Remediable Control List

Here is the list of controls that are available for remediation.

Remediable Controls for AWS

CID	Title	Permissions
41	Ensure no security groups allow ingress from 0.0.0.0/0 to port 22	ec2:RevokeSecurityGroupIngress,ec2:AuthorizeSecurityGroupIngress
42	Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389	ec2:RevokeSecurityGroupIngress,ec2:AuthorizeSecurityGroupIngress
48	Ensure versioning is enabled for S3 buckets	s3:PutBucketVersioning
51	Ensure that Public Accessibility is set to No for Database Instances	rds:ModifyDBInstance
55	Ensure that auto minor version upgrade is enabled for database Instances	rds:ModifyDBInstance
59	Ensure Block new public bucket policies" for a bucket is set to true"	s3:PutBucketPublicAccessBlock
60	Ensure that Block public and cross-account access" if bucket has public policies for bucket is set to true"	s3:PutBucketPublicAccessBlock
61	Ensure that Block new public ACLs and uploading public objects" for a bucket is set to true."	s3:PutBucketPublicAccessBlock
62	Ensure that Remove public access granted through public ACLs" for a bucket is set to true"	s3:PutBucketPublicAccessBlock
63	Ensure "Block new public bucket policies" for an account is set to true	s3:PutAccountPublicAccessBlock
64	Ensure that "Block public and cross-account access" if bucket has public policies for the account is set to true	s3:PutAccountPublicAccessBlock
65	Ensure that "Block new public ACLs and uploading public objects" for the account is set to true	s3:PutAccountPublicAccessBlock
66	Ensure that "Remove public access granted through public ACLs" for the account is enabled	s3:PutAccountPublicAccessBlock
70	Ensure that Deletion Protection is enabled for RDS DB Cluster	rds:ModifyDBCluster
71	Ensure that Deletion Protection is enabled for RDS Database instances	rds:ModifyDBInstance
90	Ensure RDS database Cluster snapshots are not public	rds:ModifyDBClusterSnapshotAttribute
92	Ensure AWS RDS DB Cluster with copy tags to snapshots option is enabled	rds:ModifyDBCluster
93	Ensure AWS RDS instances with copy tags to snapshots option is enabled	rds:ModifyDBInstance
110	Ensure AWS Redshift clusters are not publicly accessible	redshift:ModifyCluster
114	Ensure Images (AMIs) owned by an AWS account are not public	ec2:ModifyImageAttribute
135	Ensure deletion protection is enabled for DocumentDB clusters	rds:ModifyDBCluster
143	Ensure deletion protection is enabled for neptune DB	rds:ModifyDBCluster
146	Ensure that AWS Elastic Block Store (EBS) volume snapshots are not public	ec2:ModifySnapshotAttribute

Remediable Controls for Microsoft Azure

CID	Title	Permissions
50002	Ensure no SQL Servers allow ingress from Internet (ANY IP)	Microsoft.Sql/servers/firewallRules/delete
50011	Ensure that Secure transfer required" is set to "Enabled"	Microsoft.Storage/storageAccounts/write
50012	Ensure that Public access level is set to Private for blob containers	Microsoft.Storage/storageAccounts/blobServices/containers/write
50029	Disable RDP access on Network Security Groups from Internet (ANY IP)	Microsoft.Network/networkSecurityGroups/write
50031	Disable SSH access on Network Security Groups from Internet (ANY IP)	Microsoft.Network/networkSecurityGroups/write
50048	Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service	Microsoft.Web/sites/config/Write
50049	Ensure web app has 'Client Certificates (Incoming client certificates)' set to 'On'	Microsoft.Web/sites/config/Write
50051	Ensure web app is using the latest version of TLS encryption version	Microsoft.Web/sites/config/Write
50061	Ensure that 'HTTP Version' is latest if used to run the web app	Microsoft.Web/sites/config/Write
50085	Ensure Function app redirects all HTTP traffic to HTTPS	Microsoft.Web/sites/Write
50088	Ensure function app is using the latest version of TLS encryption version	Microsoft.Web/sites/Write

