Fugue account?
      • How are compliance controls and families displayed in the UI?
    • Drift Detection & Enforcement
      • How do I set or update a baseline?
      • Can I turn off drift detection?
      • How do I enable enforcement? (AWS & AWS GovCloud)
      • How do I disable enforcement? (AWS & AWS GovCloud)
      • How can I change the AWS or AWS GovCloud resources that Fugue enforces?
      • What kind of drift does Fugue enforce?
      • When a resource is enforced, does Fugue simply modify it, or does it destroy the resource and recreate it?
    • AWS Identity & Access Management (IAM) Permissions
      • What kind of AWS IAM permissions does Fugue need?
        • SecurityAudit read-only policy
      • Can I give Fugue enforce access (write permissions) without enabling baseline enforcement?
      • What permissions are needed for compliance scanning, drift detection, and baseline enforcement?
      • How do I update the Fugue IAM role trust policy?
      • What’s the SecurityAudit policy and why is it attached?
      • Why does Fugue use inline policies instead of managed policies?
    • Azure Service Principal Role
      • What type of RBAC role does Fugue require to scan my Azure infrastructure?
    • Service Coverage
      • What cloud provider services does Fugue support?
    • Organization
      • How do I manage users?
      • How do I use RBAC to manage users?
      • How do I enable SSO?
      • How do I enable MFA?
    • Visualizer
      • How can I visualize the resources in my environment?
      • What resource types are visualized?
      • What do the characters next to subnet and security group names mean?
      • Which cloud providers are supported?
      • Does the visualizer support keyboard shortcuts?
    • Notifications
      • What if I have a question about notifications?
    • Audit Log
      • Does Fugue have audit logging capabilities?
    • Best Practices
      • AWS Regions and Environments
      • Recommended AWS Resource Types to Scan
      • Avoid Enforcing AWS Auto Scaled Resources
      • Enable Multi-Factor Authentication (MFA)
    • Known Issues
      • Maximum of 1,000 SQS Queues
      • Notification of Newly Compliant Resources When Transitioning to Fugue Developer
    • Additional Resources about Cloud Security
    • Other
      • What if I have other questions?
  • Open Source Projects
    • Regula
    • Fregot
    • credstash
    • s3fc
  • Terraform Provider for Fugue
  • Glossary
  • Release Notes
    • 2022.06.29
      • Fugue API Update
    • 2022.06.08
      • Fugue Terraform Provider Updates
    • 2022.05.25
      • Visualizer: Expanded AWS Service Coverage
    • 2022.05.19
      • Extended AWS Service Coverage (limited beta)
      • Visualizer: Support for Filtering by Azure Tags
    • 2022.04.19
      • Fugue CLI Enhancements
    • 2022.03.30
    • 2022.03.17
      • Rule Waiver Enhancements
        • Set expiration
        • Apply to all environments
        • Configuration syncing for repository environments (beta)
      • Additional AWS Rules
    • 2022.03.03
      • Extended AWS Service Coverage (limited beta)
    • 2022.02.24
      • Custom Families (General Availability)
      • Report Performance Improvements
      • Fugue CLI Enhancements
    • 2022.02.07
      • Custom Families & AWS ARNs in Reports
    • 2022.02.03
      • Additional AWS Region
    • 2022.01.20
      • Billing Metrics Dashboard
      • Visualizer SVG Export
      • Repository Environment Configuration Syncing (beta)
      • Additional AWS Regions (coming soon)
      • Bug Fix
    • 2021.12.17
    • 2021.12.09
      • Assign all Environments (Current and Future) to an RBAC Group
    • 2021.12.02
      • Share and Enforce Families within an Organization
      • Organization Reports
      • RBAC for API Clients
      • UI/UX Improvements: Reports, Visualizer, & Environment Overview Pages
      • Improvements to Regula
    • 2021.11.11
      • Bug Fixes
    • 2021.10.28
      • Fugue IaC: Kubernetes Manifests
      • Additional Improvements and Bug Fixes
    • 2021.10.18
      • Repository Support in Reports
      • Always Enabled Option for Families
      • Visualizer: Expanded AWS Service Coverage
      • UX Improvement & Bug Fix
    • 2021.09.30
      • Compliance Family Updates (limited beta)
      • Visualizer: Additional Filter Capabilities
      • Regula Kubernetes Support
      • Fugue Terraform Provider Updates
      • Bug Fixes
    • 2021.09.16
      • Visualizer: Additional Filter Capabilities (limited beta)
      • Regula Improvements
      • Navigation Updates
    • 2021.09.02
      • Fugue IaC: limited beta
      • UX Improvements to the Compliance Pages
      • Additional Azure Rules
    • 2021.08.19
      • Visualizer: Expanded AWS & Azure Service Coverage
      • Regula Improvements
    • 2021.08.05
      • Custom Families: beta
      • Additional Azure Rules
      • Regula: Resource Line Number Feedback
    • 2021.07.09
      • AWS Resource Types (beta)
    • 2021.06.24
      • Pods for Visualizer
      • Schedule/Send All Reports to an S3 Bucket
      • Bug Fix
    • 2021.06.10
      • Saved Filter State for Compliance, Baseline, and Events Pages
      • Updates CIS Azure v1.3.0 Rules
    • 2021.05.27
      • Resource Name and Tag Patterns for Waivers
      • AMI & Launch Time Attributes to EC2 Instances
      • Fugue CLI Flag: Fail on Scan Failures
      • Regula CLI
      • Regula Terraform HCL (.tf) Support
      • Additional Controls for CIS Azure 1.3.0 General Availability
    • 2021.05.13
      • Current Rule Results Report
      • General Availability: AWS Resource Types
      • CIS Azure Foundations Benchmark v1.3.0 (limited beta)
      • User Experience Improvements: Hyperlinks to the Rules Page and Saving Search Terms/Filters
    • 2021.04.29
      • General Availability: Google Cloud
      • New RBAC Policy: Manager
      • Rules Page Improvements
      • Waivers Page Improvements
      • Compliance Page Improvements
      • Bug Fixes
    • 2021.04.15
      • Search Capabilities on the Waivers Page
      • Compliance Pages Improvements to Display Resource Name & ID
      • Scan Google Cloud Project Without Enabling Compute Engine API
      • Fugue Rule Improvements
    • 2021.04.01
