Skip to content

Policies

Brian Roe edited this page Dec 6, 2019 · 135 revisions

PacBot Policies

  1. Security Groups should not have an inbound rule allowing 0.0.0.0/0 for non DMZ resources.

  2. RDS snapshots should not be publicly accessible.

  3. EC2 instances should not have any publicly accessible ports.

  4. EC2 instances should not have GuardDuty findings.

  5. Security Groups with RDP port 3389 should not be publicly accessible.

  6. Amazon EBS volumes should not be underutilized.

  7. EBS snapshots should not be publicly accessible.

  8. RDS snapshots should not be publicly accessible.

  9. Amazon Redshift clusters should not be underutilized.

  10. ElasticIPs should not be in unused state.

  11. Amazon RDS DB instances should not be idle.

  12. Application ELB should not be in unused state.

  13. RDS database endpoints should not be publicly accessible.

  14. All AWS accounts should follow the IAM password policy.

  15. AWS GuardDuty service should be enabled on all regions of all AWS accounts.

  16. Security Groups should not be in unused state.

  17. EBS volumes should not be in unused state.

  18. Load balancer should not be idle.

  19. Classic ELB should not be in unused state.

  20. EC2 instances should not be in stopped state for more than 60 days.

  21. VPC flow logs should be enabled for all VPCs.

  22. Deprecated EC2 instances types should not be used to launch instances.

  23. Amazon EC2 instances should not have low utilization.

  24. CORP ADFS integrated AWS accounts should not have IAM account for individuals.

  25. Non Admin IAM roles should not have full IAM access.

  26. Lambda function invocations count should not exceed the threshold.

  27. All MongoDB instances should be protected with access control mechanism.

  28. IAM access key must be rotated every 90 days.

  29. All publicly accessible API behind API gateway should be protected with at least one custom authorizer.

  30. IAM users should not be inactive for more than 90 days.

  31. AWS service limits should be upgraded to match growing needs.

PacBot Policies from Release 1.1

  1. Application ELB should be tagged with mandatory tags.

  2. Auto scaling groups should be tagged with mandatory tags.

  3. Classic ELB should be tagged with mandatory tags.

  4. Cloudfront should be tagged with mandatory tags.

  5. Dynamo db should be tagged with mandatory tags.

  6. EC2 instances should be tagged with mandatory tags.

  7. EFS should be tagged with mandatory tags.

  8. Elasticache should be tagged with mandatory tags.

  9. AWS EMR should be tagged with mandatory tags.

  10. AWS KMS should be tagged with mandatory tags.

  11. Lambda functions should be tagged with mandatory tags.

  12. RDS database should be tagged with mandatory tags.

  13. Redshift should be tagged with mandatory tags.

  14. S3 should be tagged with mandatory tags

  15. Security Groups should be tagged with mandatory tags.

  16. EBS volumes should be tagged with mandatory tags

  17. Cloud formation stacks should be tagged with mandatory tags.

  18. Subnets should be tagged with mandatory tags.

  19. EBS volumes should be tagged with mandatory tags.

  20. VPCs should be tagged with mandatory tags.

  21. Elasticsearch resources should be tagged with mandatory tags.

  22. API resource should have a standard region.

  23. App ELB resource should have a standard region.

  24. Dynamo DB should have a standard region.

  25. EFS resource should have a standard region.

  26. Elasticache resource should have a standard region.

  27. ElasticIP resource should have a standard region.

  28. Elasticsearch resource should have a standard region.

  29. EMR resource should have a standard region.

  30. ENI resource should have a standard region.

  31. KMS resource should have a standard region.

  32. RDS DB resource should have a standard region.

  33. Redshift resource should have a standard region.

  34. VPC resource should have a standard region.

  35. ASG should have a standard region.

  36. Classic ELB should have a standard region.

  37. Lambda should have a standard region.

  38. LaunchConfig should have a standard region.

  39. RDS Snapshot should have a standard region.

  40. EC2 instance should have a standard region.

  41. S3 should have a standard region.

  42. Security Group should have a standard region.

  43. Snapshot should have a standard region.

  44. Stack should have a standard region.

  45. Subnet should have a standard region.

  46. EBS Volume should have a standard region.

  47. SNS Topic should have a standard region.

  48. EC2 instances should not be publicly accessible on port 80.

  49. Elasticsearch endpoint should not be publicly accessible.

  50. Application ELB should not be publicly accessible.

  51. Classic ELB should not be publicly accessible.

  52. Redshift-attached Security Group should not be publicly accessible.

  53. Non-whitelisted S3 buckets should not be publicly accessible.

  54. Unapproved Security Groups should not have inbound rule allowing 0.0.0.0/0 for any port.

  55. Security Group with SSH port 22 should not be publicly accessible.

  56. Non-Whitelisted SQS resources should not be publicly accessible.

  57. EBS volumes should not be in unused or untagged state.

PacBot Policies from Release 1.2

  1. Non-Whitelisted IAM users should not have core networking privileges.

  2. Non-whitelisted IAM Roles should not have core networking privileges.

  3. Non-Whitelisted IAM Role should not have EC2 RunInstance privilege.

  4. Non-whitelisted IAM Role should not have Lambda privilege.

PacBot Policies from Release 1.3

  1. Service Account should not have listed privileges.

  2. EC2 instances should not be publicly accessible on port 8080.

  3. EC2 instances should not be publicly accessible on port 138.

  4. EC2 instances should not be publicly accessible on default MySQL port 3306.

  5. CloudFront should not have unauthorized HTML content.

PacBot Policies from Release 1.4

