Disable Old CIS Policies - Legacy Policies and Reports
When you select Disable old CIS policies in the Lacework Console (Settings > General > Disable old CIS policies), the following policies and reports are disabled indefinitely for the selected cloud vendor.
Note: All AWS/GCP policies and reports listed will be deprecated on 28th February 2023. All Azure policies and reports listed will be deprecated on 31st March 2023.
Legacy AWS Policies
Core Policies for AWS CIS 1.1.0
Lacework Policy ID | Description |
---|---|
AWS_CIS_1_1 | Avoid the use of the "root" account |
AWS_CIS_1_2 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password |
AWS_CIS_1_3 | Ensure credentials unused for 90 days or greater are disabled |
AWS_CIS_1_4 | Ensure access keys are rotated every 90 days or less |
AWS_CIS_1_5 | Ensure IAM password policy requires at least one uppercase letter |
AWS_CIS_1_6 | Ensure IAM password policy requires at least one lowercase letter |
AWS_CIS_1_7 | Ensure IAM password policy requires at least one symbol |
AWS_CIS_1_8 | Ensure IAM password policy requires at least one number |
AWS_CIS_1_9 | Ensure IAM password policy requires minimum length of 14 or greater |
AWS_CIS_1_10 | Ensure IAM password policy prevents password reuse |
AWS_CIS_1_11 | Ensure IAM password policy expires passwords within 90 days or less |
AWS_CIS_1_12 | Ensure no root account access key exists |
AWS_CIS_1_13 | Ensure MFA is enabled for the "root" account |
AWS_CIS_1_14 | Ensure hardware MFA is enabled for the "root" account |
AWS_CIS_1_15 | Ensure security questions are registered in the AWS account |
AWS_CIS_1_16 | Ensure IAM policies are attached only to groups or roles |
AWS_CIS_1_17 | Enable detailed billing |
AWS_CIS_1_19 | Maintain current contact details |
AWS_CIS_1_20 | Ensure security contact information is registered |
AWS_CIS_1_21 | Ensure IAM instance roles are used for AWS resource access from instances |
AWS_CIS_1_22 | Ensure a support role has been created to manage incidents with AWS Support |
AWS_CIS_1_23 | Do not set up access keys during initial user setup for all IAM users that have a console password |
AWS_CIS_1_24 | Ensure IAM policies that allow full "*:*" administrative privileges are not created |
AWS_CIS_2_1 | Ensure CloudTrail is enabled in all regions |
AWS_CIS_2_2 | Accounts, Regions, Trail Name |
AWS_CIS_2_3 | Ensure the S3 bucket that CloudTrail logs to is not publicly accessible |
AWS_CIS_2_4 | Accounts, Regions, Trail Name |
AWS_CIS_2_5 | Accounts, Regions, Recorder Name |
AWS_CIS_2_6 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
AWS_CIS_2_7 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
AWS_CIS_2_8 | Ensure rotation for customer created CMKs is enabled |
AWS_CIS_2_9 | Ensure Flow Logging for VPC is enabled and active |
AWS_CIS_3_1 | Ensure a log metric filter and alarm exist for unauthorized API calls |
AWS_CIS_3_2 | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA |
AWS_CIS_3_3 | Ensure a log metric filter and alarm exist for usage of "root" account |
AWS_CIS_3_4 | Ensure a log metric filter and alarm exist for IAM policy changes |
AWS_CIS_3_5 | Ensure a log metric filter and alarm exist for CloudTrail configuration changes |
AWS_CIS_3_6 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures |
AWS_CIS_3_7 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs |
AWS_CIS_3_8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes |
AWS_CIS_3_9 | Ensure a log metric filter and alarm exist for AWS Config configuration changes |
AWS_CIS_3_10 | Ensure a log metric filter and alarm exist for security group changes |
AWS_CIS_3_11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
AWS_CIS_3_12 | Ensure a log metric filter and alarm exist for changes to network gateways |
AWS_CIS_3_13 | Ensure a log metric filter and alarm exist for route table changes |
AWS_CIS_3_14 | Ensure a log metric filter and alarm exist for VPC changes |
AWS_CIS_3_15 | Ensure appropriate subscribers to each SNS topic |
AWS_CIS_4_1 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 |
AWS_CIS_4_2 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 |
AWS_CIS_4_4 | Ensure the default security group of every VPC restricts all traffic |
AWS_CIS_4_5 | Ensure routing tables for VPC peering are "least access" |
Lacework Custom Policies for Amazon S3
Lacework Policy ID | Description |
---|---|
LW_S3_1 | Ensure the S3 bucket ACL does not grant 'Everyone' READ permission [list S3 objects] |
LW_S3_2 | Ensure the S3 bucket ACL does not grant 'Everyone' WRITE permission [create, overwrite, and delete S3 objects] |
LW_S3_3 | Ensure the S3 bucket ACL does not grant 'Everyone' READ_ACP permission [read bucket ACL] |
LW_S3_4 | Ensure the S3 bucket ACL does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL] |
LW_S3_5 | Ensure the S3 bucket ACL does not grant 'Everyone' FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] |
LW_S3_6 | Ensure the S3 bucket ACL does not grant AWS users READ permission [list S3 objects] |
LW_S3_7 | Ensure the S3 bucket ACL does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects] |
LW_S3_8 | Ensure the S3 bucket ACL does not grant AWS users READ_ACP permission [read bucket ACL] |