      • Google Cloud Enhancements (limited beta)
      • New Default View for the Environment Summary Page
      • Regula Improvements
      • Fugue Terraform Provider Updates
    • 2021.03.18
      • Support for Google Cloud (limited beta)
      • Additional Compliance Family Dashboards
      • Audit Log Support via the API
      • Improvements to the Environment Summary Page
      • Regula Support for AWS CloudFormation
      • Bug Fixes & Misc. Improvements
    • 2021.03.04
      • Visualizer: Support for Filtering by Regions, Tags, and Services
      • Rule Update
    • 2021.02.18
      • Six New Rules for AWS CIS Foundations Benchmark 1.3.0
      • Expanded Azure Service Coverage
      • Waiver Support in the API and CLI
      • CLI: Additional Filter Support on the Environments API Endpoint
    • 2021.02.04
      • SSO: Okta Tile Support
      • CIS Docker 1.2.0 & CIS AWS 1.3.0 Compliance Families
      • Visualizer: Filter by Region
      • Expanded AWS and Azure Service Coverage: Beta
      • API Updates: Environment Queries
      • CLI Support for Users and Groups
      • UX Improvements to the MFA Authentication Screen
    • 2021.01.21
      • New Rules Page
      • Enable/Disable Rules for your Organization
      • API Support for Users and Groups
      • Visualizer: Expanded AWS Service Coverage
      • Updated Fugue Rules
    • 2021.01.05
      • Enable or Disable a Rule for Your Entire Organization: Beta
      • Improvements to Visualizer
    • 2020.12.09
      • Reporting Updates
      • Rules Updates
      • Azure Subscription Onboarding
      • Expanded Service Coverage: Azure
      • API Updates: Events
    • 2020.12.01
      • Visualizer: Expanded AWS and Azure Service Coverage
      • Bug Fixes
    • 2020.11.10
      • Added Advanced Reporting Capabilities - Beta
      • Expanded Default Compliance Standard Library - CSA CCM
    • 2020.10.27
      • UX Improvements to the Environment Overview Page
      • UX Improvements to Tables
      • Expanded Azure Service Coverage - Beta
      • Visualizer - Azure Service Coverage
      • Bug Fixes
    • 2020.10.13
      • UX Improvements to the Environment Compliance Summary
      • Create a Waiver on a Missing Resource
      • Scheduled Report Improvements
      • Deprecated Support for TLS 1.0 and TLS 1.1
    • 2020.09.23
      • RBAC Improvements
      • Deprecating TLS 1.0 and TLS 1.1
      • Enhancements to Scanning of S3 Resources
      • Bug Fixes
    • 2020.09.09
      • New Azure Rules
      • Expanded Service Coverage for Azure - Beta
      • Expanded Service Coverage for AWS - Beta
      • Visualizer - Azure Service Coverage
      • UX Improvements to the Group and Notification Pages
    • 2020.08.17
      • New Azure Rules
      • Custom Rule Severity
      • Waiver Improvements
      • Azure Government Support
      • Expanded Azure Service Coverage- Beta
      • Visualizer Updates
      • UX Improvements
      • Bug Fixes
    • 2020.08.04
      • Enhancements to the All Environments Landing Page
      • Visualizer
      • Extended Service Coverage Support for Azure
      • Deprecating TLS 1.0 and TLS 1.1
    • 2020.07.30
    • 2020.07.21
      • Environment Search Capability
      • Compliance Family
      • Updates to Data Export
      • Bug Fixes
    • 2020.07.08
      • Rule Waivers
      • Rule Severity on the Compliance by Resource Page
      • Two New RBAC Policies
      • UX Update to the Top Navigation
      • Bug Fixes
    • 2020.06.05
      • Ability to export compliance data via the UI
    • 2020.06.04
      • Extended Azure Service Coverage Beta
      • Visualizer Updates
      • Updates to Compliance Rules
    • 2020.05.29
      • Visualizer Updates
      • Expanded AWS Service Coverage
      • Bug Fixes
    • 2020.05.12
      • Support for CIS Controls 7.1
      • Visualizer Updates
      • Updates to Compliance Terminology
    • 2020.04.29
      • Scoping Environments to Multiple Regions
      • Responsive Registration Page and More
      • Visualizer Updates
    • 2020.04.16
      • Role Based Access Control (RBAC)
      • Cloud Resource Visualization
    • 2020.04.07
      • UX Improvements
      • Rule Engine Upgrade
      • New IAM Permissions Required
      • Compliance Event Notifications
      • Bug Fixes
    • 2020.03.17
    • 2020.03.03
      • On-Demand Scan via the UI
      • Cloud Resource Visualization – View Resource Details
      • UX Improvements to Settings and Setting a Baseline
      • Bug Fixes
      • Removed Obsolete VPC Flow Logs Rule
    • 2020.02.14
      • Cloud Resource Visualization – Collections & Additional Resource Support
      • Rule Updates
    • 2020.01.31
      • Additional AWS Resources - Beta
      • Bug Fixes
    • 2020.01.13
      • Cloud Resource Visualization – Keyboard Shortcuts
      • Multi-Factor Authentication Support (MFA)
    • 2019.12.23
      • Cloud Resource Visualization - Export Functionality
      • Cloud Resource Visualization - VPC Peering
      • Search By Environment
    • 2019.11.21
      • Rule Remediation Steps in Documentation
      • Exporting Visualizer Diagrams and Customizing Your Visualizer View
      • Ability to Delete User Groups
      • Fugue Developer and Fugue Enterprise
      • New Account Overview Page
    • 2019.10.31
      • Single Sign-On (Beta)
      • Additional Compliance Family Support for Azure
      • Fugue Best Practices
    • 2019.10.17
      • Expanded AWS Service Coverage
      • Updates to the Visualizer
    • 2019.10.03
      • Custom Rules
      • CLI
      • Visualizer
    • 2019.09.13
      • Visualizer updates
      • IAM role generation updates
    • 2019.08.23
    • 2019.08.07
    • 2019.07.08
    • 2019.07.03
      • Features
    • 2019.06.26
      • Features
    • 2019.06.10
      • Features
    • 2019.05.29
      • Features
    • 2019.05.09
      • Features
      • Bug Fixes and Improvements
    • 2019.04.25
      • Features
      • Bug Fixes
    • 2019.03.28
      • Features
    • 2019.03.15
      • Features
      • Bug Fixes
    • 2019.02.25
    • 2019.02.12
    • 2019.01.28
    • 2018.11.26
      • Features
        • Scan cloud environments for risks and generate risk reports
        • Scan cloud environments for drift based on the declared baseline
