Remediable Control List

Here is the list of controls that are available for remediation, grouped by cloud provider. For AWS, Microsoft Azure and GCP, the Permissions column lists the provider-side permissions the remediation action needs in order to change the resource.

AWS | Microsoft Azure | GCP | OCI

Remediable Controls for AWS

| CID | Title | Permissions |
| --- | --- | --- |
| 41 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress |
| 42 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress |
| 48 | Ensure versioning is enabled for S3 buckets | s3:PutBucketVersioning |
| 51 | Ensure that Public Accessibility is set to No for database instances | rds:ModifyDBInstance |
| 55 | Ensure that auto minor version upgrade is enabled for database instances | rds:ModifyDBInstance |
| 59 | Ensure "Block new public bucket policies" for a bucket is set to true | s3:PutBucketPublicAccessBlock |
| 60 | Ensure that "Block public and cross-account access if bucket has public policies" for a bucket is set to true | s3:PutBucketPublicAccessBlock |
| 61 | Ensure that "Block new public ACLs and uploading public objects" for a bucket is set to true | s3:PutBucketPublicAccessBlock |
| 62 | Ensure that "Remove public access granted through public ACLs" for a bucket is set to true | s3:PutBucketPublicAccessBlock |
| 63 | Ensure "Block new public bucket policies" for an account is set to true | s3:PutAccountPublicAccessBlock |
| 64 | Ensure that "Block public and cross-account access if bucket has public policies" for the account is set to true | s3:PutAccountPublicAccessBlock |
| 65 | Ensure that "Block new public ACLs and uploading public objects" for the account is set to true | s3:PutAccountPublicAccessBlock |
| 66 | Ensure that "Remove public access granted through public ACLs" for the account is enabled | s3:PutAccountPublicAccessBlock |
| 70 | Ensure that Deletion Protection is enabled for RDS DB clusters | rds:ModifyDBCluster |
| 71 | Ensure that Deletion Protection is enabled for RDS database instances | rds:ModifyDBInstance |
| 90 | Ensure RDS database cluster snapshots are not public | rds:ModifyDBClusterSnapshotAttribute |
| 92 | Ensure the copy tags to snapshots option is enabled for AWS RDS DB clusters | rds:ModifyDBCluster |
| 93 | Ensure the copy tags to snapshots option is enabled for AWS RDS instances | rds:ModifyDBInstance |
| 110 | Ensure AWS Redshift clusters are not publicly accessible | redshift:ModifyCluster |
| 114 | Ensure Images (AMIs) owned by an AWS account are not public | ec2:ModifyImageAttribute |
| 135 | Ensure deletion protection is enabled for DocumentDB clusters | rds:ModifyDBCluster |
| 143 | Ensure deletion protection is enabled for Neptune DB clusters | rds:ModifyDBCluster |
| 146 | Ensure that AWS Elastic Block Store (EBS) volume snapshots are not public | ec2:ModifySnapshotAttribute |

Remediable Controls for Microsoft Azure

| CID | Title | Permissions |
| --- | --- | --- |
| 50002 | Ensure no SQL Servers allow ingress from the Internet (ANY IP) | Microsoft.Sql/servers/firewallRules/delete |
| 50011 | Ensure that "Secure transfer required" is set to "Enabled" | Microsoft.Storage/storageAccounts/write |
| 50012 | Ensure that Public access level is set to Private for blob containers | Microsoft.Storage/storageAccounts/blobServices/containers/write |
| 50029 | Disable RDP access on Network Security Groups from the Internet (ANY IP) | Microsoft.Network/networkSecurityGroups/write |
| 50031 | Disable SSH access on Network Security Groups from the Internet (ANY IP) | Microsoft.Network/networkSecurityGroups/write |
| 50048 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Microsoft.Web/sites/config/Write |
| 50049 | Ensure web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Microsoft.Web/sites/config/Write |
| 50051 | Ensure web app is using the latest TLS encryption version | Microsoft.Web/sites/config/Write |
| 50061 | Ensure that 'HTTP Version' is the latest if used to run the web app | Microsoft.Web/sites/config/Write |
| 50085 | Ensure Function app redirects all HTTP traffic to HTTPS | Microsoft.Web/sites/Write |
| 50088 | Ensure Function app is using the latest TLS encryption version | Microsoft.Web/sites/Write |

