lacework-global-32 | Ensure security contact information is registered | Register security contact information |
lacework-global-33 | Ensure security questions are registered in the AWS account | Register security questions in the AWS account |
lacework-global-35 | Ensure MFA is enabled for the 'root' user account | Enable Multi-Factor Authentication (MFA) for the 'root' user account |
lacework-global-37 | Ensure IAM password policy requires minimum length of 14 or greater | Ensure Identity and Access Management (IAM) password policy requires minimum length of 14 or greater |
lacework-global-38 | Ensure IAM password policy prevents password reuse | Ensure Identity and Access Management (IAM) password policy prevents password reuse |
lacework-global-39 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Enable Multi-Factor Authentication (MFA) for all Identity and Access Management (IAM) users that have a console password |
lacework-global-40 | Do not set up access keys during initial user setup for all IAM users that have a console password | Do not set up access keys during initial user setup for all Identity and Access Management (IAM) users that have a console password |
lacework-global-41 | Ensure credentials unused for 45 days or greater are disabled | Disable credentials unused for 45 days or greater |
lacework-global-42 | Ensure there is only one active access key available for any single IAM user | Ensure there is only one active access key available for any single Identity and Access Management (IAM) user |
lacework-global-43 | Ensure access keys are rotated every 90 days or less | Rotate access keys every 90 days or less |
lacework-global-45 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to users | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to users |
lacework-global-46 | Ensure a support role has been created to manage incidents with AWS Support | Create a support role to manage incidents with AWS Support |
lacework-global-47 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | Remove all the expired SSL/Transport Layer Security (TLS) certificates stored in AWS Identity and Access Management (IAM) |
lacework-global-48 | Ensure that IAM Access analyzer is enabled for all regions | Enable Identity and Access Management (IAM) Access analyzer for all regions |
lacework-global-50 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | Configure S3 Buckets with 'Block public access (bucket settings)' |
lacework-global-51 | Ensure EBS volume encryption is enabled | Enable volume encryption for Elastic Block Store (EBS) |
lacework-global-52 | Ensure that encryption is enabled for RDS Instances | Enable encryption for Relational Database Service (RDS) Instances |
lacework-global-53 | Ensure CloudTrail is enabled in all regions | Enable CloudTrail in all regions |
lacework-global-56 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | Enable S3 bucket access logging on the CloudTrail S3 bucket |
lacework-global-58 | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Ensure a log metric filter and alarm exist for Management Console sign-in without Multi-Factor Authentication (MFA) |
lacework-global-60 | Ensure a log metric filter and alarm exist for IAM policy changes | Ensure a log metric filter and alarm exist for Identity and Access Management (IAM) policy changes |
lacework-global-65 | Ensure a log metric filter and alarm exist for VPC changes | Ensure a log metric filter and alarm exist for Virtual Private Cloud (VPC) changes |
lacework-global-67 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | Ensure no Network Access Control Lists (ACL) allow ingress from 0.0.0.0/0 to remote server administration ports |
lacework-global-69 | Ensure hardware MFA is enabled for the 'root' user account | Enable hardware Multi-Factor Authentication (MFA) for the 'root' user account |
lacework-global-70 | Ensure IAM instance roles are used for AWS resource access from instances | Use Identity and Access Management (IAM) instance roles for AWS resource access from instances |
lacework-global-71 | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | Manage Identity and Access Management (IAM) users centrally via identity federation or AWS Organizations for multi-account environments |
lacework-global-73 | Ensure S3 Bucket Policy is set to deny HTTP requests | Deny HTTP requests in S3 Bucket Policies |
lacework-global-74 | Ensure all data in Amazon S3 has been discovered, classified and secured when required | Discover, classify, and secure all data in Amazon S3 when required |
lacework-global-75 | Ensure CloudTrail log file validation is enabled | Enable CloudTrail log file validation |
lacework-global-76 | Ensure AWS Config is enabled in all regions | Enable AWS Config in all regions |
lacework-global-77 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Encrypt CloudTrail logs at rest using Customer-Managed Key Management Service (KMS) Keys |
lacework-global-78 | Ensure rotation for customer created CMKs is enabled | Enable rotation for Key Management Service (KMS) Keys |
lacework-global-79 | Ensure VPC flow logging is enabled in all VPCs | Enable Virtual Private Cloud (VPC) flow logging in all VPCs |