        • Enable baseline enforcement on resources in cloud environments
  • Fugue Support
    • Contact Support
    • Self-Service
      • How do I…
      • Selected FAQs
  • Rule Remediation Steps
    • IAM root user should not be used
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should prevent reuse of previously used passwords
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM password policies should expire passwords within 90 days
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM root user access key should not exist
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have hardware MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not be attached to users
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • Ensure a support role has been created to manage incidents with AWS Support
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudFront viewer protocol policy should be set to https-only or redirect-to-https
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • ELBv1 listener protocol should not be set to http
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • Auto Scaling groups should span two or more availability zones
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • EBS volume encryption should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudFront distributions should have geo-restrictions specified
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM user access keys should be rotated every 90 days or less
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one uppercase character
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM password policies should require at least one lowercase character
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
    • IAM password policies should require at least one symbol
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM password policies should require at least one number
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM password policies should require a minimum length of 14
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • CloudTrail should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log file validation should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudTrail trails should have CloudWatch log integration enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • AWS Config should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Alarm for denied connections in CloudFront logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log files should be encrypted with customer managed KMS keys
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • KMS CMK rotation should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • ELBv1 load balancer cross zone load balancing should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group inbound rules should not permit ingress from a public address to all ports and protocols
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC flow logs should be sent to CloudWatch logs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQS access policies should not have global "*.*" access
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • SNS subscriptions should deny access via HTTP
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC flow logging should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudWatch log metric filter and alarm for unauthorized API calls should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC security group changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC route table changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for usage of root account should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for IAM policy changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Load balancer access logging should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • CloudFront access logging should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudWatch log groups should be encrypted with customer managed KMS keys
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • DynamoDB tables should be encrypted with AWS or customer managed KMS keys
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • SQS queue server-side encryption should be enabled with KMS keys
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • CloudFront distributions should be protected by WAFs
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • CloudFormation
        • Terraform
    • CloudWatch log metric filter and alarm for disabling or scheduled deletion of customer managed KMS keys should be configured
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
      • Documentation Links
        • Runtime
    • CloudWatch log metric filter and alarm should be set for S3 bucket policy changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm should be set for Config configuration changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • IAM password policies should prevent reuse of the four previously used passwords
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC default security group should restrict all traffic
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • IAM policies should not have full “*:*” administrative privileges
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • RDS instances and Aurora DB clusters should be encrypted
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • RDS instances should have FedRAMP approved database engines
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • RDS instances should be encrypted with customer managed KMS keys
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket server-side encryption should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • S3 bucket policies should only allow requests that use HTTPS
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • S3 bucket versioning and lifecycle policies should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • ELB listener security groups should not be set to TCP all
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • Console and CLI
        • Terraform
    • ElastiCache transport encryption should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • DynamoDB tables Point in Time Recovery should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • RDS instances should have backup retention periods configured
