CloudSploit Security Remediation Guides

CloudSploit's remediation guides are intended to be an open-source resource for improving cloud security. Many cloud IaaS providers like AWS, Azure, and Google Cloud have a shared responsibility model. They provide the physical and architectural security, along with tools to properly secure the services they offer, but it is up to the user to configure those settings properly.

Background

This repository is an extension of CloudSploit's open-source scanning engine. We first released the scanning engine in 2015, and this documentation repository is a natural follow up to that tool. The goal of these guides are to provide detailed steps on remediation common security issues in cloud services.

AWS
- ACM
  - ACM Certificate Validation
- AutoScaling
  - ASG Multiple AZ
- CloudFront
  - CloudFront HTTPS Only
  - CloudFront Logging Enabled
  - Insecure CloudFront Protocols
  - Public S3 CloudFront Origin
  - Secure CloudFront Origin
- CloudTrail
  - CloudTrail Bucket Access Logging
  - CloudTrail Bucket Delete Policy
  - CloudTrail Bucket Private
  - CloudTrail Enabled
  - CloudTrail Encryption
  - CloudTrail File Validation
  - CloudTrail To CloudWatch
- CloudWatchLogs
  - CloudWatch Monitoring Metrics
- ConfigService
  - Config Service Enabled
- EC2
  - Cross VPC Public Private Communication
  - Default Security Group
  - Default VPC In Use
  - Detect EC2 Classic Instances
  - EBS Encrypted Snapshots
  - EBS Encryption Enabled
  - EC2 Instance Key Based Login
  - EC2 Max Instances
  - Elastic IP Limit
  - Encrypted AMI
  - Excessive Security Groups
  - Instance IAM Role
  - Instance Limit
  - NAT Multiple AZ
  - Network Acl Has Tags
  - Open All Ports Protocols
  - Open CIFS
  - Open DNS
  - Open Elasticsearch
  - Open FTP
  - Open MySQL
  - Open NetBIOS
  - Open Oracle
  - Open PostgreSQL
  - Open RDP
  - Open RPC
  - Open SMBoTCP
  - Open SMTP
  - Open SQL Server
  - Open SSH
  - Open Telnet
  - Open VNC Client
  - Open VNC Server
  - Overlapping Security Groups
  - Public AMI
  - Subnet IP Availability
  - VPC Elastic IP Limit
  - VPC Flow Logs Enabled
  - VPC Multiple Subnets
- ELB
  - ELB HTTPS Only
  - ELB Logging Enabled
  - ELB No Instances
  - Insecure Ciphers
- Firehose
  - Firehose Delivery Streams Encrypted
- IAM
  - Access Keys Extra
  - Access Keys Last Used
  - Access Keys Rotated
  - Certificate Expiry
  - Empty Groups
  - IAM User Admins
  - Maximum Password Age
  - Minimum Password Length
  - No User IAM Policies
  - Password Expiration
  - Password Requires Lowercase
  - Password Requires Numbers
  - Password Requires Symbols
  - Password Requires Uppercase
  - Password Reuse Prevention
  - Root Access Keys
  - Root Account In Use
  - Root MFA Enabled
  - SSH Keys Rotated
  - Users MFA Enabled
  - Users Password Last Used
- KMS
  - KMS Default Key Usage
  - KMS Key Policy
  - KMS Key Rotation
  - KMS Scheduled Deletion
- Kinesis
  - Kinesis Streams Encrypted
- Lambda
  - Lambda Old Runtimes
- RDS
  - RDS Automated Backups
  - RDS Encryption Enabled
  - RDS Multiple AZ
  - RDS Publicly Accessible
  - RDS Restorable
- Redshift
  - Redshift Encryption Enabled
  - Redshift Publicly Accessible
- Route53
  - Domain Auto Renew
  - Domain Expiry
  - Domain Transfer Lock
- S3
  - S3 Bucket All Users ACL
  - S3 Bucket All Users Policy
  - S3 Bucket Logging
  - S3 Bucket Versioning
- SES
  - Email DKIM Enabled
- SNS
  - SNS Topic Policies
- SQS
  - SQS Cross Account Access
  - SQS Encrypted
- SSM
  - SSM Encrypted Parameters
- SageMaker
  - Notebook Data Encrypted
  - Notebook Direct Internet Access
Azure
- Active Directory
  - Ensure No Guest User
  - Minimum Password Length
  - No Custom Owner Roles
  - Password Requires Lowercase
  - Password Requires Numbers
  - Password Requires Symbols
  - Password Requires Uppercase
- App Service
  - .NET Framework Version
  - Authentication Enabled
  - Client Certificates Enabled
  - HTTP 2.0 Enabled
  - HTTPS Only Enabled