lacework-global-80 | Ensure that Object-level logging for write events is enabled for S3 bucket | Enable Object-level logging for write events on S3 buckets |
lacework-global-81 | Ensure that Object-level logging for read events is enabled for S3 bucket | Enable Object-level logging for read events on S3 buckets |
lacework-global-83 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of Key Management Service (KMS) Keys |
lacework-global-88 | Ensure routing tables for VPC peering are "least access" | Ensure routing tables for Virtual Private Cloud (VPC) peering are "least access" |
lacework-global-91 | Ensure Redshift Cluster is encrypted | Encrypt Redshift Clusters |
lacework-global-92 | Ensure no server certificate has been uploaded before Heartbleed vulnerability | Do not use server certificates uploaded before Heartbleed vulnerability |
lacework-global-93 | RDS should not have a Public Interface | Relational Database Service (RDS) should not have a Public Interface |
lacework-global-94 | Ensure the S3 bucket requires MFA to delete objects | Ensure the S3 bucket requires Multi-Factor Authentication (MFA) to delete objects |
lacework-global-103 | EC2 instance should be deployed in EC2-VPC platform | Deploy EC2 instances in EC2-VPC platform |
lacework-global-105 | No IAM users with password-based console access should exist | No Identity and Access Management (IAM) users with password-based console access should exist |
lacework-global-108 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 1434 (SQLServer) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 1434 (SQLServer) |
lacework-global-109 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (MSQL) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (Mini SQL (mSQL)) |
lacework-global-110 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (VNC Listener) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (Virtual Network Computing (VNC) Listener) |
lacework-global-111 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (VNC Server) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (Virtual Network Computing (VNC) Server) |
lacework-global-112 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 137 (NetBIOS) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 137 (NetBIOS) |
lacework-global-113 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 138 (NetBIOS) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 138 (NetBIOS) |
lacework-global-114 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 445 (CIFS) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 445 (Common Internet File System (CIFS)) |
lacework-global-115 | Ensure access keys are rotated every 30 days or less | Rotate access keys every 30 days or less |
lacework-global-116 | Ensure access keys are rotated every 45 days or less | Rotate access keys every 45 days or less |
lacework-global-117 | Ensure public ssh keys are rotated every 30 days or less | Rotate public ssh keys every 30 days or less |
lacework-global-118 | Ensure public ssh keys are rotated every 45 days or less | Rotate public ssh keys every 45 days or less |
lacework-global-119 | Ensure public ssh keys are rotated every 90 days or less | Rotate public ssh keys every 90 days or less |
lacework-global-120 | Ensure active access keys are used every 90 days or less | Deactivate access keys not used in 90 days |
lacework-global-121 | IAM user should not be inactive for more than 30 days | Identity and Access Management (IAM) user should not be inactive for more than 30 days |
lacework-global-122 | OpenSearch Domain should not be exposed | Exposed OpenSearch Domain |
lacework-global-127 | Security group should not allow inbound traffic from all to all ICMP | Security group should not allow inbound traffic from all to all Internet Control Message Protocol (ICMP) |
lacework-global-130 | Ensure the bucket ACL does not grant 'Everyone' READ permission [list S3 objects] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' READ permission [list S3 objects] |
lacework-global-131 | Ensure the bucket ACL does not grant 'Everyone' WRITE permission [create, overwrite, and delete S3 objects] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' WRITE permission [create, overwrite, and delete S3 objects] |
lacework-global-132 | Ensure the bucket ACL does not grant 'Everyone' READ_ACP permission [read bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' READ_ACP permission [read bucket ACL] |
lacework-global-133 | Ensure the bucket ACL does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL] |
lacework-global-134 | Ensure the bucket ACL does not grant 'Everyone' FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] |
lacework-global-135 | Ensure the bucket ACL does not grant AWS users READ permission [list S3 objects] | Ensure the bucket Access Control List (ACL) does not grant AWS users READ permission [list S3 objects] |
lacework-global-136 | Ensure the bucket ACL does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects] | Ensure the bucket Access Control List (ACL) does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects] |
lacework-global-137 | Ensure the bucket ACL does not grant AWS users READ_ACP permission [read bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant AWS users READ_ACP permission [read bucket ACL] |
