Version: Fugue v2021.04.15

  • Home
  • Getting Started
    • Contents
      • Setup - AWS & AWS GovCloud
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Region & Resources, IAM Role)
        • Step 3: Compliance
        • Step 4: Review
        • What’s Next?
      • Setup - Azure & Azure Government
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Credentials, Resource Groups)
        • Step 3: Select Compliance Libraries
        • Step 4: Review Environment Details
        • What’s Next?
      • Setup - Google Cloud
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Enable Google Service APIs & Create a Service Account)
        • Step 3: Compliance
        • Step 4: Review
        • What’s Next?
        • Google Cloud Support for Regula
      • Fugue 101
        • Concepts
        • Navigating Fugue
      • Use Cases
        • AWS Scanning Compliance
        • Drift
        • Enforcement
    • Get Started in 5 Minutes
      • Sign up for Fugue
      • Step 1: Environment Setup
      • Step 2: Environment Settings
        • AWS and AWS GovCloud
        • Azure and Azure Government
        • Google
      • Step 3: Select Compliance Standards
      • Step 4: Review
        • AWS and AWS GovCloud
        • Azure and Azure Government
        • Google
      • Further Reading
  • Examples
    • Contents
      • Tutorial: Hello World AWS, API (curl)
        • Getting started
        • Sign up for Fugue
        • Create API Client ID and Secret
        • Set Environment Variables
        • Select Resource Types
        • Generate IAM Policy
        • Create Role via AWS CLI
        • Assemble Request Body
        • Send Request to Create Environment
        • What’s Next?
      • Tutorial: Hello World AWS, API (Postman)
        • Getting started
        • Sign up for Fugue
        • Create API Client ID and Secret
        • Configure Collection
        • Select Resource Types
        • Generate IAM Policy
        • Create Role via AWS CLI
        • Assemble Request Body
        • Send Request to Create Environment
        • What’s Next?
      • How To: Create a Fugue IAM Role
        • What’s Going to Happen?
        • Let’s Go!
        • How do I see the role permissions before creating the role?
        • What’s Next?
      • How To: Update the Fugue IAM Role
        • Update Role to Enable Enforcement
        • Update IAM Role Trust Policy
      • How To: Add or Remove Azure Resource Groups
        • Updating Selected Resource Groups with curl
        • Updating Selected Resource Groups with Postman
      • How To: Set a Baseline (UI)
        • What’s a Baseline?
        • Setting Your First Baseline
        • Setting or Updating a Baseline with the Actions button
        • What’s Next?
      • How To: Set a Baseline (CLI)
        • What’s a Baseline?
        • Setting a baseline via the CLI
        • What’s Next?
      • How To: Set a Baseline (API)
        • What’s a Baseline?
        • Setting a baseline with curl
        • Setting a baseline with Postman
        • What’s Next?
      • How To: Waive a Rule
        • Let’s Go!
        • What’s Next?
      • Example: Scan, Detect Drift, Enforce
        • Prerequisites
        • What We’ll Do In This Example
        • Let’s Go!
        • What’s Next?
      • Example: Fugue Notifications in Slack
        • Prerequisite: Create Fugue Notification
        • Step 1: Create Slack Incoming Webhook
        • Step 2: Create Lambda Function
        • Step 3: Subscribe Lambda Function to FugueSNSTopic
        • Step 4: Test the Integration
        • Lambda Function Code
      • Example: Fugue CI/CD with Terraform, GitHub, CircleCI
        • Get Started
        • Quick Start
        • List of files in the example
        • How to create a new CircleCI project
        • Line-by-line explanation of configuration
        • Further reading
      • Example: Fugue CI/CD with Regula Pre-deployment Checks
        • Get Started
        • Further reading
    • Open Source Tool Examples
  • Fugue Plans
    • 30-Day Enterprise Trial (Free)
    • Fugue Enterprise (Paid)
    • Fugue Developer (Free)
    • Plan Comparison
    • Account Overview Page
  • Environment Configuration
    • Configuring an Environment
      • Configurable Settings for Environments
      • Updating Scanned or Enforced Resources
        • AWS
        • Azure
        • Google Cloud
      • Updating Region(s) (AWS & AWS GovCloud)
      • Updating Resource Groups (Azure & Azure Government)
      • Updating Resources (Google)
      • Removing an Environment
    • Setting or Updating a Baseline
      • Setting a Baseline to an Earlier Scan
      • Viewing Baseline Resources
      • Disabling a Baseline & Drift Detection
        • Suppressing Drift Events for Individual Resources
      • How to Tell if a Baseline Is Established
    • Drift Detection
      • Disabling Drift Detection
      • Enabling or Disabling Enforcement (AWS & AWS GovCloud)
    • Triggering a Scan
  • Compliance
    • Browsing the Data
      • The Environment Summary
      • The Compliance Tabs
        • 5. Compliance by Resource
        • 6. Compliance by Resource Type
        • 7. Compliance by Control
      • Filtering Results
      • Changing the Number of Rows
    • Compliance Concepts
      • What is a rule?
