AC_AWS_0603 | Ensure that public access is not given to Amazon Relational Database Service (Amazon RDS) Instance | AWS | Compliance Validation | MEDIUM |
AC_AWS_0604 | Ensure S3 bucket encryption 'kms_master_key_id' is not empty or null | AWS | Data Protection | HIGH |
AC_AWS_0605 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0606 | Ensure MFA Delete is enabled on S3 buckets | AWS | Security Best Practices | HIGH |
AC_AWS_0607 | Ensure S3 Bucket Policy is set to deny HTTP requests | AWS | Infrastructure Security | HIGH |
AC_AWS_0608 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0609 | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | AWS | Infrastructure Security | HIGH |
AC_AWS_0610 | Ensure no security groups allow ingress from ::/0 to remote server administration ports | AWS | Infrastructure Security | HIGH |
AC_AWS_0611 | Ensure AWS Security Hub is enabled | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0612 | Ensure VPC flow logging is enabled in all VPCs | AWS | Logging and Monitoring | LOW |
AC_AWS_0613 | Ensure AWS Lambda function is configured with a Dead Letter Queue | AWS | Logging and Monitoring | LOW |
AC_AWS_0614 | Ensure AWS Lambda Functions have associated tags | AWS | Compliance Validation | LOW |
AC_AWS_0615 | Ensure AWS Lambda functions are configured to use provisioned concurrency | AWS | Resilience | LOW |
AC_AWS_0616 | Ensure Code Signing is enabled for AWS Lambda functions | AWS | Data Protection | HIGH |
AC_AWS_0618 | Ensure AuthType is set to 'AWS_IAM' for AWS Lambda function URLs | AWS | Identity and Access Management | MEDIUM |
AC_AWS_0619 | Ensure AWS Lambda function permissions have a source ARN specified | AWS | Identity and Access Management | MEDIUM |
AC_AWS_0620 | Ensure there is no policy with wildcards (*) used in principal for Amazon Simple Notification Service (SNS) Topic | AWS | Identity and Access Management | LOW |
AC_AWS_0626 | Ensure CloudTrail is enabled in all regions | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0627 | Ensure IAM Users Receive Permissions Only Through Groups | AWS | Identity and Access Management | MEDIUM |
AC_AWS_0628 | Ensure AuthType is set to 'AWS_IAM' for AWS Lambda function URLs | AWS | Identity and Access Management | MEDIUM |
AC_AWS_0631 | Ensure AWS Security Hub is enabled | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0632 | Ensure AWS Config is enabled in all regions | AWS | Logging and Monitoring | HIGH |
AC_AWS_0633 | Ensure that IAM Access analyzer is enabled for all regions | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0634 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | AWS | Compliance Validation | HIGH |
AC_AWS_0646 | Ensure S3 Bucket Policy is set to deny HTTP requests | AWS | Infrastructure Security | HIGH |
AC_AZURE_0001 | Ensure SQL Server Threat Detection Retention is set to a value greater than 90 days for Azure SQL Database | Azure | Logging and Monitoring | MEDIUM |
AC_AZURE_0002 | Ensure notification email setting is enabled for Azure SQL Database Threat Detection Policy | Azure | Logging and Monitoring | LOW |
AC_AZURE_0003 | Ensure that 'Threat Detection' is enabled for Azure SQL Database | Azure | Logging and Monitoring | MEDIUM |
AC_AZURE_0019 | Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | Azure | Compliance Validation | MEDIUM |
AC_AZURE_0021 | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | Azure | Data Protection | MEDIUM |
AC_AZURE_0025 | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | Azure | Infrastructure Security | HIGH |
AC_AZURE_0026 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Azure | Data Protection | HIGH |
AC_AZURE_0028 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Azure | Data Protection | HIGH |
AC_AZURE_0036 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | Azure | Data Protection | MEDIUM |
AC_AZURE_0038 | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | Azure | Identity and Access Management | MEDIUM |
AC_AZURE_0039 | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | Azure | Identity and Access Management | MEDIUM |
AC_AZURE_0040 | Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | Azure | Identity and Access Management | MEDIUM |
AC_AZURE_0044 | Ensure that Azure Active Directory Admin is Configured for SQL Servers | Azure | Identity and Access Management | HIGH |
AC_AZURE_0045 | Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) | Azure | Infrastructure Security | MEDIUM |
AC_AZURE_0046 | Ensure 'Additional email addresses' is Configured with a Security Contact Email | Azure | Logging and Monitoring | MEDIUM |
AC_AZURE_0047 | Ensure That 'All users with the following roles' is set to 'Owner' | Azure | Logging and Monitoring | MEDIUM |
AC_AZURE_0048 | Ensure That 'Notify about alerts with the following severity' is Set to 'High' | Azure | Logging and Monitoring | MEDIUM |
AC_AZURE_0053 | Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | Azure | Infrastructure Security | HIGH |
AC_AZURE_0058 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Azure | Resilience | MEDIUM |
AC_AZURE_0059 | Ensure that HTTP(S) access from the Internet is evaluated and restricted | Azure | Infrastructure Security | LOW |
AC_AZURE_0060 | Ensure that UDP access from the Internet is evaluated and restricted | Azure | Infrastructure Security | HIGH |
AC_AZURE_0061 | Ensure that SSH access from the Internet is evaluated and restricted | Azure | Infrastructure Security | HIGH |
AC_AZURE_0062 | Ensure that RDP access from the Internet is evaluated and restricted | Azure | Infrastructure Security | HIGH |
AC_AZURE_0066 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | Azure | Data Protection | MEDIUM |
AC_AZURE_0069 | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | Azure | Logging and Monitoring | MEDIUM |