lacework-global-138 | Ensure the bucket ACL does not grant AWS users WRITE_ACP permission [modify bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant AWS users WRITE_ACP permission [modify bucket ACL] |
lacework-global-139 | Ensure the bucket ACL does not grant AWS users FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] | Ensure the bucket Access Control List (ACL) does not grant AWS users FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] |
lacework-global-141 | Ensure access keys are rotated every 180 days or less | Rotate access keys every 180 days or less |
lacework-global-142 | Ensure access keys are rotated every 350 days or less | Rotate access keys every 350 days or less |
lacework-global-144 | Lambda Function should not have VPC access | Lambda Function should not have Virtual Private Cloud (VPC) access |
lacework-global-145 | Network ACLs do not allow unrestricted inbound traffic | Network Access Control Lists (ACL) do not allow unrestricted inbound traffic |
lacework-global-146 | Network ACLs do not allow unrestricted outbound traffic | Network Access Control Lists (ACL) do not allow unrestricted outbound traffic |
lacework-global-147 | AWS VPC endpoints should not be exposed | Exposed AWS Virtual Private Cloud (VPC) endpoints |
lacework-global-155 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows RPC) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows Remote Procedure Call (RPC)) |
lacework-global-156 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows SMB) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows Server Message Block (SMB)) |
lacework-global-157 | No Default VPC should be present in an AWS account | No Default Virtual Private Cloud (VPC) should be present in an AWS account |
lacework-global-160 | Ensure No Public EBS Snapshots | Ensure No Public Elastic Block Store (EBS) Snapshots |
lacework-global-161 | OpenSearch Domain should have Encryption with KMS (Customer Managed Keys) | OpenSearch Domain should have Encryption with Customer-Managed Key Management Service (KMS) Keys |
lacework-global-171 | Ensure RDS database is encrypted with customer managed KMS key | Encrypt Relational Database Service (RDS) database with customer managed Key Management Service (KMS) key |
lacework-global-182 | Ensure ELB has latest Secure Cipher policies Configured for Session Encryption | Ensure Elastic Load Balancer (ELB) has latest Secure Cipher policies Configured for Session Encryption |
lacework-global-183 | Ensure ELB is not affected by POODLE Vulnerability (CVE-2014-3566) | Ensure Elastic Load Balancer (ELB) is not affected by POODLE Vulnerability (CVE-2014-3566) |
lacework-global-184 | ELB should not use insecure Ciphers | Elastic Load Balancer (ELB) should not use insecure Ciphers |
lacework-global-207 | VCN has Internet Gateway attached | Virtual Cloud Network (VCN) has Internet Gateway attached |
lacework-global-211 | IAM group has too few members | Identity and Access Management (IAM) group has too few members |
lacework-global-212 | IAM group has too many members | Identity and Access Management (IAM) group has too many members |
lacework-global-222 | EC2 instance should not allow inbound traffic from all to UDP port 53 | EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 53 |
lacework-global-223 | ELB Security Group should have Outbound Rules attached to it | Elastic Load Balancer (ELB) Security Group should have Outbound Rules attached to it |
lacework-global-224 | Ensure ELBv2 has latest Secure Cipher policies Configured for Session Encryption | Ensure Elastic Load Balancer V2 (ELBV2) has latest Secure Cipher policies Configured for Session Encryption |
lacework-global-225 | ELB SSL Certificate expires in 5 Days | Elastic Load Balancer (ELB) SSL Certificate expires in 5 Days |
lacework-global-226 | ELB SSL Certificate expires in 45 Days | Elastic Load Balancer (ELB) SSL Certificate expires in 45 Days |
lacework-global-229 | Security group attached to RDS DB instance should not allow inbound traffic from all ports | Security group attached to Relational Database Service (RDS) DB instance should not allow inbound traffic from all ports |
lacework-global-232 | Ensure that Corporate Login Credentials are Used | Use Corporate Login Credentials |
lacework-global-236 | Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | Ensure That Identity and Access Management (IAM) Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level |
lacework-global-237 | Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | Rotate User-Managed/External Keys for Service Accounts Every 90 Days or Fewer |
lacework-global-238 | Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible | Ensure That Cloud Key Management Service (KMS) Cryptokeys Are Not Anonymously or Publicly Accessible |
lacework-global-239 | Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | Rotate Key Management Service (KMS) Encryption Keys Within a Period of 90 Days |
lacework-global-241 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access | Restrict API Keys to Only APIs That Application Needs Access |
lacework-global-242 | Ensure API Keys Are Rotated Every 90 Days | Rotate API Keys Every 90 Days |