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM multi-factor authentication should be enabled for all IAM users that have a console password
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Storage Accounts ‘Secure transfer required’ should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
    • Storage Account default network access rules should deny all traffic
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Terraform
      • Documentation Links
        • Console and CLI
        • Terraform
    • Virtual Network Network Watcher should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Machines data disks (non-boot volumes) should be encrypted
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Virtual Machines unattached disks should be encrypted
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Blob Storage containers should have public access disabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure PowerShell
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Storage Accounts should have ‘Trusted Microsoft Services’ enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • RDS Aurora cluster multi-AZ should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • S3 bucket policies should not allow all actions for all IAM principals and public users
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • S3 bucket policies should not allow list actions for all IAM principals and public users
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM policies should not allow broad list actions on S3 buckets
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM role trust policies should not allow all principals to assume the role
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Ensure Azure Application Gateway Web application firewall (WAF) is enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • MySQL Database server “enforce SSL connection” should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database server “enforce SSL connection” should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Key Vault ‘Enable Soft Delete’ and ‘Enable Purge Protection’ should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • S3 buckets should have all “block public access” options enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • Console and CLI
        • Terraform
    • CloudTrail trails should be configured to log data events for S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Exactly one CloudTrail trail should monitor global services
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should be configured to log management events
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudTrail should have at least one CloudTrail trail set to a multi-region trail
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should not be associated with missing SNS topics
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS CloudWatch alarms should have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBios Datagram Service)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBios Session Service)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 1433 (MSSQL Server)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • Require Multi Availability Zones turned on for RDS Instances
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • KMS master keys should not be publicly accessible
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • EC2 instances should use IAM roles and instance profiles instead of IAM access keys to perform requests
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • IAM roles used for trust relationships should have MFA or external IDs
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • Redshift cluster ‘Publicly Accessible’ should not be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • EC2 instances should not have a public IP association (IPv4)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM users should be members of at least one group
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM users should have MFA (virtual or hardware) enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket access logging should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • S3 bucket replication (cross-region or same-region) should be enabled
      • Description
      • Remediation
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • Lambda function policies should not allow global access
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • S3 buckets should not be publicly readable
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • RDS instance ‘Publicly Accessible’ should not be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • S3 bucket policies and ACLs should not be configured for public read access
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • CloudFormation
        • Terraform
    • RDS instance ‘Deletion Protection’ should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • SQL Server auditing should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • PowerShell
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • SQL Server auditing retention should be 90 days or greater
      • Description
        • Azure Portal
        • PowerShell
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Virtual Network security group flow log retention period should be set to 90 days or greater
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Active Directory custom subscription owner roles should not be created
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Security Center pricing tier should be set to ‘Standard’
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor System Updates’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor OS Vulnerabilities’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Disk Encryption’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Network Security Groups’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Web Application Firewall’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Enable Next Generation Firewall (NGFW) Monitoring’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Vulnerability Assessment’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor Storage Blob Encryption” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor JIT Network Access” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor Adaptive Application Whitelisting” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor SQL Auditing” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor SQL Encryption” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center contact emails should be set