  1. S3 bucket should not have hosting website or redirecting requests.

  2. Unauthorized Cloudfront content distribution.

  3. EC2 instances should not be publicly accessible on default SQL Browser port 1434.

  4. EC2 instances should not be publicly accessible on default POSTGRESQL port 5432.

  5. EC2 instances should not be publicly accessible on port 3389.

  6. MFA should be enabled for Root User.

  7. CloudTrail should be enabled in multi region.

  8. ACM Certificate should not expire in a configurable number of days from the current date.

  9. IAM certificate should not expire in mentioned days from current date.

  10. Access log should be enabled to ELB and attached to mentioned bucket.

  11. Access log should be enabled to CloudFront and attached to mentioned bucket.

PacBot Policies from Release 1.5

  1. Private S3 buckets should be enabled with access logs.

  2. All CloudWatch events from all accounts should be sent to dedicated account default event bus.

  3. Low Utilization Amazon EC2 Instances Rule.

PacBot Policies from Release 1.6

  1. An EC2 instance should not have an S3, S4 or S5 vulnerability.

  2. EC2 Public Access Port With S5 vulnerability.

  3. Every EC2 instance should be scanned by the Qualys vulnerability assessment tool at least once a month.

PacBot Policies from Release 2.0 (Azure Policies)

  1. Install a monitoring agent on your machines.

  2. Apply a Just-In-Time network access control.

  3. Remediate vulnerabilities by a vulnerability Assessment solution.

  4. Enable adaptive application controls.

  5. Resolve monitoring agent health issues on your machines.

  6. Close management ports on your Virtual Machines.

  7. Enable Network Security Groups on Virtual Machines.

  8. Install a vulnerability assessment solution on your Virtual Machines.

  9. Harden Network Security Group rules of publicly accessible Virtual Machines.

  10. Blob Container should be tagged with mandatory tags.

  11. Disk should be tagged with mandatory tags.

  12. Storage Account should be tagged with mandatory tags.

  13. Resource Group should be tagged with mandatory tags.

  14. Security Center should be tagged with mandatory tags.

  15. Network Interface should be tagged with mandatory tags.

  16. NSG should be tagged with mandatory tags.

  17. VNet should be tagged with mandatory tags.

  18. Virtual Machine should be tagged with mandatory tags.

  19. SQL Database should be tagged with mandatory tags.

  20. Databricks should be tagged with mandatory tags.

  21. Sql Server should be tagged with mandatory tags.

  22. Load Balancer should be tagged with mandatory tags.

  23. MySQL Server should be tagged with mandatory tags.

Non-whitelisted S3 buckets should not be publicly accessible.

Prerequisite: S3 inventory

Description

Unprotected S3 buckets are one of the major causes of data theft and intrusions. With the exception of S3 buckets used for hosting public websites, no S3 buckets should be publicly accessible for unauthenticated users or for 'Any AWS Authenticated Users'.

AWS S3 buckets cannot be publicly accessible for READ/WRITE actions in order to protect S3 data from unauthorized users. An S3 bucket that allows WRITE (UPLOAD/DELETE) access to everyone (i.e. anonymous users) can provide attackers the capability to add, delete and replace objects within the bucket, which can lead to data loss, unintended changes to applications using the S3 bucket, a big bill or all three.

Resolution

To remediate this issue:

  1. S3 buckets should be protected by using the bucket ACL and bucket policies.
  2. If you want to share data via S3 buckets to other users.
  3. you could create pre-signed URLs which will be valid only for short duration.
  4. For example, the following command will generate a pre-signed URL for the file 'samplefile.zip': aws s3 presign --expires-in 36000 s3://sharedfolder/samplefile.zip
  5. This command will generate pre-signed URLS for every object in a S3 bucket.
aws s3 ls --recursive s3://sharedfolder | awk '{print $4}' | while read line; do aws s3 presign --expires-in 36000 s3://sharedfolder/$line; done
  1. For all automation-related work, use the bucket policy and grant access to the required roles.

Security Groups should not have inbound rule allowing 0.0.0.0/0 for non-DMZ resources.

Prerequisite: Security Groups inventory

Description

It is best practice to allow required IP ranges and specific port in the security groups that will be used for securing EC2 instances in private subnets.

Resolution

To remediate this issue:

  1. Edit the Security Groups and allow only specific IP ranges and ports.

RDS snapshots should not be publicly accessible.

Prerequisite: RDS Snapshot inventory

Description

An RDS snapshot may contain sensitive or customer information. No RDS snapshot should be made public, although there may be some rare cases where this is required. Such cases have to go through the exception process.

Resolution

To remediate this issue:

  1. Make the snapshot private.

EC2 instances should not have any publicly accessible ports.

Prerequisite: EC2 inventory

Description

EC2 instances should not be publicly accessible from internet (Except for the servers in DMZ zone). Ideally these instances should be behind a firewall (AWS WAF or any other firewall).

Resolution

To remediate this issue:

  1. Do not allow public access to well known ports of an EC2 instance directly.

EC2 instance should not have GuardDuty findings.

Prerequisite: EC2 inventory

Description

Amazon GuardDuty is a managed threat detection service that continuously monitors your VPC flow logs, CloudTrail event logs and DNS logs for malicious or unauthorized behavior. When GuardDuty detects a suspicious or unexpected behavior in your AWS account, it generates a finding. A finding is a notification that contains information about a potential security threat identified by the GuardDuty service. The finding details includes data about the finding actor, the AWS resource(s) involved in the suspicious activity, the time when the activity occurred and so on.