      • What is a control?
      • How do rules relate to controls?
      • What is a rule result?
      • What is a resource evaluation?
        • Resource evaluation values
      • What is a control evaluation?
        • Control evaluation values
    • Rule Severity Definitions
    • Fugue Best Practices
    • Further Reading
  • Rules
    • Contents
      • Enabling and Disabling Rules
        • How to Enable or Disable a Rule
        • Rules Enabled/Disabled by Default
        • Effects on Compliance in an Environment
      • Rule Waivers
        • What is a Rule Waiver?
        • How Rule Waivers Appear in the UI
        • How to Waive a Rule
        • How to View All Waivers
        • How to Edit a Rule Waiver
        • How to Delete a Rule Waiver
        • When Do Rule Waivers Go Into Effect?
        • Further Reading
      • Writing Custom Rules
        • What are Custom Rules?
        • General Custom Rules Workflow
        • How to Write Custom Rules
        • Example Rules
        • Managing Rules in the UI and API
        • Learning Rego
      • Managing Custom Rules - UI
        • Viewing Custom Rules
        • Creating Custom Rules - UI
        • Modifying and Deleting Custom Rules - UI
        • Viewing Compliance Results - UI
        • Waiving Custom Rules - UI
        • Disabling and Enabling Custom Rules - UI
      • Managing Custom Rules - API
        • Creating, Testing, and Managing Custom Rules - API
        • Example Rules
    • Navigating the Rules Page
      • Searching for Rules
      • Sorting and Pagination
      • Filtering
  • Visualizer
    • Visualization Components
      • Security Group Connections Between Resources
    • Visualizing Resource Compliance State
    • Viewing Groupings
      • Grouped resources
      • Collections
      • Networks
      • Regions
      • How to expand and collapse groupings
      • Nested groups/collections
      • How collapsed groupings show compliance
    • Viewing Resource Details
    • Searching
    • Filtering
    • Panning, Zooming, and Viewing in Full Screen
    • Which Resources Are Visualized?
      • Supported AWS & AWS GovCloud Resources
        • VPC Attributes
        • Implicit Resources
      • Supported Azure & Azure Government Resources
        • VNet Attributes
      • Supported Google Resources
    • Visualizing Previous Scans
    • View Options
      • Exporting a Diagram
    • Supported Browsers
      • WebGL is Required
  • Organization
    • Contents
      • User Management
        • User Setup
        • Single Sign-on (SSO)
        • Multi-Factor Authentication (MFA)
      • Role-Based Access Control (RBAC)
        • RBAC Overview
        • Groups, Policies, Users
        • Types of Policies
        • Permissions for Users in Multiple Groups
        • Getting Started with RBAC
        • More About User Management
  • Reports and Notifications
    • Contents
      • Notifications
        • The Notifications Tab
        • Setting Up Notifications
        • Editing or Deleting a Notification
        • Types of Notification Events
        • Example Notifications
        • Notifications FAQ
      • Reports & Dashboards
        • Compliance Posture Dashboard
        • Current Rule Violations
        • Resources Dashboard
        • Resources Report
        • Compliance Family Dashboards
        • How to Filter a Report or Dashboard
        • How to Create an Alert
        • How to Download a Report
        • How to Send a Report by Email
        • How to Schedule a Report by Email
        • How to Drill Down Into a Report
      • Compliance Report Email (Single Environment)
        • Setting up the Compliance Report Email for an environment
    • Export Data
      • Steps
      • Data
  • API
    • Contents
      • API User Guide
        • What is the Fugue API?