LW_S3_9 | Ensure the S3 bucket ACL does not grant AWS users WRITE_ACP permission [modify bucket ACL] |
LW_S3_10 | Ensure the S3 bucket ACL does not grant AWS users FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] |
LW_S3_11 | Ensure the attached S3 bucket policy does not grant 'Allow' permission to everyone |
LW_S3_12 | Ensure the S3 bucket requires MFA to delete objects |
LW_S3_13 | Ensure the S3 bucket has access logging enabled |
LW_S3_14 | Ensure all data stored in the S3 bucket is securely encrypted at rest |
LW_S3_15 | Ensure all data is transported from the S3 bucket securely |
LW_S3_16 | Ensure the S3 bucket has versioning enabled |
LW_S3_17 | Ensure the S3 bucket access is restricted to a whitelist of IP networks |
LW_S3_18 | Ensure the attached S3 bucket policy does not grant global 'Get' permission |
LW_S3_19 | Ensure the attached S3 bucket policy does not grant global 'Delete' permission |
LW_S3_20 | Ensure the attached S3 bucket policy does not grant global 'List' permission |
LW_S3_21 | Ensure the attached S3 bucket policy does not grant global 'Put' permission |
Lacework Custom Policies for AWS IAM
Lacework Policy ID | Description |
---|---|
LW_AWS_IAM_1 | Ensure access keys are rotated every 30 days or less |
LW_AWS_IAM_2 | Ensure access keys are rotated every 45 days or less |
LW_AWS_IAM_3 | Ensure public ssh keys are rotated every 30 days or less |
LW_AWS_IAM_4 | Ensure public ssh keys are rotated every 45 days or less |
LW_AWS_IAM_5 | Ensure public ssh keys are rotated every 90 days or less |
LW_AWS_IAM_6 | Ensure active access keys are used every 90 days or less |
LW_AWS_IAM_7 | IAM users should not have been inactive for 30 days or more |
LW_AWS_IAM_8 | Ensure IAM configuration has a valid Identity Providers configuration |
LW_AWS_IAM_9 | Ensure IAM roles restrict access to a whitelist of IP networks |
LW_AWS_IAM_10 | Ensure IAM users restrict access to a whitelist of IP networks |
LW_AWS_IAM_11 | Ensure non-root user exists in the account |
LW_AWS_IAM_12 | Ensure access keys are rotated every 350 days or less |
LW_AWS_IAM_13 | Ensure access keys are rotated every 180 days or less |
LW_AWS_IAM_14 | No IAM users with password-based console access should exist |
Lacework Custom Policies for AWS General Security
Lacework Policy ID | Description |
---|---|
LW_AWS_GENERAL_SECURITY_1 | EC2 instance does not have any tags |
LW_AWS_GENERAL_SECURITY_2 | Ensure EBS Volumes are Encrypted |
LW_AWS_GENERAL_SECURITY_3 | Ensure No Public EBS Snapshots |
LW_AWS_GENERAL_SECURITY_4 | Ensure RDS database is encrypted with customer managed KMS key |
LW_AWS_GENERAL_SECURITY_5 | Ensure Redshift Cluster is encrypted |
LW_AWS_GENERAL_SECURITY_6 | Ensure no server certificate has been uploaded before Heartbleed vulnerability |
LW_AWS_GENERAL_SECURITY_7 | Ensure ELB has latest Secure Cipher policies Configured for Session Encryption |
LW_AWS_GENERAL_SECURITY_8 | Ensure ELB is not affected by POODLE Vulnerability (CVE-2014-3566) |
Lacework Custom Policies for AWS Networking
Lacework Policy ID | Description |
---|---|
LW_AWS_NETWORKING_1 | Security groups are not attached to an in-use network interface |
LW_AWS_NETWORKING_2 | Network ACLs do not allow unrestricted inbound traffic |
LW_AWS_NETWORKING_3 | Network ACLs do not allow unrestricted outbound traffic |
LW_AWS_NETWORKING_4 | AWS VPC endpoints should not be exposed |
LW_AWS_NETWORKING_5 | Security Group should not be open to all (unrestricted) |
LW_AWS_NETWORKING_6 | Security Group should not accept traffic other than 80 and 443 |
LW_AWS_NETWORKING_7 | Unrestricted Security Group should not be attached to EC2 instance |
LW_AWS_NETWORKING_8 | Unrestricted Security Group should not be attached to RDS database |
LW_AWS_NETWORKING_9 | Unrestricted Security Group should not be attached to Network Interface |
LW_AWS_NETWORKING_10 | Unrestricted Security Group should not be attached to Classical Load Balancer |
LW_AWS_NETWORKING_11 | Unrestricted Security Group should not be attached to Application Load Balancer |
LW_AWS_NETWORKING_12 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 9300 (Elasticsearch) |
LW_AWS_NETWORKING_13 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5601 (Kibana) |
LW_AWS_NETWORKING_14 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 6379 (Redis) |
LW_AWS_NETWORKING_15 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 2379 (etcd) |
LW_AWS_NETWORKING_16 | ELB SSL Certificate expires in 5 Days |
LW_AWS_NETWORKING_17 | ELB SSL Certificate expires in 45 Days |
LW_AWS_NETWORKING_18 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 23 (Telnet) |
LW_AWS_NETWORKING_19 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows RPC) |
LW_AWS_NETWORKING_20 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows SMB) |
LW_AWS_NETWORKING_21 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 3306 (MySQL) |
LW_AWS_NETWORKING_22 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5432 (PostgreSQL) |
LW_AWS_NETWORKING_23 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 1433 (SQLServer) |
LW_AWS_NETWORKING_24 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 1434 (SQLServer) |