Resolution

To remediate this issue:

  1. Follow the step by step guide line provided for each finding from the GuardDuty console.

Security Group with RDP port 3389 should not be publicly accessible.

Prerequisite: Security Group inventory

Description

Global permission to access the well known services like RDP on port 3389 (Windows RDP) should not be allowed.

Resolution

To remediate this issue:

  1. Do not allow public access to well known ports of an EC2 instance directly (except for 80 and 443).

Amazon EBS volumes should not be underutilized.

Prerequisite: EBS Volume inventory

Description

Charges begin when a volume is created. If a volume remains unattached or has very low write activity (excluding boot volumes) for a period of time, the volume is probably not being used.

Resolution

To remediate this issue:

  1. Consider creating a snapshot and deleting the volume to reduce costs.

Alert Criteria

Yellow: A volume is unattached or had less than 1 IOPS per day for the past 7 days.

EBS snapshots should not be publicly accessible.

Prerequisite: EBS Snapshot inventory

Description

Depending on the purpose for which the EBS was used, the snapshot might carry sensitive information about its cloud ecosystem, customer PII, customer CPNI or other sensitive data. The cases where a publicly accessible snapshot is very rare; such cases have to go through an exception process.

Resolution

To remediate this issue:

  1. Make the snapshot private.

RDS snapshot should not be publicly accessible.

Prerequisite: Snapshot inventory

Description

An RDS snapshot may contain sensitive or customer information. No RDS snapshot should be made public from our accounts. There are very rare cases where this might be required. Those cases have to go through an exception process.

Resolution

To remediate this issue:

  1. Make the snapshot private.

Amazon Redshift clusters should not be underutilized.

Prerequisite: Redshift inventory

Description

If an Amazon Redshift cluster has not had a connection for a prolonged period of time or is using a low amount of CPU, we can use lower-cost options such as downsizing the cluster or shutting down the cluster and taking a final snapshot.

Alert Criteria

Yellow: A running cluster has not had a connection in the last 7 days. Yellow: A running cluster had less than 5% cluster-wide average CPU utilization for 99% of the last 7 days.

Resolution

To remediate this issue:

  1. Consider shutting down the cluster and taking a final snapshot, or
  2. Downsize the cluster.

ElasticIP should not be in unused state.

Prerequisite: ElasticIP inventory

Description

EIPs are static IP addresses designed for dynamic cloud computing. Unlike traditional static IP addresses, EIPs can mask the failure of an instance or Availability Zone by remapping a public IP address to another instance in your account. A nominal charge is imposed for an EIP that is not associated with a running instance.

Resolution

To remediate this issue:

  1. Associate the EIP with a running active instance, or
  2. Release the unassociated EIP.

Amazon RDS DB instances should not be idle.

Prerequisite: RDS DB inventory

Description

If a DB instance has not had a connection for a prolonged period of time, you can delete the instance to reduce costs. If persistent storage is needed for data on the instance, you can use lower-cost options such as taking and retaining a DB snapshot. Manually created DB snapshots are retained until you delete them.

Resolution

To remediate this issue:

  1. Consider taking a snapshot of the idle DB instance and then deleting it.

Application ELB should not be in unused state.

Prerequisite: App ELB inventory

Description

Un-used assets should be terminated promptly for obvious cost saving reasons

Resolution

To remediate this issue:

  1. Terminate the ELB if it is no longer required

RDS database endpoints should not be publicly accessible.

Prerequisite: RDS DB inventory

Description

A publicly accessible database end-point would be vulnerable to brute force login attempts and subsequent data leak /loss. Unauthorized access attempts should be restricted to minimize security risks.

Resolution

To remediate this issue:

  1. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC Security Group associated with the instance.

All AWS accounts should follow the IAM password policy.

Prerequisite: Account inventory

Description

Enforce a strong password policy on IAM console authentications. By default AWS does not configure the maximal strength password complexity policy on your behalf.

Resolution

To remediate this issue:

  1. Log into your AWS console.
  2. Go to the IAM service.
  3. On the left menu select Password Policy which should be the bottom option.
  4. Set the Minimum Password Length form field to XX (or higher) and Select each of the checkboxes so that all four required complexity options are selected.

AWS GuardDuty service should be enabled on all regions of all AWS accounts.

Prerequisite: Account inventory

Description

All the AWS accounts should have GuardDuty enabled. Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised instances or reconnaissance by attackers

Resolution

To remediate this issue:

  1. Enable GuardDuty for all regions.

Security Groups should not be in unused state.

Prerequisite: SG inventory

Description

Cleaning up un-used Security Groups is best practice to keep the Security Groups up to date and relevant.

Resolution

To remediate this issue:

  1. Delete the unused Security Groups.

EBS volumes should not be in unused state.

Prerequisite: Volume inventory

Description

Un-used assets should be terminated promptly for obvious cost saving reasons

Resolution

To remediate this issue:

  1. Delete the volume if it is no longer required

Load balancer should not be idle.

Prerequisite: Classic ELB inventory

Description

Checks your Elastic Load Balancing configuration for load balancers that are not actively used. Any load balancer that is configured accrues charges. If a load balancer has no associated back-end instances or if network traffic is severely limited, the load balancer is not being used effectively.