        • API Functions
        • Use Cases
        • How to Use the API
        • OpenAPI 2.0 Spec
        • Authentication
        • Making API Requests
        • Deep Dives
        • API Tools
        • Further Reading
      • API Request Examples
        • Listing Details for All Environments
        • Creating an Environment
        • Retrieving Details for a Single Environment
        • Updating an Environment
        • Deleting an Environment
        • Listing Scans for an Environment
        • Triggering a New Scan
        • Retrieving Details for a Scan
        • Listing Compliance Results by Control for a Scan
        • Listing Compliance Results by Resource Type for a Scan
        • Listing Compliance/Drift/Baseline Enforcement Events for an Environment
        • Returning Fugue’s OpenAPI 2.0 Specification
        • Listing IAM Permissions Required to Scan/Enforce Resources
        • Listing Supported Resource Types
        • Listing Details for All Notifications
        • Creating a Notification
        • Updating a Notification
        • Listing Details for All Notifications
        • Deleting a Notification
        • Creating a Custom Rule
        • Listing Custom Rules
        • Retrieving Details for a Rule
        • Updating a Custom Rule
        • Deleting a Custom Rule
        • Testing a Custom Rule
        • Getting Input for a Custom Rule Test
        • Getting a List of Details for All Invites
        • Creating a New Invite
        • Fetching an Invite by ID
        • Getting a List of Groups
        • Creating a New Group
        • Editing a List of Users’ Group Assignments
        • Getting a List of Details for All Users
        • Getting a User by ID
        • Listing Details for All Rule Waivers
        • Creating a Rule Waiver
        • Retrieving Details for a Single Rule Waiver
        • Updating a Rule Waiver
        • Deleting a Rule Waiver
        • Retrieving Audit Log Entries
        • Further Reading
      • API Reference
  • CLI
    • Commands
      • create - Create subcommands
        • create
        • Output Attributes
        • Examples
      • delete - Delete subcommands
        • delete
        • Examples
      • get - Get subcommands
        • get
        • Output Attributes
        • Examples
      • help - Help about any command
        • help
        • Examples
      • list - List subcommands
        • list
        • Output Attributes
        • Examples
      • scan - Trigger a scan
        • scan
        • Output Attributes
        • Examples
      • sync - Sync files to your account
        • sync
        • Examples
      • test - Test custom rules
        • test
        • Output Attributes
        • Examples
      • update - Update subcommands
        • update
        • Output Attributes
        • Examples
    • Usage
    • Installation
      • macOS installation
      • Linux installation
      • Windows installation
    • Environment Variables
    • Accepted Parameter Values
      • How to format fugue flags
      • How to look up fugue arguments
    • Tips
      • env alias
      • Help for any command
      • Debugging
    • macOS Installation Error Message
  • Service Coverage
    • Contents
      • Service Coverage - AWS & AWS GovCloud
        • AWS Standard Regions
        • Recommended Resource Types: AWS
        • Supported Services: AWS GovCloud
        • Recommended Resource Types: AWS GovCloud
        • Resources Not Included In Fugue-Recommended List
      • Service Coverage - Azure & Azure Government
        • Application Insights
        • Active Directory: Beta
        • Authorization (RBAC)
        • Automation
        • CDN (Content Delivery Network)
        • Compute
        • Container
        • Cosmos DB
        • Databricks
        • Data Lake
        • Identity
        • Key Vault
        • Kubernetes
        • Monitor
        • MySQL
        • Network
        • PostgreSQL
        • Redis
        • Security Center
        • SQL
        • Storage
        • Web
      • Service Coverage - Google Cloud (Beta)
        • BigQuery
        • Compute Engine
        • Kubernetes (Container) Engine
        • Cloud DNS
        • Cloud IAM
        • Cloud Key Management
        • Cloud Logging
        • Cloud Monitoring
        • Memorystore
        • Resource Manager
        • Cloud SQL
        • Cloud Storage
    • Regions and Resources: Things to Know
      • Supported AWS and AWS GovCloud Regions
      • Changing AWS Region
      • Changing Resource Selection
      • Resources Under Management
      • Resource Types That Don’t Report Drift
  • AWS IAM Policy Permissions
    • SecurityAudit read-only (scan) permissions
    • Supplemental read-only (scan) permissions
    • Supplemental read/write permissions
  • FAQ
    • General
      • How do I contact support?
