Remediable Control List
Here is the list of controls that are available for remediation.
Remediable Controls for AWS

CID | Title | Permissions |
---|---|---|
41 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress |
42 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress |
48 | Ensure versioning is enabled for S3 buckets | s3:PutBucketVersioning |
51 | Ensure that Public Accessibility is set to No for Database Instances | rds:ModifyDBInstance |
55 | Ensure that auto minor version upgrade is enabled for database Instances | rds:ModifyDBInstance |
59 | Ensure "Block new public bucket policies" for a bucket is set to true | s3:PutBucketPublicAccessBlock |
60 | Ensure that "Block public and cross-account access" if bucket has public policies for bucket is set to true | s3:PutBucketPublicAccessBlock |
61 | Ensure that "Block new public ACLs and uploading public objects" for a bucket is set to true. | s3:PutBucketPublicAccessBlock |
62 | Ensure that "Remove public access granted through public ACLs" for a bucket is set to true | s3:PutBucketPublicAccessBlock |
63 | Ensure "Block new public bucket policies" for an account is set to true | s3:PutAccountPublicAccessBlock |
64 | Ensure that "Block public and cross-account access" if bucket has public policies for the account is set to true | s3:PutAccountPublicAccessBlock |
65 | Ensure that "Block new public ACLs and uploading public objects" for the account is set to true | s3:PutAccountPublicAccessBlock |
66 | Ensure that "Remove public access granted through public ACLs" for the account is enabled | s3:PutAccountPublicAccessBlock |
70 | Ensure that Deletion Protection is enabled for RDS DB Cluster | rds:ModifyDBCluster |
71 | Ensure that Deletion Protection is enabled for RDS Database instances | rds:ModifyDBInstance |
90 | Ensure RDS database Cluster snapshots are not public | rds:ModifyDBClusterSnapshotAttribute |
92 | Ensure AWS RDS DB Cluster with copy tags to snapshots option is enabled | rds:ModifyDBCluster |
93 | Ensure AWS RDS instances with copy tags to snapshots option is enabled | rds:ModifyDBInstance |
110 | Ensure AWS Redshift clusters are not publicly accessible | redshift:ModifyCluster |
114 | Ensure Images (AMIs) owned by an AWS account are not public | ec2:ModifyImageAttribute |
135 | Ensure deletion protection is enabled for DocumentDB clusters | rds:ModifyDBCluster |
143 | Ensure deletion protection is enabled for neptune DB | rds:ModifyDBCluster |
146 | Ensure that AWS Elastic Block Store (EBS) volume snapshots are not public | ec2:ModifySnapshotAttribute |

Remediable Controls for Microsoft Azure

CID | Title | Permissions |
---|---|---|
50002 | Ensure no SQL Servers allow ingress from Internet (ANY IP) | Microsoft.Sql/servers/firewallRules/delete |
50011 | Ensure that "Secure transfer required" is set to "Enabled" | Microsoft.Storage/storageAccounts/write |
50012 | Ensure that Public access level is set to Private for blob containers | Microsoft.Storage/storageAccounts/blobServices/containers/write |
50029 | Disable RDP access on Network Security Groups from Internet (ANY IP) | Microsoft.Network/networkSecurityGroups/write |
50031 | Disable SSH access on Network Security Groups from Internet (ANY IP) | Microsoft.Network/networkSecurityGroups/write |
50048 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Microsoft.Web/sites/config/Write |
50049 | Ensure web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Microsoft.Web/sites/config/Write |
50051 | Ensure web app is using the latest version of TLS encryption version | Microsoft.Web/sites/config/Write |
50061 | Ensure that 'HTTP Version' is latest if used to run the web app | Microsoft.Web/sites/config/Write |
50085 | Ensure Function app redirects all HTTP traffic to HTTPS | Microsoft.Web/sites/Write |
50088 | Ensure function app is using the latest version of TLS encryption version | Microsoft.Web/sites/Write |

Remediable Controls for GCP

CID | Title | Permissions |
---|---|---|
52021 | Ensure that SSH access is restricted from the internet | compute.firewalls.update, compute.firewalls.delete, compute.networks.updatePolicy |
52022 | Ensure that RDP access is restricted from the internet | compute.firewalls.update, compute.firewalls.delete, compute.networks.updatePolicy |
52026 | Ensure "Block Project-wide SSH keys" enabled for VM instances | compute.instances.setMetadata |
52030 | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | storage.buckets.setIamPolicy |
52033 | Ensure that Cloud SQL - Mysql database Instances are not open to the world | cloudsql.instances.update |
52056 | Ensure that Cloud function is not anonymously or publicly accessible | cloudfunctions.functions.setIamPolicy |
52059 | Ensure log_connections database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
52060 | Ensure log_disconnections database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
52064 | Ensure log_hostname database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
52066 | Ensure that Cloud SQL PostgreSQL database Instances are not open to the world | cloudsql.instances.update |
52068 | Ensure that Cloud SQL SQL Server database Instances are not open to the world | cloudsql.instances.update |
52069 | Ensure log_lock_waits database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
52074 | Ensure log_checkpoints database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
52075 | Ensure skip_show_database database flag for Cloud SQL Mysql instance is set to on | cloudsql.instances.update |
52076 | Ensure local_infile database flag for Cloud SQL Mysql instance is set to off | cloudsql.instances.update |
52077 | Ensure external scripts enabled database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
52078 | Ensure cross db ownership chaining database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
52081 | Ensure remote access database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
52083 | Ensure contained database authentication database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
52065 | Ensure that Cloud SQL PostgreSQL database instance requires all incoming connections to use SSL | cloudsql.instances.update |
52067 | Ensure that Cloud SQL SQL Server database instance requires all incoming connections to use SSL | cloudsql.instances.update |
52090 | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | cloudkms.cryptoKeys.setIamPolicy |

Remediable Controls for OCI

CID | Title |
---|---|
40001 | Ensure Secure Boot is enabled on Compute Instance |
40002 | Ensure Compute Instance boot volume has in-transit data encryption is Enabled |
40003 | Ensure no Object Storage buckets are publicly visible |
40004 | Ensure Versioning is Enabled for Object Storage Buckets |
40005 | Ensure Emit Object Events is Enabled for Object Storage Buckets |
40006 | Ensure Bucket Pre-Authenticated Request allows Read Only Access |
40007 | Ensure Bucket does not persist Expired Pre-Authenticated Request |
40008 | Ensure Object Storage Buckets are encrypted with a Customer Managed Key CMK |
40009 | Ensure no Object Storage buckets are left Untagged |
40010 | Ensures password policy requires at least one lowercase letter |
40011 | Ensures password policy requires at least one uppercase letter |
40012 | Ensures password policy requires at least one numeric |
40013 | Ensures password policy requires at least one Special Character |
40014 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 |
40015 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 |
40016 | Ensure the default security list of every VCN restricts all traffic except ICMP |
40017 | Ensure MFA is enabled for all users with a console password |
40018 | Ensure user API keys rotate within 90 days or less |
40019 | Ensure user Customer Secret keys rotate within 90 days or less |
40020 | Ensure user Auth Tokens rotate within 90 days or less |
40021 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 |
40022 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 |
40023 | Ensure API keys are not created for tenancy administrator users |