Resolution

To remediate this issue:

  1. If your load balancer has no active back-end instance then consider registering instances or deleting your load balancer

Classic ELB should not be in unused state.

Prerequisite: Classic ELB inventory

Description

Un-used assets should be terminated promptly for obvious cost saving reasons

Resolution

To remediate this issue:

  1. Terminate the ELB if it is no longer required

EC2 instances should not be in stopped state for more than 60 days.

Prerequisite: EC2 inventory

Description

Stopped EC2 instances still incur cost for the volumes, ElasticIP associated with it, potential AWS marketplace license costs as well.

Resolution

To remediate this issue:

  1. Terminate the EC2 instance if it is no longer required.

VPC flow logs should be enabled for all VPCs.

Prerequisite: VPC inventory

Description

VPC flow logs provide vital information for debugging and forensic exercise in case of any incidents. These should be always enabled

Resolution

To remediate this issue:

  1. Enable VPC flow logs

Deprecated EC2 instances types should not be used to launch instances.

Prerequisite: EC2 inventory

Description

Deprecated EC2 instance types (Old generation instance types) should not be used. Using old generation instance types have cost implication, they are not covered in our RI purchase as well

Resolution

To remediate this issue:

  1. Stop the instance and change the instance type to a newer generation one and start it

Amazon EC2 instances should not have low utilization.

Prerequisite: EC2 inventory

Description

Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts yu if the daily CPU utilization was 10% or less and network I/O was 5 MB or less on 4 or more days.

Resolution

To remediate this issue:

  1. Consider stopping or terminating instances that have low utilization.

AWS Accounts should have one corp AD identity provider configured.

Prerequisite: IAM User inventory

Description

Every AWS account should be configured with corp AD as IAM Identity provider. This identity provider is required for logging into AWS with our corp AD account

Resolution

To remediate this issue:

  1. Add the corp AD identity provider configuration back to the AWS account.

Non Admin IAM roles should not have full IAM access

Prerequisite: IAM Role inventory

Description

Only the role named 'Admin' should have full access to IAM. No other AWS role is supposed have IAM full access.

Resolution

To remediate this issue:

  1. Remove the IAM privileges from that role.

Lambda function invocations count should not exceed the threshold.

Prerequisite: Lambda inventory

Description

AWS Lambda is cheap but is pay per use. An errant lambda function calling itself, cyclic lambda function calls between functions can result is huge bills. Any lambda functions that is going to exceed 1 million executions a day should be reviewed.

Resolution

To remediate this issue:

  1. Review the code and design and inspect if there is any problem with the logic. If it known and expected behavior please request for an exception.

All MongoDB instances should be protected with access control mechanism.

Prerequisite: EC2 inventory

Description

To prevent data theft and data loss all, MongoDB servers should be protected with access control mechanism.

Resolution

To remediate this issue:

  1. Disable anonymous access to MongoDB

IAM access key must be rotated every 90 days.

Prerequisite: IAM User inventory

Description

Access keys of IAM accounts should be rotated every 90 days in order to decrease the likelihood of accidental exposures and protect AWS resources against unauthorized access

Resolution

To remediate this issue:

  1. Rotate the access keys every 90 days

All publicly accessible API behind API gateway should be protected with at least one custom authorizer.

Prerequisite: API inventory

Description

AWS API gateway resources are by default publicly accessible, all of the API resources should be protected by a Authorizer or a API key. Unprotected API's can lead to data leaks and security breaches.

Resolution

To remediate this issue:

  1. Protect the API gateway with an API key OR Use a custom authorizers at the gateway level

IAM users should not be inactive for more than 90 days.

Prerequisite: IAM User inventory

Description

IAM users who have not logged into AWS and have no API activity for 90 days will be considered inactive IAM users and their accounts will be terminated.

Resolution

To remediate this issue:

  1. Resolution may depend on specific IAM policies.

AWS service limits should be upgraded to match growing needs.

Prerequisite: Account inventory

Description

All AWS service limits should be extended from time to time based on the growing needs. CloudFormation execution, Autoscaling or A/B deployment for production workloads may fail if the service limit is reached causing downtime. Proactively service limits should be extended when limit thresholds reach 75% or above

Resolution

To remediate this issue:

  1. Open a case with AWS and increase the service limits

AWS Resources should be tagged with mandatory tags.

Description

All AWS assets should be tagged with following mandatory tags. Application, XXX, YYY and ZZZ. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

Note

This policy can applied for all AWS resources types which can be taggable. example(EC2/S3/Lambda/RDS.....).

AWS Resources should have a standard region.

Description

All AWS assets in T-Mobile using some standard region (us-est/west). As part of this rule if the resource finds non-standard region it should report as violation.

Resolution

To remediate this issue:

EC2 instances should not be publicly accessible on port 80.

Prerequisite: EC2 inventory

Description

Global permission to access the well known services like HTTP on port 80 should not be allowed.

Resolution

To remediate this issue:

  1. Do not allow global access to well known ports of an EC2 instance directly (except for 80 and 443).

Elasticsearch endpoint should not be publicly accessible.

Prerequisite: Elasticsearch inventory

Description

AWS Elasticsearch should not be publicly accessible from internet to protect data from unauthorized user access, data loss and possible leakage of sensitive data. As a general rule, if you need to make anything publicly accessible it has to go through security review and approval from DSO.