lacework-global-243 | Ensure Essential Contacts is Configured for Organization | Configure Essential Contacts for Organization |
lacework-global-245 | Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project | Configure Cloud Audit Logging Properly Across All Services and All Users From a Project |
lacework-global-246 | Ensure That Sinks Are Configured for All Log Entries | Configure Sinks for All Log Entries |
lacework-global-250 | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes | Ensure That the Log Metric Filter and Alerts Exist for Virtual Private Cloud (VPC) Network Firewall Rule Changes |
lacework-global-252 | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes | Ensure That the Log Metric Filter and Alerts Exist for Virtual Private Cloud (VPC) Network Changes |
lacework-global-253 | Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage Identity and Access Management (IAM) Permission Changes |
lacework-global-255 | Ensure That Cloud DNS Logging Is Enabled for All VPC Networks | Enable Cloud Domain Name System (DNS) Logging for All Virtual Private Cloud (VPC) Networks |
lacework-global-259 | Ensure That DNSSEC Is Enabled for Cloud DNS | Enable DNSSEC for Cloud Domain Name System (DNS) |
lacework-global-260 | Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | Ensure That RSASHA1 Is Not Used for the Key-Signing Key (KSK) in Cloud Domain Name System (DNS) DNSSEC |
lacework-global-261 | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key (ZSK) in Cloud Domain Name System (DNS) DNSSEC |
lacework-global-262 | Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | Enable Virtual Private Cloud (VPC) Flow Logs for Every Subnet in a VPC Network |
lacework-global-266 | Ensure Block Project-Wide SSH Keys Is Enabled for VM Instances | Enable Block Project-Wide SSH Keys for VM Instances |
lacework-global-267 | Ensure Oslogin Is Enabled for a Project | Enable Oslogin for a Project |
lacework-global-273 | Ensure That Cloud SQL Database Instances Are Configured With Automated Backups | Configure Cloud SQL Database Instances With Automated Backups |
lacework-global-275 | Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' | Set 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance to 'On' |
lacework-global-276 | Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' | Set the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance to 'Off' |
lacework-global-278 | Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | Set the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance to 'On' |
lacework-global-279 | Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately | Set 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Appropriately |
lacework-global-280 | Ensure 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on' | Set 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance to 'on' |
lacework-global-281 | Ensure That the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning' | Set the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance to at least 'Warning' |
lacework-global-282 | Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter | Set 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance to 'Error' or Stricter |
lacework-global-283 | Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled) | Set the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance to '-1' (Disabled) |
lacework-global-284 | Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud SQL PostgreSQL Instance Is Set to 'on' For Centralized Logging | Set 'cloudsql.enable_pgaudit' Database Flag for each Cloud SQL PostgreSQL Instance to 'on' For Centralized Logging |
lacework-global-286 | Ensure that the 'cross db ownership chaining' database flag for Cloud SQL on SQL Server instance is set to 'off' | Set the 'cross db ownership chaining' database flag for Cloud SQL on SQL Server instance to 'off' |
lacework-global-287 | Ensure 'user Connections' Database Flag for Cloud SQL on SQL Server Instance Is Set to a Non-limiting Value | Set 'user Connections' Database Flag for Cloud SQL on SQL Server Instance to a Non-limiting Value |
lacework-global-288 | Ensure 'user options' database flag for Cloud SQL on SQL Server instance is not configured | Do not configure 'user options' database flag for Cloud SQL on SQL Server instance |
lacework-global-289 | Ensure 'remote access' database flag for Cloud SQL on SQL Server instance is set to 'off' | Set 'remote access' database flag for Cloud SQL on SQL Server instance to 'off' |
lacework-global-290 | Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'off' | Set '3625 (trace flag)' database flag for all Cloud SQL Server instances to 'off' |
lacework-global-291 | Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' | Set the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance to 'off' |
lacework-global-293 | Ensure that Security Key Enforcement is Enabled for All Admin Accounts | Enable Security Key Enforcement for All Admin Accounts |
lacework-global-294 | Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | Enforce Separation of Duties While Assigning Service Account Related Roles to Users |
