Version: Fugue v2022.06.29

  • Home
  • Getting Started
    • Contents
      • Setup - AWS & AWS GovCloud
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Region & Resources, IAM Role)
        • Step 3: Compliance
        • Step 4: Review
        • What’s Next?
      • Setup - Azure & Azure Government
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Credentials, Resource Groups)
        • Step 3: Select Compliance Libraries
        • Step 4: Review Environment Details
        • What’s Next?
      • Setup - Azure Active Directory
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Credentials, Resource Groups)
        • Step 3: Select Compliance Libraries
        • Step 4: Review Environment Details
        • What’s Next?
      • Setup - Google Cloud
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Enable Google Service APIs & Create a Service Account)
        • Step 3: Compliance
        • Step 4: Review
        • What’s Next?
      • Setup - Repository (limited beta)
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings
        • Step 3: Compliance
        • Step 4: Review
        • Step 5: Kicking off a Scan
      • Fugue 101
        • Concepts
        • Navigating Fugue
    • Get Started in 5 Minutes
      • Sign up for Fugue
      • Step 1: Environment Setup
      • Step 2: Environment Settings
        • AWS and AWS GovCloud
        • Azure and Azure Government
        • Google
        • Repository
      • Step 3: Select Compliance Families
      • Step 4: Review
        • AWS and AWS GovCloud
        • Azure and Azure Government
        • Google
        • Repository
      • Further Reading
  • Examples
    • Contents
      • Tutorial: Hello World AWS, API (curl)
        • Getting started
        • Sign up for Fugue
        • Create API Client ID and Secret
        • Set Environment Variables
        • Select Resource Types
        • Generate IAM Policy
        • Create Role via AWS CLI
        • Assemble Request Body
        • Send Request to Create Environment
        • What’s Next?
      • Tutorial: Hello World AWS, API (Postman)
        • Getting started
        • Sign up for Fugue
        • Create API Client ID and Secret
        • Configure Collection
        • Select Resource Types
        • Generate IAM Policy
        • Create Role via AWS CLI
        • Assemble Request Body
        • Send Request to Create Environment
        • What’s Next?
      • How To: Create a Fugue IAM Role
        • What’s Going to Happen?
        • Let’s Go!
        • How do I see the role permissions before creating the role?
        • What’s Next?
      • How To: Update the Fugue IAM Role
        • Update Role to Enable Enforcement
        • Update IAM Role Trust Policy
      • How To: Add or Remove Azure Resource Groups
        • Updating Selected Resource Groups with curl
        • Updating Selected Resource Groups with Postman
      • How To: Set a Baseline (UI)
        • What’s a Baseline?
        • Setting Your First Baseline
        • Setting or Updating a Baseline with the Actions button
        • What’s Next?
      • How To: Set a Baseline (CLI)
        • What’s a Baseline?
        • Setting a baseline via the CLI
        • What’s Next?
      • How To: Set a Baseline (API)
        • What’s a Baseline?
        • Setting a baseline with curl
        • Setting a baseline with Postman
        • What’s Next?
      • How To: Waive a Rule
        • Let’s Go!
        • What’s Next?
      • Example: Scan, Detect Drift, Enforce
        • Prerequisites
        • What We’ll Do In This Example
        • Let’s Go!
        • What’s Next?
      • Example: Fugue Notifications in Slack
        • Prerequisite: Create Fugue Notification
        • Step 1: Create Slack Incoming Webhook
        • Step 2: Create Lambda Function
        • Step 3: Subscribe Lambda Function to FugueSNSTopic
        • Step 4: Test the Integration
        • Lambda Function Code
      • Example: Fugue CI/CD with Terraform, GitHub, CircleCI
        • Get Started
        • Quick Start
        • List of files in the example
        • How to create a new CircleCI project
        • Line-by-line explanation of configuration
        • Further reading
      • Example: Fugue CI/CD with Regula Pre-deployment Checks
        • Get Started
        • Further reading
    • Open Source Tool Examples
  • Fugue Plans
    • 30-Day Enterprise Trial (Free)
    • Paid Plans
    • Fugue Developer (Free)
    • Plan Comparison
    • Tenant Overview Page
  • Environment Configuration
    • Configuring an Environment
      • Configurable Settings for Environments
      • Updating Scanned or Enforced Resources
        • AWS
        • Azure
        • Google Cloud
      • Updating Region(s) (AWS & AWS GovCloud)
      • Updating Resource Groups (Azure & Azure Government)
      • Updating Resources (Google)
      • Removing an Environment
    • Setting or Updating a Baseline
      • Setting a Baseline to an Earlier Scan
      • Viewing Baseline Resources
      • Disabling a Baseline & Drift Detection
        • Suppressing Drift Events for Individual Resources
      • How to Tell if a Baseline Is Established
    • Drift Detection
      • Disabling Drift Detection
      • Enabling or Disabling Enforcement (AWS & AWS GovCloud)
    • Triggering a Scan
  • Baseline Enforcement
  • Compliance
    • Compliance Concepts
      • What is a rule?
      • What is a family?
      • What is a control?
      • How do rules, families, and controls relate to each other?
      • What is a rule result?
      • What is a resource evaluation?
        • Resource evaluation values
      • What is a control evaluation?
        • Control evaluation values
    • Rule Severity Definitions
    • Fugue Best Practices
    • Browsing the Data
      • The Environment Summary
      • The Compliance Tabs
        • 5. Compliance by Resource
        • 6. Compliance by Resource Type
        • 7. Compliance by Control
      • Filtering Results
      • Sharing Filtered Results
      • Changing the Number of Rows
    • Further Reading
  • Rules
    • Contents
      • Enabling and Disabling Rules
        • How to Enable or Disable a Rule
        • Rules Enabled/Disabled by Default
        • Effects on Compliance in an Environment
      • Rule Waivers
        • What is a Rule Waiver?
        • Working with Waiver Scope
        • How Rule Waivers Appear in the UI
        • How to Waive a Rule
        • How to View All Waivers
        • How to Edit a Rule Waiver
        • How to Delete a Rule Waiver
        • When Do Rule Waivers Go Into Effect?