  - Identity Enabled
  - Java Version
  - PHP Version
  - Python Version
  - TLS Version Check
- Azure Policy
  - Resource Location Matches Resource Group
  - Resources Allowed Locations
- Blob Service
  - Blob Container Private Access
  - Blob Service Immutable
- CDN Profiles
  - Detect Insecure Custom Origin
  - Endpoint Logging Enabled
- Container Registry
  - ACR Admin User
- File Service
  - File Service All Access ACL
- Key Vaults
  - Key Expiration Enabled
  - Key Vault Recovery Enabled
  - Secret Expiration Enabled
- Kubernetes Service
  - Kubernetes Latest Version
  - Kubernetes RBAC Enabled
- Load Balancer
  - LB HTTPS Only
  - LB No Instances
- Log Alerts
  - Network Security Groups Logging Enabled
  - Network Security Groups Rule Logging Enabled
  - Policy Assignment Alerts Enabled
  - SQL Server Firewall Rule Alerts Monitor
  - Security Policy Alerts Enabled
  - Security Solution Logging
  - Virtual Network Alerts Monitor
- Monitor
  - Key Vault Log Analytics Enabled
  - Load Balancer Log Analytics Enabled
  - Log Profile Archive Data
  - Log Profile Retention Policy
  - NSG Log Analytics Enabled
- MySQL Server
  - Enforce MySQL SSL Connection
- Network Security Groups
  - Default Security Group
  - Excessive Security Groups
  - Network Watcher Enabled
  - Open All Ports
  - Open CIFS
  - Open DNS
  - Open FTP
  - Open Hadoop HDFS NameNode Metadata Service
  - Open Hadoop HDFS NameNode WebUI
  - Open Kibana
  - Open MySQL
  - Open NetBIOS
  - Open Oracle
  - Open Oracle Auto Data Warehouse
  - Open PostgreSQL
  - Open RDP
  - Open RPC
  - Open SMBoTCP
  - Open SMTP
  - Open SQLServer
  - Open SSH
  - Open Telnet
  - Open VNC Client
  - Open VNC Server
- PostgreSQL Server
  - Connection Throttling Enabled
  - Enforce PostgreSQL SSL Connection
  - Log Checkpoints Enabled
  - Log Connections Enabled
  - Log Disconnections Enabled
  - Log Duration Enabled
  - Log Retention Period
- Queue Service
  - Queue Service All Access ACL
- Resources
  - Management Lock Enabled
  - Resources Usage Limits
- SQL Databases
  - DB Restorable
  - Database Auditing Enabled
  - SQL DB Multiple AZ
- SQL Server
  - Advanced Data Security Enabled
  - Audit Action Groups Enabled
  - Audit Retention Policy
  - Azure Active Directory Admin Enabled
  - Email Account Admins Enabled
  - SQL Server Public Access
  - Send Alerts Enabled
  - Server Auditing Enabled
  - TDE Protector Encrypted
- Security Center
  - Admin Security Alerts Enabled
  - Application Whitelisting Enabled
  - Auto Provisioning Enabled
  - High Severity Alerts Enabled
  - Monitor Blob Encryption
  - Monitor Disk Encryption
  - Monitor Endpoint Protection
  - Monitor JIT Network Access
  - Monitor NSG Enabled
  - Monitor SQL Auditing
  - Monitor SQL Encryption
  - Monitor System Updates
  - Monitor VM Vulnerability
  - Security Configuration Monitoring
  - Security Contacts Enabled
  - Standard Pricing Enabled
- Storage Accounts
  - Blob Service Encryption
  - File Service Encryption
  - Log Container Public Access
  - Log Storage Encryption
  - Network Access Default Action
  - Storage Accounts AAD Enabled
  - Storage Accounts Encryption
  - Storage Accounts HTTPS
  - Trusted MS Access Enabled
- Table Service
  - Table Service All Access ACL
- Virtual Machines
  - Classic Instances
  - Scale Set Multi Az
  - Scale Sets Autoscale Enabled
  - VM Agent Enabled
  - VM Auto Update Enabled
  - VM Availability Set Enabled
  - VM Availability Set Limit
  - VM Data Disk Encryption
  - VM Endpoint Protection
  - VM Instance Limit
  - VM OS Disk Encryption
- Virtual Networks
  - Multiple Subnets
Google
GitHub
- Orgs
- Repos
  - Repo Deploy Keys Rotated
  - Repo Outside Collaborators
- Users
Oracle

Contributing

Please see the contributor's guide.

About

Security Remediation Guides

cloud cloud-security aws azure

aquasecurity / cloud-security-remediation-guides

CloudSploit Security Remediation Guides

Background

Table of Contents

Contributing

About