lacework-global-295 | Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | Enforce Separation of Duties While Assigning Key Management Service (KMS) Related Roles to Users |
lacework-global-297 | Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | Encrypt Dataproc Cluster using Customer-Managed Encryption Key (CMEK) |
lacework-global-298 | Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | Configure Retention Policies on Cloud Storage Buckets Used for Exporting Logs Using Bucket Lock |
lacework-global-301 | Ensure That SSH Access Is Restricted From the Internet | Restrict SSH Access From the Internet |
lacework-global-302 | Ensure That RDP Access Is Restricted From the Internet | Restrict Remote Desktop Protocol (RDP) Access From the Internet |
lacework-global-304 | Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | Encrypt VM Disks for Critical VMs With Customer-Supplied Encryption Keys (CSEK) |
lacework-global-305 | Ensure Compute Instances Are Launched With Shielded VM Enabled | Launch Compute Instances With Shielded VM Enabled |
lacework-global-309 | Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects | Install the Latest Operating System Updates On Your Virtual Machines in All Projects |
lacework-global-312 | Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | Set 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance to 'DEFAULT' or Stricter |
lacework-global-314 | Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets | Specify a Default Customer-Managed Encryption Key (CMEK) for All BigQuery Data Sets |
lacework-global-316 | Ensure that the kubeconfig file permissions are set to 644 or more restrictive | Set the kubeconfig file permissions to 644 or more restrictive |
lacework-global-317 | Ensure that the kubelet kubeconfig file ownership is set to root:root | Set the kubelet kubeconfig file ownership to root:root |
lacework-global-319 | Ensure that the kubelet configuration file ownership is set to root:root | Set the kubelet configuration file ownership to root:root |
lacework-global-320 | Ensure that the --anonymous-auth argument is set to false | Set the --anonymous-auth argument to false |
lacework-global-322 | Ensure that the --client-ca-file argument is set as appropriate | Set the --client-ca-file argument as appropriate |
lacework-global-323 | Ensure that the --read-only-port is secured | Secure the --read-only-port |
lacework-global-325 | Ensure that the --protect-kernel-defaults argument is set to true | Set the --protect-kernel-defaults argument to true |
lacework-global-326 | Ensure that the --make-iptables-util-chains argument is set to true | Set the --make-iptables-util-chains argument to true |
lacework-global-328 | Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture | Set the --eventRecordQPS argument to 0 or a level which ensures appropriate event capture |
lacework-global-330 | Ensure that the RotateKubeletServerCertificate argument is set to true | Set the RotateKubeletServerCertificate argument to true |
lacework-global-346 | Ensure latest CNI version is used | Use latest Container Network Interface (CNI) version |
lacework-global-352 | The default namespace should not be used | Do not use the default namespace |
lacework-global-353 | Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider | Ensure Image Vulnerability Scanning using Amazon Elastic Container Registry (ECR) image scanning or a third party provider |
lacework-global-354 | Minimize user access to Amazon ECR | Minimize user access to Amazon Elastic Container Registry (ECR) |
lacework-global-355 | Minimize cluster access to read-only for Amazon ECR | Minimize cluster access to read-only for Amazon Elastic Container Registry (ECR) |
lacework-global-361 | Ensure clusters are created with Private Nodes | Create clusters with Private Nodes |
lacework-global-362 | Ensure Network Policy is Enabled and set as appropriate | Enable Network Policy and set as appropriate |
lacework-global-363 | Encrypt traffic to HTTPS load balancers with TLS certificates | Encrypt traffic to HTTPS load balancers with Transport Layer Security (TLS) certificates |
lacework-global-364 | Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes | Manage Kubernetes Role-Based Access Control (RBAC) users with AWS Identity and Access Management (IAM) Authenticator for Kubernetes |
lacework-global-483 | ELBs should have a secure security group | Elastic Load Balancers (ELB) should have a secure security group |
lacework-global-485 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to groups | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to groups |
lacework-global-486 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to roles | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to roles |
lacework-global-487 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From a Folder | Configure Cloud Audit Logging Properly Across All Users From a Folder |
lacework-global-488 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From an Organization | Configure Cloud Audit Logging Properly Across All Users From an Organization |
lacework-global-499 | Ensure Guest Users Are Reviewed on a Regular Basis | Review Guest Users on a Regular Basis |
lacework-global-501 | Ensure That 'Number of methods required to reset' is set to '2' | Set 'Number of methods required to reset' to '2' |