      • Where can I sign up for Fugue?
      • How can I get started with my first environment?
      • How do I change my Fugue user password?
      • What browsers are supported?
      • What are some use cases for Fugue?
    • Plans
      • What plans are offered?
      • What’s the difference between Enterprise Trial, Enterprise, and Developer?
      • How do I upgrade my Fugue account?
      • How do I find out what my plan is?
      • How is scanning limited in Fugue Developer?
      • How much does it cost?
      • Where can I find more information?
    • Environments
      • How many environments can Fugue store?
      • Does Fugue support AWS GovCloud?
      • What AWS and AWS GovCloud regions does Fugue support?
      • How can I change my environment’s region(s)?
      • Does Fugue support Microsoft Azure and/or Azure Government?
      • Does Fugue support Google Cloud?
      • How can I quickly create multiple environments?
    • Scanning
      • How can I trigger a scan?
      • Where do I view my scan results?
      • How can I change the resources that Fugue scans in my AWS standard or GovCloud environment?
      • How can I change the resource groups Fugue scans in my Azure environment?
      • Can I scan ElastiCache clusters within a replication group?
    • Compliance
      • What compliance families are supported?
      • Can I change the compliance standards Fugue uses to evaluate my infrastructure?
      • Can I waive a rule or “ignore” a noncompliant resource?
      • Can I disable a rule for all environments?
      • How do I waive a rule?
      • Will changing my compliance standards and saving them automatically trigger a new scan?
      • How can I output a CSV or Excel file of compliance results for my Fugue account?
      • How are compliance controls and families displayed in the UI?
    • Drift Detection & Enforcement
      • How do I set or update a baseline?
      • Can I turn off drift detection?
      • How do I enable enforcement? (AWS & AWS GovCloud)
      • How do I disable enforcement? (AWS & AWS GovCloud)
      • How can I change the AWS or AWS GovCloud resources that Fugue enforces?
      • What kind of drift does Fugue enforce?
      • When a resource is enforced, does Fugue simply modify it, or does it destroy the resource and recreate it?
    • AWS Identity & Access Management (IAM) Permissions
      • What kind of AWS IAM permissions does Fugue need?
        • SecurityAudit read-only policy
      • Can I give Fugue enforce access (write permissions) without enabling baseline enforcement?
      • What permissions are needed for compliance scanning, drift detection, and baseline enforcement?
      • How do I update the Fugue IAM role trust policy?
      • What’s the SecurityAudit policy and why is it attached?
      • Why does Fugue use inline policies instead of managed policies?
    • Azure Service Principal Role
      • What type of RBAC role does Fugue require to scan my Azure infrastructure?
    • Service Coverage
      • What cloud provider services does Fugue support?
    • Organization
      • How do I manage users?
      • How do I use RBAC to manage users?
      • How do I enable SSO?
      • How do I enable MFA?
    • Visualizer
      • How can I visualize the resources in my environment?
      • What resource types are visualized?
      • What do the characters next to subnet and security group names mean?
      • Which cloud providers are supported?
      • Does the visualizer support keyboard shortcuts?
    • Notifications
      • What if I have a question about notifications?
    • Audit Log
      • Does Fugue have audit logging capabilities?
    • Best Practices
      • AWS Regions and Environments
      • Recommended AWS Resource Types to Scan
      • Recommended AWS Resource Types to Enforce
        • Read permissions
        • Write permissions
      • Avoid Enforcing AWS Auto Scaled Resources
      • Enable Multi-Factor Authentication (MFA)
    • Known Issues
      • Maximum of 1,000 SQS Queues
      • Notification of Newly Compliant Resources When Transitioning to Fugue Developer
    • Additional Resources about Cloud Security
    • Other
      • What if I have other questions?