        • Waivers vs. Disabling Rules
        • Further Reading
      • Writing Rules
        • What are Custom Rules?
        • Steps for writing a rule
        • When to use simple vs. advanced rules
        • Other rule parameters
        • Complete rules
        • What’s Next?
      • Simple Custom Rules
        • Optional but recommended step
        • Step 1: Determine provider(s)
        • Step 2: Determine the resource type
        • Step 3: Determine the input type
        • Step 4: Determine resource attribute(s) to check
        • Step 5: Determine whether to write a simple or advanced rule
        • Step 6: Define pass/fail conditions for the resource
        • Step 7: Write metadata
        • What’s Next?
      • Advanced Custom Rules
        • Optional but recommended step
        • Step 1: Determine provider(s)
        • Step 2: Determine the resource type(s)
        • Step 3: Determine the input type
        • Step 4: Determine resource attribute(s) to check
        • Step 5: Determine whether to write a simple or advanced rule
        • Step 6: Define pass/fail conditions for the resource
        • Step 7: Write metadata
        • What’s Next?
      • Custom Rules Reference
        • Rule Templates
        • Rule parameter overview
        • Rule metadata
        • Compatibility with Regula
        • Example Rules
        • Managing Rules in the UI, CLI, and API
        • Learning Rego
      • Testing Custom Rules with Fregot
        • What is Fregot?
        • Installing Fregot and the fugue.rego library
        • Steps for creating a new rule to evaluate with Fregot
        • Test a custom rule with Fregot
      • Using fregot eval to Test Custom Rules
        • Using fregot eval to test a simple rule
        • Using fregot eval to test an advanced rule
        • What’s next?
      • Using fregot repl to Debug Custom Rules
        • Before starting up the REPL
        • Launch the REPL
        • Evaluate the allow, deny, or policy rule
        • Make changes as needed
        • Debug a custom rule
        • What’s next?
      • Creating or Editing Custom Families on the Rules Page
        • Creating a Custom Family - UI
        • Editing an Existing Custom Family - UI
        • Cloning and Editing a Fugue Compliance Family
        • Modifying Rules for Custom Families - UI
      • Managing Rules - UI
        • Viewing Custom Rules
        • Creating Custom Rules - UI
        • Modifying and Deleting Custom Rules - UI
        • Viewing Compliance Results - UI
        • Waiving Custom Rules - UI
        • Disabling and Enabling Custom Rules - UI
        • Creating and Editing Custom Families on the Rules Page - UI
      • Managing Custom Rules - CLI
        • Creating Custom Rules - CLI
        • Modifying and Deleting Custom Rules - CLI
        • Viewing Compliance Results - CLI
        • Waiving Custom Rules - CLI
        • Disabling and Enabling Custom Rules - CLI
      • Managing Custom Rules - API
        • Creating Custom Rules - API
        • Modifying and Deleting Custom Rules - API
        • Viewing Compliance Results - API
        • Waiving Custom Rules - API
        • Disabling and Enabling Custom Rules - API
    • Navigating the Rules Page
      • Searching for Rules
      • Sorting and Pagination
      • Filtering
  • Families
    • Viewing Families - UI
    • Searching & Filtering Families - UI
      • Searching for Families
      • Filtering for Families
      • Sorting and Pagination
    • Creating Custom Families - UI
    • Modifying Custom Families - UI
    • Viewing Rules for a Compliance Family - UI
    • Deleting Custom Families - UI
    • Sharing Families between Tenants - UI
  • Visualizer
    • Visualization Components
      • Security Group Connections Between Resources
      • Working with Pods
    • Visualizing Resource Compliance State
    • Viewing Groupings
      • Grouped resources
      • Collections
      • Networks
      • Regions
      • How to expand and collapse groupings
      • Nested groups/collections
      • How collapsed groupings show compliance
    • Viewing the Visualizer for Repository Environments
    • Viewing Resource Details
    • Searching
    • Filtering
    • Panning, Zooming, and Viewing in Full Screen
    • Which Resources Are Visualized?
      • Supported AWS & AWS GovCloud Resources
        • VPC Attributes
        • Implicit Resources
      • Supported Azure & Azure Government Resources
        • VNet Attributes
      • Supported Google Resources
      • Supported Fugue IaC Kubernetes Resources (limited beta)
    • Visualizing Previous Scans
    • View Options
      • Exporting a Diagram
    • Supported Browsers
      • WebGL is Required
  • Integrations
    • Contents
      • AWS CloudTrail Integration
        • Summary
        • Integration Steps
      • AWS Security Hub Integration
        • Summary
        • Architecture
        • Integration Steps
        • Integration Considerations
        • Findings Fields
  • Settings
    • Contents
      • User Management
        • User Setup
        • Single Sign-on (SSO)
        • Multi-Factor Authentication (MFA)
      • Role-Based Access Control (RBAC)
        • RBAC Overview
        • Groups, Policies, Users
        • Types of Policies
        • Permissions for Users in Multiple Groups
        • Getting Started with RBAC
        • More About User Management
      • Fugue Organizations (Enterprise-only Feature)
        • Using RBAC with Organizations
        • Inviting Users to One or Multiple Tenants
        • Accepting an Invite for an Organization
        • Sharing Families in an Organization
        • FAQ
        • How do I log into Fugue when I have access to more than one tenant?
  • Reports and Notifications
    • Contents
      • Notifications
        • The Notifications Tab
        • Setting Up Notifications
        • Editing or Deleting a Notification
        • Types of Notification Events
        • Example Notifications
        • Notifications FAQ
      • Reports & Dashboards
        • Organization View vs. Tenant View
        • Report Actions
        • Compliance Posture Dashboard
        • Resources Dashboard
        • Billing Metrics Dashboard
        • Current Rule Results
        • Current Rule Violations
        • Resources Report
        • Compliance Family Dashboards
        • How to Filter a Report or Dashboard
        • How to Create an Alert
        • How to Download a Report
        • How to Send a Report by Email Immediately
        • How to Schedule a Report by Email
        • How to Drill Down Into a Report
        • Resource ID and Resource Native ID
      • Compliance Report Email (Single Environment)
        • Setting up the Compliance Report Email for an environment
    • Export Data
      • Steps
      • Data
  • API
    • Contents
      • API User Guide
        • What is the Fugue API?
