{"data":[{"type":"rules","id":"EC2-001","attributes":{"title":"EC2 Security Group Port Range","description":"Ensure no security group opens a range of ports","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-002","attributes":{"title":"Unrestricted SSH Access","description":"Ensure no security groups allow ingress from 0.0.0.0/0 to port 22","compliances":["AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-003","attributes":{"title":"Unrestricted RDP Access","description":"Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389","compliances":["AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-004","attributes":{"title":"Unrestricted Oracle Database Access","description":"Ensure no security group allows unrestricted ingress access to port 1521","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-005","attributes":{"title":"Unrestricted MySQL Database Access","description":"Ensure no security group allows unrestricted 
ingress access to port 3306","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-006","attributes":{"title":"Unrestricted PostgreSQL Database Access","description":"Ensure no security group allows unrestricted ingress access to port 5432","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-007","attributes":{"title":"Unrestricted DNS Access","description":"Ensure no security group allows unrestricted ingress access to port 53","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-008","attributes":{"title":"Unrestricted MSSQL Database Access","description":"Ensure no security group allows unrestricted ingress access to port 1433","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-016","attributes":{"title":"Default Security Group Unrestricted","description":"Ensure the default security group of every VPC restricts all 
traffic","compliances":["AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-017","attributes":{"title":"Desired Instance Type(s)","description":"Ensure all EC2 instances are of a given instance type","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","HITRUST","PCI-V4","FEDRAMP","MAS","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-021","attributes":{"title":"EC2 Instance Using IAM Roles","description":"Ensure IAM instance roles are used for AWS resource access from instances","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-025","attributes":{"title":"EC2 Instance Tenancy","description":"Ensure EC2 instances have desired tenancy for compliance and regulatory requirements","compliances":["AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-027","attributes":{"title":"Instance In Auto Scaling Group","description":"Ensure every EC2 instance is launched inside an Auto Scaling Group to help improve the availability and scalability of your 
applications","compliances":["AWAF-2025","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-028","attributes":{"title":"Approved/Golden AMIs","description":"Ensure all EC2 instances are launched from your approved AMIs","compliances":["AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-029","attributes":{"title":"EC2 Instance Generation","description":"Ensure you always use the latest generation of EC2 instances to get better performance with lower cost","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-030","attributes":{"title":"EC2 Instance Termination Protection","description":"Ensure termination protection safety feature is enabled for ec2 instances that aren't part of ASGs","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-031","attributes":{"title":"Default Security Groups In Use","description":"Ensure default security groups aren't in use. 
Instead create unique security groups to better adhere to the principle of least privilege","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-032","attributes":{"title":"SecurityGroup RFC 1918","description":"Ensure no security group contains RFC 1918 CIDRs","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-033","attributes":{"title":"Unrestricted Outbound Access","description":"Ensure no security group contains any 0.0.0.0/0 egress rules","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-034","attributes":{"title":"Unrestricted Security Group Ingress on Uncommon Ports","description":"Ensure no security group contains any 0.0.0.0/0 ingress rules","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-035","attributes":{"title":"EC2 Instance Naming Conventions","description":"Follow proper naming conventions for EC2 instances","compliances":["AWAF-2025","CIS-V8","NIST5","MAS","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-036","attributes":{"title":"Security Group Naming 
Conventions","description":"Follow proper naming conventions for security groups","compliances":["AWAF-2025","CIS-V8","NIST5","MAS"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-038","attributes":{"title":"Unrestricted Telnet Access","description":"Ensure no security group allows unrestricted inbound access to TCP port 23 (Telnet)","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-039","attributes":{"title":"Unrestricted SMTP Access","description":"Ensure no security group allows unrestricted inbound access to TCP port 25 (SMTP)","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-040","attributes":{"title":"Unrestricted RPC Access","description":"Ensure no security group allows unrestricted inbound access to TCP port 135 (RPC)","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-041","attributes":{"title":"Unrestricted NetBIOS Access","description":"Ensure no security group allows unrestricted inbound access to port UDP/137, UDP/138, and TCP/139 
(NetBIOS)","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-042","attributes":{"title":"Unrestricted FTP Access","description":"Ensure no security group allows unrestricted inbound access to TCP ports 20 and 21 (FTP)","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-043","attributes":{"title":"Unrestricted CIFS Access","description":"Ensure no security group allows unrestricted inbound access to UDP port 445 (CIFS)","compliances":["AWAF-2025","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-044","attributes":{"title":"Unrestricted ICMP Access","description":"Ensure no security group allows unrestricted inbound access to ICMP","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-045","attributes":{"title":"Unrestricted MongoDB Access","description":"Ensure no security group allows unrestricted ingress access to port 
27017","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-046","attributes":{"title":"Blocklisted AMIs","description":"Ensure no EC2 instance is launched from any blocklisted AMIs","compliances":["AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-053","attributes":{"title":"EC2 Instance Dedicated Tenancy","description":"Ensure dedicated EC2 instances are regularly reviewed","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-058","attributes":{"title":"EC2 Instance Detailed Monitoring","description":"Ensure that detailed monitoring is enabled for the AWS EC2 instances that you need to monitor closely","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-059","attributes":{"title":"Descriptions for Security Group Rules","description":"Ensure AWS EC2 security group rules have descriptive text for organization and documentation","compliances":["AWAF-2025","CIS-V8","NIST5","PCI","MAS","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-060","attributes":{"title":"Unused Elastic Network Interfaces","description":"Identify and delete any unused Elastic Network 
Interfaces","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","AGISM-2024","PCI","PCI-V4","MAS","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-061","attributes":{"title":"Security Group Name Prefixed With 'launch-wizard'","description":"Ensure no security group name is prefixed with 'launch-wizard'","compliances":["AWAF-2025","CIS-V8","NIST5","ASAE-3150","MAS","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-063","attributes":{"title":"Unrestricted OpenSearch Access","description":"Ensure no security group allows unrestricted ingress access to port 9200","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-064","attributes":{"title":"Unrestricted HTTP Access","description":"Ensure no security group allows unrestricted ingress access to port 80","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-065","attributes":{"title":"Unrestricted HTTPS Access","description":"Ensure no security group allows unrestricted ingress access to port 443","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-066","attributes":{"title":"EC2 Hibernation","description":"Enable hibernation as an additional stop behavior for your EC2 instances backed by Amazon EBS in order to reduce the time it takes for these 
instances to return to service at restart","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-069","attributes":{"title":"Web-Tier EC2 Instance Using IAM Roles","description":"Ensure web-tier IAM instance roles are used for AWS resource access from instances","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-070","attributes":{"title":"App-Tier EC2 Instance Using IAM Roles","description":"Ensure that your app-tier EC2 instances are using IAM roles to grant permissions to applications running on these instances","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-071","attributes":{"title":"EC2 Instances with Unapproved Instance Types","description":"Ensure no EC2 instance in your AWS account uses a blocklisted instance type","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-074","attributes":{"title":"Unrestricted Redis Cache Access","description":"Ensure that no security group allows unrestricted inbound access on TCP port 6379 
(Redis)","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-075","attributes":{"title":"Unrestricted Memcached Access","description":"Ensure that no security group allows unrestricted inbound access on TCP/UDP port 11211 (Memcached)","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"EC2-077","attributes":{"title":"Require IMDSv2 for EC2 Instances","description":"Ensure that all the Amazon EC2 instances require the use of Instance Metadata Service Version 2 (IMDSv2)","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","APRA","NIS-2","ISMS-P"],"provider":"aws","service":"EC2"}},{"type":"rules","id":"ELB-001","attributes":{"title":"Unused Elastic Load Balancers","description":"Identify unused Elastic Load Balancers, and delete them to help lower the cost of your monthly AWS bill","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST5","NIST-CSF-2_0","ISO27001","AGISM-2024","PCI","PCI-V4","MAS"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-002","attributes":{"title":"ELB Cross-Zone Load Balancing Enabled","description":"Ensure Cross-Zone Load Balancing is enabled for all load balancers. 
Also select at least two subnets in different availability zones to provide higher availability","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-003","attributes":{"title":"ELB Connection Draining Enabled","description":"Ensure connection draining is enabled for all load balancers","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-004","attributes":{"title":"ELB Security Policy","description":"Ensure ELBs use the latest predefined security policies","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-005","attributes":{"title":"ELB Insecure SSL Protocols","description":"Ensure ELBs don't use insecure SSL protocols","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-006","attributes":{"title":"ELB Insecure SSL Ciphers","description":"Ensure ELBs don't use insecure SSL ciphers","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-008","attributes":{"title":"ELB Listener Security","description":"Ensure ELB listener uses a 
secure HTTPS or SSL protocol","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-009","attributes":{"title":"ELB Access Log","description":"Ensure ELB access logging is enabled for security, troubleshooting, and statistical analysis purposes","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-010","attributes":{"title":"ELB Minimum Number Of EC2 Instances","description":"Ensure there are a minimum of two healthy instances associated with each ELB","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-011","attributes":{"title":"Classic Load Balancer","description":"Ensure HTTP/HTTPS applications are using Application Load Balancer instead of Classic Load Balancer for cost and web traffic distribution optimization","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-013","attributes":{"title":"Internet Facing ELBs","description":"Ensure Amazon internet-facing ELBs/ALBs are regularly reviewed for security 
purposes","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-015","attributes":{"title":"Web-Tier ELB Security Policy","description":"Ensure web-tier ELBs use the latest predefined security policies","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-016","attributes":{"title":"App-Tier ELB Security Policy","description":"Ensure app-tier ELBs use the latest predefined security policies","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-017","attributes":{"title":"Web-Tier ELB Listener Security","description":"Ensure web-tier ELB listener uses a secure HTTPS or SSL protocol","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-018","attributes":{"title":"App-Tier ELB Listener Security","description":"Ensure app-tier ELB listener uses a secure HTTPS or SSL protocol","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-021","attributes":{"title":"Web-Tier ELBs Health Check","description":"Ensure web tier Elastic Load Balancer 
has application layer health check configured","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"ELB-022","attributes":{"title":"App-Tier ELBs Health Check","description":"Ensure app tier Elastic Load Balancer has application layer health check configured","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELB"}},{"type":"rules","id":"EBS-001","attributes":{"title":"EBS Encrypted","description":"Ensure EBS volumes are encrypted to meet security and encryption compliance requirements. Encryption is a key mechanism for you to ensure that you are in full control over who has access to your data","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-002","attributes":{"title":"EBS Encrypted With KMS Customer Master Keys","description":"Ensure EBS volumes are encrypted with CMKs to have full control over encrypting and decrypting data","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-003","attributes":{"title":"Unused EBS Volumes","description":"Identify and remove any unused 
Elastic Block Store volumes to improve cost optimization and security","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","PCI","FEDRAMP","MAS","ISMS-P"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-006","attributes":{"title":"EBS Volume Naming Conventions","description":"Follow proper naming conventions for EBS volumes","compliances":["AWAF-2025","CIS-V8","NIST5","MAS","FISC-V12"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-007","attributes":{"title":"EBS General Purpose SSD","description":"Ensure EC2 instances are using General Purpose SSD (gp2) EBS volumes instead of Provisioned IOPS SSD (io1) volumes to optimize AWS EBS costs","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","MAS","FISC-V12"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-012","attributes":{"title":"Web-Tier EBS Encrypted","description":"Ensure web-tier Amazon Elastic Block Store (EBS) volumes are encrypted","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"EBS-013","attributes":{"title":"App-Tier EBS Encrypted","description":"Ensure app-tier Amazon Elastic Block Store (EBS) volumes are encrypted","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EBS"}},{"type":"rules","id":"VPC-001","attributes":{"title":"VPC Flow Logs Enabled","description":"Ensure VPC flow logging is enabled in all 
VPCs","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-004","attributes":{"title":"VPC Naming Conventions","description":"Follow proper naming conventions for Virtual Private Clouds","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","MAS"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-005","attributes":{"title":"VPC Endpoint Exposed","description":"Ensure Amazon VPC endpoints aren't exposed to everyone","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-006","attributes":{"title":"VPC Endpoint Cross Account Access","description":"Ensure Amazon VPC endpoints don't allow unknown cross account access","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-010","attributes":{"title":"Unrestricted Network ACL Outbound Traffic","description":"Ensure that no Network ACL (NACL) allows outbound/egress traffic to all 
ports","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-011","attributes":{"title":"Unrestricted Network ACL Inbound Traffic","description":"Ensure that no Network ACL (NACL) allows inbound/ingress traffic from all ports","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-015","attributes":{"title":"Ineffective Network ACL DENY Rules","description":"Ensure that Amazon Network ACL DENY rules are effective within the VPC configuration","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"VPC-017","attributes":{"title":"Unrestricted Inbound Traffic on Remote Server Administration Ports","description":"Ensure that no Network ACL (NACL) allows unrestricted inbound traffic on TCP ports 22 and 3389","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"VPC"}},{"type":"rules","id":"S3-001","attributes":{"title":"S3 Bucket Public 'READ' Access","description":"Ensure S3 buckets don't allow public READ 
access","compliances":["GDPR","AWAF-2025","AWAF-AI-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-002","attributes":{"title":"S3 Bucket Public 'READ_ACP' Access","description":"Ensure S3 buckets don't allow public READ_ACP access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-003","attributes":{"title":"S3 Bucket Public 'WRITE' ACL Access","description":"Ensure S3 buckets don't allow public WRITE ACL access","compliances":["AWAF-2025","AWAF-AI-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-004","attributes":{"title":"S3 Bucket Public 'WRITE_ACP' Access","description":"Ensure S3 buckets don't allow public WRITE_ACP access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-005","attributes":{"title":"S3 Bucket Public 'FULL_CONTROL' Access","description":"Ensure S3 buckets don't allow public FULL_CONTROL access","compliances":["AWAF-2025","AWAF-AI-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-006","attributes":{"title":"S3 Bucket 
Authenticated Users 'READ' Access","description":"Ensure S3 buckets don't allow authenticated users READ access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-007","attributes":{"title":"S3 Bucket Authenticated Users 'READ_ACP' Access","description":"Ensure S3 buckets don't allow authenticated users READ_ACP access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-008","attributes":{"title":"S3 Bucket Authenticated Users 'WRITE' Access","description":"Ensure S3 buckets don't allow authenticated users WRITE access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-009","attributes":{"title":"S3 Bucket Authenticated Users 'WRITE_ACP' Access","description":"Ensure S3 buckets don't allow authenticated users WRITE_ACP access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-010","attributes":{"title":"S3 Bucket Authenticated Users 'FULL_CONTROL' Access","description":"Ensure S3 buckets don't allow authenticated users FULL_CONTROL 