  • Open Source Projects
    • Fregot
    • Regula
    • credstash
    • s3fc
  • Glossary
  • Release Notes
    • 2021.04.15
      • Search Capabilities on the Waivers Page
      • Compliance Pages Improvements to Display Resource Name & ID
      • Scan Google Cloud Project Without Enabling Compute Engine API
      • Fugue Rule Improvements
    • 2021.04.01
      • Google Cloud Enhancements (limited beta)
      • New Default View for the Environment Summary Page
      • Regula Improvements
      • Fugue Terraform Provider Updates
    • 2021.03.18
      • Support for Google Cloud (limited beta)
      • Additional Compliance Family Dashboards
      • Audit Log Support via the API
      • Improvements to the Environment Summary Page
      • Regula Support for AWS CloudFormation
      • Bug Fixes & Misc. Improvements
    • 2021.03.04
      • Visualizer: Support for Filtering by Regions, Tags, and Services
      • Rule Update
    • 2021.02.18
      • Six New Rules for AWS CIS Foundations Benchmark 1.3.0
      • Expanded Azure Service Coverage
      • Waiver Support in the API and CLI
      • CLI: Additional Filter Support on the Environments API Endpoint
    • 2021.02.04
      • SSO: Okta Tile Support
      • CIS Docker 1.2.0 & CIS AWS 1.3.0 Compliance Families
      • Visualizer: Filter by Region
      • Expanded AWS and Azure Service Coverage: Beta
      • API Updates: Environment Queries
      • CLI Support for Users and Groups
      • UX Improvements to the MFA Authentication Screen
    • 2021.01.21
      • New Rules Page
      • Enable/Disable Rules for your Organization
      • API Support for Users and Groups
      • Visualizer: Expanded AWS Service Coverage
      • Updated Fugue Rules
    • 2021.01.05
      • Enable or Disable a Rule for Your Entire Organization: Beta
      • Improvements to Visualizer
    • 2020.12.09
      • Reporting Updates
      • Rules Updates
      • Azure Subscription Onboarding
      • Expanded Service Coverage: Azure
      • API Updates: Events
    • 2020.12.01
      • Visualizer: Expanded AWS and Azure Service Coverage
      • Bug Fixes
    • 2020.11.10
      • Added Advanced Reporting Capabilities - Beta
      • Expanded Default Compliance Standard Library - CSA CCM
    • 2020.10.27
      • UX Improvements to the Environment Overview Page
      • UX Improvements to Tables
      • Expanded Azure Service Coverage - Beta
      • Visualizer - Azure Service Coverage
      • Bug Fixes
    • 2020.10.13
      • UX Improvements to the Environment Compliance Summary
      • Create a Waiver on a Missing Resource
      • Scheduled Report Improvements
      • Deprecated Support for TLS 1.0 and TLS 1.1
    • 2020.09.23
      • RBAC Improvements
      • Deprecating TLS 1.0 and TLS 1.1
      • Enhancements to Scanning of S3 Resources
      • Bug Fixes
    • 2020.09.09
      • New Azure Rules
      • Expanded Service Coverage for Azure - Beta
      • Expanded Service Coverage for AWS - Beta
      • Visualizer - Azure Service Coverage
      • UX Improvements to the Group and Notification Pages
    • 2020.08.17
      • New Azure Rules
      • Custom Rule Severity
      • Waiver Improvements
      • Azure Government Support
      • Expanded Azure Service Coverage - Beta
      • Visualizer Updates
      • UX Improvements
      • Bug Fixes
    • 2020.08.04
      • Enhancements to the All Environments Landing Page
      • Visualizer
      • Extended Service Coverage Support for Azure
    • Deprecating TLS 1.0 and TLS 1.1
    • 2020.07.30
    • 2020.07.21
      • Environment Search Capability
      • Compliance Family
      • Updates to Data Export
      • Bug Fixes
    • 2020.07.08
      • Rule Waivers
      • Rule Severity on the Compliance by Resource Page
      • Two New RBAC Policies
      • UX Update to the Top Navigation
      • Bug Fixes
    • 2020.06.05
      • Ability to export compliance data via the UI
    • 2020.06.04
      • Extended Azure Service Coverage Beta
      • Visualizer Updates
      • Updates to Compliance Rules
    • 2020.05.29
      • Visualizer Updates
      • Expanded AWS Service Coverage
      • Bug Fixes
    • 2020.05.12
      • Support for CIS Controls 7.1
      • Visualizer Updates
      • Updates to Compliance Terminology
    • 2020.04.29
      • Scoping Environments to Multiple Regions
      • Responsive Registration Page and More
      • Visualizer Updates
    • 2020.04.16
      • Role Based Access Control (RBAC)
      • Cloud Resource Visualization
    • 2020.04.07
      • UX Improvements
      • Rule Engine Upgrade
      • New IAM Permissions Required
      • Compliance Event Notifications
      • Bug Fixes
    • 2020.03.17
    • 2020.03.03
      • On-Demand Scan via the UI
      • Cloud Resource Visualization – View Resource Details
      • UX Improvements to Settings and Setting a Baseline
      • Bug Fixes
      • Removed Obsolete VPC Flow Logs Rule
    • 2020.02.14
      • Cloud Resource Visualization – Collections & Additional Resource Support
      • Rule Updates
    • 2020.01.31
      • Additional AWS Resources - Beta
      • Bug Fixes
    • 2020.01.13
      • Cloud Resource Visualization – Keyboard Shortcuts
      • Multi-Factor Authentication Support (MFA)
    • 2019.12.23
      • Cloud Resource Visualization - Export Functionality
      • Cloud Resource Visualization - VPC Peering
      • Search By Environment
    • 2019.11.21
      • Rule Remediation Steps in Documentation
      • Exporting Visualizer Diagrams and Customizing Your Visualizer View
      • Ability to Delete User Groups
      • Fugue Developer and Fugue Enterprise
      • New Account Overview Page
    • 2019.10.31
      • Single Sign-On (Beta)
      • Additional Compliance Family Support for Azure
      • Fugue Best Practices
    • 2019.10.17
      • Expanded AWS Service Coverage
      • Updates to the Visualizer
    • 2019.10.03
      • Custom Rules
      • CLI
      • Visualizer
    • 2019.09.13
      • Visualizer updates
      • IAM role generation updates
    • 2019.08.23
    • 2019.08.07
    • 2019.07.08
    • 2019.07.03
      • Features
    • 2019.06.26
      • Features
    • 2019.06.10
      • Features
    • 2019.05.29
      • Features
    • 2019.05.09
      • Features
      • Bug Fixes and Improvements
    • 2019.04.25
      • Features
      • Bug Fixes
    • 2019.03.28
      • Features
    • 2019.03.15
      • Features
      • Bug Fixes
    • 2019.02.25
    • 2019.02.12
    • 2019.01.28
    • 2018.11.26
      • Features
        • Scan cloud environments for risks and generate risk reports
        • Scan cloud environments for drift based on the declared baseline
        • Enable baseline enforcement on resources in cloud environments
  • Fugue Support
    • Contact Support
    • Self-Service
      • How do I…
      • Selected FAQs
  • Rule Remediation Steps
    • IAM root user should not be used
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should prevent reuse of previously used passwords