        • API Functions
        • How to Use the API
        • OpenAPI 2.0 Spec
        • Authentication
        • Making API Requests
        • Deep Dives
        • API Tools
        • Further Reading
      • API Request Examples
        • Listing Details for All Environments
        • Creating an Environment
        • Retrieving Details for a Single Environment
        • Updating an Environment
        • Deleting an Environment
        • Retrieving Active Rules for an Environment
        • Listing Scans for an Environment
        • Triggering a New Scan
        • Retrieving Details for a Scan
        • Listing Compliance Results by Control for a Scan
        • Listing Compliance Results by Resource Type for a Scan
        • Listing Compliance/Drift/Baseline Enforcement Events for an Environment
        • Returning Fugue’s OpenAPI 2.0 Specification
        • Listing IAM Permissions Required to Scan/Enforce Resources
        • Listing Supported Resource Types
        • Listing Details for All Notifications
        • Creating a Notification
        • Updating a Notification
        • Listing Details for All Notifications
        • Deleting a Notification
        • Creating a Custom Rule
        • Listing Custom Rules
        • Retrieving Details for a Rule
        • Updating a Custom Rule
        • Deleting a Custom Rule
        • Testing a Custom Rule
        • Getting Input for a Custom Rule Test
        • Getting a List of Details for All Invites
        • Creating a New Invite
        • Fetching an Invite by ID
        • Getting a List of Groups
        • Creating a New Group
        • Editing a List of Users’ Group Assignments
        • Getting a List of Details for All Users
        • Getting a User by ID
        • Listing Details for All Rule Waivers
        • Creating a Rule Waiver
        • Retrieving Details for a Single Rule Waiver
        • Updating a Rule Waiver
        • Deleting a Rule Waiver
        • Retrieving Audit Log Entries
        • Creating a Custom Family
        • Listing Families
        • Looking up a Family
        • Deleting a Family
        • Updating a Family
        • Further Reading
      • API Reference
  • CLI
    • Commands
      • create - Create subcommands
        • create
        • Output Attributes
        • Examples
      • delete - Delete subcommands
        • delete
        • Examples
      • get - Get subcommands
        • get
        • Output Attributes
        • Examples
      • help - Help about any command
        • help
        • Examples
      • list - List subcommands
        • list
        • Output Attributes
        • Examples
      • scan - Trigger a scan
        • scan
        • Output Attributes
        • Examples
      • sync - Sync files to your account
        • sync
        • Examples
      • test - Test custom rules
        • test
        • Output Attributes
        • Examples
      • update - Update subcommands
        • update
        • Output Attributes
        • Examples
    • Usage
    • Installation
      • macOS installation
      • Linux installation
      • Windows installation
    • Environment Variables
    • Accepted Parameter Values
      • How to format fugue flags
    • Tips
      • env alias
      • Help for any command
      • Debugging
    • macOS Installation Error Message
  • Service Coverage
    • Contents
      • Service Coverage - AWS & AWS GovCloud
        • AWS Account Management (beta)
        • AWS Certificate Manager (ACM)
        • ACM Private Certificate Authority (ACM PCA)
        • API Gateway
        • API Gateway Version 2 (beta)
        • Athena (beta)
        • Auto Scaling
        • CloudFormation (beta)
        • CloudFront
        • CloudTrail
        • CloudWatch
        • Cognito
        • Config
        • Directory Service
        • DocumentDB (beta)
        • DynamoDB
        • EC2
        • ECR
        • ECS
        • EFS
        • EKS
        • ELB (Elastic Load Balancing)
        • ELBv2 (Elastic Load Balancing v2)
        • ElastiCache
        • Elasticsearch (beta)
        • Glacier (S3 Glacier)
        • Glue (beta)
        • GuardDuty
        • IAM (Identity & Access Management)
        • IAM Access Analyzer (beta)
        • Inspector
        • KMS (Key Management Service)
        • Kinesis
        • Lambda
        • MediaStore (Elemental MediaStore)
        • Neptune (beta)
        • Organizations
        • Resource Access Manager (RAM) (beta)
        • RDS
        • Redshift
        • Route 53
        • S3
        • SageMaker (beta)
        • Step Functions (SFN)
        • SNS
        • SQS
        • Systems Manager (SSM)
        • Secrets Manager
        • WAF
        • WAFRegional
        • WAFv2
        • WorkSpaces (beta)
      • Service Coverage - Azure & Azure Government
        • Active Directory (beta)
        • Application Insights
        • Authorization (RBAC)
        • Automation
        • CDN (Content Delivery Network)
        • Compute
        • Container
        • Cosmos DB
        • Data Lake
        • Databricks
        • Key Vault
        • Kubernetes
        • Managed Identity
        • Monitor
        • MySQL
        • Network
        • PostgreSQL
        • Redis
        • Resources
        • Security Center
        • SQL
        • Storage
        • Web
      • Service Coverage - Google Cloud
        • BigQuery
        • Compute Engine
        • Kubernetes (Container) Engine
        • Cloud DNS
        • Cloud IAM
        • Cloud Key Management
        • Cloud Logging
        • Cloud Monitoring
        • Memorystore
        • Resource Manager
        • Cloud SQL
        • Cloud Storage
    • Regions and Resources: Things to Know
      • Supported AWS and AWS GovCloud Regions
      • Changing AWS Region
      • Changing Resource Selection
      • Resources Under Management
      • Resource Types That Don’t Report Drift
  • AWS IAM Policy Permissions
    • SecurityAudit read-only (scan) permissions
    • Supplemental read-only (scan) permissions
    • Fugue IAM role CloudFormation template
      • Finding your tenant’s external ID
  • FAQ
    • General
      • How do I contact support?
      • Where can I sign up for Fugue?
      • How can I get started with my first environment?
      • How do I change my Fugue user password?
      • What browsers are supported?
      • What are Fugue’s email addresses that should be whitelisted?
    • Plans
      • What plans are offered?
      • What’s the difference between Enterprise Trial, Paid Plans, and the Developer Plan?
      • How do I upgrade my Fugue tenant?
      • How do I find out what my plan is?