Remediable Controls for GCP

| CID | Title | Permissions |
| --- | --- | --- |
| 52021 | Ensure that SSH access is restricted from the internet | compute.firewalls.update, compute.firewalls.delete, compute.networks.updatePolicy |
| 52022 | Ensure that RDP access is restricted from the internet | compute.firewalls.update, compute.firewalls.delete, compute.networks.updatePolicy |
| 52026 | Ensure "Block Project-wide SSH keys" is enabled for VM instances | compute.instances.setMetadata |
| 52030 | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | storage.buckets.setIamPolicy |
| 52033 | Ensure that Cloud SQL MySQL database instances are not open to the world | cloudsql.instances.update |
| 52056 | Ensure that Cloud Function is not anonymously or publicly accessible | cloudfunctions.functions.setIamPolicy |
| 52059 | Ensure log_connections database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
| 52060 | Ensure log_disconnections database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
| 52064 | Ensure log_hostname database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
| 52066 | Ensure that Cloud SQL PostgreSQL database instances are not open to the world | cloudsql.instances.update |
| 52068 | Ensure that Cloud SQL SQL Server database instances are not open to the world | cloudsql.instances.update |
| 52069 | Ensure log_lock_waits database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
| 52074 | Ensure log_checkpoints database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
| 52075 | Ensure skip_show_database database flag for Cloud SQL MySQL instance is set to on | cloudsql.instances.update |
| 52076 | Ensure local_infile database flag for Cloud SQL MySQL instance is set to off | cloudsql.instances.update |
| 52077 | Ensure "external scripts enabled" database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
| 52078 | Ensure "cross db ownership chaining" database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
| 52081 | Ensure "remote access" database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
| 52083 | Ensure "contained database authentication" database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
| 52065 | Ensure that Cloud SQL PostgreSQL database instance requires all incoming connections to use SSL | cloudsql.instances.update |
| 52067 | Ensure that Cloud SQL SQL Server database instance requires all incoming connections to use SSL | cloudsql.instances.update |
| 52090 | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | cloudkms.cryptoKeys.setIamPolicy |

Remediable Controls for OCI

| CID | Title |
| --- | --- |
| 40001 | Ensure Secure Boot is enabled on Compute Instance |
| 40002 | Ensure Compute Instance boot volume has in-transit data encryption enabled |
| 40003 | Ensure no Object Storage buckets are publicly visible |
| 40004 | Ensure Versioning is enabled for Object Storage Buckets |
| 40005 | Ensure Emit Object Events is enabled for Object Storage Buckets |
| 40006 | Ensure Bucket Pre-Authenticated Request allows Read Only Access |
| 40007 | Ensure Bucket does not persist Expired Pre-Authenticated Requests |
| 40008 | Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK) |
| 40009 | Ensure no Object Storage buckets are left Untagged |
| 40010 | Ensure password policy requires at least one lowercase letter |
| 40011 | Ensure password policy requires at least one uppercase letter |
| 40012 | Ensure password policy requires at least one numeric character |
| 40013 | Ensure password policy requires at least one special character |
| 40014 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 |
| 40015 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 |
| 40016 | Ensure the default security list of every VCN restricts all traffic except ICMP |
| 40017 | Ensure MFA is enabled for all users with a console password |
| 40018 | Ensure user API keys rotate within 90 days or less |
| 40019 | Ensure user Customer Secret keys rotate within 90 days or less |
| 40020 | Ensure user Auth Tokens rotate within 90 days or less |
| 40021 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 |
| 40022 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 |
| 40023 | Ensure API keys are not created for tenancy administrator users |