LW_AWS_NETWORKING_25 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (MSQL) |
LW_AWS_NETWORKING_26 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (VNC Listener) |
LW_AWS_NETWORKING_27 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (VNC Server) |
LW_AWS_NETWORKING_28 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 137 (NetBIOS) |
LW_AWS_NETWORKING_29 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 138 (NetBIOS) |
LW_AWS_NETWORKING_30 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 445 (CIFS) |
LW_AWS_NETWORKING_31 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 21 (FTP) |
LW_AWS_NETWORKING_32 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 20 (FTP-Data) |
LW_AWS_NETWORKING_33 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 25 (SMTP) |
LW_AWS_NETWORKING_34 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 53 (DNS) |
LW_AWS_NETWORKING_35 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 53 (DNS) |
LW_AWS_NETWORKING_36 | Security group attached to EC2 instance should not allow inbound traffic from all to All Ports |
LW_AWS_NETWORKING_37 | Redshift Cluster should not be Publicly Accessible |
LW_AWS_NETWORKING_38 | ELB Security Group should have Outbound Rules attached to it |
LW_AWS_NETWORKING_39 | ELB should not use insecure Cipher(s) |
LW_AWS_NETWORKING_40 | EC2 instance should be deployed in EC2-VPC platform |
LW_AWS_NETWORKING_41 | CloudFront Origin Protocol Policy should use https-only |
LW_AWS_NETWORKING_42 | CloudFront Origin SSL Protocols should not use insecure Cipher(s) |
LW_AWS_NETWORKING_43 | Security group should not allow inbound traffic from all to all ICMP |
LW_AWS_NETWORKING_44 | ELB should have VPC ingress security group |
LW_AWS_NETWORKING_45 | Classic LBs should have a valid and secure security group |
LW_AWS_NETWORKING_46 | No Default VPC should be present in an AWS account |
LW_AWS_NETWORKING_47 | EC2 instances should not have a Public IP address attached |
LW_AWS_NETWORKING_48 | Attached VPC CIDR block(s) should be in whitelist |
LW_AWS_NETWORKING_49 | Load Balancers should have Access Logs enabled |
LW_AWS_NETWORKING_50 | CloudFront View Protocol Policy should use https-only |
LW_AWS_NETWORKING_51 | ELBs should have a valid and secure security group |
Lacework Custom Policies for AWS Serverless
Lacework Policy ID | Description |
---|---|
LW_AWS_SERVERLESS_1 | Lambda Function should not have Admin Privileges |
LW_AWS_SERVERLESS_2 | Lambda Function should not have Cross Account Access |
LW_AWS_SERVERLESS_3 | Lambda Function should not have Same IAM Role for more than one lambda function |
LW_AWS_SERVERLESS_4 | Lambda Function should have tracing enabled |
LW_AWS_SERVERLESS_5 | Lambda Function should not have VPC access |
Legacy AWS Reports
- AWS CIS Benchmark and S3 Report
- AWS HIPAA Report
- AWS ISO 27001:2013 Report
- AWS NIST 800-171 Report
- AWS NIST 800-53 Report
- AWS PCI DSS Report
- AWS SOC 2 Report
- AWS SOC 2 Report Rev2
Legacy Azure Policies
Azure CIS 1.0 Policies
Lacework Policy ID | Description |
---|---|
Azure_CIS_1_1 | Ensure that multi-factor authentication is enabled for all privileged users |
Azure_CIS_1_2 | Ensure that multi-factor authentication is enabled for all non-privileged users |
Azure_CIS_1_3 | Ensure that there are no guest users |
Azure_CIS_1_4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' |
Azure_CIS_1_5 | Ensure that 'Number of methods required to reset' is set to '2' |
Azure_CIS_1_6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' |
Azure_CIS_1_7 | Ensure that 'Notify users on password resets?' is set to 'Yes' |
Azure_CIS_1_8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' |
Azure_CIS_1_9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' |
Azure_CIS_1_10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' |
Azure_CIS_1_11 | Ensure that 'Users can register applications' is set to 'No' |
Azure_CIS_1_12 | Ensure that 'Guest users permissions are limited' is set to 'Yes' |
Azure_CIS_1_13 | Ensure that 'Members can invite' is set to 'No' |
Azure_CIS_1_14 | Ensure that 'Guests can invite' is set to 'No' |
Azure_CIS_1_15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' |
Azure_CIS_1_16 | Ensure that 'Self-service group management enabled' is set to 'No' |
Azure_CIS_1_17 | Ensure that 'Users can create security groups' is set to 'No' |
Azure_CIS_1_19 | Ensure that 'Users can create Office 365 groups' is set to 'No' |
Azure_CIS_2_1 | Ensure that standard pricing tier is selected |
Azure_CIS_2_3 | Ensure that 'System updates' is set to 'On' |
Azure_CIS_2_5 | Ensure that 'Endpoint protection' is set to 'On' |
Azure_CIS_2_6 | Ensure that 'Disk encryption' is set to 'On' |
Azure_CIS_2_7 | Ensure that 'Network security groups' is set to 'On' |
Azure_CIS_2_8 | Ensure that 'Web application firewall' is set to 'On' |
Azure_CIS_2_9 | Ensure that 'Next generation firewall' is set to 'On' |
Azure_CIS_2_10 | Ensure that 'Vulnerability assessment' is set to 'On' |
Azure_CIS_2_11 | Ensure that 'Storage Encryption' is set to 'On' |
Azure_CIS_2_12 | Ensure that 'JIT Network Access' is set to 'On' |
Azure_CIS_2_13 | Ensure that 'Adaptive Application Controls' is set to 'On' |