Resolution

To remediate this issue:

  1. Make necessary changes to the access control policy and Security Groups to make the ES endpoint private.
  2. Allow only a specific list of IP addresses
  3. Once the Elasticsearch endpoint is not publicly accessible PacBot will automatically close the issue.
  4. You can also request exception from the policy violation details page.
  5. SecOps will review and involve DSO if required and grant exception and PacBot will automatically ignore this resource till the expiry of exception.

ELB should not be publicly accessible.

Prerequisite: App ELB/Classic ELB inventory

Description

All publicly accessible ELB's will be marked as a policy violation. You would need to request an exception by providing a cloud application name. What component of the application is made public? Why it has to be public? What data will be exposed via the publicly accessible system?

The reason why all internet-facing are marked as violation is, the number of cases where we need to have internet-facing load balancers is small and these legitimate cases will be reviewed and granted exception. Developer often associate internet-facing load balancers for internal applications and end up exposing sensitive data.

Resolution

To remediate this issue:

  1. Request for an exception legitimate internet-facing ELB.

Redshift attached Security Group should not be publicly accessible.

Prerequisite: Redshift inventory

Description

A Redshift snapshot may contain sensitive or customer information. No RDS snapshot should be made public from our accounts. There are very rare cases where this might be required. Those cases have to go through an exception process.

Resolution

To remediate this issue:

  1. Make the snapshot private

Unapproved Security Groups should not have publicly accessible port.

Prerequisite: SG inventory

Description

It is a best practice to allow only required ip ranges and specific port in the Security Groups. There are cases where security group should allow access to everyone, for those cases request for an exception.

Resolution

To remediate this issue:

  1. Edit the security groups and allow only specific IP ranges and ports

Non-Whitelisted SQS resources should not be publicly accessible.

Prerequisite: SQS inventory

Description

Resolution

To remediate this issue:

EBS volumes should not be in unused or untagged state.

Prerequisite: Volume inventory

Description

AWS Volume resource should not be untagged or unused to avoid the cost.

Resolution

To remediate this issue:

Non-Whitelisted IAM users should not have core networking privileges.

Prerequisite: IAM User inventory

Description

Anyone other than administrators should not have these permissions. List of privileges it’s checking right now are

     "ec2:AssociateDhcpOptions","ec2:AssociateRouteTable","ec2:AssociateSubnetCidrBlock","ec2:AssociateVpcCidrBlock","ec2:AttachInternetGateway","ec2:AttachVpnGateway","ec2:CreateCustomerGateway","ec2:CreateDefaultSubnet","ec2:CreateDefaultVpc","ec2:CreateEgressOnlyInternetGateway","ec2:CreateInternetGateway","ec2:CreateNatGateway","ec2:CreateNetworkAcl","ec2:CreateNetworkAclEntry","ec2:CreateRoute","ec2:CreateRouteTable","ec2:CreateSubnet","ec2:CreateVpc","ec2:CreateVpcPeeringConnection","ec2:CreateVpnConnection","ec2:CreateVpnConnectionRoute","ec2:CreateVpnGateway","ec2:DeleteCustomerGateway","ec2:DeleteDhcpOptions","ec2:DeleteNatGateway","ec2:DeleteNetworkAcl","ec2:DeleteNetworkAclEntry","ec2:DeleteRouteTable","ec2:DeleteSubnet","ec2:DeleteVpc","ec2:DeleteVpcEndpointServiceConfigurations","ec2:DeleteVpcPeeringConnection","ec2:DeleteVpnConnection","ec2:DeleteVpnConnectionRoute","ec2:DeleteVpnGateway","ec2:DetachInternetGateway","ec2:DetachVpnGateway","ec2:DisableVgwRoutePropagation","ec2:DisassociateRouteTable","ec2:DisassociateSubnetCidrBlock","ec2:DisassociateVpcCidrBlock","ec2:ModifyVpcAttribute","ec2:ModifyVpcTenancy","ec2:ReplaceNetworkAclAssociation","ec2:ReplaceNetworkAclEntry","ec2:ReplaceRoute","ec2:ReplaceRouteTableAssociation","iam:AddUserToGroup","iam:AttachGroupPolicy","iam:AttachRolePolicy","iam:AttachUserPolicy","iam:CreateAccessKey","iam:CreatePolicy","iam:CreatePolicyVersion","iam:CreateRole","iam:CreateSAMLProvider","iam:CreateUser","iam:DeleteAccessKey","iam:DeleteAccountPasswordPolicy","iam:DeleteGroup","iam:DeleteGroupPolicy","iam:DeletePolicy","iam:DeletePolicyVersion","iam:DeleteSAMLProvider""ec2:CreateDhcpOptions","iam:DeleteServerCertificate","iam:DetachGroupPolicy","iam:DetachUserPolicy","iam:PutGroupPolicy","iam:PutRolePolicy""iam:PutUserPolicy","iam:RemoveUserFromGroup","iam:UpdateGroup","iam:UpdateSAMLProvider","iam:UpdateServerCertificate"

Resolution

To remediate this issue:

  1. Attach deny policy / remove elevated permissions
  2. If you want exception you may please request exception for this rule through PacBot.

Non-Whitelisted IAM Roles should not have core networking privileges.