access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-011","attributes":{"title":"S3 Bucket Logging Enabled","description":"Ensure S3 bucket access logging is enabled for security and access audits","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-012","attributes":{"title":"S3 Bucket Versioning Enabled","description":"Ensure S3 bucket versioning is enabled for additional level of data protection","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-013","attributes":{"title":"S3 Bucket MFA Delete Enabled","description":"Ensure S3 buckets have an MFA-Delete policy to prevent deletion of files without an MFA token","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-015","attributes":{"title":"S3 Cross Account Access","description":"Ensure Amazon S3 buckets don't allow unknown cross account access via bucket 
policies","compliances":["AWAF-2025","AWAF-AI-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-016","attributes":{"title":"Server Side Encryption","description":"Ensure AWS S3 buckets enforce Server-Side Encryption","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-017","attributes":{"title":"Secure Transport","description":"Ensure AWS S3 buckets enforce SSL to secure data in transit","compliances":["AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-018","attributes":{"title":"DNS Compliant S3 Bucket Names","description":"Ensure that your AWS S3 buckets are using DNS-compliant bucket names","compliances":["AWAF-2025","CIS-V8","NIST5","MAS","FISC-V12"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-019","attributes":{"title":"S3 Buckets with Website Hosting Configuration Enabled","description":"Review S3 Buckets with Website Configuration Enabled","compliances":["NIST4","AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-020","attributes":{"title":"S3 Buckets Lifecycle Configuration","description":"Ensure that AWS S3 buckets utilize lifecycle configurations to 
manage S3 objects during their lifetime","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-023","attributes":{"title":"S3 Object Lock","description":"Enable AWS S3 Object Lock","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-024","attributes":{"title":"S3 Transfer Acceleration","description":"Enable AWS S3 Transfer Acceleration","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","AGISM-2024","HITRUST","PCI-V4","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-026","attributes":{"title":"Enable S3 Block Public Access for S3 Buckets","description":"Ensure that Amazon S3 Block Public Access feature is enabled for your S3 buckets to restrict public access to all objects available within these buckets","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"S3"}},{"type":"rules","id":"S3-028","attributes":{"title":"Enable S3 Bucket Keys","description":"Ensure that Amazon S3 buckets are using S3 bucket keys to optimize service costs","compliances":["AWAF-2025","AWAF-AI-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","HITRUST","PCI-V4","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"S3"}},{"type":"rules","id":"CT-007","attributes":{"title":"CloudTrail Log File Integrity Validation","description":"Ensure CloudTrail log 
file validation is enabled","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"CT-008","attributes":{"title":"CloudTrail Logs Encrypted","description":"Ensure CloudTrail logs are encrypted at rest using KMS CMKs","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"CT-009","attributes":{"title":"CloudTrail Integrated With CloudWatch","description":"Ensure CloudTrail trails are integrated with CloudWatch Logs","compliances":["GDPR","AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"CT-010","attributes":{"title":"CloudTrail Management Events","description":"Ensure management events are included into AWS CloudTrail trails configuration","compliances":["GDPR","AWAF-2025","AWAF-AI-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"CT-012","attributes":{"title":"CloudTrail Data Events","description":"Ensure CloudTrail trails are configured to log Data 
events","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"CT-014","attributes":{"title":"CloudTrail S3 Bucket","description":"Ensure that AWS CloudTrail trail uses the designated Amazon S3 bucket","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","ISMS-P"],"provider":"aws","service":"CloudTrail"}},{"type":"rules","id":"RDS-002","attributes":{"title":"RDS Automated Backups Enabled","description":"Ensure automated backups are enabled for RDS instances. This feature of Amazon RDS enables point-in-time recovery of your database instance","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-003","attributes":{"title":"RDS Sufficient Backup Retention Period","description":"Ensure RDS instances have sufficient backup retention period for compliance purposes","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-004","attributes":{"title":"RDS Encryption Enabled","description":"Ensure encryption is set up for RDS instances to fulfill compliance requirements for data-at-rest 
encryption","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-005","attributes":{"title":"RDS Encrypted With KMS Customer Master Keys","description":"Ensure RDS instances are encrypted with CMKs to have full control over encrypting and decrypting data","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-006","attributes":{"title":"RDS Auto Minor Version Upgrade","description":"Ensure Auto Minor Version Upgrade is enabled for RDS to automatically receive minor engine upgrades during the maintenance window","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-007","attributes":{"title":"RDS Multi-AZ","description":"Ensure RDS instances are launched into Multi-AZ","compliances":["AWAF-2025","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-008","attributes":{"title":"RDS Publicly Accessible","description":"Ensure RDS instances aren't public facing to minimise security 
risks","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-009","attributes":{"title":"DB Instance Generation","description":"Ensure you always use the latest generation of DB instances to get better performance with lower cost","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HITRUST","ASAE-3150","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-010","attributes":{"title":"RDS General Purpose SSD","description":"Ensure RDS instances are using General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize the RDS service costs","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","MAS","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-011","attributes":{"title":"RDS Default Port","description":"Ensure Amazon RDS database instances aren't using the default ports","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-012","attributes":{"title":"RDS Master Username","description":"Ensure AWS RDS instances are using secure and unique master usernames for their databases","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-025","attributes":{"title":"RDS Desired Instance 
Type","description":"Ensure that all your AWS RDS database instances are of given instance types","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-026","attributes":{"title":"RDS Copy Tags to Snapshots","description":"Enable RDS Copy Tags to Snapshots","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-030","attributes":{"title":"IAM Database Authentication","description":"Enable IAM Database Authentication","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-031","attributes":{"title":"Instance Deletion Protection","description":"Enable AWS RDS Instance Deletion Protection","compliances":["AWAF-2025","CIS-V8","NIST5","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","APRA","MAS","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-032","attributes":{"title":"Performance Insights","description":"Enable AWS RDS Performance Insights","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-033","attributes":{"title":"Log Exports","description":"Enable AWS RDS Log 
Exports","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-034","attributes":{"title":"Backtrack","description":"Enable Amazon Aurora Backtrack","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-035","attributes":{"title":"Cluster Deletion Protection","description":"Enable AWS RDS Cluster Deletion Protection","compliances":["AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-041","attributes":{"title":"Enable Instance Storage AutoScaling","description":"Ensure that RDS Storage AutoScaling feature is enabled to support unpredictable database workload","compliances":["AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"RDS-042","attributes":{"title":"Enable Aurora Cluster Copy Tags to Snapshots","description":"Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"RDS"}},{"type":"rules","id":"IAM-004","attributes":{"title":"Unnecessary Access Keys","description":"Ensure there is a maximum of one active access key for 
any single user","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-005","attributes":{"title":"Password Policy Minimum Length","description":"Ensure IAM password policy requires minimum length of 14 or greater","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-006","attributes":{"title":"Password Policy Present","description":"Ensure account password policy is present. Strong password policy is vital to uphold security","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-007","attributes":{"title":"Password Policy Lowercase","description":"Ensure IAM password policy requires at least one lowercase letter","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-008","attributes":{"title":"Password Policy Uppercase","description":"Ensure IAM password policy requires at least one uppercase 
letter","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-009","attributes":{"title":"Password Policy Number","description":"Ensure IAM password policy requires at least one number","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-010","attributes":{"title":"Password Policy Symbol","description":"Ensure IAM password policy requires at least one symbol","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-011","attributes":{"title":"Password Policy Expiration","description":"Ensure IAM password policy expires passwords within 90 days or less","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-012","attributes":{"title":"Password Policy Reuse Prevention","description":"Ensure IAM password policy prevents password reuse","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-016","attributes":{"title":"IAM User 
Policies","description":"Ensure IAM policies are attached only to groups or roles","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-017","attributes":{"title":"Unused IAM Group","description":"Ensure all IAM groups have at least one user","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-022","attributes":{"title":"IAM Group With Inline Policies","description":"Ensure IAM groups don't have inline policies attached","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-024","attributes":{"title":"IAM User With Password And Access Keys","description":"Ensure IAM users have either API access or console access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-025","attributes":{"title":"Unnecessary SSH Public Keys","description":"Ensure there is a maximum of one active SSH public key for any single 
user","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-029","attributes":{"title":"Unused IAM User","description":"Ensure there are no users that have never been logged in","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-034","attributes":{"title":"Valid IAM Identity Providers","description":"Ensure valid IAM Identity Providers are used within your AWS account for secure user authentication and authorization","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-045","attributes":{"title":"IAM Policies With Full Administrative Privileges","description":"Ensure IAM policies that allow full '*:*' administrative privileges aren't created","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-049","attributes":{"title":"IAM Role Policy Too Permissive","description":"Ensure that the access policies attached to your IAM roles adhere to the principle of least 
privilege","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-050","attributes":{"title":"Cross-Account Access Lacks External ID and MFA","description":"Ensure cross-account access roles are using Multi-Factor Authentication (MFA) or External IDs","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-057","attributes":{"title":"Check for Untrusted Cross-Account IAM Roles","description":"Ensure that AWS IAM roles cannot be used by untrusted accounts via cross-account access feature","compliances":["AWAF-2025","AWAF-AI-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-058","attributes":{"title":"Check that only safelisted IAM Users exist","description":"Ensure that only safelisted IAM Users exist within your AWS account","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-059","attributes":{"title":"Server Certificate Signature Algorithm","description":"Ensure that your SSL/TLS certificates are using a secure signature 
algorithm","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-062","attributes":{"title":"AWS IAM Server Certificate Size","description":"Ensure that all your SSL/TLS certificates are using either 2048 or 4096 bit RSA keys instead of 1024-bit keys","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-069","attributes":{"title":"Check for Overly Permissive IAM Group Policies","description":"Ensure that Amazon IAM policies attached to IAM groups aren't too permissive","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-071","attributes":{"title":"Receive Permissions via IAM Groups Only","description":"Ensure that IAM users receive permissions only through IAM groups","compliances":["AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-072","attributes":{"title":"IAM Roles Should Not be Assumed by Multiple Services","description":"Ensure that Amazon IAM roles can only be assumed by a single, trusted 
service","compliances":["AWAF-2025","AWAF-AI-2025","FISC-V12","ISMS-P"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"IAM-073","attributes":{"title":"Check for IAM Users with Compromised Credentials","description":"Check for Amazon IAM users with the \"AWSCompromisedKeyQuarantine\", \"AWSCompromisedKeyQuarantineV2\", and/or \"AWSCompromisedKeyQuarantineV3\" managed policies in order to identify IAM users with compromised or exposed credentials","compliances":["FISC-V12"],"provider":"aws","service":"IAM"}},{"type":"rules","id":"KMS-002","attributes":{"title":"Key Rotation Enabled","description":"Ensure rotation for customer created CMKs is enabled","compliances":["AWAF-2025","AWAF-ML-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"KMS"}},{"type":"rules","id":"KMS-003","attributes":{"title":"Unused Customer Master Key","description":"Identify unused customer master keys, and delete them to help lower the cost of your monthly AWS bill","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF-2_0","ISO27001","AGISM-2024","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12"],"provider":"aws","service":"KMS"}},{"type":"rules","id":"KMS-004","attributes":{"title":"KMS Customer Master Key Pending Deletion","description":"Ensure KMS Customer Master Keys aren't scheduled for deletion","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"KMS"}},{"type":"rules","id":"KMS-005","attributes":{"title":"Key Exposed","description":"Ensure Amazon KMS master keys aren't exposed to 
everyone","compliances":["GDPR","AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"KMS"}},{"type":"rules","id":"KMS-006","attributes":{"title":"KMS Cross Account Access","description":"Ensure Amazon KMS master keys don't allow unknown cross account access","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"KMS"}},{"type":"rules","id":"SNS-001","attributes":{"title":"SNS Topic Exposed","description":"Ensure SNS topics aren't exposed to everyone","compliances":["GDPR","AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-002","attributes":{"title":"SNS Cross Account Access","description":"Ensure Amazon SNS topics don't allow unknown cross account access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-003","attributes":{"title":"AWS SNS Appropriate Subscribers","description":"Ensure appropriate subscribers to each SNS topic","compliances":["AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-004","attributes":{"title":"SNS Topic Accessible For 
Publishing","description":"Ensure SNS topics don't allow 'Everyone' to publish","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","LGPD"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-005","attributes":{"title":"SNS Topic Accessible For Subscription","description":"Ensure SNS topics don't allow 'Everyone' to subscribe","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","LGPD"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-006","attributes":{"title":"SNS Topic Encrypted","description":"Enable Server-Side Encryption for AWS SNS Topics","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SNS-007","attributes":{"title":"SNS Topic Encrypted With KMS Customer Master Keys","description":"Ensure that Amazon SNS topics are encrypted with KMS Customer Master Keys","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SNS"}},{"type":"rules","id":"SQS-001","attributes":{"title":"SQS Queue Exposed","description":"Ensure SQS queues aren't exposed to 
everyone","compliances":["GDPR","AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"SQS-002","attributes":{"title":"SQS Cross Account Access","description":"Ensure SQS queues don't allow unknown cross account access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"SQS-003","attributes":{"title":"Queue Unprocessed Messages","description":"Ensure SQS queues aren't holding a high number of unprocessed messages due to unresponsive or incapacitated consumers","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"SQS-004","attributes":{"title":"Queue Server Side Encryption","description":"Ensure Amazon SQS queues enforce Server-Side Encryption","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"SQS-005","attributes":{"title":"SQS Encrypted With KMS Customer Master Keys","description":"Ensure SQS queues are encrypted with KMS CMKs to gain full control over data encryption and 
decryption","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"SQS-006","attributes":{"title":"SQS Dead Letter Queue","description":"Ensure Dead Letter Queue (DLQ) is configured for SQS queue","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"SQS"}},{"type":"rules","id":"CFM-001","attributes":{"title":"CloudFormation Stack Notification","description":"Ensure CloudFormation stacks are integrated with SNS to receive notifications about stack events","compliances":["AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"CloudFormation"}},{"type":"rules","id":"CFM-002","attributes":{"title":"CloudFormation Stack Policy","description":"Ensure CloudFormation stack policies are set to prevent accidental updates to stack resources","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"CloudFormation"}},{"type":"rules","id":"ASG-001","attributes":{"title":"Auto Scaling Group Health Check","description":"Ensure ELB health check is enabled if Elastic Load Balancing is being used for an Auto Scaling group. 
