Prisma Cloud Code Security Policy Reference / AWS Policies / AWS General Policies

AWS AppSync’s logging is disabled
Last Updated: Fri May 26 18:12:21 UTC 2023
Current Version: Prisma Cloud Enterprise Edition

    Table of Contents


    Prisma Cloud Code Security Policy Reference
    Alibaba Policies
    Alibaba General Policies
    Alibaba Cloud database instance accessible to public
    Alibaba Cloud Disk is not encrypted with Customer Master Key
    Alibaba Cloud disk encryption is disabled
    Alibaba Cloud KMS Key Rotation is disabled
    Alibaba Cloud MongoDB does not have transparent data encryption enabled
    Alibaba Cloud OSS bucket has transfer Acceleration disabled
    Alibaba Cloud OSS bucket has versioning disabled
    Alibaba Cloud OSS bucket is not encrypted with Customer Master Key
    Alibaba Cloud OSS bucket accessible to public
    Alibaba Cloud RDS instance has log_disconnections disabled
    Alibaba Cloud KMS Key is disabled
    Alibaba Cloud RDS instance does not have log_duration enabled
    Alibaba Cloud RDS instance is not set to perform auto upgrades for minor versions
    Alibaba Cloud RDS log audit is disabled
    Alibaba RDS instance has log_connections disabled
    Alibaba IAM Policies
    Alibaba Cloud RAM password policy maximal login attempts is more than 4
    Alibaba Cloud RAM does not enforce MFA
    Alibaba Cloud RAM password policy does not expire in 90 days
    Alibaba Cloud RAM password policy does not prevent password reuse
    Alibaba Cloud RAM password policy does not have a lowercase character
    Alibaba Cloud RAM password policy does not have a number
    Alibaba Cloud RAM password policy does not have a symbol
    Alibaba Cloud RAM password policy does not have an uppercase character
    Alibaba Cloud RAM password policy does not have a minimum of 14 characters
    Alibaba Kubernetes Policies
    Alibaba Cloud Kubernetes does not install plugin Terway or Flannel to support standard policies
    Alibaba Cloud Kubernetes node pools are not set to auto repair
    Alibaba Logging Policies
    Alibaba Cloud Action Trail Logging is not enabled for all events
    Alibaba Cloud Action Trail Logging is not enabled for all regions
    Alibaba Cloud OSS bucket has access logging disabled
    Alibaba Cloud RDS Instance SQL Collector Retention Period is less than 180 days
    Alibaba Cloud Transparent Data Encryption is disabled on instance
    Alibaba Networking Policies
    Alibaba cloud ALB ACL does not restrict public access
    Alibaba Cloud API Gateway API Protocol does not use HTTPS
    Alibaba Cloud Cypher Policy is not secured
    Alibaba Cloud MongoDB instance is public
    Alibaba Cloud Mongodb instance does not use SSL
    Alibaba Cloud MongoDB is not deployed inside a VPC
    Alibaba Cloud RDS instance does not use SSL
    Alibaba Cloud Security group allow internet traffic to SSH port (22)
    Alibaba Cloud Security group allow internet traffic to RDP port (3389)
    API Policies
    OpenAPI Policies
    OpenAPI If the security scheme is not of type 'oauth2', the array value must be empty
    OpenAPI Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error
    OpenAPI Security requirement not defined in the security definitions
    Cleartext credentials over unencrypted channel should not be accepted for the operation
    OpenAPI Security Definitions Object should be set and not empty
    OpenAPI Security object needs to have defined rules in its array and rules should be defined in the securityScheme
    AWS Policies
    AWS General Policies
    Autoscaling groups did not supply tags to launch configurations
    AWS Image Builder component not encrypted using Customer Managed Key
    AWS FSx ONTAP file system not encrypted using Customer Managed Key
    AWS MQBroker audit logging is disabled
    AWS S3 Object Copy not encrypted using Customer Managed Key
    AWS Doc DB not encrypted using Customer Managed Key
    AWS EBS Snapshot Copy not encrypted using Customer Managed Key
    AWS Elastic File System (EFS) is not encrypted using Customer Managed Key
    AWS Kinesis streams encryption is using default KMS keys instead of Customer’s Managed Master Keys
    AWS S3 bucket Object not encrypted using Customer Managed Key
    AWS Sagemaker domain not encrypted using Customer Managed Key
    AWS EBS Volume not encrypted using Customer Managed Key
    AWS FSx for Lustre file system not configured with a CMK
    AWS ElastiCache replication group not configured with a CMK
    AWS Kinesis streaming data unencrypted
    AWS Amazon Kinesis Data Firehose (DAX) not encrypted at rest
    ECR image tags are not immutable
    AWS resources that support tags do not have Tags
    AWS CloudFront web distribution with AWS Web Application Firewall (AWS WAF) service disabled
    DocumentDB is not encrypted at rest