Prerequisite: IAM Role inventory

Description

None of the roles supposed to have these permissions List of privileges it’s checking right now are

     "ec2:AssociateDhcpOptions","ec2:AssociateRouteTable","ec2:AssociateSubnetCidrBlock","ec2:AssociateVpcCidrBlock","ec2:AttachInternetGateway","ec2:AttachVpnGateway","ec2:CreateCustomerGateway","ec2:CreateDefaultSubnet","ec2:CreateDefaultVpc","ec2:CreateEgressOnlyInternetGateway","ec2:CreateInternetGateway","ec2:CreateNatGateway","ec2:CreateNetworkAcl","ec2:CreateNetworkAclEntry","ec2:CreateRoute","ec2:CreateRouteTable","ec2:CreateSubnet","ec2:CreateVpc","ec2:CreateVpcPeeringConnection","ec2:CreateVpnConnection","ec2:CreateVpnConnectionRoute","ec2:CreateVpnGateway","ec2:DeleteCustomerGateway","ec2:DeleteDhcpOptions","ec2:DeleteNatGateway","ec2:DeleteNetworkAcl","ec2:DeleteNetworkAclEntry","ec2:DeleteRouteTable","ec2:DeleteSubnet","ec2:DeleteVpc","ec2:DeleteVpcEndpointServiceConfigurations","ec2:DeleteVpcPeeringConnection","ec2:DeleteVpnConnection","ec2:DeleteVpnConnectionRoute","ec2:DeleteVpnGateway","ec2:DetachInternetGateway","ec2:DetachVpnGateway","ec2:DisableVgwRoutePropagation","ec2:DisassociateRouteTable","ec2:DisassociateSubnetCidrBlock","ec2:DisassociateVpcCidrBlock","ec2:ModifyVpcAttribute","ec2:ModifyVpcTenancy","ec2:ReplaceNetworkAclAssociation","ec2:ReplaceNetworkAclEntry","ec2:ReplaceRoute","ec2:ReplaceRouteTableAssociation","iam:AddUserToGroup","iam:AttachGroupPolicy","iam:AttachRolePolicy","iam:AttachUserPolicy","iam:CreateAccessKey","iam:CreatePolicy","iam:CreatePolicyVersion","iam:CreateRole","iam:CreateSAMLProvider","iam:CreateUser","iam:DeleteAccessKey","iam:DeleteAccountPasswordPolicy","iam:DeleteGroup","iam:DeleteGroupPolicy","iam:DeletePolicy","iam:DeletePolicyVersion","iam:DeleteSAMLProvider""ec2:CreateDhcpOptions","iam:DeleteServerCertificate","iam:DetachGroupPolicy","iam:DetachUserPolicy","iam:PutGroupPolicy","iam:PutRolePolicy""iam:PutUserPolicy","iam:RemoveUserFromGroup","iam:UpdateGroup","iam:UpdateSAMLProvider","iam:UpdateServerCertificate"

Resolution

To remediate this issue:

  1. Attach deny policy / remove elevated permissions
  2. If you want exception you may please request exception for this rule through PacBot.

Non-Whitelisted IAM Role should not have EC2 RunInstance privilege.

Prerequisite: IAM Role inventory

Description

IAM roles do not have the permission to launch instances List of privileges it’s checking right now

    ec2:*,*,ec2:RunInstances

Resolution

To remediate this issue:

  1. Remove run instance permission from the role or if you want exception you may please request exception for this rule through PacBot.

Non-whitelisted IAM Role Should not have Lambda privilege.

Prerequisite: IAM Role inventory

Description

IAM roles not supposed to have lambda function creation permissions. List of privileges it’s checking right now are

    lambda:CreateFunction,lambda:Create*,*,lambda:*

Resolution

To remediate this issue:

  1. Remove lambda create permission from role or if you want exception you may please request exception for this rule through PacBot.

Service Account should not have listed privileges.

Prerequisite: IAM User inventory

Description

Service account should only has the read permission List of privileges it’s checking right now

ec2:TerminateInstances,ec2:RunInstances,s3:DeleteBucket,s3:PutBucketPolicy,ec2:ModifyInstanceAttribute,s3:DeleteObject,ec2:*,*,s3:*,s3:Put*,cloudtrail:*,cloudtrail:DeleteTrail,config:*,config:DeleteConfigRule

Resolution

To remediate this issue:

  1. Remove write permissions from service accounts.

EC2 instances should not be publicly accessible on port 8080.

Prerequisite: EC2 inventory

Description

This rule creates an issue, if the port 8080 is publicly accessible.

Resolution

To remediate this issue:

  1. Do not allow global access to well known ports of an EC2 instance directly (except for 80 and 443).

EC2 instances should not be publicly accessible on port 138.

Prerequisite: EC2 inventory

Description

Global permission to access the well known services like TCP on port 138 should not be allowed.

Resolution

To remediate this issue:

  1. Do not allow global access to well known ports of an EC2 instance directly (except for 80 and 443).

EC2 instances should not be publicly accessible on default MySQL port 3306

Prerequisite: EC2 inventory

Description

Global permission to access the well known services like TCP on port 3306 (MySQL) should not be allowed.

Resolution

To remediate this issue:

  1. Do not allow global access to well known ports of an EC2 instance directly (except for 80 and 443).

CloudFront should not have unauthorized HTML content.

Prerequisite: CloudFront inventory

Description

This rule checks if the CloudFront has unauthorized HTML content, if so then it creates a violation.

Resolution

Note

This policy can be applied for all AWS resources types which has regions. example (EC2/S3/Lambda/RDS etc.)

S3 bucket should not have hosting website or redirecting requests.

Prerequisite: S3 inventory

Description

This rule checks for S3 bucket containing website configuration.If its true then its an issue.

Resolution

Unauthorized CloudFront Content Distribution.

Prerequisite: CloudFront inventory

Description

This policy checks for unauthorized CloudFront distribution.