      • How is scanning limited in Fugue Developer?
      • How much does it cost?
      • Where can I find more information?
    • Environments
      • How many environments can Fugue store?
      • Does Fugue support AWS GovCloud?
      • What AWS and AWS GovCloud regions does Fugue support?
      • How can I change my AWS environment’s region(s)?
      • Does Fugue support Microsoft Azure and/or Azure Government?
      • Does Fugue support Google Cloud?
      • Does Fugue support infrastructure as code?
      • How can I quickly create multiple environments?
    • Scanning
      • How can I trigger a scan?
      • Where do I view my scan results?
      • How can I change the resources that Fugue scans in my AWS Commercial or GovCloud environment?
      • How can I change the resource groups Fugue scans in my Azure environment?
      • What does the red “Something went wrong” banner mean?
      • What does the orange “Incomplete Scan Results” banner mean?
      • Can I scan ElastiCache clusters within a replication group?
    • Compliance
      • Which compliance families are supported?
      • Can I change the compliance families Fugue uses to evaluate my infrastructure?
      • Can I create my own family?
      • Can I waive a rule or “ignore” a noncompliant resource?
      • Can I disable a rule for all environments?
      • How do I waive a rule?
      • Will changing my compliance standards and saving them automatically trigger a new scan?
      • How can I output a CSV or Excel file of compliance results for my Fugue account?
      • How are compliance controls and families displayed in the UI?
    • Drift Detection & Enforcement
      • How do I set or update a baseline?
      • Can I turn off drift detection?
      • How do I enable enforcement? (AWS & AWS GovCloud)
      • How do I disable enforcement? (AWS & AWS GovCloud)
      • How can I change the AWS or AWS GovCloud resources that Fugue enforces?
      • What kind of drift does Fugue enforce?
      • When a resource is enforced, does Fugue simply modify it, or does it destroy the resource and recreate it?
    • AWS Identity & Access Management (IAM) Permissions
      • What kind of AWS IAM permissions does Fugue need?
        • SecurityAudit read-only policy
      • Can I give Fugue enforce access (write permissions) without enabling baseline enforcement?
      • What permissions are needed for compliance scanning, drift detection, and baseline enforcement?
      • How do I update the Fugue IAM role trust policy?
      • What’s the SecurityAudit policy and why is it attached?
      • Why does Fugue use inline policies instead of managed policies?
    • Azure Service Principal Role
      • What type of RBAC role does Fugue require to scan my Azure infrastructure?
    • Service Coverage
      • What cloud provider services does Fugue support?
    • Organization
      • How do I manage users?
      • How do I use RBAC to manage users?
      • How do I enable SSO?
      • How do I enable MFA?
    • Visualizer
      • How can I visualize the resources in my environment?
      • What resource types are visualized?
      • What do the characters next to subnet and security group names mean?
      • Which cloud providers are supported?
      • Does the visualizer support keyboard shortcuts?
    • Notifications
      • What if I have a question about notifications?
    • Audit Log
      • Does Fugue have audit logging capabilities?
    • Best Practices
      • AWS Regions and Environments
      • Recommended AWS Resource Types to Scan
      • Avoid Enforcing AWS Auto Scaled Resources
      • Enable Multi-Factor Authentication (MFA)
    • Known Issues
      • Maximum of 1,000 SQS Queues
      • Notification of Newly Compliant Resources When Transitioning to Fugue Developer
    • Additional Resources about Cloud Security
    • Other
      • What if I have other questions?
  • Open Source Projects
    • Regula
    • Fregot
    • credstash
    • s3fc
  • Terraform Provider for Fugue
  • Glossary
  • Release Notes
    • 2022.06.29
      • Fugue API Update
    • 2022.06.08
      • Fugue Terraform Provider Updates
    • 2022.05.25
      • Visualizer: Expanded AWS Service Coverage
    • 2022.05.19
      • Extended AWS Service Coverage (limited beta)
      • Visualizer: Support for Filtering by Azure Tags
    • 2022.04.19
      • Fugue CLI Enhancements
    • 2022.03.30
    • 2022.03.17
      • Rule Waiver Enhancements
        • Set expiration
        • Apply to all environments
        • Configuration syncing for repository environments (beta)
      • Additional AWS Rules
    • 2022.03.03
      • Extended AWS Service Coverage (limited beta)
    • 2022.02.24
      • Custom Families (General Availability)
      • Report Performance Improvements
      • Fugue CLI Enhancements
    • 2022.02.07
      • Custom Families & AWS ARNs in Reports
    • 2022.02.03
      • Additional AWS Region
    • 2022.01.20
      • Billing Metrics Dashboard
      • Visualizer SVG Export
      • Repository Environment Configuration Syncing (beta)
      • Additional AWS Regions (coming soon)
      • Bug Fix
    • 2021.12.17
    • 2021.12.09
      • Assign all Environments (Current and Future) to an RBAC Group
    • 2021.12.02
      • Share and Enforce Families within an Organization
      • Organization Reports
      • RBAC for API Clients
      • UI/UX Improvements: Reports, Visualizer, & Environment Overview Pages
      • Improvements to Regula
    • 2021.11.11
      • Bug Fixes
    • 2021.10.28
      • Fugue IaC: Kubernetes Manifests
      • Additional Improvements and Bug Fixes
    • 2021.10.18
      • Repository Support in Reports
      • Always Enabled Option for Families
      • Visualizer: Expanded AWS Service Coverage
      • UX Improvement & Bug Fix
    • 2021.09.30
      • Compliance Family Updates (limited beta)
      • Visualizer: Additional Filter Capabilities
      • Regula Kubernetes Support
      • Fugue Terraform Provider Updates
      • Bug Fixes
    • 2021.09.16
      • Visualizer: Additional Filter Capabilities (limited beta)
      • Regula Improvements
      • Navigation Updates
    • 2021.09.02
      • Fugue IaC: limited beta
      • UX Improvements to the Compliance Pages
      • Additional Azure Rules
    • 2021.08.19
      • Visualizer: Expanded AWS & Azure Service Coverage
      • Regula Improvements
    • 2021.08.05
      • Custom Families: beta
      • Additional Azure Rules
      • Regula: Resource Line Number Feedback
    • 2021.07.09
      • AWS Resource Types (beta)
    • 2021.06.24
      • Pods for Visualizer
      • Schedule/Send All Reports to an S3 Bucket
      • Bug Fix
    • 2021.06.10
      • Saved Filter State for Compliance, Baseline, and Events Pages
      • Updates CIS Azure v1.3.0 Rules
    • 2021.05.27
      • Resource Name and Tag Patterns for Waivers
      • AMI & Launch Time Attributes to EC2 Instances
      • Fugue CLI Flag: Fail on Scan Failures
      • Regula CLI
      • Regula Terraform HCL (.tf) Support
      • Additional Controls for CIS Azure 1.3.0 General Availability
    • 2021.05.13
      • Current Rule Results Report
      • General Availability: AWS Resource Types
      • CIS Azure Foundations Benchmark v1.3.0 (limited beta)
      • User Experience Improvements: Hyperlinks to the Rules Page and Saving Search Terms/Filters
    • 2021.04.29
      • General Availability: Google Cloud
      • New RBAC Policy: Manager
      • Rules Page Improvements
      • Waivers Page Improvements
      • Compliance Page Improvements
      • Bug Fixes
    • 2021.04.15
      • Search Capabilities on the Waivers Page
      • Compliance Pages Improvements to Display Resource Name & ID
      • Scan Google Cloud Project Without Enabling Compute Engine API
      • Fugue Rule Improvements
    • 2021.04.01
      • Google Cloud Enhancements (limited beta)
      • New Default View for the Environment Summary Page
      • Regula Improvements
      • Fugue Terraform Provider Updates
    • 2021.03.18
      • Support for Google Cloud (limited beta)
      • Additional Compliance Family Dashboards
      • Audit Log Support via the API
      • Improvements to the Environment Summary Page
      • Regula Support for AWS CloudFormation
      • Bug Fixes & Misc. Improvements
    • 2021.03.04
      • Visualizer: Support for Filtering by Regions, Tags, and Services
      • Rule Update
    • 2021.02.18
      • Six New Rules for AWS CIS Foundations Benchmark 1.3.0
      • Expanded Azure Service Coverage
      • Waiver Support in the API and CLI
      • CLI: Additional Filter Support on the Environments API Endpoint
    • 2021.02.04
      • SSO: Okta Tile Support
      • CIS Docker 1.2.0 & CIS AWS 1.3.0 Compliance Families
      • Visualizer: Filter by Region
      • Expanded AWS and Azure Service Coverage: Beta
      • API Updates: Environment Queries
      • CLI Support for Users and Groups
      • UX Improvements to the MFA Authentication Screen
    • 2021.01.21
      • New Rules Page
      • Enable/Disable Rules for your Organization
      • API Support for Users and Groups
      • Visualizer: Expanded AWS Service Coverage
      • Updated Fugue Rules
    • 2021.01.05
      • Enable or Disable a Rule for Your Entire Organization: Beta
      • Improvements to Visualizer
    • 2020.12.09
      • Reporting Updates
      • Rules Updates
      • Azure Subscription Onboarding
      • Expanded Service Coverage: Azure