    Athena Database is not encrypted at rest
    CodeBuild project encryption is disabled
    AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2)
    MSK cluster encryption at rest and in transit is not enabled
    Athena workgroup does not prevent disabling encryption
    Glue Data Catalog encryption is not enabled
    Not all data stored in Aurora is securely encrypted at rest
    EFS volumes in ECS task definitions do not have encryption in transit enabled
    AWS SageMaker endpoint not configured with data encryption at rest using KMS key
    AWS Glue security configuration encryption is not enabled
    Neptune cluster instance is publicly available
    AWS Load Balancer is not using TLS 1.2
    AWS Kinesis Video Stream not encrypted using Customer Managed Key
    AWS FSx Windows file system not encrypted using Customer Managed Key
    Postgres RDS does not have Query Logging enabled
    Deletion protection disabled for load balancer
    AWS QLDB ledger deletion protection is disabled
    AWS API Gateway caching is disabled
    AWS ACM certificate does not have a logging preference set
    AWS all data stored in the Elasticsearch domain is not encrypted using a Customer Managed Key (CMK)
    AWS AMI copying does not use a Customer Managed Key (CMK)
    AWS AMI launch permissions are not limited
    AWS AMIs are not encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)
    AWS API deployments do not enable Create before Destroy
    AWS API Gateway Domain does not use a modern security policy
    AWS API Gateway does not enable Create before Destroy
    AWS API Gateway method settings do not enable caching
    AWS App Flow connector profile does not use Customer Managed Keys (CMKs)
    AWS App Flow flow does not use Customer Managed Keys (CMKs)
    AWS Appsync API Cache is not encrypted at rest
    AWS Appsync API Cache is not encrypted in transit
    AWS AppSync has field-level logs disabled
    AWS AppSync is not protected by WAF
    AWS AppSync’s logging is disabled
    AWS Lambda function URL AuthType set to NONE
    AWS Batch Job is defined as a privileged container
    AWS Cloudfront distribution is disabled
    AWS CloudFront response header policy does not enforce Strict Transport Security
    AWS CloudSearch does not use HTTPS
    AWS CloudSearch does not use the latest TLS (Transport Layer Security) version
    AWS CloudTrail does not define an SNS Topic
    AWS CloudTrail logging is disabled
    AWS cluster logging is not encrypted using a Customer Managed Key (CMK)
    AWS Code Artifact Domain is not encrypted by KMS using a Customer Managed Key (CMK)
    AWS CodeCommit branch changes require fewer than 2 approvals
    AWS Codecommit is not associated with an approval rule
    AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
    AWS Config must record all possible resources
    AWS Config Recording is disabled
    AWS copied AMIs are not encrypted
    AWS DAX cluster endpoint does not use TLS (Transport Layer Security)
    AWS DB instance does not get all minor upgrades automatically
    AWS DLM cross-region events are not encrypted with a Customer Managed Key (CMK)
    AWS DLM cross-region events are not encrypted
    AWS DLM cross-region schedules are not encrypted using a Customer Managed Key (CMK)
    AWS DLM cross-region schedules are not encrypted
    AWS DMS instance does not receive all minor updates automatically
    AWS EBS Volume is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
    AWS ECS Cluster does not enable logging of ECS Exec
    AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to disabled
    AWS Elasticsearch domain does not use an updated TLS policy
    AWS FSx OpenZFS file system is not encrypted by AWS Key Management Service (KMS) using a Customer Managed Key (CMK)
    AWS Glue component is not associated with a security configuration
    AWS GuardDuty detector is not enabled
    AWS Image Builder Distribution Configuration is not encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK)
    AWS Image Recipe EBS Disk are not encrypted using a Customer Managed Key (CMK)
    AWS Kendra index Server side encryption does not use Customer Managed Keys (CMKs)
    AWS HTTP and HTTPS target groups do not define health check
    AWS Key Management Service (KMS) key is disabled
    AWS Keyspace Table does not use Customer Managed Keys (CMKs)
    AWS Kinesis Firehose Delivery Streams are not encrypted with CMK
    AWS Kinesis Firehose’s delivery stream is not encrypted
    AWS MemoryDB data is not encrypted in transit
    AWS MemoryDB is not encrypted at rest by AWS Key Management Service (KMS) using CMKs
    AWS MQBroker is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
    AWS MQBroker version is not up to date
    AWS MQBroker’s minor version updates are disabled