Ensure EC2 health check is enabled if Elastic Load Balancing isn't being used for an Auto Scaling group","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-002","attributes":{"title":"Empty Auto Scaling Group","description":"Identify empty auto scaling groups, and delete them","compliances":["AWAF-2025","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-005","attributes":{"title":"Auto Scaling Group Notifications","description":"Ensure notifications are enabled for ASGs to receive additional information about scaling operations","compliances":["AWAF-2025","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-007","attributes":{"title":"Auto Scaling Group Referencing Missing ELB","description":"Ensure Amazon Auto Scaling Groups are utilizing active Elastic Load Balancers","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-009","attributes":{"title":"Auto Scaling Group Cooldown Period","description":"Ensure Amazon Auto Scaling Groups are utilizing cooldown 
periods","compliances":["AWAF-2025","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-010","attributes":{"title":"Multi-AZ Auto Scaling Groups","description":"Ensure AWS Auto Scaling Groups utilize multiple Availability Zones to improve environment reliability","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-011","attributes":{"title":"Suspended Auto Scaling Groups","description":"Ensure there are no suspended Auto Scaling Groups in your AWS account","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-012","attributes":{"title":"Auto Scaling Group associated ELB","description":"Ensure that each Auto Scaling Group (ASG) has an associated Elastic Load Balancer (ELB) in order to maintain the availability of the EC2 compute resources in the event of a failure and provide an evenly distributed application load","compliances":["AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-013","attributes":{"title":"Web-Tier Auto Scaling Group associated ELB","description":"Ensure that each web-tier Auto Scaling Group (ASG) has an associated Elastic Load Balancer (ELB) in order to maintain the availability of the EC2 compute resources in the event of a failure and provide an evenly distributed application 
load","compliances":["AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"ASG-014","attributes":{"title":"App-Tier Auto Scaling Group associated ELB","description":"Ensure that each app-tier Auto Scaling Group (ASG) has an associated Elastic Load Balancer (ELB) in order to maintain the availability of the EC2 compute resources in the event of a failure and provide an evenly distributed application load","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"AutoScaling"}},{"type":"rules","id":"RS-001","attributes":{"title":"Redshift Cluster Publicly Accessible","description":"Ensure Redshift clusters aren't publicly accessible to minimise security risks","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-002","attributes":{"title":"Redshift Cluster Encrypted","description":"Ensure encryption is set up for Redshift clusters to fulfill compliance requirements for data-at-rest encryption","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-003","attributes":{"title":"Redshift Cluster Encrypted With KMS Customer Master Keys","description":"Ensure Redshift clusters are encrypted with CMKs to have full control over encrypting and decrypting 
data","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-004","attributes":{"title":"Redshift Cluster In VPC","description":"Ensure Redshift clusters are launched in VPC","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-005","attributes":{"title":"Redshift Cluster Allow Version Upgrade","description":"Ensure Version Upgrade is enabled for Redshift clusters to automatically receive upgrades during the maintenance window","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-006","attributes":{"title":"Redshift Cluster Audit Logging Enabled","description":"Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-007","attributes":{"title":"Redshift Parameter Group Require SSL","description":"Ensure that all the parameter groups associated with your Amazon Redshift clusters have the require_ssl parameter 
enabled","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-008","attributes":{"title":"Redshift Instance Generation","description":"Ensure Redshift clusters are using the latest generation of nodes for cost and performance improvements","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","HITRUST","ASAE-3150","PCI-V4","FEDRAMP","MAS","NIS-2","ISMS-P"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-017","attributes":{"title":"Redshift Cluster Default Port","description":"Ensure Amazon Redshift clusters aren't using port 5439 (default port) for database access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-018","attributes":{"title":"Redshift Cluster Default Master Username","description":"Ensure AWS Redshift database clusters aren't using 'awsuser' (default master username) for database access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-019","attributes":{"title":"Redshift Automated Snapshot Retention Period","description":"Ensure that retention period is enabled for Amazon Redshift automated 
snapshots","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-022","attributes":{"title":"Redshift Desired Node Type","description":"Ensure that your AWS Redshift cluster nodes are of given types","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS","FISC-V12"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RS-023","attributes":{"title":"Enable Redshift User Activity Logging","description":"Ensure that user activity logging is enabled for Redshift clusters","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Redshift"}},{"type":"rules","id":"RG-001","attributes":{"title":"Tags","description":"Use tags metadata for identifying and organizing your AWS resources by purpose, owner, environment, or other criteria","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","ASAE-3150","PCI-V4","FEDRAMP","MAS","NIS-2","ISMS-P"],"provider":"aws","service":"ResourceGroup"}},{"type":"rules","id":"DynamoDB-003","attributes":{"title":"DynamoDB Continuous Backups","description":"Enable DynamoDB Continuous Backups","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"DynamoDB"}},{"type":"rules","id":"DynamoDB-004","attributes":{"title":"Enable Encryption at Rest with Amazon KMS Keys","description":"Use KMS keys for encryption 
at rest in Amazon DynamoDB","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"DynamoDB"}},{"type":"rules","id":"EC-001","attributes":{"title":"ElastiCache Instance Generation","description":"Ensure ElastiCache clusters are using the latest generation of nodes for cost and performance improvements","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","HITRUST","ASAE-3150","PCI-V4","FEDRAMP","MAS","NIS-2","ISMS-P"],"provider":"aws","service":"ElastiCache"}},{"type":"rules","id":"EC-003","attributes":{"title":"ElastiCache Cluster In VPC","description":"Ensure Amazon ElastiCache clusters are deployed into a Virtual Private Cloud","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ElastiCache"}},{"type":"rules","id":"EC-011","attributes":{"title":"ElastiCache Desired Node Type","description":"Ensure that all your Amazon ElastiCache cluster cache nodes are of given types","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS","FISC-V12"],"provider":"aws","service":"ElastiCache"}},{"type":"rules","id":"EC-012","attributes":{"title":"ElastiCache Cluster Default Port","description":"Ensure that AWS ElastiCache clusters aren't using their default endpoint ports","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ElastiCache"}},{"type":"rules","id":"EC-013","attributes":{"title":"ElastiCache Engine Version","description":"Ensure that your Amazon ElastiCache 
clusters are using the stable latest version of Redis/Memcached/Valkey cache engine","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ElastiCache"}},{"type":"rules","id":"ES-001","attributes":{"title":"OpenSearch General Purpose SSD","description":"Ensure OpenSearch nodes are using General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize the service costs","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","MAS","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-002","attributes":{"title":"OpenSearch Zone Awareness Enabled","description":"Ensure high availability for your Amazon OpenSearch clusters by enabling the Zone Awareness feature","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-003","attributes":{"title":"OpenSearch Domain Exposed","description":"Ensure Amazon OpenSearch domains aren't exposed to everyone","compliances":["GDPR","AWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-004","attributes":{"title":"OpenSearch Dedicated Master Enabled","description":"Ensure Amazon OpenSearch clusters are using dedicated master nodes to increase the production environment 
stability","compliances":["AWAF-2025","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-005","attributes":{"title":"OpenSearch Cross Account Access","description":"Ensure Amazon OpenSearch clusters don't allow unknown cross account access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-006","attributes":{"title":"OpenSearch Accessible Only From Safelisted IP Addresses","description":"Ensure only safelisted IP addresses can access your Amazon OpenSearch domains","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-007","attributes":{"title":"OpenSearch Version","description":"Ensure that you always use the latest version of OpenSearch engine for your AWS OpenSearch domains","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-009","attributes":{"title":"OpenSearch Desired Instance Type(s)","description":"Ensure that Amazon OpenSearch cluster instances are of given instance type","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS","FISC-V12"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-010","attributes":{"title":"OpenSearch Domain In VPC","description":"Ensure that your 
Amazon OpenSearch domains are accessible only from AWS VPCs","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-011","attributes":{"title":"AWS OpenSearch Slow Logs","description":"Ensure that your AWS OpenSearch domains publish slow logs to AWS CloudWatch Logs","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-012","attributes":{"title":"Encryption At Rest","description":"Ensure that your Amazon OpenSearch domains are encrypted in order to meet security and compliance requirements","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-013","attributes":{"title":"OpenSearch Domains Encrypted with KMS CMKs","description":"Ensure that OpenSearch domains are encrypted with KMS Customer Master Keys (CMKs)","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"ES-015","attributes":{"title":"OpenSearch Node To Node Encryption","description":"Ensure that your Amazon OpenSearch clusters are using node to node encryption in order to meet security and compliance 
requirements","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Elasticsearch"}},{"type":"rules","id":"WS-004","attributes":{"title":"WorkSpaces Desired Bundle Type","description":"Ensure that all your Amazon WorkSpaces bundles are of given types","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS","FISC-V12"],"provider":"aws","service":"WorkSpaces"}},{"type":"rules","id":"WS-005","attributes":{"title":"WorkSpaces Storage Encryption","description":"Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"WorkSpaces"}},{"type":"rules","id":"EMR-001","attributes":{"title":"AWS EMR Instance Type Generation","description":"Ensure AWS EMR clusters are using the latest generation of instances for performance and cost optimization","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","HITRUST","ASAE-3150","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EMR"}},{"type":"rules","id":"EMR-002","attributes":{"title":"EMR Cluster Logging","description":"Ensure AWS Elastic MapReduce clusters capture detailed log data to Amazon S3","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EMR"}},{"type":"rules","id":"EMR-004","attributes":{"title":"EMR 
Desired Instance Type","description":"Ensure that all your Amazon EMR cluster instances are of given instance types","compliances":["AWAF-2025","NIST5","NIST-CSF-2_0","HITRUST","MAS"],"provider":"aws","service":"EMR"}},{"type":"rules","id":"EMR-005","attributes":{"title":"Cluster In VPC","description":"Ensure that your Amazon Elastic MapReduce clusters are provisioned using the AWS EC2-VPC platform instead of EC2-Classic platform","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"EMR"}},{"type":"rules","id":"EMR-006","attributes":{"title":"EMR In-Transit and At-Rest Encryption","description":"Ensure that your AWS Elastic MapReduce clusters are encrypted in order to meet security and compliance requirements","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EMR"}},{"type":"rules","id":"Lambda-001","attributes":{"title":"Lambda Using Latest Runtime Environment","description":"Ensure that the latest version of the runtime environment is used for your AWS Lambda functions","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-002","attributes":{"title":"Lambda Cross Account Access","description":"Ensure AWS Lambda functions don't allow unknown cross account access via permission 
policies","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-003","attributes":{"title":"Tracing Enabled","description":"Ensure that tracing (Lambda support for Amazon X-Ray service) is enabled for your AWS Lambda functions","compliances":["AWAF-2025","AWAF-AI-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-004","attributes":{"title":"Function Exposed","description":"Ensure that your Amazon Lambda functions aren't exposed to everyone","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-007","attributes":{"title":"VPC Access for AWS Lambda Functions","description":"Ensure that your Amazon Lambda functions have access to VPC-only resources","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-009","attributes":{"title":"Enable Encryption at Rest for Environment Variables using Customer Master Keys","description":"Ensure that Lambda environment variables are encrypted at rest with Customer Master Keys (CMKs) to gain full control over data 