      • API Updates: Events
    • 2020.12.01
      • Visualizer: Expanded AWS and Azure Service Coverage
      • Bug Fixes
    • 2020.11.10
      • Added Advanced Reporting Capabilities - Beta
      • Expanded Default Compliance Standard Library - CSA CCM
    • 2020.10.27
      • UX Improvements to the Environment Overview Page
      • UX Improvements to Tables
      • Expanded Azure Service Coverage - Beta
      • Visualizer - Azure Service Coverage
      • Bug Fixes
    • 2020.10.13
      • UX Improvements to the Environment Compliance Summary
      • Create a Waiver on a Missing Resource
      • Scheduled Report Improvements
      • Deprecated Support for TLS 1.0 and TLS 1.1
    • 2020.09.23
      • RBAC Improvements
      • Deprecating TLS 1.0 and TLS 1.1
      • Enhancements to Scanning of S3 Resources
      • Bug Fixes
    • 2020.09.09
      • New Azure Rules
      • Expanded Service Coverage for Azure - Beta
      • Expanded Service Coverage for AWS - Beta
      • Visualizer - Azure Service Coverage
      • UX Improvements to the Group and Notification Pages
    • 2020.08.17
      • New Azure Rules
      • Custom Rule Severity
      • Waiver Improvements
      • Azure Government Support
      • Expanded Azure Service Coverage - Beta
      • Visualizer Updates
      • UX Improvements
      • Bug Fixes
    • 2020.08.04
      • Enhancements to the All Environments Landing Page
      • Visualizer
      • Extended Service Coverage Support for Azure
      • Deprecating TLS 1.0 and TLS 1.1
    • 2020.07.30
    • 2020.07.21
      • Environment Search Capability
      • Compliance Family
      • Updates to Data Export
      • Bug Fixes
    • 2020.07.08
      • Rule Waivers
      • Rule Severity on the Compliance by Resource Page
      • Two New RBAC Policies
      • UX Update to the Top Navigation
      • Bug Fixes
    • 2020.06.05
      • Ability to export compliance data via the UI
    • 2020.06.04
      • Extended Azure Service Coverage Beta
      • Visualizer Updates
      • Updates to Compliance Rules
    • 2020.05.29
      • Visualizer Updates
      • Expanded AWS Service Coverage
      • Bug Fixes
    • 2020.05.12
      • Support for CIS Controls 7.1
      • Visualizer Updates
      • Updates to Compliance Terminology
    • 2020.04.29
      • Scoping Environments to Multiple Regions
      • Responsive Registration Page and More
      • Visualizer Updates
    • 2020.04.16
      • Role Based Access Control (RBAC)
      • Cloud Resource Visualization
    • 2020.04.07
      • UX Improvements
      • Rule Engine Upgrade
      • New IAM Permissions Required
      • Compliance Event Notifications
      • Bug Fixes
    • 2020.03.17
    • 2020.03.03
      • On-Demand Scan via the UI
      • Cloud Resource Visualization – View Resource Details
      • UX Improvements to Settings and Setting a Baseline
      • Bug Fixes
      • Removed Obsolete VPC Flow Logs Rule
    • 2020.02.14
      • Cloud Resource Visualization – Collections & Additional Resource Support
      • Rule Updates
    • 2020.01.31
      • Additional AWS Resources - Beta
      • Bug Fixes
    • 2020.01.13
      • Cloud Resource Visualization – Keyboard Shortcuts
      • Multi-Factor Authentication Support (MFA)
    • 2019.12.23
      • Cloud Resource Visualization - Export Functionality
      • Cloud Resource Visualization - VPC Peering
      • Search By Environment
    • 2019.11.21
      • Rule Remediation Steps in Documentation
      • Exporting Visualizer Diagrams and Customizing Your Visualizer View
      • Ability to Delete User Groups
      • Fugue Developer and Fugue Enterprise
      • New Account Overview Page
    • 2019.10.31
      • Single Sign-On (Beta)
      • Additional Compliance Family Support for Azure
      • Fugue Best Practices
    • 2019.10.17
      • Expanded AWS Service Coverage
      • Updates to the Visualizer
    • 2019.10.03
      • Custom Rules
      • CLI
      • Visualizer
    • 2019.09.13
      • Visualizer updates
      • IAM role generation updates
    • 2019.08.23
    • 2019.08.07
    • 2019.07.08
    • 2019.07.03
      • Features
    • 2019.06.26
      • Features
    • 2019.06.10
      • Features
    • 2019.05.29
      • Features
    • 2019.05.09
      • Features
      • Bug Fixes and Improvements
    • 2019.04.25
      • Features
      • Bug Fixes
    • 2019.03.28
      • Features
    • 2019.03.15
      • Features
      • Bug Fixes
    • 2019.02.25
    • 2019.02.12
    • 2019.01.28
    • 2018.11.26
      • Features
        • Scan cloud environments for risks and generate risk reports
        • Scan cloud environments for drift based on the declared baseline
        • Enable baseline enforcement on resources in cloud environments
  • Fugue Support
    • Contact Support
    • Self-Service
      • How do I…
      • Selected FAQs
  • Rule Remediation Steps
    • IAM root user should not be used
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should prevent reuse of previously used passwords
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM password policies should expire passwords within 90 days
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM root user access key should not exist
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have hardware MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not be attached to users
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • Ensure a support role has been created to manage incidents with AWS Support
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudFront viewer protocol policy should be set to https-only or redirect-to-https
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • ELBv1 listener protocol should not be set to http
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • Auto Scaling groups should span two or more availability zones
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • EBS volume encryption should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudFront distributions should have geo-restrictions specified
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM user access keys should be rotated every 90 days or less
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one uppercase character
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM password policies should require at least one lowercase character
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
        • Terraform
    • IAM password policies should require at least one symbol
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM password policies should require at least one number
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM password policies should require a minimum length of 14
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • CloudTrail should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log file validation should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudTrail trails should have CloudWatch log integration enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • AWS Config should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Alarm for denied connections in CloudFront logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log files should be encrypted with customer managed KMS keys
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • KMS CMK rotation should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • ELBv1 load balancer cross zone load balancing should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group inbound rules should not permit ingress from a public address to all ports and protocols
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC flow logs should be sent to CloudWatch logs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQS access policies should not have global "*.*" access
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • SNS subscriptions should deny access via HTTP
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC flow logging should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudWatch log metric filter and alarm for unauthorized API calls should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC security group changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC route table changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for usage of root account should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for IAM policy changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Load balancer access logging should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • CloudFront access logging should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudWatch log groups should be encrypted with customer managed KMS keys
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • DynamoDB tables should be encrypted with AWS or customer managed KMS keys
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • SQS queue server-side encryption should be enabled with KMS keys
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • CloudFront distributions should be protected by WAFs
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • CloudFormation
        • Terraform
    • CloudWatch log metric filter and alarm for disabling or scheduled deletion of customer managed KMS keys should be configured
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
      • Documentation Links
        • Runtime