    AWS MWAA environment has scheduler logs disabled
    AWS MWAA environment has webserver logs disabled
    AWS MWAA environment has worker logs disabled
    AWS RDS Cluster activity streams are not encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)
    AWS RDS DB snapshot does not use Customer Managed Keys (CMKs)
    AWS RDS PostgreSQL exposed to local file read vulnerability
    AWS RDS does not use a modern CA certificate
    AWS replicated backups are not encrypted at rest by Key Management Service (KMS) using a Customer Managed Key (CMK)
    AWS SSM Parameter is not encrypted
    AWS Terraform sends SSM secrets to untrusted domains over HTTP
    Backup Vault is not encrypted at rest using KMS CMK
    DocDB does not have audit logs enabled
    DynamoDB point in time recovery is not enabled for global tables
    AWS EBS default encryption is disabled for the region
    AWS EMR cluster is not configured with SSE KMS for data at rest encryption (Amazon S3 with EMRFS)
    Glacier Vault access policy is public and not restricted to specific services or principals
    GuardDuty is not enabled to specific org/region
    AWS Postgres RDS have Query Logging disabled
    AWS provisioned resources are manually modified
    QLDB ledger permissions mode is not set to STANDARD
    AWS Redshift does not have require_ssl configured
    Route53 A Record does not have Attached Resource
    Session Manager data is not encrypted in transit
    SNS topic policy is public and access is not restricted to specific services or principals
    SQS queue policy is public and access is not restricted to specific services or principals
    Amazon ElastiCache Redis clusters do not have automatic backup turned on
    Athena Workgroup is not encrypted
    DynamoDB Tables do not have Auto Scaling enabled
    AWS Lambda function is not configured for a DLQ
    AWS Lambda function is not configured for function-level concurrent execution Limit
    AWS Lambda function is not configured to access resources within a VPC
    AWS CloudWatch Log groups encrypted using default encryption key instead of KMS CMK
    CodeBuild projects are not encrypted
    Unencrypted DynamoDB Tables
    EBS does not have an AWS Backup backup plan
    EC2 instance is not EBS-optimized
    Unencrypted ECR repositories
    Amazon EFS does not have an AWS Backup backup plan
    Elastic load balancers do not use SSL Certificates provided by AWS Certificate Manager
    AWS EMR cluster is not configured with Kerberos Authentication
    Unencrypted EBS volumes are attached to EC2 instances
    AWS RDS cluster delete protection is disabled
    RDS clusters do not have an AWS Backup backup plan
    AWS RDS DB snapshot is not encrypted
    Unencrypted RDS global clusters
    AWS RDS instance without Automatic Backup setting
    AWS Redshift Cluster not encrypted using Customer Managed Key
    Redshift cluster automatic version upgrade is not allowed
    S3 bucket cross-region replication disabled
    S3 bucket lock configuration disabled
    S3 buckets are not encrypted with KMS
    AWS Secrets Manager secret is not encrypted using KMS CMK
    Timestream database is not encrypted with KMS CMK
    Workspace root volumes are not encrypted
    Workspace user volumes are not encrypted
    AWS ElastiCache Redis cluster with in-transit encryption disabled (Replication group)
    AWS ElastiCache Redis cluster with Redis AUTH feature disabled
    EBS volumes do not have encrypted launch configurations
    AWS SageMaker notebook instance not configured with data encryption at rest using KMS key
    AWS SNS topic has SSE disabled
    AWS SQS Queue not configured with server side encryption
    AWS Elastic File System (EFS) with encryption for data at rest is disabled
    Neptune storage is not securely encrypted
    AWS Redshift instances are not encrypted
    AWS EBS volumes are not encrypted
    AWS RDS DB cluster encryption is disabled
    DynamoDB PITR is disabled
    Not all data stored in the EBS snapshot is securely encrypted
    RDS instances do not have Multi-AZ enabled
    ECR image scan on push is not enabled
    AWS ElastiCache Redis cluster with encryption for data at rest disabled
    Elasticsearch Policies
    AWS Elasticsearch domain encryption for data at rest disabled
    AWS Elasticsearch does not have node-to-node encryption enabled
    AWS Elasticsearch domain is not configured with HTTPS
    AWS Elasticsearch domain logging not enabled
    AWS IAM Policies
    AWS IAM policy documents do not allow * (asterisk) as a statement’s action
    AWS IAM role allows all services or principals to be assumed
    AWS IAM policy does allow assume role permission across all services
    AWS SQS queue access policy is overly permissive
    AWS EC2 Instance IAM Role not enabled