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_checkpoints’ should be on
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database configuration ‘log_connections’ should be on
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Monitor Activity Log Alert should exist for Create Policy Assignment
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Network Security Group
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Network Security Group
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Network Security Group Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Network Security Group Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Security Solution
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Security Solution
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update or Delete SQL Server Firewall Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Update Security Policy
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Azure Kubernetes Service instances should have RBAC enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database configuration ‘log_disconnections’ should be on
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database configuration ‘log_duration’ should be on
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database configuration ‘connection_throttling’ should be on
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database configuration ‘log_retention days’ should be greater than 3
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Monitor log profile should be created
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor ‘Activity Log Retention’ should be 365 days or greater
      • Description
      • Portal Remediation Steps
      • PowerShell Remediation Steps
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • Monitor audit profile should log all activities
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Monitor log profile should have activity logs for global services and all regions
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Key Vault logging should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • App Service web app authentication should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • App Service web apps should have ‘HTTPS only’ enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • App Service web apps should have ‘Minimum TLS Version’ set to ‘1.2’
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • App Service web apps should have ‘Incoming client certificates’ enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • VPC security group inbound rules should not permit ingress from any address to all ports and protocols
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM users should only have one active access key available
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket object-level logging for write events should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
      • Documentation Links
        • Runtime
        • CloudFormation
    • S3 bucket object-level logging for read events should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
      • Documentation Links
        • Runtime
        • CloudFormation
    • CloudWatch log metric filter and alarm for AWS Organizations changes should be configured for the master account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 22
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
      • Documentation Links
        • Runtime
        • CloudFormation
    • VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 3389
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
      • Documentation Links
        • Runtime
        • CloudFormation
    • ECS task definitions should not use the root user
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should be configured with a health check
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should not add Linux capabilities beyond defaults and should drop ‘NET_RAW’
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should not mount sensitive host system directories
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should limit memory usage for containers
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should set CPU limit for containers
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should mount the container’s root filesystem as read-only
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS container definitions should not mount volumes with mount propagation set to shared
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS tasks should be configured with a health check
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution viewer certificate should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution custom origins should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELB HTTPS listeners should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv2 HTTPS listeners should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • API Gateway classic custom domains should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
        • CloudFormation
      • Documentation Links
        • Runtime
        • CloudFormation
    • API Gateway v2 custom domains should use secure TLS protocol versions (1.2 and above)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
      • Terraform
        • Example
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ except to ports 80 and 443
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • KMS crypto keys should be rotated at least once every 365 days
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • VPC firewall rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • Service accounts should only have Google-managed service account keys
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • User-managed service accounts should not have admin privileges