    • CloudWatch log metric filter and alarm should be set for S3 bucket policy changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm should be set for Config configuration changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • IAM password policies should prevent reuse of the four previously used passwords
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC default security group should restrict all traffic
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • IAM policies should not have full “*:*” administrative privileges
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • RDS instances and Aurora DB clusters should be encrypted
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • RDS instances should have FedRAMP approved database engines
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • RDS instances should be encrypted with customer managed KMS keys
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket server-side encryption should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • S3 bucket policies should only allow requests that use HTTPS
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • S3 bucket versioning and lifecycle policies should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • ELB listener security groups should not be set to TCP all
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • Console and CLI
        • Terraform
    • ElastiCache transport encryption should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • DynamoDB tables Point in Time Recovery should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • RDS instances should have backup retention periods configured
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM multi-factor authentication should be enabled for all IAM users that have a console password
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Storage Accounts ‘Secure transfer required’ should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
    • Storage Account default network access rules should deny all traffic
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Terraform
      • Documentation Links
        • Console and CLI
        • Terraform
    • Virtual Network Network Watcher should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Machines data disks (non-boot volumes) should be encrypted
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Virtual Machines unattached disks should be encrypted
      • Description
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Blob Storage containers should have public access disabled
      • Description
        • Azure Portal
        • Azure PowerShell
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Storage Accounts should have ‘Trusted Microsoft Services’ enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • RDS Aurora cluster multi-AZ should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • S3 bucket policies should not allow all actions for all IAM principals and public users
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • S3 bucket policies should not allow list actions for all IAM principals and public users
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM policies should not allow broad list actions on S3 buckets
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM role trust policies should not allow all principals to assume the role
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Ensure Azure Application Gateway Web application firewall (WAF) is enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • MySQL Database server “enforce SSL connection” should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database server “enforce SSL connection” should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Key Vault ‘Enable Soft Delete’ and ‘Enable Purge Protection’ should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • S3 buckets should have all “block public access” options enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • Console and CLI
        • Terraform
    • CloudTrail trails should be configured to log data events for S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Exactly one CloudTrail trail should monitor global services
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should be configured to log management events
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • CloudTrail should have at least one CloudTrail trail set to a multi-region trail
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should not be associated with missing SNS topics
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS CloudWatch alarms should have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBIOS Datagram Service)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBIOS Session Service)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 1433 (MSSQL Server)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • Require Multi Availability Zones turned on for RDS Instances
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • KMS master keys should not be publicly accessible
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • EC2 instances should use IAM roles and instance profiles instead of IAM access keys to perform requests
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • IAM roles used for trust relationships should have MFA or external IDs
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • Redshift cluster ‘Publicly Accessible’ should not be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • EC2 instances should not have a public IP association (IPv4)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM users should be members of at least one group
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM users should have MFA (virtual or hardware) enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket access logging should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • S3 bucket replication (cross-region or same-region) should be enabled
      • Description
      • Remediation
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • Lambda function policies should not allow global access
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • S3 buckets should not be publicly readable
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • RDS instance ‘Publicly Accessible’ should not be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • S3 bucket policies and ACLs should not be configured for public read access
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • CloudFormation
        • Terraform
    • RDS instance ‘Deletion Protection’ should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • SQL Server auditing should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • PowerShell
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • SQL Server auditing retention should be 90 days or greater
      • Description
      • Remediation Steps
        • Azure Portal
        • PowerShell
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Virtual Network security group flow log retention period should be set to 90 days or greater
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Active Directory custom subscription owner roles should not be created
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Security Center pricing tier should be set to ‘Standard’
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor System Updates’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor OS Vulnerabilities’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Disk Encryption’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Network Security Groups’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Web Application Firewall’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Enable Next Generation Firewall (NGFW) Monitoring’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Vulnerability Assessment’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor Storage Blob Encryption” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor JIT Network Access” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor Adaptive Application Whitelisting” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor SQL Auditing” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor SQL Encryption” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center contact emails should be set
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_checkpoints’ should be on
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database configuration ‘log_connections’ should be on
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Monitor Activity Log Alert should exist for Create Policy Assignment
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Network Security Group
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Network Security Group
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Network Security Group Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Network Security Group Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Security Solution
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Security Solution
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update or Delete SQL Server Firewall Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Update Security Policy
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Azure Kubernetes Service instances should have RBAC enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database configuration ‘log_disconnections’ should be on