    IAM User has access to the console
    AWS CloudFront distribution with S3 origin has Origin Access disabled
    Credentials exposure actions return credentials in an API response
    Data exfiltration allowed without resource constraints
    Resource exposure allows modification of policies and exposes resources
    Write access allowed without constraint
    IAM policies allow privilege escalation
    AWS KMS Key policy overly permissive
    AWS RDS cluster not configured with IAM authentication
    RDS database does not have IAM authentication enabled
    AWS S3 buckets are accessible to any authenticated user
    Not all IAM users are members of at least one IAM group
    IAM authentication for Amazon RDS clusters is disabled
    IAM groups do not include at least one IAM user
    Amazon RDS log exports are disabled
    AWS Execution Role ARN and Task Role ARN are different in ECS Task definitions
    AWS IAM password policy allows password reuse
    AWS IAM password policy does not expire in 90 days
    AWS IAM policy attached to users
    AWS IAM policies that allow full administrative privileges are created
    AWS IAM policy documents allow * (asterisk) as a statement’s action
    AWS IAM password policy does not have an uppercase character
    AWS IAM password policy does not have a lowercase character
    AWS IAM password policy does not have a symbol
    AWS IAM password policy does not have a number
    AWS IAM password policy does not have a minimum of 14 characters
    AWS Kubernetes Policies
    AWS EKS cluster security group is overly permissive to all traffic
    AWS EKS cluster endpoint access publicly enabled
    AWS EKS cluster does not have secrets encryption enabled
    AWS EKS control plane logging disabled
    AWS EKS node group has implicit SSH access from 0.0.0.0/0
    AWS Logging Policies
    Amazon MQ Broker logging is not enabled
    AWS ECS cluster with container insights feature disabled
    AWS Redshift database does not have audit logging enabled
    AWS Elastic Load Balancer v2 (ELBv2) with access log disabled
    AWS Elastic Load Balancer (Classic) with access log disabled
    Neptune logging is not enabled
    AWS WAF Web Access Control Lists logging is disabled
    AWS WAF2 does not have a Logging Configuration
    API Gateway stage does not have logging level defined appropriately
    CloudTrail trail is not integrated with CloudWatch Log
    AWS Postgres RDS have Query Logging disabled
    AWS CloudFormation stack configured without SNS topic
    AWS EC2 instance detailed monitoring disabled
    AWS RDS instance Enhanced Monitoring is disabled
    AWS CloudTrail is not enabled with multi trail and not capturing all management events
    AWS CloudWatch Log groups not configured with definite retention days
    API Gateway does not have X-Ray tracing enabled
    Global Accelerator does not have Flow logs enabled
    API Gateway does not have access logging enabled
    Amazon MSK cluster logging is not enabled
    AWS DocumentDB logging is not enabled
    AWS CloudTrail log validation is not enabled in all regions
    AWS CloudFront distribution with access logging disabled
    AWS config is not enabled in all regions
    AWS CloudTrail logs are not encrypted using Customer Master Keys (CMKs)
    AWS Customer Master Key (CMK) rotation is not enabled
    AWS VPC Flow Logs not enabled
    AWS Networking Policies
    DocDB TLS is disabled
    AWS CloudFront web distribution using insecure TLS version
    AWS WAF does not have associated rules
    AWS CloudFront distribution does not have a strict security headers policy attached
    AWS ACM certificate does not enable Create before Destroy
    AWS CloudFront web distribution with default SSL certificate
    AWS Database Migration Service endpoint does not have SSL configured
    AWS Elasticache security groups are not defined
    AWS Elasticsearch uses the default security group
    AWS ELB policy uses insecure protocols
    AWS NACL allows ingress from 0.0.0.0/0 to port 20
    AWS NACL allows ingress from 0.0.0.0/0 to port 21
    AWS NACL allows ingress from 0.0.0.0/0 to port 22
    AWS NACL allows ingress from 0.0.0.0/0 to port 3389
    AWS NAT Gateways are not utilized for the default route
    AWS RDS security groups are not defined
    AWS route table with VPC peering overly permissive to all traffic
    AWS Security Group allows all traffic on all ports
    AWS security groups allow ingress from 0.0.0.0/0 to port 80
    Default VPC is planned to be provisioned
    Public API gateway not configured with AWS Web Application Firewall v2 (AWS WAFv2)
    AWS Application Load Balancer (ALB) not configured with AWS Web Application Firewall v2 (AWS WAFv2)
    Redshift is deployed outside of a VPC
    ALB does not drop HTTP headers