lacework-global-502 | Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization | Set a Custom Bad Password List to 'Enforce' for your Organization |
lacework-global-504 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Set 'Notify users on password resets?' to 'Yes' |
lacework-global-505 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Set 'Notify all admins when other admins reset their password?' to 'Yes' |
lacework-global-506 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Set 'Users can consent to apps accessing company data on their behalf' to 'No' |
lacework-global-507 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | Set 'Users can add gallery apps to My Apps' to 'No' |
lacework-global-508 | Ensure That 'Users Can Register Applications' Is Set to 'No' | Set 'Users Can Register Applications' to 'No' |
lacework-global-509 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Set 'Guest users access restrictions' to 'Guest user access is restricted to properties and memberships of their own directory objects' |
lacework-global-510 | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | Set 'Restrict access to Azure AD administration portal' to 'Yes' |
lacework-global-511 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Set 'Require Multi-Factor Authentication to register or join devices with Azure AD' to 'Yes' |
lacework-global-513 | Ensure Security Defaults is enabled on Azure Active Directory | Enable Security Defaults on Azure Active Directory |
lacework-global-515 | Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled | Enable 'Restore multi-factor authentication on all remembered devices' |
lacework-global-516 | Ensure Trusted Locations Are Defined | Define Trusted Locations |
lacework-global-517 | Ensure that an exclusionary Geographic Access Policy is considered | Consider an exclusionary Geographic Access Policy |
lacework-global-520 | Ensure Multi-factor Authentication is Required for Risky Sign-ins | Require Multi-factor Authentication for Risky Sign-ins |
lacework-global-521 | Ensure Multi-factor Authentication is Required for Azure Management | Require Multi-factor Authentication for Azure Management |
lacework-global-523 | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | Ensure Any of the Azure Security Center (ASC) Default Policy Settings are Not Set to 'Disabled' |
lacework-global-524 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Set Auto provisioning of 'Log Analytics agent for Azure VMs' to 'On' |
lacework-global-525 | Ensure That 'All users with the following roles' is set to 'Owner' | Set 'All users with the following roles' to 'Owner' |
lacework-global-526 | Ensure 'Additional email addresses' is Configured with a Security Contact Email | Configure 'Additional email addresses' with a Security Contact Email |
lacework-global-527 | Ensure That 'Notify about alerts with the following severity' is Set to 'High' | Set 'Notify about alerts with the following severity' to 'High' |
lacework-global-528 | Ensure that 'Secure transfer required' is set to 'Enabled' | Set 'Secure transfer required' to 'Enabled' |
lacework-global-529 | Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | Enable 'Enable key rotation reminders' for each Storage Account |
lacework-global-532 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Disable 'Public access level' for storage accounts with blob containers |
lacework-global-533 | Ensure Default Network Access Rule for Storage Accounts is Set to Deny | Set Default Network Access Rule for Storage Accounts to Deny |
lacework-global-535 | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | Enable Soft Delete for Azure Containers and Blob Storage |
lacework-global-536 | Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | Set the "Minimum Transport Layer Security (TLS) version" for storage accounts to "Version 1.2" |
lacework-global-537 | Ensure that 'Auditing' is set to 'On' | Set 'Auditing' to 'On' |
lacework-global-538 | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (any IP) |
lacework-global-539 | Ensure that Azure Active Directory Admin is Configured for SQL Servers | Configure Azure Active Directory Admin for SQL Servers |
lacework-global-540 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Set 'Data encryption' to 'On' on a SQL Database |
lacework-global-542 | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | Set Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' for each SQL Server |
lacework-global-544 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Set Server Parameter 'log_checkpoints' to 'ON' for PostgreSQL Database Server |
lacework-global-545 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Set server parameter 'log_connections' to 'ON' for PostgreSQL Database Server |
lacework-global-546 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Set server parameter 'log_disconnections' to 'ON' for PostgreSQL Database Server |
lacework-global-547 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Set server parameter 'connection_throttling' to 'ON' for PostgreSQL Database Server |
lacework-global-549 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Disable 'Allow access to Azure services' for PostgreSQL Database Server |