Resolution

EC2 instances should not be publicly accessible on default SQL Browser port 1434.

Prerequisite: EC2 inventory

Description

Global permission to access the well known services like TCP on port 1434 (SQL Browser) should not be allowed.

Resolution

To remediate this issue:

  1. Do not allow global access to well known ports of an EC2 instance directly (except for 80 and 443).

EC2 instances should not be publicly accessible on default This is an Azure security rule. port 5432.

Prerequisite: EC2 inventory

Description

Global permission to access the well known services like TCP on port 5432 (This is an Azure security rule.) should not be allowed.

Resolution

To remediate this issue:

  1. Do not allow global access to well known ports of an EC2 instance directly (except for 80 and 443).

EC2 instances should not be publicly accessible on port 3389.

Prerequisite: EC2 inventory

Description

RDP port 3389 should not be accessible from internet. Port 3389 should be open only to the internal 10...* network. Further reducing the permitted IP addresses or ranges allowed to communicate to destination hosts on RDP port 3389 is recommended. An exposed RDP port 3389 pose a great security risk.

Resolution

To remediate this issue:

  1. Remove the rule from the security groups that allows inbound access from 0.0.0.0/0.

MFA should be enabled for Root User.

Prerequisite: Account inventory

Description

MFA should be enabled for Root User, if not its an issue.

Resolution

To remediate this issue:

  1. Enable the MFA for root user

CloudTrail should be enabled in multiple regions.

Prerequisite: Account inventory

Description

CloudTrail should be enabled in multiple regions, if not its an issue.

Resolution

To remediate this issue:

  1. Enable the CloudTrail in multiple regions.

ACM certificate should not expire in mentioned days from current date.

Prerequisite: ACM Certificate inventory

Description

ACM certificate should not expire in mentioned days from current date.

Resolution

To remediate this issue:

  1. Rotate the keys before the expiry

IAM certificate should not expire in mentioned days from current date.

Prerequisite: IAM Certificate inventory.

Description

IAM certificate should not expire in mentioned days from current date.

Resolution

To remediate this issue:

  1. Rotate the keys before the expiry

Access log should be enabled to ELB and attached to mentioned bucket.

Prerequisite: App ELB/Classic ELB inventory

Description

Access log should be enabled to App ELB/Classic ELB and attached to mentioned bucket.

Resolution

To remediate this issue:

  1. Access log should be enabled to ELB and attached to mentioned bucket.

Access log should be enabled to CloudFront and attached to mentioned bucket.

Prerequisite: CloudFront inventory

Description

Access log should be enabled to CloudFront and attached to mentioned bucket.

Resolution

To remediate this issue:

  1. Access log should be enabled to CloudFront and attached to mentioned bucket.

Private s3 buckets should be enabled with access logs.

Prerequisite: S3 inventory

Description

Protected S3 buckets should be server access logs enabled.

Resolution

To remediate this issue:

  1. Protected S3 buckets should be server access logs enabled.

All Cloud watch events from all accounts should be sent to Dedicated Account default event bus.

Prerequisite: Account inventory

Description

Events from all AWS account should be routed to a central event bus so that the events and be processed and analyzed centrally.

Resolution

To remediate this issue:

  1. Events from all AWS account should be routed to a central event.

Low Utilization Amazon EC2 Instances Rule.

Prerequisite: Account inventory

Description

Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was 10% or less and network I/O was 5 MB or less on 4 or more days. Running instances generate hourly usage charges. Although some scenarios can result in low utilization by design, you can often lower your costs by managing the number and size of your instances. An instance had 10% or less daily average CPU utilization and 5 MB or less network I/O on at least 4 of the previous 14 days.

Resolution

To remediate this issue:

  1. Consider stopping or terminating instances that have low utilization, or scale the number of instances by using Auto Scaling.

Any EC2 instance should not have an S3, S4, or S5 vulnerability.

Prerequisite: EC2 inventory

Description

If an EC2 Instance having an S5, S4 and S3 vulnerability report it as an issue with severity high, medium and low respectively.

Resolution

EC2 Public Access Port With S5 vulnerability.

Prerequisite: EC2 inventory

Description

An EC2 instance with remotely exploitable vulnerability (S5) should not be publicly accessible, this instance can be easily compromised from a remote location.

Resolution

To remediate this issue:

  1. Immediately remove the internet access
  2. Apply the vulnerability fix.

Every EC2 instance should be scanned by Qualys vulnerability assessment tool at least once a month.

Prerequisite: EC2 inventory

Description

All assets in Cloud should be scanned by Qualys vulnerability assessment tool at least once a month. It would be ideal to have the Qualys Cloud Agent installed on all the assets. This would eliminate the need to have manual external scans.

Resolution

To remediate this issue:

  1. Install Qualys Cloud Agent on the server or get the asset scanned manually by VMAS team every month.

Install monitoring agent on your machines.

Prerequisite: Virtual Machine inventory

Description

All assets in Cloud should be scanned by the Qualys vulnerability assessment tool at least once a month. It would be ideal to have the Qualys Cloud Agent installed on all the assets. This would eliminate the need to have manual external scansSecurity Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machines. To make sure your virtual machines are successfully monitored, you need to enable data collection in Security Center and make sure the MMA agent is both installed on the virtual machines and properly collects security events to the configured workspace. Enabling data collection in Security Center enables you to benefit from multiple agent-based features, including OS baselines rules assessments, monitoring for missing system updates, endpoint protection issues and advanced threat detection capabilities.