encryption/decryption","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-010","attributes":{"title":"Enable IAM Authentication for Lambda Function URLs","description":"Ensure that IAM authorization is enabled for your Lambda function URLs","compliances":["AWAF-2025","AWAF-ML-2025","NIST-CSF-2_0","AGISM-2024","HITRUST","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-011","attributes":{"title":"Check Lambda Function URL Not in Use","description":"Check your Amazon Lambda functions are not using function URLs","compliances":["NIST-CSF-2_0","AGISM-2024","NIS-2","FISC-V12"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Lambda-012","attributes":{"title":"Lambda Using Supported Runtime Environment","description":"Ensure that the version of the runtime environment used by AWS Lambda functions is currently supported","compliances":["AWAF-2025","NIST-CSF-2_0","AGISM-2024","HITRUST","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Lambda"}},{"type":"rules","id":"Kinesis-001","attributes":{"title":"Kinesis Server Side Encryption","description":"Ensure Amazon Kinesis streams enforce Server-Side Encryption (SSE)","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Kinesis"}},{"type":"rules","id":"Kinesis-002","attributes":{"title":"Kinesis Stream Encrypted With CMK","description":"Ensure AWS Kinesis streams are encrypted with KMS Customer Master Keys for complete control over data encryption and 
decryption","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"Kinesis"}},{"type":"rules","id":"Kinesis-003","attributes":{"title":"Kinesis Stream Shard Level Metrics","description":"Ensure enhanced monitoring is enabled for your AWS Kinesis streams using shard-level metrics","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"Kinesis"}},{"type":"rules","id":"EFS-001","attributes":{"title":"EFS Encryption Enabled","description":"Ensure encryption is enabled for AWS EFS file systems to protect your data at rest","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EFS"}},{"type":"rules","id":"EFS-002","attributes":{"title":"AWS KMS Customer Master Keys for EFS Encryption","description":"Ensure EFS file systems are encrypted with KMS Customer Master Keys (CMKs) in order to have full control over data encryption and decryption","compliances":["GDPR","AWAF-2025","CISAWSF-3_0","CISAWSF-4_0_1","CISAWSF-5_0","CISAWSF-6_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"EFS"}},{"type":"rules","id":"ELBv2-001","attributes":{"title":"ELBv2 Elastic Load Balancing Deletion Protection","description":"Ensure ELBv2 Load Balancers have Deletion Protection 
feature enabled in order to protect them from being accidentally deleted","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-002","attributes":{"title":"ELBv2 Access Log","description":"Ensure that Amazon ALBs have Access Logging feature enabled for security, troubleshooting and statistical analysis purposes","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-003","attributes":{"title":"ELBv2 ALB Security Policy","description":"Ensure that Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-005","attributes":{"title":"ELBv2 ALB Listener Security","description":"Ensure ELBv2 ALBs are using a secure protocol","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-006","attributes":{"title":"ELBv2 ALB Security Group","description":"Ensure ELBv2 load balancers have secure and valid security 
groups","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-007","attributes":{"title":"Internet Facing ELBv2 Load Balancers","description":"Ensure Amazon internet-facing ELBv2 Load Balancers are regularly reviewed for security purposes","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-009","attributes":{"title":"Network Load Balancer Security Policy","description":"Ensure Amazon Network Load Balancers (NLBs) are using the latest recommended predefined security policy for TLS negotiation configuration","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-010","attributes":{"title":"ELBv2 NLB Listener Security","description":"Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"ELBv2-011","attributes":{"title":"Enable HTTP to HTTPS Redirect for Application Load Balancers","description":"Ensure that your Application Load Balancers have a rule that redirects HTTP traffic to 
HTTPS","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ELBv2"}},{"type":"rules","id":"AG-001","attributes":{"title":"APIs CloudWatch Logs","description":"Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-002","attributes":{"title":"APIs Detailed CloudWatch Metrics","description":"Ensure that detailed CloudWatch metrics are enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-003","attributes":{"title":"Tracing Enabled","description":"Ensure that tracing is enabled for all stages in all APIs created with AWS API Gateway service in order to analyze latencies in APIs and their backend services","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-004","attributes":{"title":"Content Encoding","description":"Ensure Content Encoding is enabled for your 
APIs","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-005","attributes":{"title":"Private Endpoint","description":"Ensure Amazon API Gateway APIs are only accessible through private API endpoints","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-006","attributes":{"title":"Client Certificate","description":"Enable SSL Client Certificate","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-007","attributes":{"title":"API Gateway Integrated With AWS WAF","description":"Ensure that AWS Web Application Firewall (WAF) is integrated with Amazon API Gateway","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"AG-008","attributes":{"title":"Rotate Expiring SSL Client Certificates","description":"Ensure that SSL client certificates associated with API Gateway APIs are rotated every 365 
days","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"APIGateway"}},{"type":"rules","id":"SageMaker-001","attributes":{"title":"Amazon SageMaker Notebook Instance In VPC","description":"Ensure SageMaker notebook instances are deployed into a VPC","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"SageMaker"}},{"type":"rules","id":"SageMaker-002","attributes":{"title":"Notebook Data Encrypted With KMS Customer Managed Keys","description":"Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Master Keys (CMKs)","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","ASAE-3150","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SageMaker"}},{"type":"rules","id":"SageMaker-004","attributes":{"title":"Disable Direct Internet Access for Notebook Instances","description":"Ensure Notebook instance isn't publicly available","compliances":["GDPR","AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"SageMaker"}},{"type":"rules","id":"SageMaker-005","attributes":{"title":"Enable VPC Only for SageMaker Domains","description":"Configure your SageMaker domains using the \"VPC Only\" network access type to enable fine-grained control on the network access to Amazon SageMaker 
Studio","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","FISC-V12","ISMS-P"],"provider":"aws","service":"SageMaker"}},{"type":"rules","id":"SageMaker-007","attributes":{"title":"Disable Root Access for SageMaker Notebook Instances","description":"Ensure users do not have root access to SageMaker Notebooks","compliances":["AWAF-ML-2025","FISC-V12"],"provider":"aws","service":"SageMaker"}},{"type":"rules","id":"SageMaker-010","attributes":{"title":"Enable Data Capture for SageMaker Endpoints","description":"Ensure that the Data Capture feature is enabled for your SageMaker endpoints in order to allow Amazon SageMaker to store prediction request and response data from your endpoints at a designated location.","compliances":["AWAF-AI-2025","AWAF-ML-2025"],"provider":"aws","service":"SageMaker"}},{"type":"rules","id":"SageMaker-012","attributes":{"title":"Enable Network Isolation for SageMaker Models","description":"Ensure that network isolation is enabled for your SageMaker models to prevent unauthorized access.","compliances":["AWAF-AI-2025","AWAF-ML-2025"],"provider":"aws","service":"SageMaker"}},{"type":"rules","id":"SageMaker-014","attributes":{"title":"Endpoints Encrypted With KMS Customer Managed Keys","description":"Ensure that the Amazon ECR images associated with your SageMaker endpoints are encrypted with KMS Customer Managed Keys (CMKs)","compliances":["AWAF-ML-2025"],"provider":"aws","service":"SageMaker"}},{"type":"rules","id":"ECR-001","attributes":{"title":"ECR Repository Exposed","description":"Ensure that Amazon Elastic Container Registry (ECR) repositories aren't exposed to everyone","compliances":["GDPR","AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P","LGPD"],"provider":"aws","service":"ECR"}},{"type":"rules","id":"ECR-002","attributes":{"title":"Repository Cross Account Access","description":"Ensure that 
Amazon ECR repositories don't allow unknown cross account access","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ECR"}},{"type":"rules","id":"ECR-003","attributes":{"title":"Enable Automated Scanning for Amazon ECR Container Images","description":"Ensure that each Amazon ECR container image is automatically scanned for vulnerabilities when pushed to a repository","compliances":["AWAF-2025","AWAF-ML-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12","ISMS-P"],"provider":"aws","service":"ECR"}},{"type":"rules","id":"ECR-004","attributes":{"title":"Lifecycle Policy in Use","description":"Ensure there is a lifecycle policy defined for each Amazon ECR image repository in order to automatically remove untagged and old container images","compliances":["AWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HIPAA","PCI","FEDRAMP","MAS","NIS-2"],"provider":"aws","service":"ECR"}},{"type":"rules","id":"Bedrock-001","attributes":{"title":"Use Customer-Managed Keys to Encrypt Agent Sessions","description":"Ensure that your Amazon Bedrock agent session data is encrypted with Amazon KMS Customer Managed Keys (CMKs) instead of AWS managed keys","compliances":["AWAF-2025","AWAF-ML-2025","FISC-V12","ISMS-P"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"Bedrock-002","attributes":{"title":"Use Guardrails to Protect Agent Sessions","description":"Ensure that Bedrock agent sessions are associated with guardrails for protection","compliances":["AWAF-2025","AWAF-AI-2025","AWAF-ML-2025","FISC-V12"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"Bedrock-003","attributes":{"title":"Use Customer-Managed Keys to Encrypt 
Amazon Bedrock Guardrails","description":"Ensure that your Amazon Bedrock guardrails are encrypted with Amazon KMS Customer Managed Keys (CMKs) instead of AWS managed keys","compliances":["AWAF-2025","AWAF-ML-2025","FISC-V12","ISMS-P"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"Bedrock-004","attributes":{"title":"Use Customer-Managed Keys to Encrypt Custom Models","description":"Ensure that your Amazon Bedrock custom models are encrypted with Amazon KMS Customer-Managed Keys (CMKs) instead of AWS-managed keys","compliances":["AWAF-2025","AWAF-ML-2025","FISC-V12","ISMS-P"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"Bedrock-005","attributes":{"title":"Use Customer-Managed Keys to Encrypt Knowledge Base Transient Data","description":"Ensure that your Amazon Bedrock knowledge base transient data is encrypted with Amazon KMS Customer Managed Keys (CMKs) instead of AWS managed keys","compliances":["AWAF-2025","FISC-V12","ISMS-P"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"Bedrock-007","attributes":{"title":"Configure Sensitive Information Filters for Amazon Bedrock Guardrails","description":"Ensure that Bedrock Guardrails are configured to mask or block Personally Identifiable Information (PII)","compliances":["AWAF-AI-2025","AWAF-ML-2025","FISC-V12"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"Bedrock-010","attributes":{"title":"Configure Prompt Attack Strength for Amazon Bedrock Guardrails","description":"Ensure that prompt attack strength is set to HIGH for your Amazon Bedrock guardrails","compliances":["AWAF-AI-2025"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"Bedrock-011","attributes":{"title":"Enable Model Invocation Logging","description":"Ensure that model invocation logging is enabled in the Amazon Bedrock account level settings","compliances":["AWAF-ML-2025"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"Bedrock-012","attributes":{"title":"Configure 
Permissions Boundaries for IAM Identities used by Amazon Bedrock","description":"For enhanced security, ensure that permissions boundaries are set for IAM identities used by Amazon Bedrock","compliances":["AWAF-ML-2025"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"Bedrock-013","attributes":{"title":"Check for Missing Model Customization Job Security Groups","description":"Ensure that Bedrock model customization jobs are referencing active (available) VPC security groups","compliances":["AWAF-AI-2025","AWAF-ML-2025"],"provider":"aws","service":"Bedrock"}},{"type":"rules","id":"StorageAccounts-001","attributes":{"title":"Enable Secure Transfer in Azure Storage","description":"Ensure that Secure transfer required is set to Enabled","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-006","attributes":{"title":"Disable Anonymous Access to Blob Containers","description":"Ensure that anonymous access to blob containers is disabled within your Azure Storage account","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-007","attributes":{"title":"Restrict Default Network Access for Storage Accounts","description":"Ensure that the default network access rule is set to 'Deny' within your Azure Storage 
account","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-008","attributes":{"title":"Enable Trusted Microsoft Services for Storage Account Access","description":"Allow Trusted Microsoft Services to access your Azure Storage account resources","compliances":["CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-009","attributes":{"title":"Use BYOK for Storage Account Encryption","description":"Use customer-managed keys (CMKs) for Microsoft Azure Storage accounts encryption","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-010","attributes":{"title":"Enable Soft Delete for Azure Blob Storage","description":"Ensure that Soft Delete feature is enabled for your Microsoft Azure Storage blob objects","compliances":["CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-011","attributes":{"title":"Enable Blob Storage Lifecycle Management","description":"Ensure there is a lifecycle management policy configured for your Microsoft Azure Blob Storage 
data","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HIPAA","PCI","PCI-V4","FEDRAMP","MAS"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-012","attributes":{"title":"Enable Immutable Blob Storage","description":"Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-013","attributes":{"title":"Check for Sufficient Soft Deleted Data Retention Period","description":"Ensure there is a sufficient retention period configured for Azure Blob Storage soft deleted data","compliances":["CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-014","attributes":{"title":"Limit Storage Account Access by IP Address","description":"Ensure that the access to your Microsoft Azure Storage blobs, files, tables and queues is limited only to specific (trusted) public IP address and/or IP address range","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-016","attributes":{"title":"Check for Publicly Accessible Web Containers","description":"Ensure that Azure Storage containers created to host static websites aren't publicly 