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database configuration ‘log_duration’ should be on
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database configuration ‘connection_throttling’ should be on
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • PostgreSQL Database configuration ‘log_retention days’ should be greater than 3
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Monitor log profile should be created
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor ‘Activity Log Retention’ should be 365 days or greater
      • Description
      • Portal Remediation Steps
      • PowerShell Remediation Steps
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • Monitor audit profile should log all activities
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Monitor log profile should have activity logs for global services and all regions
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • Key Vault logging should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • App Service web app authentication should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • App Service web apps should have ‘HTTPS only’ enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • App Service web apps should have ‘Minimum TLS Version’ set to ‘1.2’
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • App Service web apps should have ‘Incoming client certificates’ enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
        • Terraform
      • Documentation Links
        • Runtime
        • Azure Resource Manager
        • Terraform
    • VPC security group inbound rules should not permit ingress from any address to all ports and protocols
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • AWS Console and CLI
        • Terraform
    • IAM users should only have one active access key available
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket object-level logging for write events should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
      • Documentation Links
        • Runtime
        • CloudFormation
    • S3 bucket object-level logging for read events should be enabled
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
      • Documentation Links
        • Runtime
        • CloudFormation
    • CloudWatch log metric filter and alarm for AWS Organizations changes should be configured for the master account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 22
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
      • Documentation Links
        • Runtime
        • CloudFormation
    • VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 3389
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
      • Documentation Links
        • Runtime
        • CloudFormation
    • ECS task definitions should not use the root user
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should be configured with a health check
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should not add Linux capabilities beyond defaults and should drop ‘NET_RAW’
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should not mount sensitive host system directories
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should limit memory usage for containers
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should set CPU limit for containers
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS task definitions should mount the container’s root filesystem as read-only
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS container definitions should not mount volumes with mount propagation set to shared
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ECS tasks should be configured with a health check
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution viewer certificate should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution custom origins should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELB HTTPS listeners should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv2 HTTPS listeners should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • API Gateway classic custom domains should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
        • CloudFormation
      • Documentation Links
        • Runtime
        • CloudFormation
    • API Gateway v2 custom domains should use secure TLS protocol versions (1.2 and above)
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
          • Example
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ except to ports 80 and 443
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • CloudFormation
        • Terraform
      • Documentation Links
        • Runtime
        • CloudFormation
        • Terraform
    • KMS crypto keys should be rotated at least once every 365 days
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • VPC firewall rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • Service accounts should only have Google-managed service account keys
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • User-managed service accounts should not have admin privileges
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM users should not have project-level ‘Service Account User’ or ‘Service Account Token Creator’ roles
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • KMS keys should not be anonymously or publicly accessible
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • KMS keys should be rotated every 90 days or less
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM default audit log config should include ‘DATA_READ’ and ‘DATA_WRITE’ log types
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • IAM default audit log config should not exempt any users
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • At least one project-level logging sink should be configured with an empty filter
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging storage bucket retention policies and Bucket Lock should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for project ownership assignments/changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for project ownership assignments/changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for project ownership assignments/changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for network firewall rule changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for network route changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for network changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for Storage IAM permission changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Logging metric filter and alert for SQL instance configuration changes should be configured
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • The default network for a project should be deleted
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Networks should not be in legacy mode
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • DNS managed zone DNSSEC should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • DNS managed zone DNSSEC key-signing keys should not use RSASHA1
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • DNS managed zone DNSSEC zone-signing keys should not use RSASHA1
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Network firewall rules should not permit ingress from 0.0.0.0/0 to port 22 (SSH)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Network firewall rules should not permit ingress from 0.0.0.0/0 to port 3389 (RDP)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Network subnet flow logs should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Load balancer HTTPS or SSL proxy SSL policies should not have weak cipher suites
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances should not use the default service account
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances should not use the default service account with full access to all Cloud APIs
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instance ‘block-project-ssh-keys’ should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute project metadata ‘OS Login’ should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances ‘Enable connecting to serial ports’ should not be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances ‘IP forwarding’ should not be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instance disks should be encrypted with customer-supplied encryption keys (CSEKs)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instance Shielded VM should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Compute instances should not have public IP addresses
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Storage bucket uniform access control should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • Storage bucket uniform access control should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • MySQL database instances should not have a passwordless default root user
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • MySQL database instance ‘local_infile’ database flag should be set to ‘off’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_checkpoints’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_connections’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_disconnections’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_lock_waits’ database flag should be set to ‘on’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_min_messages’ database flag should be set appropriately