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should expire passwords within 90 days
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM root user access key should not exist
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have hardware MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not be attached to users
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Ensure a support role has been created to manage incidents with AWS Support
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront viewer protocol policy should be set to https-only or redirect-to-https
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv1 listener protocol should not be set to http
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Auto Scaling groups should span two or more availability zones
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • EBS volume encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distributions should have geo-restrictions specified
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM user access keys should be rotated every 90 days or less
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one uppercase character
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one lowercase character
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one symbol
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one number
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require a minimum length of 14
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log file validation should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should have CloudWatch log integration enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS Config should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Alarm for denied connections in CloudFront logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log files should be encrypted using KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • KMS CMK rotation should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv1 load balancer cross zone load balancing should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group inbound rules should not permit ingress from any address to all ports and protocols
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC flow logs should be sent to CloudWatch logs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQS access policies should not have global “.” access
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SNS subscriptions should deny access via HTTP
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC flow logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for unauthorized API calls should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC security group changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC route table changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for usage of root account should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for IAM policy changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Load balancer access logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront access logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log groups should be encrypted with KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • DynamoDB tables should be encrypted with AWS or customer managed KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQS queue server-side encryption should be enabled (AWS-managed keys)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distributions should be protected by WAFs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for disabling or scheduled deletion of KMS CMKs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm should be set for S3 bucket policy changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm should be set for Config configuration changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should prevent reuse of the four previously used passwords
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC default security group should restrict all traffic
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not have full “*:*” administrative privileges
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should be encrypted (AWS-managed or customer-managed KMS CMKs)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should have FedRAMP approved database engines
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should be encrypted with KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket server-side encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should only allow requests that use HTTPS
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket versioning and lifecycle policies should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELB listener security groups should not be set to TCP all
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ElastiCache transport encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • DynamoDB tables Point in Time Recovery should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should have backup retention periods configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM multi-factor authentication should be enabled for all IAM users that have a console password
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Storage Accounts ‘Secure transfer required’ should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups attached to SQL Server instances should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network Network Watcher should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Machines data disks (non-boot volumes) should be encrypted
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Machines unattached disks should be encrypted
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • RDS Aurora cluster multi-AZ should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should not allow all actions for all IAM principals and public users
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should not allow list actions for all IAM principals and public users
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not allow broad list actions on S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM role trust policies should not allow all principals to assume the role
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Ensure Azure Application Gateway Web application firewall (WAF) is enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • MySQL Database server “enforce SSL connection” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database server “enforce SSL connection” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Key Vault ‘Enable Soft Delete’ and ‘Enable Purge Protection’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 buckets should have all “block public access” options enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should be configured to log data events for S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Exactly one CloudTrail trail should monitor global services