accessible","compliances":["CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-017","attributes":{"title":"Review Storage Accounts with Static Website Configuration","description":"Ensure that Azure Storage Accounts with static website configuration are regularly reviewed","compliances":["CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-018","attributes":{"title":"Storage Account Encryption using Customer Managed Keys","description":"Use Customer Managed Keys (CMKs) to encrypt data within Azure Storage accounts","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-021","attributes":{"title":"Configure Minimum TLS Version","description":"Ensure that the \"Minimum TLS version\" setting is set to \"Version 1.2\" for all Azure Storage accounts","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-022","attributes":{"title":"Disable Anonymous Access to Storage Accounts with Blob Containers","description":"Ensure that blob anonymous access is disabled at the storage account level to override any ACL configurations allowing public 
access","compliances":["AZUREWAF-2025","NIST-CSF-2_0","AGISM-2024","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-023","attributes":{"title":"Private Endpoint in Use","description":"Ensure that private endpoints are used to access Microsoft Azure Storage accounts","compliances":["CISAZUREF","AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","NIST-CSF-2_0","AGISM-2024","HITRUST","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-024","attributes":{"title":"Enable Infrastructure Encryption","description":"Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts","compliances":["AZUREWAF-2025","NIST-CSF-2_0","AGISM-2024","HITRUST","NIS-2","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"StorageAccounts-025","attributes":{"title":"Disable Cross-Tenant Object Replication","description":"Ensure that cross-tenant object replication is disabled for your Azure Storage accounts","compliances":["CISAZUREF-3_0","CISAZUREF-4_0","FISC-V12"],"provider":"azure","service":"StorageAccounts"}},{"type":"rules","id":"SecurityCenter-020","attributes":{"title":"Microsoft Defender for Cloud Recommendations","description":"Ensure that Microsoft Defender for Cloud recommendations are examined and resolved","compliances":["CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"SecurityCenter"}},{"type":"rules","id":"SecurityCenter-042","attributes":{"title":"Enable Defender for APIs","description":"Ensure that Defender for APIs is enabled for Azure API Management services","compliances":["FISC-V12"],"provider":"azure","service":"SecurityCenter"}},{"type":"rules","id":"PostgreSQL-013","attributes":{"title":"Enable 'log_checkpoints' Parameter for PostgreSQL Flexible 
Servers","description":"Enable 'log_checkpoints' parameter for your Microsoft Azure PostgreSQL flexible database servers","compliances":["CISAZUREF-3_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"PostgreSQL"}},{"type":"rules","id":"PostgreSQL-015","attributes":{"title":"Enable Transport Encryption for PostgreSQL Flexible Servers","description":"Ensure that the databases managed with Azure Database for PostgreSQL have the Transport Encryption feature enabled","compliances":["AZUREWAF-2025","CISAZUREF-3_0"],"provider":"azure","service":"PostgreSQL"}},{"type":"rules","id":"PostgreSQL-016","attributes":{"title":"Enable Connection Throttling for PostgreSQL Flexible Servers","description":"Ensure that connection throttling is enabled for your Azure Database for PostgreSQL flexible servers","compliances":["CISAZUREF-3_0"],"provider":"azure","service":"PostgreSQL"}},{"type":"rules","id":"PostgreSQL-017","attributes":{"title":"Check Log Files Retention Period for PostgreSQL Flexible Servers","description":"Ensure there is a sufficient log retention period configured for your Azure PostgreSQL flexible servers","compliances":["CISAZUREF-3_0"],"provider":"azure","service":"PostgreSQL"}},{"type":"rules","id":"Sql-007","attributes":{"title":"Enable All Types of Threat Detection on SQL Servers","description":"Enable all types of threat detection for your Microsoft Azure SQL Database Servers","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Sql"}},{"type":"rules","id":"Sql-010","attributes":{"title":"Check for Unrestricted SQL Database Access","description":"Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP 
address)","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Sql"}},{"type":"rules","id":"Sql-013","attributes":{"title":"Check for Publicly Accessible SQL Servers","description":"Ensure that Azure SQL database servers are accessible via private endpoints only","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Sql"}},{"type":"rules","id":"AppService-001","attributes":{"title":"Check for Latest Version of Python","description":"Ensure that Azure App Service web applications are using the latest version of Python","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-002","attributes":{"title":"Check for Latest Version of PHP","description":"Ensure that Azure App Service web applications are using the latest version of PHP","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-003","attributes":{"title":"Check for Latest Version of .NET Framework","description":"Ensure that Azure App Service web applications are using the latest version of .NET 
Framework","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-004","attributes":{"title":"Check for Latest Version of Java","description":"Ensure that Azure App Service web applications are using the latest version of Java","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-005","attributes":{"title":"Check that Azure App is using the latest version of HTTP","description":"Ensure that Azure App Service web applications are using the latest version of HTTP","compliances":["CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-006","attributes":{"title":"Enable HTTPS-Only Traffic","description":"Ensure that Azure App Service web applications only allow HTTPS connections","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-007","attributes":{"title":"Check for TLS Protocol Latest Version","description":"Ensure that your Azure App Service web applications are using the latest TLS 
version","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-008","attributes":{"title":"Check that the Azure App requests incoming client certificates","description":"Ensure that your Azure App Service web applications request a client certificate from incoming requests","compliances":["CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-009","attributes":{"title":"Enable Registration with Microsoft Entra ID","description":"Ensure that registration with Microsoft Entra ID is enabled for Azure App Service applications","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-010","attributes":{"title":"Enable App Service Authentication","description":"Ensure that App Service Authentication is enabled within your Microsoft Azure account","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-011","attributes":{"title":"Disable Remote Debugging","description":"Disable Remote Debugging feature for your Microsoft Azure App Services web 
applications","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-012","attributes":{"title":"Enable FTPS-Only Access","description":"Enable FTPS-only access for your Microsoft Azure App Services web applications","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-013","attributes":{"title":"Enable Automated Backups","description":"Ensure that all your Azure App Services applications are using the Backup and Restore feature","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-014","attributes":{"title":"Check for Sufficient Backup Retention Period","description":"Ensure there is a sufficient backup retention period configured for Azure App Services applications","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-015","attributes":{"title":"Enable Always On","description":"Ensure that your Azure App Services web applications stay loaded all the time by enabling the Always On 
feature","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"AppService-017","attributes":{"title":"Disable Plain FTP Deployment","description":"Ensure that FTP access is disabled for your Azure App Services web applications","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"AppService"}},{"type":"rules","id":"Network-001","attributes":{"title":"Check for Unrestricted RDP Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 3389 (Remote Desktop Protocol - RDP)","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-002","attributes":{"title":"Check for Unrestricted SSH Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 22 (SSH)","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-004","attributes":{"title":"Check for NSG Flow Log Retention Period","description":"Ensure that Network Security Group (NSG) flow log retention period is greater than or equal to 90 
days","compliances":["CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-005","attributes":{"title":"Check for Unrestricted FTP Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 20 and 21 (File Transfer Protocol – FTP)","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-006","attributes":{"title":"Check for Unrestricted MySQL Database Access","description":"Ensure that no network security groups allow unrestricted ingress access on TCP port 3306 (MySQL Database)","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-007","attributes":{"title":"Check for Unrestricted PostgreSQL Database Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server)","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-008","attributes":{"title":"Check for Unrestricted MS SQL Server Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 1433 (Microsoft SQL 
Server)","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-009","attributes":{"title":"Check for Unrestricted Oracle Database Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 1521 (Oracle Database)","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-010","attributes":{"title":"Check for Unrestricted RPC Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC)","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-011","attributes":{"title":"Check for Network Security Groups with Port Ranges","description":"Ensure there are no network security groups with range of ports opened to allow incoming traffic","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-012","attributes":{"title":"Enable DDoS Standard Protection for Virtual Networks","description":"Ensure that DDoS standard protection is enabled for production Azure virtual 
networks","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-013","attributes":{"title":"Review Network Interfaces with IP Forwarding Enabled","description":"Ensure that the Azure network interfaces with IP forwarding enabled are regularly reviewed","compliances":["CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-015","attributes":{"title":"Check for Unrestricted UDP Access","description":"Ensure that no network security groups allow unrestricted inbound access on UDP ports","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-016","attributes":{"title":"Check for Unrestricted CIFS Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 445 (Common Internet File System – CIFS)","compliances":["AZUREWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-017","attributes":{"title":"Check for Unrestricted HTTP Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 
80","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-018","attributes":{"title":"Check for Unrestricted SMTP Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 25","compliances":["AZUREWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-019","attributes":{"title":"Check for Unrestricted Telnet Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 23","compliances":["AZUREWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-020","attributes":{"title":"Check for Unrestricted ICMP Access","description":"Ensure that no network security groups allow unrestricted inbound access using Internet Control Message Protocol (ICMP)","compliances":["AZUREWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-021","attributes":{"title":"Check for Unrestricted MongoDB Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 
27019","compliances":["AZUREWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-022","attributes":{"title":"Check for Unrestricted HTTPS Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 443","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-023","attributes":{"title":"Check for Unrestricted DNS Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP and UDP port 53","compliances":["AZUREWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-024","attributes":{"title":"Check for Unrestricted NetBIOS Access","description":"Ensure that no network security groups allow unrestricted inbound access on TCP port 139 and UDP ports 137 and 138 (NetBIOS)","compliances":["AZUREWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"Network"}},{"type":"rules","id":"Network-025","attributes":{"title":"Check for Unrestricted Inbound TCP or UDP Access on Selected Ports","description":"Ensure that no network security groups allow unrestricted inbound access via TCP or UDP on selected 
ports","compliances":["AZUREWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"Network"}},{"type":"rules","id":"VirtualMachines-001","attributes":{"title":"Azure Disk Encryption for Boot Disk Volumes","description":"Ensure that encryption is enabled for Azure virtual machine boot volumes to protect data at rest","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-002","attributes":{"title":"Azure Disk Encryption for Non-Boot Disk Volumes","description":"Ensure that encryption at rest is enabled for Microsoft Azure virtual machine non-boot volumes","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-004","attributes":{"title":"Install Approved Extensions Only","description":"Ensure that only approved extensions are installed on your Microsoft Azure virtual machines","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-007","attributes":{"title":"Check for SSH Authentication Type","description":"Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH 