lacework-global-551 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | Set 'Enforce SSL connection' to 'Enabled' for Standard MySQL Database Server |
lacework-global-552 | Ensure 'TLS Version' is set to at least 'TLSV1.2' for Azure Database for MySQL Flexible Server | Set 'Transport Layer Security (TLS) Version' to at least 'TLSV1.2' for Azure Database for MySQL Flexible Server |
lacework-global-553 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | Enable Azure Monitor Resource Logging for All Services that Support it |
lacework-global-568 | Ensure that RDP access from the Internet is evaluated and restricted | Evaluate and restrict Remote Desktop Protocol (RDP) access from the Internet |
lacework-global-570 | Ensure that UDP access from the Internet is evaluated and restricted | Evaluate and restrict User Datagram Protocol (UDP) access from the Internet |
lacework-global-571 | Ensure that HTTP(S) access from the Internet is evaluated and restricted | Evaluate and restrict HTTP(S) access from the Internet |
lacework-global-572 | Ensure that Public IP addresses are Evaluated on a Periodic Basis | Evaluate Public IP addresses on a Periodic Basis |
lacework-global-574 | Ensure that Only Approved Extensions Are Installed | Install Only Approved Extensions |
lacework-global-581 | Ensure Web App is using the latest version of TLS encryption | Ensure Web App is using the latest version of Transport Layer Security (TLS) encryption |
lacework-global-582 | Ensure that Register with Azure Active Directory is enabled on App Service | Enable Register with Azure Active Directory on App Service |
lacework-global-587 | Ensure FTP deployments are Disabled | Disable File Transfer Protocol (FTP) deployments |
lacework-global-588 | Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management | Set Up Access Review for External Users in Azure AD Privileged Identity Management |
lacework-global-589 | Ensure That 'Users Can Consent to Apps Accessing Company Data on Their Behalf' Is Set To 'Allow for Verified Publishers' | Set 'Users Can Consent to Apps Accessing Company Data on Their Behalf' To 'Allow for Verified Publishers' |
lacework-global-590 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Set 'Guest invite restrictions' to "Only users assigned to specific admin roles can invite guest users" |
lacework-global-591 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | Set 'Restrict user ability to access groups features in the Access Pane' to 'Yes' |
lacework-global-592 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Set 'Users can create security groups in Azure portals, API or PowerShell' to 'No' |
lacework-global-593 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Set 'Owners can manage group membership requests in the Access Panel' to 'No' |
lacework-global-594 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | Set 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' to 'No' |
lacework-global-595 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | Assign Permissions for Administering Resource Locks to a Custom Role |
lacework-global-596 | Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' | Set 'Subscription Entering Azure Active Directory (AAD) Directory' and 'Subscription Leaving AAD Directory' To 'Permit No One' |
lacework-global-598 | Ensure That Microsoft Defender for Servers Is Set to 'On' | Set Microsoft Defender for Servers to 'On' |
lacework-global-599 | Ensure That Microsoft Defender for App Services Is Set To 'On' | Set Microsoft Defender for App Services To 'On' |
lacework-global-600 | Ensure That Microsoft Defender for Databases Is Set To 'On' | Set Microsoft Defender for Databases To 'On' |
lacework-global-601 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | Set Microsoft Defender for Azure SQL Databases To 'On' |
lacework-global-602 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | Set Microsoft Defender for SQL Servers on Machines To 'On' |
lacework-global-603 | Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | Set Microsoft Defender for Open-Source Relational Databases To 'On' |
lacework-global-604 | Ensure That Microsoft Defender for Storage Is Set To 'On' | Set Microsoft Defender for Storage To 'On' |
lacework-global-605 | Ensure That Microsoft Defender for Containers Is Set To 'On' | Set Microsoft Defender for Containers To 'On' |
lacework-global-606 | Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' | Set Microsoft Defender for Cosmos DB To 'On' |
lacework-global-607 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | Set Microsoft Defender for Key Vault To 'On' |
lacework-global-608 | Ensure That Microsoft Defender for DNS Is Set To 'On' | Set Microsoft Defender for Domain Name System (DNS) To 'On' |
lacework-global-609 | Ensure That Microsoft Defender for IoT Is Set To 'On' | Set Microsoft Defender for IoT To 'On' |
lacework-global-610 | Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | Set Microsoft Defender for Resource Manager To 'On' |
lacework-global-611 | Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | Set Auto provisioning of 'Vulnerability assessment for machines' to 'On' |