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should be configured to log management events
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail should have at least one CloudTrail trail set to a multi-region trail
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should not be associated with missing SNS topics
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS CloudWatch alarms should have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBIOS Datagram Service)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBIOS Session Service)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1433 (MSSQL Server)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • Require Multi Availability Zones turned on for RDS Instances
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • KMS master keys should not be publicly accessible
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • EC2 instances should use IAM roles and instance profiles instead of IAM access keys to perform requests
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM roles used for trust relationships should have MFA or external IDs
      • Description
      • Console Remediation Steps to Enable MFA
      • Console Remediation Steps to Add an External ID
      • CLI Remediation Steps to Enable MFA
      • CLI Remediation Steps to Add an External ID
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • Redshift cluster ‘Publicly Accessible’ should not be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • EC2 instances should not have a public IP association (IPv4)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM users should be members of at least one group
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM users should have MFA (virtual or hardware) enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket access logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket replication (cross-region or same-region) should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Lambda function policies should not allow global access
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 buckets should not be publicly readable
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instance ‘Publicly Accessible’ should not be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies and ACLs should not be configured for public read access
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instance ‘Deletion Protection’ should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQL Server auditing should be enabled
      • Description
      • Portal Remediation Steps
      • PowerShell Remediation Steps
      • Documentation Links
    • SQL Server auditing retention should be greater than 90 days
      • Description
      • Portal Remediation Steps
      • PowerShell Remediation Steps
      • Documentation Links
    • Virtual Network security group flow log retention period should be set to 90 days or greater
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Active Directory custom subscription owner roles should not be created
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center pricing tier should be set to ‘Standard’
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor System Updates’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor OS Vulnerabilities’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Disk Encryption’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Network Security Groups’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Web Application Firewall’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Enable Next Generation Firewall (NGFW) Monitoring’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Vulnerability Assessment’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor Storage Blob Encryption” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor JIT Network Access” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor Adaptive Application Whitelisting” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor SQL Auditing” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor SQL Encryption” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center contact emails should be set
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_checkpoints’ should be on
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_connections’ should be on
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create Policy Assignment
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Network Security Group
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Network Security Group
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Network Security Group Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Network Security Group Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Security Solution
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Security Solution
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update or Delete SQL Server Firewall Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Update Security Policy
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Azure Kubernetes Service instances should have RBAC enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_disconnections’ should be on
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_duration’ should be on
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘connection_throttling’ should be on
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_retention_days’ should be greater than 3
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor log profile should be created
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor ‘Activity Log Retention’ should be 365 days or greater
      • Description
      • Portal Remediation Steps
      • PowerShell Remediation Steps
      • Documentation Links
    • Monitor audit profile should log all activities
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor log profile should have activity logs for global services and all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Key Vault logging should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • App Service web app authentication should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • App Service web apps should have ‘HTTPS only’ enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • App Service web apps should have ‘Minimum TLS Version’ set to ‘1.2’
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • App Service web apps should have ‘Incoming client certificates’ enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM users should only have one active access key available
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket object-level logging for write events should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket object-level logging for read events should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for AWS Organizations changes should be configured for the master account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 22