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_temp_files’ database flag should be set to ‘0’ (on)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • PostgreSQL database instance ‘log_min_duration_statement’ database flag should be set to ‘-1’ (disabled)
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL Server database instance ‘cross db ownership chaining’ database flag should be set to ‘off’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL Server database instance ‘contained database authentication’ database flag should be set to ‘off’
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instances should require incoming connections to use SSL
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instances should not permit access from 0.0.0.0/0
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instances should not have public IPs
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • SQL database instance automated backups should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
      • Documentation Links
        • Runtime
    • BigQuery datasets should not be anonymously or publicly accessible
      • Description
      • Remediation Steps
        • Google Cloud Console
        • bq CLI
      • Documentation Links
        • Runtime
    • VPC subnet ‘Private Google Access’ should be enabled
      • Description
      • Remediation Steps
        • Google Cloud Console
        • gcloud CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • Custom Role should be assigned for administering resource locks
      • Description
      • Remediation Steps
        • Azure Portal
        • PowerShell
      • Documentation Links
        • Runtime
    • Storage Account queue service logging should be enabled for read, write, and delete requests
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • Storage Account soft delete should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Storage Accounts for critical data should be encrypted with Customer Managed Keys
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Storage Accounts that include activity logs should be encrypted with Customer Managed Keys
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Monitor Activity Log alert should be configured for ‘Delete Policy Assignment’
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Network security groups should not permit ingress from the internet to UDP ports
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Virtual Machines should use Managed Disks
      • Description
      • Remediation Steps
        • Azure Portal
        • PowerShell
      • Documentation Links
        • Runtime
    • Virtual Machine OS and data disks should be encrypted with Customer Managed Keys
      • Description
      • Remediation Steps
        • Azure Portal
        • PowerShell
      • Documentation Links
        • Runtime
    • Virtual Machine unattached managed disks should be encrypted with Customer Managed Keys
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Key Vault keys should have an expiration date
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Key Vault secrets should have an expiration date
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • App Service web apps should use a system-assigned managed service identity
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • App Service web app HTTP version should be the latest
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • App Service web app FTP deployments should be disabled
      • Description
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Runtime
    • Azure Defender should be enabled for Virtual Machines
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for App Services
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for SQL Servers
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for SQL Servers on Virtual Machines
      • Description
      • Remediation Steps
        • Azure Portal
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for Storage Accounts
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for Kubernetes Services
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for Container Registries
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Azure Defender should be enabled for Key Vaults
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • SQL Server vulnerability assessments should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure PowerShell
      • Documentation Links
        • Azure Portal and PowerShell
    • SQL Server ‘periodic recurring scans’ for vulnerability assessments should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure PowerShell
      • Documentation Links
        • Azure Portal and PowerShell
    • SQL Server ‘send scan reports’ for vulnerability assessments should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure PowerShell
      • Documentation Links
        • Azure Portal and PowerShell
    • SQL Server ‘also send email notifications to admins and subscription owners’ for vulnerability assessments should be enabled
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure PowerShell
      • Documentation Links
        • Azure Portal and PowerShell
    • Virtual Machine legacy virtual hard disks should be encrypted
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Security Center ‘Send email notification for high severity alerts’ should be enabled
      • Description
        • Azure Portal
        • Azure CLI
        • Azure Resource Manager
      • Documentation Links
        • Runtime
        • Azure Resource Manager
    • Security Center setting ‘All users with the following roles’ should be set to ‘Owner’
      • Description
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • SQL Database transparent data encryption should be enabled
      • Description
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • SQL Server Active Directory Admin should be configured
      • Description
        • Azure Portal
        • Azure PowerShell
      • Documentation Links
        • Azure Portal and CLI
    • SQL Server TDE protector should be encrypted with a Key Vault CMK
      • Description
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • Security Center monitoring agent should be automatically provisioned
      • Description
      • Remediation Steps
        • Azure Portal
        • Azure CLI
      • Documentation Links
        • Azure Portal and CLI
    • The ‘cluster-admin’ role should not be used
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Roles and cluster roles should not grant ‘get’, ‘list’, or ‘watch’ permissions for secrets
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Roles and cluster roles should not grant ‘create’ permissions for pods
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Default service account ‘automountServiceAccountToken’ should be set to ‘false’
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Service account ‘automountServiceAccountToken’ should be set to ‘false’
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run privileged containers
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers wishing to share the host process ID namespace
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers wishing to share the host IPC namespace
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers wishing to share the host network namespace
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers with allowPrivilegeEscalation
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers as the root user
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers with the NET_RAW capability
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers with added capabilities
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not run containers with default capabilities assigned
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods should not use secrets stored in environment variables
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pod seccomp profile should be set to ‘docker/default’
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Pods and containers should apply a security context
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • The default namespace should not be used
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Roles and cluster roles should not be bound to the default service account
      • Description
      • Remediation Steps
        • Kubernetes Manifest (YAML)
      • Documentation Links
        • Kubernetes Manifest
    • Lambda permissions with a service principal should apply to only one resource and AWS account
      • Description
        • Terraform
      • Documentation Links
        • Terraform
        • AWS
    • WAFv2 web ACLs should include the ‘AWSManagedRulesKnownBadInputsRuleSet’ managed rule group
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
        • Terraform
      • Documentation Links
        • Runtime
        • Terraform
    • Account alternate contact should be configured
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
      • Documentation Links
        • Runtime
    • Account alternate contact should be configured
      • Description
      • Remediation Steps
        • AWS Console
        • AWS CLI
      • Documentation Links
        • Runtime

Integrations

Contents

  • AWS CloudTrail Integration
  • AWS Security Hub Integration
© Fugue, Inc. 2022