lacework-global-612 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | Set Auto provisioning of 'Microsoft Defender for Containers components' to 'On' |
lacework-global-613 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | Select Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud |
lacework-global-614 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | Select Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud |
lacework-global-615 | Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' | Set 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage to 'enabled' |
lacework-global-616 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Enable Storage Logging for Queue Service for 'Read', 'Write', and 'Delete' requests |
lacework-global-617 | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | Enable 'Allow Azure services on the trusted services list to access this storage account' for Storage Account Access |
lacework-global-618 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Encrypt Storage for Critical Data with Customer Managed Keys |
lacework-global-619 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Enable Storage logging for Blob Service for 'Read', 'Write', and 'Delete' requests |
lacework-global-620 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Enable Storage Logging for Table Service for 'Read', 'Write', and 'Delete' Requests |
lacework-global-621 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | Encrypt SQL server's Transparent Data Encryption (TDE) protector with Customer-managed key |
lacework-global-623 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Enable Vulnerability Assessment (VA) on a SQL server by setting a Storage Account |
lacework-global-624 | Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | Set Vulnerability Assessment (VA) setting 'Periodic recurring scans' to 'on' for each SQL server |
lacework-global-625 | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | Configure Vulnerability Assessment (VA) setting 'Send scan reports to' for a SQL server |
lacework-global-626 | Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server | Set server parameter 'audit_log_enabled' to 'ON' for MySQL Database Server |
lacework-global-628 | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | Limit 'Firewalls & Networks' to Use Selected Networks Instead of All Networks |
lacework-global-629 | Ensure That Private Endpoints Are Used Where Possible | Use Private Endpoints Where Possible |
lacework-global-630 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | Encrypt the storage account containing the container with activity logs with Customer Managed Key |
lacework-global-631 | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | Capture Network Security Group (NSG) Flow logs and send them to Log Analytics |
lacework-global-632 | Ensure that logging for Azure AppService 'HTTP logs' is enabled | Enable logging for Azure AppService 'HTTP logs' |
lacework-global-633 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Ensure that Network Security Group (NSG) Flow Log retention period is 'greater than 90 days' |
lacework-global-635 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | Encrypt 'OS and Data' disks with Customer Managed Key (CMK) |
lacework-global-636 | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | Encrypt 'Unattached disks' with Customer Managed Key (CMK) |
lacework-global-637 | Ensure that Endpoint Protection for all Virtual Machines is installed | Install Endpoint Protection for all Virtual Machines |
lacework-global-638 | (Legacy) Ensure that VHDs are Encrypted | (Legacy) Encrypt Virtual Hard Disks (VHD) |
lacework-global-641 | Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | Enable Automatic Key Rotation Within Azure Key Vault for the Supported Services |
lacework-global-642 | Ensure App Service Authentication is set up for apps in Azure App Service | Set up App Service Authentication for apps in Azure App Service |
lacework-global-644 | Ensure Azure Key Vaults are Used to Store Secrets | Use Azure Key Vaults to Store Secrets |
lacework-global-645 | Ensure that Resource Locks are set for Mission-Critical Azure Resources | Set Resource Locks for Mission-Critical Azure Resources |
lacework-global-669 | Ensure permissions on all resources are given only to the tenancy administrator group | Give permissions on all resources only to the tenancy administrator group |
lacework-global-674 | Ensure MFA is enabled for all users with console password capability | Enable Multi-Factor Authentication (MFA) for all users with console password capability |
lacework-global-690 | Ensure audit log retention period is set to 365 days | Set audit log retention period to 365 days |
lacework-global-709 | Ensure Versioning is Enabled for Object Storage Buckets | Enable Versioning for Object Storage Buckets |
lacework-global-715 | AWS ElastiCache Replication Group encryption-at-rest should be enabled | Enable encryption-at-rest on AWS ElastiCache Replication Groups |
lacework-global-716 | AWS ElastiCache Replication Group encryption-at-rest should use a Customer Managed Key | AWS ElastiCache Replication Group encryption-at-rest should use a Customer-Managed Key Management Service (KMS) Key |