Azure_CIS_2_14 | Ensure that 'SQL auditing & Threat detection' is set to 'On' |
Azure_CIS_2_15 | Ensure that 'SQL Encryption' is set to 'On' |
Azure_CIS_2_16 | Ensure that 'Security contact emails' is set |
Azure_CIS_2_17 | Ensure that security contact 'Phone number' is set |
Azure_CIS_2_18 | Ensure that 'Send me emails about alerts' is set to 'On' |
Azure_CIS_2_19 | Ensure that 'Send email also to subscription owners' is set to 'On' |
Azure_CIS_3_1 | Ensure that 'Secure transfer required' is set to 'Enabled' |
Azure_CIS_3_2 | Ensure that 'Storage service encryption' is set to Enabled for Blob Service |
Azure_CIS_3_3 | Ensure that storage account access keys are periodically regenerated |
Azure_CIS_3_4 | Ensure that shared access signature tokens expire within an hour |
Azure_CIS_3_5 | Ensure that shared access signature tokens are allowed only over https |
Azure_CIS_3_6 | Ensure that 'Storage service encryption' is set to Enabled for File Service |
Azure_CIS_3_7 | Ensure that 'Public access level' is set to Private for blob containers |
Azure_CIS_4_1_1 | Ensure that 'Auditing' is set to 'On' |
Azure_CIS_4_1_2 | Ensure that 'Threat Detection' is set to 'On' |
Azure_CIS_4_1_3 | Ensure that 'Threat Detection types' is set to 'All' |
Azure_CIS_4_1_4 | Ensure that 'Send alerts to' is set |
Azure_CIS_4_1_5 | Ensure that 'Email service and co-administrators' is 'Enabled' |
Azure_CIS_4_1_6 | Ensure that 'Auditing' Retention is 'greater than 90 days' |
Azure_CIS_4_1_7 | Ensure that 'Threat Detection' Retention is 'greater than 90 days' |
Azure_CIS_4_1_8 | Ensure that Azure Active Directory Admin is configured |
Azure_CIS_4_2_1 | Ensure that 'Auditing' is set to 'On' |
Azure_CIS_4_2_2 | Ensure that 'Threat Detection' is set to 'On' |
Azure_CIS_4_2_3 | Ensure that 'Threat Detection types' is set to 'All' |
Azure_CIS_4_2_4 | Ensure that 'Send alerts to' is set |
Azure_CIS_4_2_5 | Ensure that 'Email service and co-administrators' is 'Enabled' |
Azure_CIS_4_2_6 | Ensure that 'Data encryption' is set to 'On' |
Azure_CIS_4_2_7 | Ensure that 'Auditing' Retention is 'greater than 90 days' |
Azure_CIS_4_2_8 | Ensure that 'Threat' Retention is 'greater than 90 days' |
Azure_CIS_5_1 | Ensure that a Log Profile exists |
Azure_CIS_5_2 | Ensure that Activity Log Retention is set to 365 days or greater |
Azure_CIS_5_3 | Ensure that Activity Log Alert exists for Create Policy Assignment |
Azure_CIS_5_4 | Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Azure_CIS_5_5 | Ensure that Activity Log Alert exists for Delete Network Security Group |
Azure_CIS_5_6 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Azure_CIS_5_7 | Ensure that Activity Log Alert exists for Delete Network Security Group Rule |
Azure_CIS_5_8 | Ensure that Activity Log Alert exists for Create or Update Security Solution |
Azure_CIS_5_9 | Ensure that Activity Log Alert exists for Delete Security Solution |
Azure_CIS_5_10 | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule |
Azure_CIS_5_11 | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
Azure_CIS_5_12 | Ensure that Activity Log Alert exists for Update Security Policy |
Azure_CIS_5_13 | Ensure that logging for Azure KeyVault is 'Enabled' |
Azure_CIS_6_1 | Ensure that RDP access is restricted from the internet |
Azure_CIS_6_2 | Ensure that SSH access is restricted from the internet |
Azure_CIS_6_3 | Ensure that SQL server access is restricted from the internet |
Azure_CIS_6_4 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' |
Azure_CIS_6_5 | Ensure that Network Watcher is 'Enabled' |
Azure_CIS_7_1 | Ensure that VM agent is installed |
Azure_CIS_7_2 | Ensure that 'OS disks' are encrypted |
Azure_CIS_7_3 | Ensure that 'Data disks' are encrypted |
Azure_CIS_7_4 | Ensure that only approved extensions are installed |
Azure_CIS_7_5 | Ensure that the latest OS Patches for all Virtual Machines are applied |
Azure_CIS_7_6 | Ensure that the endpoint protection for all Virtual Machines is installed |
Azure_CIS_8_1 | Ensure that the expiry date is set on all Keys |
Azure_CIS_8_2 | Ensure that the expiry date is set on all Secrets |
Azure_CIS_8_3 | Ensure that Resource Locks are set for mission critical Azure resources |
Azure CIS 1.3.1 Policies
Lacework Policy ID | Description |
---|---|
Azure_CIS_131_1_1 | Ensure that multi-factor authentication is enabled for all privileged users |
Azure_CIS_131_1_2 | Ensure that multi-factor authentication is enabled for all non-privileged users |
Azure_CIS_131_1_3 | Ensure guest users are reviewed on a monthly basis |
Azure_CIS_131_1_4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' |
Azure_CIS_131_1_5 | Ensure that 'Number of methods required to reset' is set to '2' |
Azure_CIS_131_1_6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' |
Azure_CIS_131_1_7 | Ensure that 'Notify users on password resets?' is set to 'Yes' |
Azure_CIS_131_1_8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' |
Azure_CIS_131_1_9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' |
Azure_CIS_131_1_10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' |
Azure_CIS_131_1_11 | Ensure that 'Users can register applications' is set to 'No' |
Azure_CIS_131_1_12 | Ensure that 'Guest users permissions are limited' is set to 'Yes' |