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM users should not have project-level ‘Service Account User’ or ‘Service Account Token Creator’ roles
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • KMS keys should not be anonymously or publicly accessible
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • KMS keys should be rotated every 90 days or less
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM default audit log config should include ‘DATA_READ’ and ‘DATA_WRITE’ log types
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM default audit log config should not exempt any users
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • At least one project-level logging sink should be configured with an empty filter
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging storage bucket retention policies and Bucket Lock should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for project ownership assignments/changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for network firewall rule changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for network route changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for network changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for Storage IAM permission changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for SQL instance configuration changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • The default network for a project should be deleted
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Networks should not be in legacy mode
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • DNS managed zone DNSSEC should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • DNS managed zone DNSSEC key-signing keys should not use RSASHA1
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • DNS managed zone DNSSEC zone-signing keys should not use RSASHA1
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Network firewall rules should not permit ingress from 0.0.0.0/0 to port 22 (SSH)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Network firewall rules should not permit ingress from 0.0.0.0/0 to port 3389 (RDP)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Network subnet flow logs should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Load balancer HTTPS or SSL proxy SSL policies should not have weak cipher suites
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances should not use the default service account
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances should not use the default service account with full access to all Cloud APIs
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instance ‘block-project-ssh-keys’ should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute project metadata ‘OS Login’ should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances ‘Enable connecting to serial ports’ should not be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances ‘IP forwarding’ should not be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instance disks should be encrypted with customer-supplied encryption keys (CSEKs)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instance Shielded VM should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances should not have public IP addresses
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Storage bucket uniform access control should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • MySQL database instances should not have a passwordless default root user
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • MySQL database instance ‘local_infile’ database flag should be set to ‘off’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_checkpoints’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_connections’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_disconnections’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_lock_waits’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_min_messages’ database flag should be set appropriately
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_temp_files’ database flag should be set to ‘0’ (on)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_min_duration_statement’ database flag should be set to ‘-1’ (disabled)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL Server database instance ‘cross db ownership chaining’ database flag should be set to ‘off’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL Server database instance ‘contained database authentication’ database flag should be set to ‘off’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instances should require incoming connections to use SSL
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instances should not permit access from 0.0.0.0/0
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instances should not have public IPs
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instance automated backups should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • BigQuery datasets should not be anonymously or publicly accessible
      • Description
      • Remediation Steps
        • Google Cloud Console
        • bq CLI
      • Documentation Links
        • Runtime
    • VPC subnet ‘Private Google Access’ should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • Custom Role should be assigned for administering resource locks
      • Description
      • Remediation Steps
        • Azure Portal
        • PowerShell
      • Documentation Links
        • Runtime
    • Storage Account queue service logging should be enabled for read, write, and delete requests
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • Storage Account soft delete should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Storage Accounts for critical data should be encrypted with Customer Managed Keys
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Storage Accounts that include activity logs should be encrypted with Customer Managed Keys
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Monitor Activity Log alert should be configured for ‘Delete Policy Assignment’
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Network security groups should not permit ingress from the internet to UDP ports