Resolution

To remediate this issue:

  1. Installation of the monitoring agent and enabling data collection in Security Center can be done in several ways: Using Security Center’s automatic provisioning on your subscription(s). This will automatically provision the monitoring agent on current and future-created virtual machines on your subscription(s). You can enable automatic provisioning on multiple subscriptions by clicking on the Getting started menu item, and select 'Install agents'. You can also enable it for specific subscriptions and customize additional settings by clicking on the 'Security policy' menu item, select 'Edit settings' on a subscription and enable auto provisioning in the 'data collection' menu item. Install the Microsoft Monitoring agent on your Virtual machines as a VM extension or directly, by following these instructions. Provision the Microsoft Monitoring agent with Azure Policies.

Apply a Just In Time network access control.

Prerequisite: Virtual Machine inventory

Description

Just-in-time (JIT) virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

Resolution

To remediate this issue:

  1. Open the Security Center dashboard.
  2. In the left pane, select Just-in-time VM access.
  3. The Just-in-time VM access window opens.
  4. Select the Recommended tab.
  5. Under VIRTUAL MACHINE, click the VMs that you want to enable. This puts a checkmark next to a VM.

Remediate vulnerabilities by installing a Vulnerability Assessment solution.

Prerequisite: Virtual Machine inventory

Description

This is an Azure security rule.

Resolution

To remediate this issue: 1)

Enable Adaptive Application Controls.

Prerequisite: Virtual Machine inventory

Description

Application control helps you deal with malicious and/or unauthorized software, by allowing only specific applications to run on your VMs and Computers.

Resolution

To remediate this issue:

  1. Open the Security Center dashboard.
  2. In the left pane select Adaptive application controls located under Advanced Cloud Defense and follow the guidelines.

Resolve monitoring agent health issues on your machines.

Prerequisite: Virtual Machine inventory

Description

This is an Azure security rule.

Resolution

To remediate this issue: 1)

Close management ports on your Virtual Machines.

Prerequisite: Virtual Machine inventory

Description

This is an Azure security rule.

Resolution

To remediate this issue: 1)

Enable Network Security Groups on virtual machines.

Prerequisite: Virtual Machine inventory

Description

This is an Azure security rule.

Resolution

Install a vulnerability assessment solution on your virtual machines.

Prerequisite: Virtual Machine inventory

Description

The vulnerability assessment in Azure Security Center is part of the Security Center virtual machine (VM) recommendations. If Security Center doesn't find a vulnerability assessment solution installed on your VM, it recommends that you install one. A partner agent, after being deployed, starts reporting vulnerability data to the partner’s management platform. In turn, the partners management platform provides vulnerability and health monitoring data back to Security Center. You can quickly identify vulnerable VMs on the Security Center dashboard. Switch to the partner management console directly from Security Center for additional reports and information.

Resolution

Harden Network Security Group rules of publicly accessible Virtual Machines.

Prerequisite: Virtual Machine inventory

Description

This is an Azure security rule.

Resolution

Blobcontainer should be tagged with mandatory tags.

Prerequisite: Blobcontainer inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

Disk should be tagged with mandatory tags

Prerequisite: Disk inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (Refer to naming conventions).

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

Storage Account should be tagged with mandatory tags.

Prerequisite: Storage Account inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

Resource Group should be tagged with mandatory tags.

Prerequisite: Resource Group inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

Security Center should be tagged with mandatory tags.

Prerequisite: Security Center inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

Security Center should be tagged with mandatory tags.

Prerequisite: Security Center inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

Network Interface should be tagged with mandatory tags.

Prerequisite: Network Interface inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

NSG should be tagged with mandatory tags.

Prerequisite: NSG inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

VNet should be tagged with mandatory tags.

Prerequisite: VNet Inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

Virtual Machine should be tagged with mandatory tags.

Prerequisite: Virtual Machine inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

SQL Database should be tagged with mandatory tags.

Prerequisite: SQL Database inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

Databricks should be tagged with mandatory tags.

Prerequisite: Databricks inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

Databricks should be tagged with mandatory tags.

Prerequisite: Databricks inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

SQL Server should be tagged with mandatory tags.

Prerequisite: SQL Server inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

Load Balancer should be tagged with mandatory tags.

Prerequisite: Load Balancer inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.

MySQL Server should be tagged with mandatory tags.

Prerequisite: MySQL Server inventory

Description

All cloud assets should be tagged with following mandatory tags. Application, Environment, Role and Stack. Assets without these mandatory tags will be marked as non-complaint. Below is an example for the tag value pairs.

Tag name: Application Example value: Rebellion

Notes This value for the application tag should be the approved application name give for the project during the cloud on-boarding process. Unknown applications will be marked for review and possible termination.

Tag name: Environment Example value: Production or Non Production or Non Production::qat1 or Non Production::dit1 (refer to your naming conventions)

Notes The value for environment should distinguish the asset as a Production or Non Production class. You can further qualify Non Production assets using the :: separator. Look at the examples 3 and 4.

Tag name: Stack Example Value: Apache Httpd

Tag name: Role Example value: Webserver

Each asset should at least have these 4 mandatory tags. You can have additional tags as well.

Resolution

To remediate this issue:

  1. Add the mandatory tags to the assets
  2. Follow the Cloud Asset Tagging guidelines.
     We are working to make all of the policies available in the open source version. 
     This is not the exhaustive list.
Clone this wiki locally