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 3389
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should not use the root user
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should be configured with a health check
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should not add Linux capabilities beyond defaults and should drop ‘NET_RAW’
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should not mount sensitive host system directories
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should limit memory usage for containers
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should set CPU limit for containers
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should mount the container’s root filesystem as read-only
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS container definitions should not mount volumes with mount propagation set to shared
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS tasks should be configured with a health check
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution viewer certificate should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution custom origins should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELB HTTPS listeners should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv2 HTTPS listeners should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • API Gateway classic custom domains should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Service accounts should only have Google-managed service account keys
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • User-managed service accounts should not have admin privileges
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM users should not have project-level ‘Service Account User’ or ‘Service Account Token Creator’ roles
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • KMS keys should not be anonymously or publicly accessible
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • KMS keys should be rotated every 90 days or less
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM default audit log config should include ‘DATA_READ’ and ‘DATA_WRITE’ log types
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM default audit log config should not exempt any users
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • At least one project-level logging sink should be configured with an empty filter
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging storage bucket retention policies and Bucket Lock should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for project ownership assignments/changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for network firewall rule changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for network route changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for network changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for Storage IAM permission changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for SQL instance configuration changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • The default network for a project should be deleted
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Networks should not be in legacy mode
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • DNS managed zone DNSSEC should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • DNS managed zone DNSSEC key-signing keys should not use RSASHA1
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • DNS managed zone DNSSEC zone-signing keys should not use RSASHA1
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Network firewall rules should not permit ingress from 0.0.0.0/0 to port 22 (SSH)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Network firewall rules should not permit ingress from 0.0.0.0/0 to port 3389 (RDP)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Network subnet flow logs should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Load balancer HTTPS or SSL proxy SSL policies should not have weak cipher suites
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances should not use the default service account
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances should not use the default service account with full access to all Cloud APIs
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instance ‘block-project-ssh-keys’ should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute project metadata ‘OS Login’ should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances ‘Enable connecting to serial ports’ should not be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances ‘IP forwarding’ should not be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instance disks should be encrypted with customer-supplied encryption keys (CSEKs)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instance Shielded VM should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances should not have public IP addresses
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Storage bucket uniform access control should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • MySQL database instances should not have a passwordless default root user
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • MySQL database instance ‘local_infile’ database flag should be set to ‘off’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_checkpoints’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_connections’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_disconnections’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_lock_waits’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_min_messages’ database flag should be set appropriately
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_temp_files’ database flag should be set to ‘0’ (on)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_min_duration_statement’ database flag should be set to ‘-1’ (disabled)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL Server database instance ‘cross db ownership chaining’ database flag should be set to ‘off’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL Server database instance ‘contained database authentication’ database flag should be set to ‘off’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instances should require incoming connections to use SSL
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instances should not permit access from 0.0.0.0/0
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instances should not have public IPs
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instance automated backups should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • BigQuery datasets should not be anonymously or publicly accessible
      • Description
      • Remediation Steps
        • Google Cloud Console
        • bq CLI
      • Documentation Links
        • Runtime

API

Contents

  • API User Guide
  • API Request Examples
  • API Reference

© Fugue, Inc. 2021