keys","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-008","attributes":{"title":"Use BYOK for Disk Volumes Encryption","description":"Use customer-managed keys for Microsoft Azure virtual machine (VM) disk volumes encryption","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-009","attributes":{"title":"Use Managed Disk Volumes for Virtual Machines","description":"Ensure that your Microsoft Azure virtual machines are using managed disk volumes","compliances":["CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-010","attributes":{"title":"Disable Premium SSD","description":"Ensure that Azure virtual machines are using Standard SSD disk volumes instead of Premium SSD volumes to optimize VM costs","compliances":["NIST5","NIST-CSF-2_0","MAS","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-011","attributes":{"title":"Remove Unattached Virtual Machine Disk Volumes","description":"Remove any unattached Azure virtual machine (VM) disk volumes to improve security and reduce 
costs","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","PCI","PCI-V4","APRA","FEDRAMP","MAS","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-013","attributes":{"title":"Enable Backups for Azure Virtual Machines","description":"Ensure that Microsoft Azure Backup service is in use for your Azure virtual machines (VMs)","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-014","attributes":{"title":"Enable Virtual Machine Boot Diagnostics","description":"Ensure that Microsoft Azure virtual machines are configured to use Boot Diagnostics feature","compliances":["CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-015","attributes":{"title":"Enable System-Assigned Managed Identities","description":"Ensure that Azure virtual machines are configured to use system-assigned managed identities","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-017","attributes":{"title":"Enable Auto-Shutdown","description":"Configure your Microsoft Azure virtual machines to automatically shut down on a daily 
basis","compliances":["AZUREWAF-2025","CIS-V8","NIST5","NIST-CSF-2_0","ISO27001","MAS","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-018","attributes":{"title":"Enable Guest-Level Diagnostics for Virtual Machines","description":"Ensure that Microsoft Azure virtual machines are configured to use OS guest-level monitoring","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-019","attributes":{"title":"Check for Sufficient Daily Backup Retention Period","description":"Ensure there is a sufficient daily backup retention period configured for Azure virtual machines","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-020","attributes":{"title":"Check for Sufficient Instant Restore Retention Period","description":"Ensure there is a sufficient instant restore retention period configured for Azure virtual machines","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-022","attributes":{"title":"Enable Automatic OS Upgrades","description":"Ensure that Automatic OS Upgrades feature is enabled for your Azure virtual machine scale 
sets","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-025","attributes":{"title":"Check for Empty Virtual Machine Scale Sets","description":"Identify and remove empty virtual machine scale sets from your Azure cloud account","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-026","attributes":{"title":"Enable Automatic Instance Repairs","description":"Ensure that Azure virtual machine scale sets are configured to use automatic instance repairs","compliances":["AZUREWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-027","attributes":{"title":"Check for Zone-Redundant Virtual Machine Scale Sets","description":"Ensure that Azure virtual machine scale sets are configured for zone redundancy","compliances":["CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-028","attributes":{"title":"Check for Associated Load Balancers","description":"Ensure that your Azure virtual machine scale sets are using load balancers for traffic 
distribution","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-029","attributes":{"title":"Check for Desired VM SKU Size(s)","description":"Ensure that your virtual machine instances are of a given SKU size (e.g. Standard_A8_v2)","compliances":["CIS-V8","NIST4","NIST5","NIST-CSF","NIST-CSF-2_0","ISO27001-2022","PCI-V4","FEDRAMP","MAS","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-031","attributes":{"title":"Approved Azure Machine Image in Use","description":"Ensure that all your Azure virtual machine instances are launched from approved machine images only","compliances":["AZUREWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-032","attributes":{"title":"Enable Instance Termination Notifications for Virtual Machine Scale Sets","description":"Ensure that instance termination notifications are enabled for your Azure virtual machine scale sets","compliances":["CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-033","attributes":{"title":"Enable and Configure Health Monitoring","description":"Ensure that the health of your Microsoft Azure scale set instances is being 
monitored","compliances":["AZUREWAF-2025","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-036","attributes":{"title":"Use Customer Managed Keys for Virtual Hard Disk Encryption","description":"Ensure that Customer Managed Keys are used to encrypt Virtual Hard Disk (VHD) volumes","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-037","attributes":{"title":"Server Side Encryption for Unattached Disk using CMK","description":"Ensure that unattached managed disk volumes are encrypted at rest using customer-managed keys (CMKs)","compliances":["AZUREWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-038","attributes":{"title":"Server Side Encryption for Non-Boot Disk using CMK","description":"Ensure that Azure VM data disk volumes are encrypted at rest using customer-managed keys (CMKs)","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-039","attributes":{"title":"Server Side Encryption for Boot Disk using CMK","description":"Ensure that Azure VM managed disk boot volumes are encrypted at rest using customer-managed keys 
(CMKs)","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-040","attributes":{"title":"Enable Trusted Launch for Virtual Machines","description":"Ensure that Microsoft Azure virtual machines are configured to use the Trusted Launch feature","compliances":["AZUREWAF-2025","CISAZUREF-3_0","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-043","attributes":{"title":"Disable Public Network Access to Virtual Machine Disks","description":"Ensure that public network access (i.e., all network access) to Azure virtual machine (VM) disks is disabled in order to enhance security by preventing unauthorized access","compliances":["AZUREWAF-2025","CISAZUREF-3_0","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"VirtualMachines-044","attributes":{"title":"Enable Confidential Computing for Azure Virtual Machines","description":"Ensure that Azure virtual machines (VMs) have Confidential Computing enabled to protect data in use with hardware-based trusted execution environments (TEEs)","compliances":["AZUREWAF-2025","FISC-V12"],"provider":"azure","service":"VirtualMachines"}},{"type":"rules","id":"AKS-003","attributes":{"title":"Secure Access to Kubernetes API Server Using Authorized IP Address Ranges","description":"Ensure that public access to Kubernetes API server is restricted","compliances":["AZUREWAF-2025","FISC-V12"],"provider":"azure","service":"AKS"}},{"type":"rules","id":"AKS-004","attributes":{"title":"Private Kubernetes Clusters","description":"Ensure that your Azure Kubernetes Service (AKS) clusters are private","compliances":["AZUREWAF-2025","FISC-V12"],"provider":"azure","service":"AKS"}},{"type":"rules","id":"AKS-005","attributes":{"title":"Kubernetes Clusters with 
Private Nodes","description":"Ensure that your Azure Kubernetes Service (AKS) clusters are deployed with private nodes in order to enhance your Kubernetes workload's security and isolation","compliances":["AZUREWAF-2025"],"provider":"azure","service":"AKS"}},{"type":"rules","id":"AKS-010","attributes":{"title":"Use Microsoft Entra ID Integration with Kubernetes RBAC","description":"Ensure that your Azure Kubernetes Service (AKS) clusters are configured to use Microsoft Entra ID for authentication and Kubernetes Role-Based Access Control (Kubernetes native RBAC) for authorization.","compliances":["AZUREWAF-2025"],"provider":"azure","service":"AKS"}},{"type":"rules","id":"KeyVault-001","attributes":{"title":"Enable Key Vault Recoverability","description":"Ensure that your Microsoft Azure Key Vault instances are recoverable","compliances":["CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"KeyVault"}},{"type":"rules","id":"KeyVault-004","attributes":{"title":"Enable AuditEvent Logging for Azure Key Vaults","description":"Ensure that logging for Azure KeyVault is 'Enabled'","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"KeyVault"}},{"type":"rules","id":"KeyVault-005","attributes":{"title":"Check for Key Vault Full Administrator Permissions","description":"Ensure that no Azure user, group or application has full permissions to access and manage Key 
Vaults","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"KeyVault"}},{"type":"rules","id":"KeyVault-007","attributes":{"title":"Restrict Default Network Access for Azure Key Vaults","description":"Ensure that your Microsoft Azure Key Vaults are configured to deny access to traffic from all networks","compliances":["AZUREWAF-2025","CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"KeyVault"}},{"type":"rules","id":"KeyVault-015","attributes":{"title":"Check for Azure Key Vault Secrets Expiration Date","description":"Ensure that your Azure Key Vault secrets are renewed prior to their expiration date","compliances":["CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"KeyVault"}},{"type":"rules","id":"KeyVault-016","attributes":{"title":"Check for Azure Key Vault Keys Expiration Date","description":"Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date","compliances":["CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2","FISC-V12"],"provider":"azure","service":"KeyVault"}},{"type":"rules","id":"KeyVault-017","attributes":{"title":"Enable Role-Based Access Control (RBAC) Authorization","description":"Ensure that RBAC authorization is enabled for Azure Key 
Vaults","compliances":["AZUREWAF-2025","FISC-V12"],"provider":"azure","service":"KeyVault"}},{"type":"rules","id":"KeyVault-018","attributes":{"title":"Use Private Endpoints for Key Vaults","description":"Ensure that network access to Azure Key Vaults is allowed via private endpoints only.","compliances":["AZUREWAF-2025","FISC-V12"],"provider":"azure","service":"KeyVault"}},{"type":"rules","id":"AccessControl-001","attributes":{"title":"Remove Custom Owner Roles","description":"Ensure there are no custom owner roles within your Microsoft Azure account","compliances":["CISAZUREF-3_0","CISAZUREF-4_0","CIS-V8","NIST4","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","MAS","NIS-2"],"provider":"azure","service":"AccessControl"}},{"type":"rules","id":"AccessControl-003","attributes":{"title":"Subscription Administrator Custom Role","description":"Ensure there are no custom subscription administrator roles within your Microsoft Azure cloud account","compliances":["NIST-CSF-2_0","AGISM-2024","HITRUST","NIS-2","FISC-V12"],"provider":"azure","service":"AccessControl"}},{"type":"rules","id":"CosmosDB-004","attributes":{"title":"Disable Key-Based Authentication for Azure Cosmos DB Accounts","description":"Ensure that key-based authentication is disabled for your Azure Cosmos DB accounts. 
This security best practice enforces the use of Microsoft Entra authentication, enhancing access security.","compliances":["AZUREWAF-2025"],"provider":"azure","service":"CosmosDB"}},{"type":"rules","id":"CosmosDB-008","attributes":{"title":"Use Private Endpoints for Azure Cosmos DB Accounts","description":"Ensure that private endpoints are configured for Microsoft Azure Cosmos DB accounts in order to allow clients and services to securely access data located over a network via an encrypted Azure Private Link connection.","compliances":["AZUREWAF-2025"],"provider":"azure","service":"CosmosDB"}},{"type":"rules","id":"CosmosDB-010","attributes":{"title":"Azure Cosmos DB Accounts Encrypted with Customer-Managed Keys","description":"Ensure that your Azure Cosmos DB accounts are encrypted using Customer-Managed Keys (CMKs) instead of Microsoft-managed keys (i.e. default keys used by Microsoft Azure for encryption at rest) in order to have a more granular control over your data encryption and decryption process.","compliances":["AZUREWAF-2025"],"provider":"azure","service":"CosmosDB"}},{"type":"rules","id":"DNS-001","attributes":{"title":"Enable DNSSEC for Azure DNS Zones","description":"Ensure that your Microsoft Azure DNS zones are using Domain Name System Security Extensions (DNSSEC) to protect against DNS spoofing and cache poisoning attacks","compliances":["AZUREWAF-2025"],"provider":"azure","service":"DNS"}},{"type":"rules","id":"DNS-002","attributes":{"title":"Check for Network Isolation with Virtual Network Links","description":"Ensure that your private Azure DNS zones are configured with virtual network (VNet) links to enable name resolution for resources within a specific virtual network","compliances":[],"provider":"azure","service":"DNS"}},{"type":"rules","id":"FrontDoor-001","attributes":{"title":"Use Managed Identities for Azure Front Door Profiles","description":"Ensure that your Microsoft Azure Front Door (AFD) profiles are using system-assigned and/or 
user-assigned managed identities in order to allow secure application access to other Microsoft Azure cloud resources such as Azure Storage accounts and Key Vaults","compliances":["AZUREWAF-2025"],"provider":"azure","service":"FrontDoor"}},{"type":"rules","id":"FrontDoor-002","attributes":{"title":"Minimum TLS Version","description":"Ensure that your Azure Front Door custom domains are using the latest supported version of the TLS protocol (i.e. TLS 1.2) in order to enhance security by providing stronger encryption, protecting data integrity, reducing vulnerabilities to cyber attacks, and maintaining compatibility with modern browsers","compliances":["AZUREWAF-2025"],"provider":"azure","service":"FrontDoor"}},{"type":"rules","id":"FrontDoor-003","attributes":{"title":"Enable Web Application Firewall for Front Door Profiles","description":"Ensure that Web Application Firewall (WAF) security policies are enabled for your Microsoft Azure Front Door profiles","compliances":["AZUREWAF-2025"],"provider":"azure","service":"FrontDoor"}},{"type":"rules","id":"FrontDoor-004","attributes":{"title":"Azure Front Door Origin Security and Access Restriction","description":"Ensure that Microsoft Azure Front Door (AFD) profiles are configured with Azure Private Link to securely connect to your AFD origin","compliances":["AZUREWAF-2025"],"provider":"azure","service":"FrontDoor"}},{"type":"rules","id":"APIManagement-001","attributes":{"title":"Enable Built-In Response Caching","description":"Ensure that Azure API Management APIs are configured to enforce built-in response caching","compliances":["AZUREWAF-2025"],"provider":"azure","service":"APIManagement"}},{"type":"rules","id":"APIManagement-002","attributes":{"title":"Enforce HTTPS","description":"Ensure that your Azure API Management APIs are configured to enforce HTTPS","compliances":["AZUREWAF-2025","FISC-V12"],"provider":"azure","service":"APIManagement"}},{"type":"rules","id":"APIManagement-003","attributes":{"title":"Enable 