Remediable Controls for GCP

CID	Title	Permissions
52021	Ensure that SSH access is restricted from the internet	compute.firewalls.update, compute.firewalls.delete, compute.networks.updatePolicy
52022	Ensure that RDP access is restricted from the internet	compute.firewalls.update, compute.firewalls.delete, compute.networks.updatePolicy
52026	Ensure Block Project-wide SSH keys" enabled for VM instances"	compute.instances.setMetadata
52030	Ensure that Cloud Storage bucket is not anonymously or publicly accessible	storage.buckets.setIamPolicy
52033	Ensure that Cloud SQL - Mysql database Instances are not open to the world	cloudsql.instances.update
52056	Ensure that Cloud function is not anonymously or publicly accessible	cloudfunctions.functions.setIamPolicy
52059	Ensure log_connections database flag for Cloud SQL PostgreSQL instance is set to on	cloudsql.instances.update
52060	Ensure log_disconnections database flag for Cloud SQL PostgreSQL instance is set to on	cloudsql.instances.update
52064	Ensure log_hostname database flag for Cloud SQL PostgreSQL instance is set to on	cloudsql.instances.update
52066	Ensure that Cloud SQL PostgreSQL database Instances are not open to the world	cloudsql.instances.update
52068	Ensure that Cloud SQL SQL Server database Instances are not open to the world	cloudsql.instances.update
52069	Ensure log_lock_waits database flag for Cloud SQL PostgreSQL instance is set to on	cloudsql.instances.update
52074	Ensure log_checkpoints database flag for Cloud SQL PostgreSQL instance is set to on	cloudsql.instances.update
52075	Ensure skip_show_database database flag for Cloud SQL Mysql instance is set to on	cloudsql.instances.update
52076	Ensure local_infile database flag for Cloud SQL Mysql instance is set to off	cloudsql.instances.update
52077	Ensure external scripts enabled database flag for Cloud SQL SQL Server instance is set to off	cloudsql.instances.update
52078	Ensure cross db ownership chaining database flag for Cloud SQL SQL Server instance is set to off	cloudsql.instances.update
52081	Ensure remote access database flag for Cloud SQL SQL Server instance is set to off	cloudsql.instances.update
52083	Ensure contained database authentication database flag for Cloud SQL SQL Server instance is set to off	cloudsql.instances.update
52065	Ensure that Cloud SQL PostgreSQL database instance requires all incoming connections to use SSL	cloudsql.instances.update
52067	Ensure that Cloud SQL SQL Server database instance requires all incoming connections to use SSL	cloudsql.instances.update
52090	Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible	cloudkms.cryptoKeys.setIamPolicy

Remediable Controls for OCI

CID	Title
40001	Ensure Secure Boot is enabled on Compute Instance
40002	Ensure Compute Instance boot volume has in-transit data encryption is Enabled
40003	Ensure no Object Storage buckets are publicly visible
40004	Ensure Versioning is Enabled for Object Storage Buckets
40005	Ensure Emit Objet Events is Enabled for Object Storage Buckets
40006	Ensure Bucket Pre-Authenticated Request allows Read Only Access
40007	Ensure Bucket does not persists Expired Pre-Authenticated Request
40008	Ensure Object Storage Buckets are encrypted with a Customer Managed Key CMK
40009	Ensure no Object Storage buckets are left Untagged
40010	Ensures password policy requires at least one lowercase letter
40011	Ensures password policy requires at least one uppercase letter
40012	Ensures password policy requires at least one numeric
40013	Ensures password policy requires at least one Special Character
40014	Ensure no security lists allow ingress from 0.0.0.0/0 to port 22
40015	Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389
40016	Ensure the default security list of every VCN restricts all traffic except ICMP
40017	Ensure MFA is enabled for all users with a console password
40018	Ensure user API keys rotate within 90 days or less
40019	Ensure user Customer Secret keys rotate within 90 days or less
40020	Ensure user Auth Tokens rotate within 90 days or less
40021	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22
40022	Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389
40023	Ensure API keys are not created for tenancy administrator users