Remediable Control List

Below is the list of controls that are available for remediation. Each entry gives the control ID (CID), the control title, and the cloud-provider permissions the remediation action requires.

Remediable Controls for AWS

| CID | Title | Permissions |
| --- | --- | --- |
| 41 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress |
| 42 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress |
| 48 | Ensure versioning is enabled for S3 buckets | s3:PutBucketVersioning |
| 51 | Ensure that Public Accessibility is set to No for database instances | rds:ModifyDBInstance |
| 55 | Ensure that auto minor version upgrade is enabled for database instances | rds:ModifyDBInstance |
| 59 | Ensure "Block new public bucket policies" for a bucket is set to true | s3:PutBucketPublicAccessBlock |
| 60 | Ensure that "Block public and cross-account access" if bucket has public policies for a bucket is set to true | s3:PutBucketPublicAccessBlock |
| 61 | Ensure that "Block new public ACLs and uploading public objects" for a bucket is set to true | s3:PutBucketPublicAccessBlock |
| 62 | Ensure that "Remove public access granted through public ACLs" for a bucket is set to true | s3:PutBucketPublicAccessBlock |
| 63 | Ensure "Block new public bucket policies" for an account is set to true | s3:PutAccountPublicAccessBlock |
| 64 | Ensure that "Block public and cross-account access" if bucket has public policies for the account is set to true | s3:PutAccountPublicAccessBlock |
| 65 | Ensure that "Block new public ACLs and uploading public objects" for the account is set to true | s3:PutAccountPublicAccessBlock |
| 66 | Ensure that "Remove public access granted through public ACLs" for the account is enabled | s3:PutAccountPublicAccessBlock |
| 70 | Ensure that Deletion Protection is enabled for RDS DB clusters | rds:ModifyDBCluster |
| 71 | Ensure that Deletion Protection is enabled for RDS database instances | rds:ModifyDBInstance |
| 90 | Ensure RDS database cluster snapshots are not public | rds:ModifyDBClusterSnapshotAttribute |
| 92 | Ensure AWS RDS DB clusters have the copy tags to snapshots option enabled | rds:ModifyDBCluster |
| 93 | Ensure AWS RDS instances have the copy tags to snapshots option enabled | rds:ModifyDBInstance |
| 110 | Ensure AWS Redshift clusters are not publicly accessible | redshift:ModifyCluster |
| 114 | Ensure images (AMIs) owned by an AWS account are not public | ec2:ModifyImageAttribute |
| 135 | Ensure deletion protection is enabled for DocumentDB clusters | rds:ModifyDBCluster |
| 143 | Ensure deletion protection is enabled for Neptune DB clusters | rds:ModifyDBCluster |
| 146 | Ensure that AWS Elastic Block Store (EBS) volume snapshots are not public | ec2:ModifySnapshotAttribute |

Remediable Controls for Microsoft Azure

| CID | Title | Permissions |
| --- | --- | --- |
| 50002 | Ensure no SQL Servers allow ingress from the Internet (ANY IP) | Microsoft.Sql/servers/firewallRules/delete |
| 50011 | Ensure that "Secure transfer required" is set to "Enabled" | Microsoft.Storage/storageAccounts/write |
| 50012 | Ensure that Public access level is set to Private for blob containers | Microsoft.Storage/storageAccounts/blobServices/containers/write |
| 50029 | Disable RDP access on Network Security Groups from the Internet (ANY IP) | Microsoft.Network/networkSecurityGroups/write |
| 50031 | Disable SSH access on Network Security Groups from the Internet (ANY IP) | Microsoft.Network/networkSecurityGroups/write |
| 50048 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Microsoft.Web/sites/config/Write |
| 50049 | Ensure web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Microsoft.Web/sites/config/Write |
| 50051 | Ensure web app is using the latest version of TLS encryption | Microsoft.Web/sites/config/Write |
| 50061 | Ensure that 'HTTP Version' is the latest if used to run the web app | Microsoft.Web/sites/config/Write |
| 50085 | Ensure Function app redirects all HTTP traffic to HTTPS | Microsoft.Web/sites/Write |
| 50088 | Ensure Function app is using the latest version of TLS encryption | Microsoft.Web/sites/Write |

Remediable Controls for GCP

| CID | Title | Permissions |
| --- | --- | --- |
| 52021 | Ensure that SSH access is restricted from the internet | compute.firewalls.update, compute.firewalls.delete, compute.networks.updatePolicy |
| 52022 | Ensure that RDP access is restricted from the internet | compute.firewalls.update, compute.firewalls.delete, compute.networks.updatePolicy |
| 52026 | Ensure "Block Project-wide SSH keys" is enabled for VM instances | compute.instances.setMetadata |
| 52030 | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | storage.buckets.setIamPolicy |
| 52033 | Ensure that Cloud SQL MySQL database instances are not open to the world | cloudsql.instances.update |
| 52056 | Ensure that Cloud Function is not anonymously or publicly accessible | cloudfunctions.functions.setIamPolicy |
| 52059 | Ensure log_connections database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
| 52060 | Ensure log_disconnections database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
| 52064 | Ensure log_hostname database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
| 52066 | Ensure that Cloud SQL PostgreSQL database instances are not open to the world | cloudsql.instances.update |
| 52068 | Ensure that Cloud SQL SQL Server database instances are not open to the world | cloudsql.instances.update |
| 52069 | Ensure log_lock_waits database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
| 52074 | Ensure log_checkpoints database flag for Cloud SQL PostgreSQL instance is set to on | cloudsql.instances.update |
| 52075 | Ensure skip_show_database database flag for Cloud SQL MySQL instance is set to on | cloudsql.instances.update |
| 52076 | Ensure local_infile database flag for Cloud SQL MySQL instance is set to off | cloudsql.instances.update |
| 52077 | Ensure "external scripts enabled" database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
| 52078 | Ensure "cross db ownership chaining" database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
| 52081 | Ensure "remote access" database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
| 52083 | Ensure "contained database authentication" database flag for Cloud SQL SQL Server instance is set to off | cloudsql.instances.update |
| 52065 | Ensure that Cloud SQL PostgreSQL database instance requires all incoming connections to use SSL | cloudsql.instances.update |
| 52067 | Ensure that Cloud SQL SQL Server database instance requires all incoming connections to use SSL | cloudsql.instances.update |
| 52090 | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | cloudkms.cryptoKeys.setIamPolicy |