    ALB does not redirect HTTP requests into HTTPS ones
    Not all EIP addresses allocated to a VPC are attached to EC2 instances
    Not all NACL are attached to subnets
    Amazon EMR clusters' security groups are open to the world
    AWS Redshift cluster is publicly accessible
    Auto scaling groups associated with a load balancer do not use elastic load balancing health checks
    AWS SageMaker notebook instance configured with direct internet access feature
    AWS Elasticsearch is not configured inside a VPC
    AWS Elastic Load Balancer (Classic) with cross-zone load balancing disabled
    Load Balancer (Network/Gateway) does not have cross-zone load balancing enabled
    Security Groups are not attached to EC2 instances or ENIs
    VPC endpoint service is not configured for manual acceptance
    AWS Transfer Server is exposed publicly
    AWS VPC subnets should not allow automatic public IP assignment
    WAF enables message lookup in Log4j2
    AWS Security Group allows all traffic on SSH port (22)
    AWS Security Group allows all traffic on RDP port (3389)
    AWS Elastic Load Balancer v2 (ELBv2) listener allows connection requests over HTTP
    Not every Security Group rule has a description
    CloudFront distribution ViewerProtocolPolicy is not set to HTTPS
    AWS Default Security Group does not restrict all traffic
    S3 Bucket does not have public access blocks
    Public Policies
    AWS Private ECR repository policy is overly permissive
    AWS MQ is publicly accessible
    AWS EC2 instances with public IP and associated with security groups have Internet access
    DMS replication instance is publicly accessible
    AWS RDS database instance is publicly accessible
    AWS API gateway methods are publicly accessible
    AWS Redshift clusters should not be publicly accessible
    S3 Policies
    AWS S3 bucket has block public access setting disabled
    AWS S3 Bucket BlockPublicPolicy is not set to True
    AWS S3 bucket IgnorePublicAcls is not set to True
    AWS S3 bucket RestrictPublicBucket is not set to True
    AWS S3 bucket policy overly permissive to any principal
    AWS S3 bucket is not configured with MFA Delete
    AWS S3 bucket ACL grants READ permission to everyone
    AWS Access logging not enabled on S3 buckets
    AWS S3 buckets do not have server side encryption
    AWS S3 Object Versioning is disabled
    AWS S3 Bucket has an ACL defined which allows public WRITE access
    Secrets Policies
    EC2 user data exposes secrets
    Lambda function’s environment variables expose secrets
    AWS access keys and secrets are hard coded in infrastructure
    AWS Serverless Policies
    AWS Lambda functions with tracing not enabled
    AWS Lambda environment variable encryption settings are not set properly
    Azure Policies
    Azure General Policies
    Azure VM data disk is not encrypted with ADE/CMK
    Azure Linux scale set does not use an SSH key
    Virtual Machine extensions are installed
    Azure App Service Web app authentication is off
    Azure Microsoft Defender for Cloud security contact phone number is not set
    Azure Microsoft Defender for Cloud email notification for subscription owner is not set
    Azure SQL Server threat detection alerts are not enabled for all threat types
    Azure SQL server send alerts to field value is not set
    Azure SQL Databases with disabled Email service and co-administrators for Threat Detection
    Azure PostgreSQL Database Server 'Allow access to Azure services' enabled
    Azure Built-in logging for Azure function app is disabled
    Azure Client Certificates are not enforced for API management
    Azure Cognitive Services does not use Customer Managed Keys (CMKs) for encryption
    Azure Data exfiltration protection for Azure Synapse workspace is disabled
    Azure Machine Learning Compute Cluster Minimum Nodes is not set to 0
    Azure PostgreSQL Flexible Server does not enable geo-redundant backups
    Azure resources that support tags do not have tags
    Azure SQL Server does not have default auditing policy configured
    Azure Virtual machine enables password authentication
    Storage Account name does not follow naming rules
    Azure App Service FTP deployment is set to All allowed
    MSSQL is not using the latest version of TLS encryption
    MySQL is not using the latest version of TLS encryption
    Azure Microsoft Defender for Cloud Defender plan is set to Off
    Storage for critical data is not encrypted with Customer Managed Key
    Active Directory is not used for authentication for Service Fabric
    App services do not use Azure Files
    Automatic OS image patching is disabled for Virtual Machine scale sets
    Azure Automation account variables are not encrypted
    Azure SQL servers do not have an Azure Active Directory admin configured
