Scan Infrastructure for Runtime Misconfigurations
Description
Cloud misconfigurations occur when resources have not been constructed properly, leaving your systems vulnerable to attack. Cloud environment misconfigurations can cause system outages, unwanted downtime, or security risks. Causes can include overly complex environments, insufficient security practice knowledge, and human error due to manual processes.
| Stack layer | Security domain | Security tool initiated by this item |
|---|---|---|
| Cloud Security | Cloud runtime scanning | Prowler |
Integration requirements
Depending on your specific cloud provider(s), you must perform one or more of the following integrations before you can activate this security control.
AWS checklist
This security requirement runs the following checks:
| Cloud Service | Checks |
|---|---|
| IAM | Ensure no root account access key exists |
| Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) | |
| Avoid the use of the root accounts | |
| Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | |
| Ensure users of groups with AdministratorAccess policy have MFA tokens enabled | |
| Ensure MFA is enabled for the root account | |
| Ensure no Customer Managed IAM policies allow actions that may lead into Privilege Escalation | |
| Ensure only hardware MFA is enabled for the root account | |
| Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | |
| S3 | Check if S3 buckets have policies which allow WRITE access |
| Ensure there are no S3 buckets open to Everyone or Any AWS user | |
| Check S3 Account Level Public Access Block | |
| CloudTrail | Ensure the S3 bucket CloudTrail logs is not publicly accessible |
| Ensure CloudTrail is enabled in all regions | |
| SQS | Check if SQS queues have policy set as Public |
| EC2 | Ensure there are no EC2 AMIs set as Public |
| Ensure there are no EBS Snapshots set as Public | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 | |
| Ensure there are no Security Groups without ingress filtering being used | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to SSH port 22 | |
| Ensure the default security group of every VPC restricts all traffic | |
| Check if any of the Elastic or Public IP are in Shodan (requires Shodan API KEY) | |
| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports | |
| Ensure no security groups allow ingress from wide-open non-RFC1918 address | |
| Find security groups with more than 50 ingress or egress rules | |
| RDS | Ensure there are no Public Accessible RDS instances |
| Check if RDS Snapshots and Cluster Snapshots are public | |
| Check if RDS instances client connections are encrypted (Microsoft SQL Server and PostgreSQL) | |
| Glacier | Check if S3 Glacier vaults have policies which allow access to everyone |
| EFS | Check if EFS have policies which allow access to everyone |
| SNS | Check if SNS topics have policy set as Public |
| Ensure there are no SNS Topics unencrypted | |
| Opensearch | Check if Amazon Elasticsearch/Opensearch Service domains has Amazon Cognito authentication for Kibana enabled |
| Check if Amazon Elasticsearch/Opensearch domains are set as Public or if it has open policy access | |
| SSM | Find secrets in SSM Documents |
| Check if there are SSM Documents set as public | |
| Check if EC2 instances managed by Systems Manager are compliant with patching requirements | |
| AutoScaling | Find secrets in EC2 Auto Scaling Launch Configuration |
| GuardDuty | There are High severity GuardDuty findings |
| Redshift | Check for Publicly Accessible Redshift Clusters |
| CloudFormation | Find secrets in CloudFormation outputs |
| ECR | Ensure there are no ECR repositories set as Public |
| EKS | Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled |
| EMR | EMR Account Public Access Block enabled |
| ACM | Check if ACM Certificates are about to expire in specific days or less |
| CodeArtifact | Ensure CodeArtifact internal packages do not allow external public source publishing |
| WorkSpaces | Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements |
Azure checklist
This security requirement runs the following checks:
| Cloud Service | Checks |
|---|---|
| defender | Ensure That Microsoft Defender for App Services Is Set To 'On' |
| Ensure That Microsoft Defender for Azure Resource Manager Is Set To 'On' | |
| Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | |
| Ensure That Microsoft Defender for Containers Is Set To 'On' | |
| Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' | |
| Ensure That Microsoft Defender for Databases Is Set To 'On' | |
| Ensure That Microsoft Defender for DNS Is Set To 'On' | |
| Ensure That Microsoft Defender for KeyVault Is Set To 'On' | |
| Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | |
| Ensure That Microsoft Defender for Servers Is Set to 'On' | |
| Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | |
| Ensure That Microsoft Defender for Storage Is Set To 'On' | |
| IAM | Ensure that no custom subscription owner roles are created |
| storage | Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys |
Google Cloud Platform checklist
This security requirement runs the following checks:
| Cloud Service | Checks |
|---|---|
| bigquery | Ensure BigQuery datasets are encrypted with Customer-Managed Keys (CMKs) |
| Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible. | |
| Ensure BigQuery tables are encrypted with Customer-Managed Keys (CMKs). | |
| cloudsql | Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses |
| Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' | |
| Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' | |
| cloudstorage | Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible |
| compute | Check for Virtual Machine Instances with Public IP Addresses |
| Ensure that the default network does not exist | |
| IAM | Ensure Service Account does not have admin privileges |
| KMS | Check for Publicly Accessible Cloud KMS Keys |
Updated 4 months ago