Azure_CIS_131_1_13 | Ensure that 'Members can invite' is set to 'No' |
Azure_CIS_131_1_14 | Ensure that 'Guests can invite' is set to 'No' |
Azure_CIS_131_1_15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' |
Azure_CIS_131_1_16 | Ensure that 'Restrict user ability to access groups features in the Access Panel' is set to 'No' |
Azure_CIS_131_1_17 | Ensure that 'Users can create security groups in Azure Portals' is set to 'No' |
Azure_CIS_131_1_18 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' |
Azure_CIS_131_1_19 | Ensure that 'Users can create Office 365 groups' is set to 'No' |
Azure_CIS_131_1_20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' |
Azure_CIS_131_1_21 | Ensure that no custom subscription owner roles are created |
Azure_CIS_131_1_22 | Ensure Security Defaults is enabled on Azure Active Directory |
Azure_CIS_131_1_23 | Ensure Custom Role is assigned for Administering Resource Locks |
Azure_CIS_131_2_1 | Ensure that Azure Defender is set to On for Servers |
Azure_CIS_131_2_2 | Ensure that Azure Defender is set to On for App Service |
Azure_CIS_131_2_3 | Ensure that Azure Defender is set to On for Azure SQL database servers |
Azure_CIS_131_2_4 | Ensure that Azure Defender is set to On for SQL servers on machines |
Azure_CIS_131_2_5 | Ensure that Azure Defender is set to On for Storage |
Azure_CIS_131_2_6 | Ensure that Azure Defender is set to On for Kubernetes |
Azure_CIS_131_2_7 | Ensure that Azure Defender is set to On for Container Registries |
Azure_CIS_131_2_8 | Ensure that Azure Defender is set to On for Key Vault |
Azure_CIS_131_2_9 | Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected |
Azure_CIS_131_2_10 | Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected |
Azure_CIS_131_2_11 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' |
Azure_CIS_131_2_12 | Ensure that none of the ASC Default policy settings is set to 'Disabled' |
Azure_CIS_131_2_13 | Ensure 'Additional email addresses' is configured with a security contact email |
Azure_CIS_131_2_14 | Ensure that 'Notify about alerts with the following severity' is set to 'High' |
Azure_CIS_131_2_15 | Ensure that 'All users with the following roles' is set to 'Owner' |
Azure_CIS_131_3_1 | Ensure that 'Secure transfer required' is set to 'Enabled' |
Azure_CIS_131_3_2 | Ensure that storage account access keys are periodically regenerated |
Azure_CIS_131_3_3 | Ensure Storage logging is enabled for Queue service for read, write, and delete requests |
Azure_CIS_131_3_4 | Ensure that shared access signature tokens expire within an hour |
Azure_CIS_131_3_5 | Ensure that 'Public access level' is set to Private for blob containers |
Azure_CIS_131_3_6 | Ensure default network access rule for Storage Accounts is set to deny |
Azure_CIS_131_3_7 | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access |
Azure_CIS_131_3_8 | Ensure soft delete is enabled for Azure Storage |
Azure_CIS_131_3_9 | Ensure storage for critical data is encrypted with a Customer Managed Key |
Azure_CIS_131_3_10 | Ensure Storage logging is enabled for Blob service for read, write, and delete requests |
Azure_CIS_131_3_11 | Ensure Storage logging is enabled for Table service for read, write, and delete requests |
Azure_CIS_131_4_1_1 | Ensure that 'Auditing' is set to 'On' |
Azure_CIS_131_4_1_2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database |
Azure_CIS_131_4_1_3 | Ensure that 'Auditing' Retention is 'greater than 90 days' |
Azure_CIS_131_4_2_1 | Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' |
Azure_CIS_131_4_2_2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
Azure_CIS_131_4_2_3 | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Azure_CIS_131_4_2_4 | Ensure that VA setting Send scan reports to is configured for a SQL server |
Azure_CIS_131_4_2_5 | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server |
Azure_CIS_131_4_3_1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Azure_CIS_131_4_3_2 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server |
Azure_CIS_131_4_3_3 | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server |
Azure_CIS_131_4_3_4 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server |
Azure_CIS_131_4_3_5 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server |
Azure_CIS_131_4_3_6 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server |
Azure_CIS_131_4_3_7 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server |
Azure_CIS_131_4_3_8 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
Azure_CIS_131_4_4 | Ensure that Azure Active Directory Admin is configured |
Azure_CIS_131_4_5 | Ensure SQL server's TDE protector is encrypted with Customer-managed key |
Azure_CIS_131_5_1_1 | Ensure that a 'Diagnostics Setting' exists |
Azure_CIS_131_5_1_2 | Ensure Diagnostic Setting captures appropriate categories |
Azure_CIS_131_5_1_3 | Ensure the storage container storing the activity logs is not publicly accessible |
Azure_CIS_131_5_1_4 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Bring Your Own Key) |
Azure_CIS_131_5_1_5 | Ensure that logging for Azure KeyVault is 'Enabled' |
Azure_CIS_131_5_2_1 | Ensure that Activity Log Alert exists for Create Policy Assignment |
