Cloud Security

Available

AWS · Azure · OCI

IAM, logging, networking, data protection, and key management across AWS, Azure, and OCI — each control paired with a read-only command you can run yourself.

3 domains · 78 controls · 78 tests

Amazon Web Services (AWS)

31 controls
AWS-001 Root account MFA is enabled.
AWS-002 No access keys exist on the root account.
AWS-003 Root account is not used for day-to-day activity.
AWS-004 Strong IAM password policy is enforced.
AWS-005 MFA is enabled for all IAM users with console access.
AWS-006 No IAM identity has unrestricted administrator (*:*) policies beyond a justified few.
AWS-007 Active access keys are rotated at least every 90 days.
AWS-008 Credentials unused for 90+ days are disabled.
AWS-009 Permissions are granted via groups/roles, not directly to users.
AWS-010 CloudTrail is enabled in ALL regions with a multi-region trail.
AWS-011 CloudTrail log-file validation is enabled.
AWS-012 CloudTrail logs are encrypted with a KMS CMK.
AWS-013 AWS Config is enabled in all regions.
AWS-014 Amazon GuardDuty is enabled.
AWS-015 CloudWatch metric filters & alarms exist for critical events.
AWS-016 No Security Group allows unrestricted (0.0.0.0/0) ingress to SSH (22) or RDP (3389).
AWS-017 Default security group of every VPC restricts all traffic.
AWS-018 VPC Flow Logs are enabled on all VPCs.
AWS-019 No Security Group exposes database ports (3306/5432/1433/27017) to 0.0.0.0/0.
AWS-020 S3 Block Public Access is enabled at the account level.
AWS-021 No individual S3 bucket is publicly readable/writable.
AWS-022 S3 default encryption is enabled on all buckets.
AWS-023 EBS volume encryption-by-default is enabled per region.
AWS-024 RDS instances are encrypted at rest.
AWS-025 RDS instances are not publicly accessible.
AWS-026 Automatic rotation is enabled on KMS customer keys.
AWS-027 EC2 instances enforce IMDSv2 (token-required metadata).
AWS-028 Public-facing EC2 instances are intentional and minimal.
AWS-029 Lambda functions hold no secrets in plaintext env vars and use least-privilege roles.
AWS-030 ECR repositories have image scanning enabled.
AWS-031 EKS clusters log the control plane and restrict the public API endpoint.
Microsoft Azure

25 controls
AZ-001 MFA is enforced for all users, especially privileged roles.
AZ-002 Number of Global Administrators is limited (typically 2-4).
AZ-003 Privileged Identity Management (PIM) provides just-in-time elevation.
AZ-004 Legacy/basic authentication is blocked.
AZ-005 Guest user access and invitations are restricted.
AZ-006 Diagnostic settings ship Activity Logs to Log Analytics / storage with retention.
AZ-007 Microsoft Defender for Cloud is on the Standard/paid tier for key resource types.
AZ-008 Activity-log alerts exist for critical changes (NSG, security policy, Key Vault).
AZ-009 No NSG allows unrestricted inbound RDP (3389) from the internet.
AZ-010 No NSG allows unrestricted inbound SSH (22) from the internet.
AZ-011 NSG flow logs are enabled.
AZ-012 Storage accounts disallow public blob access.
AZ-013 Secure transfer (HTTPS-only) is required.
AZ-014 Storage account network rules default to Deny with explicit allow-lists.
AZ-015 Storage blob soft delete is enabled.
AZ-016 Key Vaults have soft-delete and purge protection enabled.
AZ-017 Key Vault network access is restricted (firewall / private endpoint).
AZ-018 VM OS and data disks are encrypted (ADE/CMK or platform encryption).
AZ-019 VMs use managed disks (not unmanaged page blobs).
AZ-020 Azure SQL auditing is enabled.
AZ-021 Transparent Data Encryption (TDE) is enabled.
AZ-022 SQL server firewall does not allow 0.0.0.0 (all internet).
AZ-023 Microsoft Defender for SQL (threat detection) is enabled.
AZ-024 Resource locks protect critical resources from deletion.
AZ-025 Azure Policy assigns guardrails for required configurations.
Oracle Cloud Infrastructure (OCI)

22 controls
OCI-001 MFA is enforced for all IAM users, especially administrators.
OCI-002 Customer secret keys / API keys are rotated regularly (<=90 days).
OCI-003 A strong password policy is configured.
OCI-004 Membership of the Administrators group is minimal.
OCI-005 IAM policies follow least privilege (no broad 'manage all-resources').
OCI-006 Audit log retention is set to the maximum (365 days).
OCI-007 Oracle Cloud Guard is enabled at tenancy root.
OCI-008 VCN Flow Logs are enabled.
OCI-009 Notifications/Events alert on IAM, network and policy changes.
OCI-010 Security lists do not allow unrestricted SSH (22) from 0.0.0.0/0.
OCI-011 Security lists do not allow unrestricted RDP (3389) from 0.0.0.0/0.
OCI-012 Default security list of each VCN restricts traffic.
OCI-013 No Object Storage bucket has public access.
OCI-014 Buckets use customer-managed encryption keys where required.
OCI-015 Versioning is enabled on sensitive buckets.
OCI-016 Vault keys have rotation configured.
OCI-017 Block volumes are encrypted (default or CMK).
OCI-018 Compute instances have no unintended public IPs.
OCI-019 Database systems use encryption / TDE.
OCI-020 Autonomous Database network access is restricted (private endpoint / ACLs).
OCI-021 Compartment structure and IAM boundaries isolate workloads.
OCI-022 Budget alerts detect anomalous spend (abuse indicator).