Integration with Application Insights","description":"Ensure that your Azure API Management APIs are configured to use Application Insights","compliances":["AZUREWAF-2025"],"provider":"azure","service":"APIManagement"}},{"type":"rules","id":"APIManagement-009","attributes":{"title":"Unrestricted API Access","description":"Ensure that your Azure API Management APIs are configured to allow calls from specific IP addresses or IP address ranges only","compliances":["AZUREWAF-2025","FISC-V12"],"provider":"azure","service":"APIManagement"}},{"type":"rules","id":"MachineLearning-001","attributes":{"title":"Enable High Business Impact for Machine Learning Workspaces","description":"Ensure that the High Business Impact feature is enabled for your Azure Machine Learning workspaces","compliances":["FISC-V12"],"provider":"azure","service":"MachineLearning"}},{"type":"rules","id":"MachineLearning-002","attributes":{"title":"Enable Diagnostic Logs for Machine Learning Workspaces","description":"Ensure that Diagnostic Logs are enabled for your Azure Machine Learning workspaces","compliances":["AZUREWAF-2025","FISC-V12"],"provider":"azure","service":"MachineLearning"}},{"type":"rules","id":"MachineLearning-003","attributes":{"title":"Use System-Assigned Managed Identities for Azure Machine Learning Workspaces","description":"Ensure that Azure Machine Learning workspaces are using system-assigned managed identities","compliances":["AZUREWAF-2025"],"provider":"azure","service":"MachineLearning"}},{"type":"rules","id":"MachineLearning-004","attributes":{"title":"Machine Learning Workspace Encryption using Customer-Managed Keys","description":"Ensure that your Azure Machine Learning workspaces are encrypted using Customer-Managed Keys (CMKs)","compliances":["AZUREWAF-2025","FISC-V12"],"provider":"azure","service":"MachineLearning"}},{"type":"rules","id":"MachineLearning-005","attributes":{"title":"Enable Managed Virtual Network Isolation with Internet Outbound Access","description":"Ensure that managed VNet isolation with 
Internet outbound access is enabled","compliances":["AZUREWAF-2025","FISC-V12"],"provider":"azure","service":"MachineLearning"}},{"type":"rules","id":"AIServices-001","attributes":{"title":"Use Private Endpoints for OpenAI Service Instances","description":"Ensure that network access to OpenAI service instances is allowed via private endpoints only","compliances":["AZUREWAF-2025"],"provider":"azure","service":"AIServices"}},{"type":"rules","id":"AIServices-002","attributes":{"title":"Disable Public Network Access to OpenAI Service Instances","description":"Ensure that public network access to OpenAI service instances is disabled","compliances":["AZUREWAF-2025"],"provider":"azure","service":"AIServices"}},{"type":"rules","id":"AIServices-003","attributes":{"title":"Enable Diagnostic Logs for OpenAI Service Instances","description":"Ensure that Diagnostic Logs are enabled for your Azure OpenAI service instances","compliances":["FISC-V12"],"provider":"azure","service":"AIServices"}},{"type":"rules","id":"AIServices-004","attributes":{"title":"Use Managed Identities for OpenAI Service Instances","description":"Ensure that Azure OpenAI service instances are using managed identities","compliances":["AZUREWAF-2025"],"provider":"azure","service":"AIServices"}},{"type":"rules","id":"AIServices-005","attributes":{"title":"OpenAI Encryption using Customer-Managed Keys","description":"Ensure that your Azure OpenAI service instances are encrypted using Customer-Managed Keys (CMKs)","compliances":["AZUREWAF-2025","FISC-V12"],"provider":"azure","service":"AIServices"}},{"type":"rules","id":"ArtifactRegistry-001","attributes":{"title":"Enable Artifact Registry Vulnerability Scanning","description":"Ensure that vulnerability scanning for Artifact Registry repositories is enabled to enhance security and mitigate potential risks","compliances":["GCPWAF-2025","FISC-V12"],"provider":"gcp","service":"ArtifactRegistry"}},{"type":"rules","id":"ArtifactRegistry-002","attributes":{"title":"Check for Publicly 
Accessible Artifact Registry Repositories","description":"Ensure there are no publicly accessible Artifact Registry repositories available in your cloud account","compliances":["FISC-V12"],"provider":"gcp","service":"ArtifactRegistry"}},{"type":"rules","id":"ArtifactRegistry-003","attributes":{"title":"Use Customer-Managed Encryption Keys for Repositories Encryption","description":"Ensure that all the artifacts stored within your Artifact Registry repositories are encrypted with Customer-Managed Encryption Keys (CMEK) instead of Google-managed encryption keys","compliances":["GCPWAF-2025"],"provider":"gcp","service":"ArtifactRegistry"}},{"type":"rules","id":"CloudIAM-004","attributes":{"title":"Delete User-Managed Service Account Keys","description":"Ensure there are no user-managed keys associated with your GCP service accounts","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudIAM"}},{"type":"rules","id":"CloudIAM-012","attributes":{"title":"Enable Access Approval","description":"Ensure that Access Approval is enabled for your Google Cloud account","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudIAM"}},{"type":"rules","id":"CloudKMS-001","attributes":{"title":"Check for Publicly Accessible Cloud KMS Keys","description":"Ensure there are no publicly accessible KMS cryptographic keys available within your Google Cloud 
account","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudKMS"}},{"type":"rules","id":"CloudKMS-002","attributes":{"title":"Rotate Google Cloud KMS Keys","description":"Ensure that all KMS cryptographic keys available within your Google Cloud account are regularly rotated","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudKMS"}},{"type":"rules","id":"CloudVPC-001","attributes":{"title":"Check for Unrestricted RDP Access","description":"Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP)","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudVPC"}},{"type":"rules","id":"CloudVPC-002","attributes":{"title":"Check for Unrestricted SSH Access","description":"Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH)","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudVPC"}},{"type":"rules","id":"CloudVPC-003","attributes":{"title":"Enable VPC Flow Logs for VPC Subnets","description":"Ensure that VPC Flow Logs feature is enabled for all VPC network 
subnets","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudVPC"}},{"type":"rules","id":"CloudStorage-001","attributes":{"title":"Check for Publicly Accessible Cloud Storage Buckets","description":"Ensure there are no publicly accessible Cloud Storage buckets available within your Google Cloud Platform (GCP) account","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudStorage"}},{"type":"rules","id":"CloudStorage-002","attributes":{"title":"Enable Uniform Bucket-Level Access for Cloud Storage Buckets","description":"Ensure that Google Cloud Storage buckets have uniform bucket-level access enabled","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudStorage"}},{"type":"rules","id":"CloudStorage-005","attributes":{"title":"Define index page suffix and error page for the bucket website configuration","description":"Ensure that bucket website configuration includes main page suffix and error page","compliances":["NIST5","NIST-CSF-2_0","AGISM-2024","NIS-2"],"provider":"gcp","service":"CloudStorage"}},{"type":"rules","id":"CloudStorage-007","attributes":{"title":"Enable Object Versioning for Cloud Storage Buckets","description":"Ensure that your Cloud Storage buckets are configured with object versioning in order to protect your object data from being overwritten or accidentally 
deleted.","compliances":[],"provider":"gcp","service":"CloudStorage"}},{"type":"rules","id":"CloudStorage-008","attributes":{"title":"Enable Lifecycle Management for Cloud Storage Objects","description":"Ensure that your Google Cloud Storage buckets are using lifecycle management rules to manage objects during their lifetime.","compliances":[],"provider":"gcp","service":"CloudStorage"}},{"type":"rules","id":"CloudStorage-009","attributes":{"title":"Enable Usage and Storage Logs","description":"Ensure that usage and storage logs are enabled for your Google Cloud Storage buckets in order to collect valuable insights into bucket activity, helping monitor access patterns, track costs, detect suspicious behavior, and ensure compliance with security and audit requirements.","compliances":["GCPWAF-2025"],"provider":"gcp","service":"CloudStorage"}},{"type":"rules","id":"CloudStorage-012","attributes":{"title":"Bucket Policies with Administrative Permissions","description":"Ensure that the IAM policy associated with your Google Cloud Storage buckets does not have privileged, administrative permissions in order to promote the Principle of Least Privilege (POLP) and provide principals with the minimal amount of access required to perform their tasks.","compliances":["GCPWAF-2025"],"provider":"gcp","service":"CloudStorage"}},{"type":"rules","id":"ComputeEngine-001","attributes":{"title":"Check for Virtual Machine Instances with Public IP Addresses","description":"Ensure that Google Cloud VM instances aren't using public IP addresses","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"ComputeEngine"}},{"type":"rules","id":"ComputeEngine-003","attributes":{"title":"Disable Interactive Serial Console Support","description":"Ensure that interactive serial console support isn't enabled for your Google 
Cloud instances","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"ComputeEngine"}},{"type":"rules","id":"ComputeEngine-004","attributes":{"title":"Disable IP Forwarding for Virtual Machine Instances","description":"Ensure that IP Forwarding isn't enabled for your Google Cloud virtual machine (VM) instances","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"ComputeEngine"}},{"type":"rules","id":"ComputeEngine-005","attributes":{"title":"Enable \"Shielded VM\" Security Feature","description":"Ensure that Shielded VM feature is enabled for your virtual machine (VM) instances","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"ComputeEngine"}},{"type":"rules","id":"ComputeEngine-006","attributes":{"title":"Check for Instances Associated with Default Service Accounts","description":"Ensure that your VM instances are not associated with the default GCP service account","compliances":["CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"ComputeEngine"}},{"type":"rules","id":"ComputeEngine-007","attributes":{"title":"Enable VM Disk Encryption with Customer-Supplied Encryption Keys","description":"Ensure that your virtual machine (VM) instance disks are encrypted with 
CSEKs","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"ComputeEngine"}},{"type":"rules","id":"ComputeEngine-008","attributes":{"title":"Check for Instance-Associated Service Accounts with Full API Access","description":"Ensure that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"ComputeEngine"}},{"type":"rules","id":"ComputeEngine-009","attributes":{"title":"Enable \"Block Project-Wide SSH Keys\" Security Feature","description":"Ensure that project-wide SSH keys are not used to access your Google Cloud VM instances","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"ComputeEngine"}},{"type":"rules","id":"ComputeEngine-011","attributes":{"title":"Enable Confidential Computing for Virtual Machine Instances","description":"Ensure that Confidential Computing is enabled for virtual machine (VM) instances","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"ComputeEngine"}},{"type":"rules","id":"CloudSQL-001","attributes":{"title":"Check for Cloud SQL Database Instances with Public IPs","description":"Ensure that Cloud SQL database instances don't have public IP addresses 
assigned","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-002","attributes":{"title":"Enable Automated Backups for Cloud SQL Database Instances","description":"Ensure that Cloud SQL database instances are configured with automated backups","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-003","attributes":{"title":"Enable High Availability for Cloud SQL Database Instances","description":"Ensure that production SQL database instances are configured to automatically fail over to another zone within the selected cloud region","compliances":["GCPWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-004","attributes":{"title":"Enable SSL/TLS for Cloud SQL Incoming Connections","description":"Ensure that Cloud SQL database instances require all incoming connections to use SSL/TLS","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-005","attributes":{"title":"Disable 'Cross DB Ownership Chaining' Flag for SQL Server Database Instances","description":"Ensure that SQL Server database instances have 'cross db ownership chaining' flag set to 
Off","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-006","attributes":{"title":"Disable 'Contained Database Authentication' Flag for SQL Server Database Instances","description":"Ensure that SQL Server database instances have 'contained database authentication' flag set to Off","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-007","attributes":{"title":"Disable 'log_min_duration_statement' Flag for PostgreSQL Database Instances","description":"Ensure that PostgreSQL database instances have 'log_min_duration_statement' flag set to -1 (Off)","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-008","attributes":{"title":"Enable 'log_connections' Flag for PostgreSQL Database Instances","description":"Ensure that PostgreSQL database instances have the 'log_connections' configuration flag set to On","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-009","attributes":{"title":"Enable 'log_disconnections' Flag for PostgreSQL Database Instances","description":"Ensure that PostgreSQL database instances have the 'log_disconnections' flag set to On 