Azure_CIS_131_5_2_2 | Ensure that Activity Log Alert exists for Delete Policy Assignment |
Azure_CIS_131_5_2_3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Azure_CIS_131_5_2_4 | Ensure that Activity Log Alert exists for Delete Network Security Group |
Azure_CIS_131_5_2_5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule |
Azure_CIS_131_5_2_6 | Ensure that activity log alert exists for the Delete Network Security Group Rule |
Azure_CIS_131_5_2_7 | Ensure that Activity Log Alert exists for Create or Update Security Solution |
Azure_CIS_131_5_2_8 | Ensure that Activity Log Alert exists for Delete Security Solution |
Azure_CIS_131_5_2_9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule |
Azure_CIS_131_5_3 | Ensure that Diagnostic Logs are enabled for all services which support it |
Azure_CIS_131_6_1 | Ensure that RDP access is restricted from the internet |
Azure_CIS_131_6_2 | Ensure that SSH access is restricted from the internet |
Azure_CIS_131_6_3 | Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) |
Azure_CIS_131_6_4 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' |
Azure_CIS_131_6_5 | Ensure that Network Watcher is 'Enabled' |
Azure_CIS_131_6_6 | Ensure that UDP Services are restricted from the Internet |
Azure_CIS_131_7_1 | Ensure Virtual Machines are utilizing Managed Disks |
Azure_CIS_131_7_2 | Ensure that 'OS and Data' disks are encrypted with CMK |
Azure_CIS_131_7_3 | Ensure that 'Unattached disks' are encrypted with CMK |
Azure_CIS_131_7_4 | Ensure that only approved extensions are installed |
Azure_CIS_131_7_5 | Ensure that the latest OS Patches for all Virtual Machines are applied |
Azure_CIS_131_7_6 | Ensure that the endpoint protection for all Virtual Machines is installed |
Azure_CIS_131_7_7 | Ensure that VHDs are encrypted |
Azure_CIS_131_8_1 | Ensure that the expiration date is set on all Keys |
Azure_CIS_131_8_2 | Ensure that the expiration date is set on all Secrets |
Azure_CIS_131_8_3 | Ensure that Resource Locks are set for mission critical Azure resources |
Azure_CIS_131_8_4 | Ensure the key vault is recoverable |
Azure_CIS_131_8_5 | Enable role-based access control (RBAC) within Azure Kubernetes Services |
Azure_CIS_131_9_1 | Ensure App Service Authentication is set on Azure App Service |
Azure_CIS_131_9_2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Azure_CIS_131_9_3 | Ensure web app is using the latest version of TLS encryption |
Azure_CIS_131_9_4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' |
Azure_CIS_131_9_5 | Ensure that Register with Azure Active Directory is enabled on App Service |
Azure_CIS_131_9_6 | Ensure that 'PHP version' is the latest, if used to run the web app |
Azure_CIS_131_9_7 | Ensure that 'Python version' is the latest, if used to run the web app |
Azure_CIS_131_9_8 | Ensure that 'Java version' is the latest, if used to run the web app |
Azure_CIS_131_9_9 | Ensure that 'HTTP Version' is the latest, if used to run the web app |
Azure_CIS_131_9_10 | Ensure FTP deployments are disabled |
Azure_CIS_131_9_11 | Ensure Azure Keyvaults are used to store secrets |
Legacy Azure Reports
- Azure CIS Benchmark 1.3.1
- Azure HIPAA Report
- Azure ISO 27001 Report
- Azure NIST 800-171 Rev2 Report
- Azure NIST 800-53 Rev5 Report
- Azure NIST CSF Report
- Azure PCI Benchmark Rev2
- Azure SOC 2 Report Rev2
- Azure CIS Benchmark
- Azure PCI Benchmark
- Azure SOC 2 Report
Legacy GCP Policies
GCP CIS 1.0 Policies
Lacework Policy ID | Description |
---|---|
GCP_CIS_1_1 | Ensure that corporate login credentials are used instead of Gmail accounts |
GCP_CIS_1_2 | Ensure that multi-factor authentication is enabled for all non-service accounts |
GCP_CIS_1_3 | Ensure that there are only GCP-managed service account keys for each service account |
GCP_CIS_1_4 | Ensure that ServiceAccount has no Admin privileges |
GCP_CIS_1_5 | Ensure that IAM users are not assigned Service Account User role at project level |
GCP_CIS_1_6 | Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
GCP_CIS_1_7 | Ensure that Separation of duties is enforced while assigning service account related roles to users |
GCP_CIS_1_8 | Ensure Encryption keys are rotated within a period of 365 days |
GCP_CIS_1_9 | Ensure that Separation of duties is enforced while assigning KMS related roles to users |
GCP_CIS_1_10 | Ensure API keys are not created for a project |
GCP_CIS_1_11 | Ensure API keys are restricted to use by only specified Hosts and Apps |
GCP_CIS_1_12 | Ensure API keys are restricted to only APIs that application needs access |
GCP_CIS_1_13 | Ensure API keys are rotated every 90 days |
GCP_CIS_2_1 | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
GCP_CIS_2_2 | Ensure that sinks are configured for all Log entries |
GCP_CIS_2_3 | Ensure that object versioning is enabled on log-buckets |
GCP_CIS_2_4 | Ensure log metric filter and alerts exist for Project Ownership assignments/changes |
GCP_CIS_2_5 | Ensure log metric filter and alerts exist for Audit Configuration Changes |
GCP_CIS_2_6 | Ensure log metric filter and alerts exist for Custom Role changes |
GCP_CIS_2_7 | Ensure log metric filter and alerts exist for VPC Network Firewall rule changes |