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Virtual Machines should use Managed Disks
      • Description
      • Remediation Steps
        • Azure Portal
        • PowerShell
      • Documentation Links
        • Runtime
    • Virtual Machine OS and data disks should be encrypted with Customer Managed Keys
      • Description
      • Remediation Steps
        • Azure Portal
        • PowerShell
      • Documentation Links
        • Runtime
    • Virtual Machine unattached managed disks should be encrypted with Customer Managed Keys
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Key Vault keys should have an expiration date
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Key Vault secrets should have an expiration date
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • App Service web apps should use a system-assigned managed service identity
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • App Service web app HTTP version should be the latest
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • App Service web app FTP deployments should be disabled
      • Description
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Azure Defender should be enabled for Virtual Machines
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for App Services
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for SQL Servers
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for SQL Servers on Virtual Machines
      • Description
      • Remediation Steps
        • Azure Portal
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for Storage Accounts
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for Kubernetes Services
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for Container Registries
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for Key Vaults
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • SQL Server vulnerability assessments should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure PowerShell
      • Documentation Links
        • Azure Portal and PowerShell
    • SQL Server ‘periodic recurring scans’ for vulnerability assessments should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure PowerShell
      • Documentation Links
        • Azure Portal and PowerShell
    • SQL Server ‘send scan reports’ for vulnerability assessments should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure PowerShell
      • Documentation Links
        • Azure Portal and PowerShell
    • SQL Server ‘also send email notifications to admins and subscription owners’ for vulnerability assessments should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure PowerShell
      • Documentation Links
        • Azure Portal and PowerShell
    • Virtual Machine legacy virtual hard disks should be encrypted
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Security Center ‘Send email notification for high severity alerts’ should be enabled
      • Description
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • Security Center setting ‘All users with the following roles’ should be set to ‘Owner’
      • Description
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • SQL Database transparent data encryption should be enabled
      • Description
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • SQL Server Active Directory Admin should be configured
      • Description
        • Azure Portal
        • Azure PowerShell
      • Documentation Links
        • Azure Portal and CLI
    • SQL Server TDE protector should be encrypted with a Key Vault CMK
      • Description
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Security Center monitoring agent should be automatically provisioned
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • The ‘cluster-admin’ role should not be used
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Roles and cluster roles should not grant ‘get’, ‘list’, or ‘watch’ permissions for secrets
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Roles and cluster roles should not grant ‘create’ permissions for pods
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Default service account ‘automountServiceAccountToken’ should be set to ‘false’
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Service account ‘automountServiceAccountToken’ should be set to ‘false’
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run privileged containers
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers wishing to share the host process ID namespace
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers wishing to share the host IPC namespace
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers wishing to share the host network namespace
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers with allowPrivilegeEscalation
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers as the root user
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers with the NET_RAW capability
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers with added capabilities
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers with default capabilities assigned
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not use secrets stored in environment variables
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pod seccomp profile should be set to ‘docker/default’
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods and containers should apply a security context
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • The default namespace should not be used
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Roles and cluster roles should not be bound to the default service account
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Lambda permissions with a service principal should apply to only one resource and AWS account
      • Description
        • Terraform
      • Documentation Links
        • Terraform
        • AWS
    • WAFv2 web ACLs should include the ‘AWSManagedRulesKnownBadInputsRuleSet’ managed rule group
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • Account alternate contact should be configured
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
      • Documentation Links
        • Runtime

API

Contents

  • API User Guide
  • API Request Examples
  • API Reference
© Fugue, Inc. 2022