(enabled)","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-010","attributes":{"title":"Enable 'log_checkpoints' Flag for PostgreSQL Database Instances","description":"Ensure that PostgreSQL database instances have 'log_checkpoints' flag set to On","compliances":["GCPWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-011","attributes":{"title":"Enable 'log_lock_waits' Flag for PostgreSQL Database Instances","description":"Ensure that PostgreSQL database instances have the 'log_lock_waits' flag set to On","compliances":["GCPWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-012","attributes":{"title":"Enable 'log_temp_files' Flag for PostgreSQL Database Instances","description":"Ensure that PostgreSQL database instances have the 'log_temp_files' flag set to 0 (On)","compliances":["GCPWAF-2025","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-013","attributes":{"title":"Configure 'log_min_error_statement' Flag for PostgreSQL Database Instances","description":"Ensure that 'log_min_error_statement' database flag configured for your Google Cloud PostgreSQL database instances has the appropriate level of severity in accordance with your organization's logging 
policy","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-014","attributes":{"title":"Disable \"local_infile\" Flag for MySQL Database Instances","description":"Ensure that MySQL database instances have the \"local_infile\" flag set to Off","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-015","attributes":{"title":"Check for Publicly Accessible Cloud SQL Database Instances","description":"Ensure that your Google Cloud SQL database instances are configured to accept connections from trusted networks and IP addresses only","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-017","attributes":{"title":"Disable 'remote access' Flag for SQL Server Database Instances","description":"Ensure that the 'remote access' SQL Server flag is set to 'off'","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-018","attributes":{"title":"Disable 'log_statement_stats' Flag for PostgreSQL Database Instances","description":"Ensure that the 'log_statement_stats' PostgreSQL database flag is set to 
Off","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-019","attributes":{"title":"Disable 'external scripts enabled' Flag for SQL Server Database Instances","description":"Ensure that the 'external scripts enabled' SQL Server flag is set to 'Off'","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-020","attributes":{"title":"Configure 'user connections' Flag for SQL Server Database Instances","description":"Ensure that SQL Server database instances have the appropriate configuration set for the 'user connections' flag","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-021","attributes":{"title":"Disable 'user options' Flag for SQL Server Instances","description":"Ensure that the 'user options' SQL Server flag is not configured","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-022","attributes":{"title":"Disable 'log_planner_stats' Flag for PostgreSQL Database Instances","description":"Ensure that the 'log_planner_stats' PostgreSQL database flag is set to 'Off'","compliances":["NIST5","NIST-CSF","NIST-CSF-2_0","HITRUST","PCI-V4","NIS-2"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-023","attributes":{"title":"Enable 'log_hostname' Flag for PostgreSQL 
Database Instances","description":"Ensure that the \"log_hostname\" PostgreSQL database flag is set to \"On\"","compliances":["CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-024","attributes":{"title":"Enable \"skip_show_database\" Flag for MySQL Database Instances","description":"Ensure that the \"skip_show_database\" MySQL database flag is set to \"On\"","compliances":["CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-025","attributes":{"title":"Disable 'log_parser_stats' Flag for PostgreSQL Database Instances","description":"Ensure that the \"log_parser_stats\" PostgreSQL database flag is set to \"Off\"","compliances":["CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-026","attributes":{"title":"Disable 'log_executor_stats' Flag for PostgreSQL Database Instances","description":"Ensure that the \"log_executor_stats\" PostgreSQL database flag is set to \"off\"","compliances":["CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-027","attributes":{"title":"Enable 'cloudsql.enable_pgaudit' and 'pgaudit.log' Flags for PostgreSQL Database Instances","description":"Ensure that the \"cloudsql.enable_pgaudit\" PostgreSQL database flag is set to 
\"on\"","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-028","attributes":{"title":"Disable '3625' Trace Flag for SQL Server Database Instances","description":"Ensure that the \"3625\" trace flag for SQL database servers is set to \"off\"","compliances":["CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-030","attributes":{"title":"Configure 'log_min_messages' Flag for PostgreSQL Instances","description":"Ensure that PostgreSQL database instances have the appropriate configuration set for the \"log_min_messages\" flag","compliances":["CISGCPF-3_0","CISGCPF-4_0","NIST-CSF-2_0","AGISM-2024","HITRUST","NIS-2"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-031","attributes":{"title":"Configure 'log_error_verbosity' Flag for PostgreSQL Instances","description":"Ensure that PostgreSQL database instances have the appropriate configuration set for the \"log_error_verbosity\" flag","compliances":["CISGCPF-3_0","CISGCPF-4_0","NIST-CSF-2_0","AGISM-2024","HITRUST","NIS-2"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-032","attributes":{"title":"Configure 'log_statement' Flag for PostgreSQL Database Instances","description":"Ensure that PostgreSQL database instances have the appropriate configuration set for the 'log_statement' flag","compliances":["FISC-V12"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"CloudSQL-039","attributes":{"title":"Enable Automatic Storage Increase","description":"Ensure that the Automatic Storage Increase feature is enabled for your production Google Cloud SQL database instances. 
The feature prevents your Cloud SQL database servers from running out of storage space and becoming read-only, disrupting the usual database operations.","compliances":["GCPWAF-2025"],"provider":"gcp","service":"CloudSQL"}},{"type":"rules","id":"BigQuery-001","attributes":{"title":"Check for Publicly Accessible BigQuery Datasets","description":"Ensure that Google Cloud BigQuery datasets aren't publicly accessible","compliances":["GCPWAF-2025","CISGCPF-3_0","CISGCPF-4_0","CIS-V8","NIST5","SOC2","NIST-CSF","NIST-CSF-2_0","ISO27001","ISO27001-2022","AGISM-2024","HIPAA","HITRUST","PCI","PCI-V4","APRA","FEDRAMP","NIS-2","FISC-V12"],"provider":"gcp","service":"BigQuery"}},{"type":"rules","id":"CloudLoadBalancing-004","attributes":{"title":"Enable Logging for HTTP(S) Load Balancers","description":"Ensure that logging is enabled for your Google Cloud HTTP(S) load balancers","compliances":["GCPWAF-2025","CISGCPF-4_0","NIST-CSF-2_0","AGISM-2024","HITRUST","NIS-2","FISC-V12"],"provider":"gcp","service":"CloudLoadBalancing"}},{"type":"rules","id":"CloudLoadBalancing-005","attributes":{"title":"Configure Cloud CDN origins as backend buckets","description":"Ensure that the Cloud CDN origin associated with your Google Cloud load balancer points to a backend bucket instead of a backend service in order to provide enhanced performance, cost savings, simplified management, and the ability to customize caching rules. 
This includes the load balancer's default service as well as any backend services defined in path matchers and path rules within the URL map configuration.","compliances":[],"provider":"gcp","service":"CloudLoadBalancing"}},{"type":"rules","id":"CloudLogging-011","attributes":{"title":"Check for Sufficient Log Data Retention Period","description":"Ensure that your Cloud Logging buckets are configured with a data retention period of 365 days or more","compliances":["GCPWAF-2025"],"provider":"gcp","service":"CloudLogging"}},{"type":"rules","id":"Dataproc-002","attributes":{"title":"Publicly Accessible Dataproc Clusters","description":"Ensure that your Google Cloud Dataproc cluster instances are not accessible from the Internet","compliances":[],"provider":"gcp","service":"Dataproc"}},{"type":"rules","id":"Filestore-001","attributes":{"title":"Use Customer-Managed Encryption Keys for Filestore Data Encryption","description":"Ensure that data stored on your Google Cloud Filestore instances is encrypted at rest with Customer-Managed Encryption Keys (CMEK) instead of Google-managed encryption keys.","compliances":["GCPWAF-2025"],"provider":"gcp","service":"Filestore"}},{"type":"rules","id":"Filestore-002","attributes":{"title":"Restrict Client Access by IP Address or IP Range","description":"Ensure that client access to your Google Cloud Filestore instances is limited to specific (trusted) IP addresses or IP address ranges in order to protect your data against unauthorized access.","compliances":["GCPWAF-2025"],"provider":"gcp","service":"Filestore"}},{"type":"rules","id":"Filestore-003","attributes":{"title":"Enable Deletion Protection for Filestore Instances","description":"Ensure that your Google Cloud Filestore instances have the Deletion Protection feature enabled in order to protect them from being accidentally deleted.","compliances":[],"provider":"gcp","service":"Filestore"}},{"type":"rules","id":"SecretManager-001","attributes":{"title":"Implement Least Privilege 
Access for Secret Manager Secrets using Cloud IAM","description":"Ensure that IAM roles with administrative permissions are not assigned to IAM identities (users, groups, and service accounts) managing Secret Manager secrets. This helps enforce the Principle of Least Privilege (POLP) by granting members (principals) only the minimum access necessary to complete their tasks.","compliances":["GCPWAF-2025"],"provider":"gcp","service":"SecretManager"}},{"type":"rules","id":"SecretManager-002","attributes":{"title":"Enable Destruction Delay for Secret Versions","description":"Ensure that a delayed destruction policy is configured for your Google Cloud Secret Manager secrets.","compliances":[],"provider":"gcp","service":"SecretManager"}},{"type":"rules","id":"SecretManager-003","attributes":{"title":"Enable Rotation Schedules for Secret Manager Secrets","description":"To minimize the risk of unauthorized access or misuse of secrets, configure a rotation period (or rotation schedule) for your Secret Manager secrets. 
Setting this schedule will automatically send rotation notifications to the associated Pub/Sub topics.","compliances":[],"provider":"gcp","service":"SecretManager"}},{"type":"rules","id":"SecretManager-004","attributes":{"title":"Use Customer-Managed Encryption Keys for Secret Manager Secret Encryption","description":"Ensure that your Google Cloud Secret Manager secrets are encrypted using Cloud KMS Customer-Managed Encryption Keys (CMEKs) in order to have more granular control over your secret data encryption process and meet compliance requirements.","compliances":["GCPWAF-2025"],"provider":"gcp","service":"SecretManager"}},{"type":"rules","id":"VertexAI-002","attributes":{"title":"Disable Root Access for Workbench Instances","description":"Ensure root access is disabled for your Vertex AI workbench instances","compliances":["FISC-V12"],"provider":"gcp","service":"VertexAI"}},{"type":"rules","id":"VertexAI-003","attributes":{"title":"Enable Secure Boot for Workbench Instances","description":"Ensure that Secure Boot is enabled for your Vertex AI workbench instances","compliances":["GCPWAF-2025","FISC-V12"],"provider":"gcp","service":"VertexAI"}},{"type":"rules","id":"VertexAI-004","attributes":{"title":"Enable Virtual Trusted Platform Module (vTPM) for Workbench Instances","description":"Ensure that the vTPM feature is enabled for your Vertex AI workbench instances","compliances":["GCPWAF-2025","FISC-V12"],"provider":"gcp","service":"VertexAI"}},{"type":"rules","id":"VertexAI-005","attributes":{"title":"Enable Automatic Upgrades for Workbench Instances","description":"Ensure that automatic upgrades for Vertex AI workbench instances are enabled","compliances":["FISC-V12"],"provider":"gcp","service":"VertexAI"}},{"type":"rules","id":"VertexAI-006","attributes":{"title":"Workbench Instance Encryption with Customer-Managed Encryption Keys","description":"Ensure that your Google Cloud Vertex AI workbench instances are encrypted using Customer-Managed Encryption Keys 
(CMEKs)","compliances":["GCPWAF-2025","FISC-V12"],"provider":"gcp","service":"VertexAI"}},{"type":"rules","id":"VertexAI-007","attributes":{"title":"Enable Integrity Monitoring for Workbench Instances","description":"Ensure that the Integrity Monitoring feature is enabled for your Vertex AI workbench instances","compliances":["GCPWAF-2025","FISC-V12"],"provider":"gcp","service":"VertexAI"}},{"type":"rules","id":"VertexAI-008","attributes":{"title":"Enable Idle Shutdown for Workbench Instances","description":"Ensure that the Idle Shutdown feature is enabled for your Vertex AI workbench instances","compliances":["GCPWAF-2025","FISC-V12"],"provider":"gcp","service":"VertexAI"}},{"type":"rules","id":"VertexAI-009","attributes":{"title":"Enable Cloud Monitoring for Workbench Instances","description":"Ensure that the Cloud Monitoring feature is enabled for your Vertex AI workbench instances","compliances":["GCPWAF-2025","FISC-V12"],"provider":"gcp","service":"VertexAI"}},{"type":"rules","id":"VertexAI-010","attributes":{"title":"Default VPC Network in use","description":"Ensure that your Google Cloud Vertex AI workbench instances are not created within the default Virtual Private Cloud (VPC) network","compliances":["FISC-V12"],"provider":"gcp","service":"VertexAI"}},{"type":"rules","id":"VertexAI-011","attributes":{"title":"Prevent Assigning External IPs to Workbench Instances","description":"Ensure that external IP addresses are not assigned to Vertex AI workbench instances","compliances":["FISC-V12"],"provider":"gcp","service":"VertexAI"}},{"type":"rules","id":"CloudFunction-001","attributes":{"title":"GCP Function Runtime Version","description":"Ensure that your GCP functions are using the latest language runtime version available","compliances":["GCPWAF-2025","FISC-V12"],"provider":"gcp","service":"CloudFunction"}},{"type":"rules","id":"CloudFunction-002","attributes":{"title":"GCP Execution Runtime Environment Version","description":"Ensure that your Google Cloud 
functions are using the latest execution runtime environment","compliances":["GCPWAF-2025","FISC-V12"],"provider":"gcp","service":"CloudFunction"}}]}