GCP_CIS_2_8 | Ensure log metric filter and alerts exist for VPC network route changes |
GCP_CIS_2_9 | Ensure log metric filter and alerts exist for VPC network changes |
GCP_CIS_2_10 | Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes |
GCP_CIS_2_11 | Ensure log metric filter and alerts exist for SQL instance configuration changes |
GCP_CIS_3_1 | Ensure the default network does not exist in a project |
GCP_CIS_3_2 | Ensure legacy networks do not exist for a project |
GCP_CIS_3_3 | Ensure that DNSSEC is enabled for Cloud DNS |
GCP_CIS_3_4 | Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC |
GCP_CIS_3_5 | Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC |
GCP_CIS_3_6 | Ensure that SSH access is restricted from the internet |
GCP_CIS_3_7 | Ensure that RDP access is restricted from the internet |
GCP_CIS_3_8 | Ensure Private Google Access is enabled for all subnetworks in VPC Network |
GCP_CIS_4_1 | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
GCP_CIS_4_2 | Ensure 'Block Project-wide SSH keys' enabled for VM instances |
GCP_CIS_4_3 | Ensure oslogin is enabled for a Project |
GCP_CIS_4_4 | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
GCP_CIS_4_5 | Ensure that IP forwarding is not enabled on Instances |
GCP_CIS_4_6 | Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys |
GCP_CIS_5_1 | Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
GCP_CIS_5_2 | Ensure that there are no publicly accessible objects in storage buckets |
GCP_CIS_5_3 | Ensure that logging is enabled for Cloud storage buckets |
GCP_CIS_6_1 | Ensure that Cloud SQL database instance requires all incoming connections to use SSL |
GCP_CIS_6_2 | Ensure that Cloud SQL database Instances are not open to the world |
GCP_CIS_6_3 | Ensure that MySql database instance does not allow anyone to connect with administrative privileges |
GCP_CIS_6_4 | Ensure that MySQL Database Instance does not allow root login from any Host |
GCP_CIS_7_1 | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
GCP_CIS_7_2 | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
GCP_CIS_7_3 | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
GCP_CIS_7_4 | Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
GCP_CIS_7_5 | Ensure Kubernetes Clusters are configured with Labels |
GCP_CIS_7_6 | Ensure Kubernetes web UI / Dashboard is disabled |
GCP_CIS_7_7 | Ensure Automatic node repair is enabled for Kubernetes Clusters |
GCP_CIS_7_8 | Ensure Automatic node upgrades are enabled on Kubernetes Engine Clusters nodes |
GCP_CIS_7_9 | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
GCP_CIS_7_10 | Ensure Basic Authentication is disabled on Kubernetes Engine Clusters |
GCP_CIS_7_11 | Ensure Network policy is enabled on Kubernetes Engine Clusters |
GCP_CIS_7_12 | Ensure Kubernetes Cluster is created with Client Certificate enabled |
GCP_CIS_7_13 | Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
GCP_CIS_7_14 | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters |
GCP_CIS_7_15 | Ensure Kubernetes Cluster is created with Private cluster enabled |
GCP_CIS_7_16 | Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
GCP_CIS_7_17 | Ensure default Service account is not used for Project access in Kubernetes Clusters |
GCP_CIS_7_18 | Ensure Kubernetes Clusters created with limited service account Access scopes for Project access |
GCP CIS 1.2 Policies
Lacework Policy ID | Description |
---|---|
GCP_CIS12_1_1 | Ensure that corporate login credentials are used |
GCP_CIS12_1_2 | Ensure that multi-factor authentication is enabled for all non-service accounts |
GCP_CIS12_1_3 | Ensure that Security Key Enforcement is enabled for all admin accounts |
GCP_CIS12_1_4 | Ensure that there are only GCP-managed service account keys for each service account |
GCP_CIS12_1_5 | Ensure that Service Account has no Admin privileges |
GCP_CIS12_1_6 | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level |
GCP_CIS12_1_7 | Ensure user-managed/external keys for service accounts are rotated every 90 days or less |
GCP_CIS12_1_8 | Ensure that Separation of duties is enforced while assigning service account related roles to users |
GCP_CIS12_1_9 | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
GCP_CIS12_1_10 | Ensure KMS encryption keys are rotated within a period of 90 days |
GCP_CIS12_1_11 | Ensure that Separation of duties is enforced while assigning KMS related roles to users |
GCP_CIS12_1_12 | Ensure API keys are not created for a project |
GCP_CIS12_1_13 | Ensure API keys are restricted to use by only specified Hosts and Apps |
GCP_CIS12_1_14 | Ensure API keys are restricted to only APIs that application needs access |
GCP_CIS12_1_15 | Ensure API keys are rotated every 90 days |
GCP_CIS12_2_1 | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
GCP_CIS12_2_2 | Ensure that sinks are configured for all log entries |
GCP_CIS12_2_3 | Ensure that retention policies on log buckets are configured using Bucket Lock |
GCP_CIS12_2_4 | Ensure log metric filter and alerts exist for project ownership assignments/changes |
GCP_CIS12_2_5 | Ensure that the log metric filter and alerts exist for Audit Configuration changes |