    Azure Batch account does not use key vault to encrypt data
    Azure Data Explorer encryption at rest does not use a customer-managed key
    Azure Data Explorer does not use disk encryption
    Azure Data Explorer does not use double encryption
    Azure data factories are not encrypted with a customer-managed key
    Azure Data Factory does not use Git repository for source control
    Azure Microsoft Defender for Cloud is set to Off for App Service
    Azure Microsoft Defender for Cloud is set to Off for Azure SQL Databases
    Azure Microsoft Defender for Cloud is set to Off for Container Registries
    Azure Microsoft Defender for Cloud is set to Off for Key Vault
    Azure Security Center Defender set to Off for Kubernetes
    Azure Microsoft Defender for Cloud is set to Off for Servers
    Azure Microsoft Defender for Cloud is set to Off for SQL servers on machines
    Azure Microsoft Defender for Cloud is set to Off for Storage
    CORS allows resources to access app services
    CORS allows resources to access function apps
    Cosmos DB Accounts do not have CMKs encrypting data at rest
    Unencrypted Data Lake Store accounts
    Azure Function App authentication is off
    Azure Function App does not use HTTP/2
    Azure App Service Web app does not use latest Java version
    Azure Key Vault Purge protection is not enabled
    Key vault does not enable soft-delete
    Key vault key is not backed by HSM
    Key vault secrets do not have content_type set
    Managed disks do not use a specific set of disk encryption sets for customer-managed key encryption
    Azure App Service Web app does not have a Managed Service Identity
    MariaDB server does not enable geo-redundant backups
    Microsoft Antimalware is not configured to automatically update Virtual Machines
    MySQL server disables geo-redundant backups
    MySQL server does not enable Threat Detection policy
    MySQL server does not enable customer-managed key for encryption
    Azure App Service Web app does not use the latest .NET Framework version
    Azure App Service Web app does not use latest PHP version
    PostgreSQL server does not enable customer-managed key for encryption
    PostgreSQL server does not enable geo-redundant backups
    MySQL server disables infrastructure encryption
    PostgreSQL server does not enable infrastructure encryption
    PostgreSQL server does not enable Threat Detection policy
    Azure App Service Web app does not use latest Python version
    Azure App Services Remote debugging is enabled
    Azure Microsoft Defender for Cloud security alert email notifications is not set
    Service Fabric does not use three levels of protection available
    Azure SQL server Defender setting is set to Off
    Azure Storage account encryption with CMKs is disabled
    Unattached disks are not encrypted
    Azure SQL Server ADS Vulnerability Assessment (VA) 'Also send email notifications to admins and subscription owners' is disabled
    Azure SQL Server ADS Vulnerability Assessment (VA) Periodic recurring scans is disabled
    Azure SQL Server ADS Vulnerability Assessment (VA) 'Send scan reports to' is not configured
    Virtual machine scale sets do not have encryption at host enabled
    Virtual Machines are not backed up using Azure Backup
    Azure Linux and Windows Virtual Machines do not utilize Managed Disks
    Azure SQL Server ADS Vulnerability Assessment (VA) is disabled
    Azure Key Vault is not recoverable
    Azure Virtual Machines do not utilise Managed Disks
    Azure IAM Policies
    App Service is not registered with an Azure Active Directory account
    Azure subscriptions with custom roles do not have minimum permissions
    Azure CosmosDB does not have Local Authentication disabled
    Azure ACR enables anonymous image pulling
    Azure Kubernetes Service (AKS) local admin account is enabled
    Azure Machine Learning Compute Cluster Local Authentication is enabled
    Azure Windows VM does not enable encryption
    Azure Kubernetes Policies
    Azure AKS cluster monitoring not enabled
    Azure AKS role-based access control (RBAC) is not enforced
    AKS API server does not define authorized IP ranges
    Azure AKS cluster network policies are not enforced
    Kubernetes dashboard is not disabled
    AKS is not enabled for private clusters
    AKS does not use Azure policies add-on
    AKS does not use disk encryption set
    Azure Logging Policies
    Azure Network Watcher Network Security Group (NSG) flow logs retention is less than 90 days
    Azure SQL Server auditing policy is disabled
    Azure SQL Server audit log retention is not greater than 90 days
    Azure storage account logging for queues is disabled
    Azure Monitor log profile does not capture all activities