GCP_CIS12_2_6 | Ensure that the log metric filter and alerts exist for Custom Role changes |
GCP_CIS12_2_7 | Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes |
GCP_CIS12_2_8 | Ensure that the log metric filter and alerts exist for VPC network route changes |
GCP_CIS12_2_9 | Ensure that the log metric filter and alerts exist for VPC network changes |
GCP_CIS12_2_10 | Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes |
GCP_CIS12_2_11 | Ensure that the log metric filter and alerts exist for SQL instance configuration changes |
GCP_CIS12_2_12 | Ensure that Cloud DNS logging is enabled for all VPC networks |
GCP_CIS12_3_1 | Ensure that the default network does not exist in a project |
GCP_CIS12_3_2 | Ensure legacy networks do not exist for a project |
GCP_CIS12_3_3 | Ensure that DNSSEC is enabled for Cloud DNS |
GCP_CIS12_3_4 | Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC |
GCP_CIS12_3_5 | Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC |
GCP_CIS12_3_6 | Ensure that SSH access is restricted from the internet |
GCP_CIS12_3_7 | Ensure that RDP access is restricted from the internet |
GCP_CIS12_3_8 | Ensure that VPC Flow Logs are enabled for every subnet in a VPC Network |
GCP_CIS12_3_9 | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites |
GCP_CIS12_3_10 | Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses |
GCP_CIS12_4_1 | Ensure that instances are not configured to use the default service account |
GCP_CIS12_4_2 | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
GCP_CIS12_4_3 | Ensure "Block Project-wide SSH keys" is enabled for VM instances |
GCP_CIS12_4_4 | Ensure oslogin is enabled for a Project |
GCP_CIS12_4_5 | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
GCP_CIS12_4_6 | Ensure that IP forwarding is not enabled on Instances |
GCP_CIS12_4_7 | Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK) |
GCP_CIS12_4_8 | Ensure Compute instances are launched with Shielded VM enabled |
GCP_CIS12_4_9 | Ensure that Compute instances do not have public IP addresses |
GCP_CIS12_4_10 | Ensure that App Engine applications enforce HTTPS connections |
GCP_CIS12_4_11 | Ensure that Compute instances have Confidential Computing enabled |
GCP_CIS12_5_1 | Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
GCP_CIS12_5_2 | Ensure that Cloud Storage buckets have uniform bucket-level access enabled |
GCP_CIS12_6_1_1 | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges |
GCP_CIS12_6_1_2 | Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on' |
GCP_CIS12_6_1_3 | Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off' |
GCP_CIS12_6_2_1 | Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
GCP_CIS12_6_2_2 | Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter |
GCP_CIS12_6_2_3 | Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
GCP_CIS12_6_2_4 | Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
GCP_CIS12_6_2_5 | Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
GCP_CIS12_6_2_6 | Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
GCP_CIS12_6_2_7 | Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately |
GCP_CIS12_6_2_8 | Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately |
GCP_CIS12_6_2_9 | Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
GCP_CIS12_6_2_10 | Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
GCP_CIS12_6_2_11 | Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
GCP_CIS12_6_2_12 | Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
GCP_CIS12_6_2_13 | Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately |
GCP_CIS12_6_2_14 | Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter |
GCP_CIS12_6_2_15 | Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on) |
GCP_CIS12_6_2_16 | Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled) |
GCP_CIS12_6_3_1 | Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' |
GCP_CIS12_6_3_2 | Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' |
GCP_CIS12_6_3_3 | Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate |
GCP_CIS12_6_3_4 | Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured |
GCP_CIS12_6_3_5 | Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' |
GCP_CIS12_6_3_6 | Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off' |
GCP_CIS12_6_3_7 | Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' |
GCP_CIS12_6_4 | Ensure that the Cloud SQL database instance requires all incoming connections to use SSL |
GCP_CIS12_6_5 | Ensure that Cloud SQL database instances are not open to the world |
GCP_CIS12_6_6 | Ensure that Cloud SQL database instances do not have public IPs |
GCP_CIS12_6_7 | Ensure that Cloud SQL database instances are configured with automated backups |
GCP_CIS12_7_1 | Ensure that BigQuery datasets are not anonymously or publicly accessible |
GCP_CIS12_7_2 | Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK) |
GCP_CIS12_7_3 | Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets |
Legacy GCP Reports
- GCP CIS Benchmark 1.2
- GCP HIPAA Report Rev2
- GCP ISO 27001 Report
- GCP NIST 800-171 Rev2 Report
- GCP NIST 800-53 Rev4 Report
- GCP NIST CSF Report
- GCP PCI Benchmark Rev2
- GCP SOC 2 Report Rev2
- GCP CIS Benchmark
- GCP HIPAA Report
- GCP K8S Benchmark
- GCP PCI Benchmark
- GCP SOC 2 Report