TotalCloud Release 2.21 API

January 12, 2026

Before reading the API release highlights, identify the API server URL to use in your API requests by referring to the Know Your Qualys API Server URL section. In these API release notes, <qualys_base_url> stands for that server URL in the sample API requests.

Get Control Metadata

Applicable for: AWS, Azure, GCP, OCI

New or Updated API: Updated
API Endpoint: /rest/v1/controls/metadata/list
Method: GET
DTD or XSD changes: Not Applicable

With this release, we have enhanced the Control Metadata API by adding a new response element, expectedResults.

The expectedResults field describes the configuration state a compliant control is expected to have, so customers can interpret evaluation results more easily and take the right remediation actions.
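To show how a client would consume the new element, here is an added Python example (not Qualys code) that parses either response form shown in the samples on this page, tolerates a response from a server that predates this release and therefore carries no expectedResults, and turns a FAIL result into a one-line finding. The sample payloads inside it are constructed and abridged from the page's AWS, Azure and OCI samples; cid 424242 is an invented control.

```python
"""Index TotalCloud control metadata by CID, keeping the new expectedResults element
next to each control's pass/fail messages. Added example, not Qualys code: it assumes the
JSON and XML response shapes shown in the samples on this page; the sample payloads below
are constructed (abridged) from those samples, and cid 424242 is an invented control."""
import json
import re
import xml.etree.ElementTree as ET
from html import unescape


def strip_html(fragment):
    """Collapse the HTML markup Qualys embeds in remediation/rationale fields to plain text."""
    text = re.sub(r"<[^>]+>", " ", fragment or "")
    return re.sub(r"\s+", " ", unescape(text)).strip()


def _text(node, tag):
    """Stripped text of a child element, or None when the element is absent or empty."""
    el = node.find(tag) if node is not None else None
    return el.text.strip() if el is not None and el.text and el.text.strip() else None


def parse_controls(payload):
    """Accept the JSON or the XML body and return one flat dict per control; expectedResults
    is optional on purpose (servers older than release 2.21 omit it), so it may be None."""
    body, records = payload.lstrip(), []
    if body.startswith("{"):
        for c in json.loads(body).get("control", []):
            ev = c.get("evaluation") or {}
            records.append({
                "cid": int(c["cid"]), "name": c["controlName"].strip(),
                "provider": c["provider"], "criticality": c["criticality"],
                "passMessage": ev.get("passMessage"), "failMessage": ev.get("failMessage"),
                "expectedResults": ev.get("expectedResults"),
                "remediation": strip_html(c.get("manualRemediation")),
            })
    else:
        for c in ET.fromstring(body).iter("CONTROL"):
            ev = c.find("EVALUATION")
            records.append({
                "cid": int(_text(c, "CID")), "name": _text(c, "CONTROL_NAME"),
                "provider": _text(c, "PROVIDER"), "criticality": _text(c, "CRITICALITY"),
                "passMessage": _text(ev, "PASS_MESSAGE"), "failMessage": _text(ev, "FAIL_MESSAGE"),
                "expectedResults": _text(ev, "EXPECTED_RESULTS"),
                "remediation": strip_html(_text(c, "MANUAL_REMEDIATION")),
            })
    return records


def index_by_cid(records):
    """cid -> record, so a FAIL evaluation can be enriched by its control id."""
    return {r["cid"]: r for r in records}


def explain_failure(index, cid):
    """One-line finding for a FAIL result: the fail message plus what a pass would look like."""
    r = index[cid]
    expected = r["expectedResults"] or "(expectedResults not returned by this server release)"
    return f"[{r['provider']}/{r['criticality']}] CID {cid}: {r['failMessage']} (expected: {expected})"

# Constructed, abridged from the AWS and Azure JSON samples on this page; the third control
# imitates a pre-2.21 response, which has no expectedResults element.
SAMPLE_JSON = json.dumps({"dateTime": "2021-07-06T12:52:15.637+00:00", "control": [
    {"cid": 1, "provider": "AWS", "criticality": "HIGH",
     "controlName": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password",
     "evaluation": {"passMessage": "IAM user is configured with MFA.",
                    "failMessage": "IAM user is not configured with MFA.",
                    "expectedResults": "Multi factor authentication should be set to true"},
     "manualRemediation": "<p><strong>Perform the following to enable MFA :</strong></p><ol><li>Sign in to the AWS Management Console</li></ol>"},
    {"cid": 50001, "provider": "AZURE", "criticality": "HIGH",
     "controlName": "Ensure that Data encryption is set to ON for a SQL database",
     "evaluation": {"passMessage": "Transparent Encryption is Enabled for a SQL Database",
                    "failMessage": "Transparent Encryption is not Enabled for a SQL Database",
                    "expectedResults": "Encryption status should be set to 'Enabled'."}},
    {"cid": 424242, "provider": "GCP", "criticality": "LOW", "controlName": "Constructed control",
     "evaluation": {"passMessage": "ok", "failMessage": "not ok"}}]})

# Constructed, abridged from the OCI XML sample on this page (declaration, CDATA and padded CONTROL_NAME kept as emitted).
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<CONTROL_LIST_OUTPUT><CONTROL_LIST><CONTROL>
    <CID>40001</CID>
    <CONTROL_NAME>
        Ensure Secure Boot is enabled on Compute Instance
    </CONTROL_NAME>
    <PROVIDER>OCI</PROVIDER><CRITICALITY>MEDIUM</CRITICALITY>
    <EVALUATION>
        <PASS_MESSAGE>Instance has Secure Boot Enabled</PASS_MESSAGE>
        <FAIL_MESSAGE>Instance has Secure Boot Disabled</FAIL_MESSAGE>
        <EXPECTED_RESULTS>Compute Instances should use Secure Boot Statergy</EXPECTED_RESULTS>
    </EVALUATION>
    <MANUAL_REMEDIATION><![CDATA[<p><strong>OCI Console:</strong></p><ol><li>Click Create Instance.</li></ol>]]></MANUAL_REMEDIATION>
</CONTROL></CONTROL_LIST></CONTROL_LIST_OUTPUT>"""

if __name__ == "__main__":
    index = index_by_cid(parse_controls(SAMPLE_JSON) + parse_controls(SAMPLE_XML))
    for cid in (1, 50001, 424242, 40001):
        print(explain_failure(index, cid))
```

Point parse_controls at the body returned by the real endpoint (with Accept set to application/xml or application/json) and the same records come back for each page of results.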

Sample - Get the control metadata (AWS)

API request

    curl -X GET -u <username>:<password> '<qualys_base_url>/cloudview-api/rest/v1/controls/metadata/list?filter=provider%3AAWS&pageNo=0&pageSize=100' -H 'accept: application/xml'

Response (XML)

<?xml version='1.0' encoding='UTF-8'?>
<CONTROL_LIST_OUTPUT>
    <DATETIME>2021-07-06T12:50:34.526+00:00</DATETIME>
    <CONTROL_LIST>
        <CONTROL>
            <CID>1</CID>
            <CONTROL_NAME>
                Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
            </CONTROL_NAME>
            <CREATED>2020-05-07T12:56:56+0000</CREATED>
            <MODIFIED>2021-05-06T11:31:00+0000</MODIFIED>
            <CONTROL_TYPE>System Defined</CONTROL_TYPE>
            <PROVIDER>AWS</PROVIDER>
            <IS_CUSTOMIZABLE>false</IS_CUSTOMIZABLE>
            <SERVICE_TYPE><![CDATA[IAM]]></SERVICE_TYPE>
            <CRITICALITY>HIGH</CRITICALITY>
            <EVALUATION>
                <EVALUATION_DESCRIPTION>
                    <![CDATA[
                        <p>Check IAM Users having console password enabled has MFA Set to True.</p>
                        <p>Changes in account credentials may take upto 4 hours to get reflected in the AWS IAM 
                        evaluations. The time taken depends on when the last credential report was fetched by the Cloud 
                        View service and the time when changes were made in AWS IAM</p>
                    ]]>
                </EVALUATION_DESCRIPTION>
                <PASS_MESSAGE>IAM user is configured with MFA.</PASS_MESSAGE>
                <FAIL_MESSAGE>IAM user is not configured with MFA.</FAIL_MESSAGE>
                <EVALUATION_CRITERIA_LIST/>
                <EXPECTED_RESULTS>Multi factor authentication should be set to true</EXPECTED_RESULTS>
            </EVALUATION>
            <SPECIFICATION>
                <![CDATA[
                    <p>Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user 
                    name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted 
                    for their user name and password as well as for an authentication code from their AWS MFA device. 
                    It is recommended that MFA be enabled for all accounts that have a console password.</p>
                ]]>
            </SPECIFICATION>
            <RATIONALE>
            <![CDATA[<p>Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.</p>]]>
            </RATIONALE>
            <MANUAL_REMEDIATION>
            <![CDATA[<p><strong>Perform the following to enable MFA :</strong></p><ol><li><p>Sign in to the AWS Management Console and open the IAM console at <a href="https://console.aws.amazon.com/iam/" rel="noopener" target="_blank">https://console.aws.amazon.com/iam/</a>.</p></li><li><p>In the navigation pane, choose <strong>Users</strong>.</p></li><li><p>In the <strong>User Name</strong> list, choose the name of the intended MFA user.</p></li><li><p>Choose the <strong>Security credentials</strong> tab. Under<strong>Multi-factor authentication (MFA)</strong>, choose<strong>Assign MFA device</strong>.</p></li><li><p>In the <strong>Select MFA device</strong> wizard, type a<strong>Device name</strong>, choose<strong>Authenticator app</strong>, and then choose<strong>Next</strong>.</p><p>IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.</p></li><li><p>Open your virtual MFA app. (For a list of apps that you can use for hosting virtual MFA devices, see <a href="https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications" rel="noopener" target="_blank">Multi-Factor Authentication</a>.) If the virtual MFA app supports multiple virtual MFA devices or accounts, choose the option to create a new virtual MFA device or account.</p></li><li><p>Determine whether the MFA app supports QR codes, and then do one of the following:</p><div><ul type="disc"><li><p>From the wizard, choose <strong>Show QR code</strong>, and then use the app to scan the QR code. 
For example, you might choose the camera icon or choose an option similar to<strong>Scan code</strong>, and then use the device's camera to scan the code.</p></li><li><p>From the wizard, choose <strong>Show secret key</strong>, and then type the secret key into your MFA app</p></li></ul><p>When you are finished, the virtual MFA device starts generating one-time passwords.</p></li><li><p>In the wizard, in the <strong>MFA code 1</strong> box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the<strong>MFA code 2</strong> box. Choose<strong>Add MFA</strong>.</p><div><p><b>Important</b></p><p>Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_sync.html" target="_blank">resync the device</a>.</p></li></ol><p>The virtual MFA device is now ready for use with AWS.</p><p>Changes in account credentials may take upto 4 hours to get reflected in the AWS IAM evaluations. 
The time taken depends on when the last credential report was fetched by Total Cloud and the time when changes were made in AWS IAM.</p><p><strong>Reference:</strong></p><p><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html" target="_blank">https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html</a></p><p><strong>Using AWS CLI:</strong></p><p># aws iam create-virtual-mfa-device --virtual-mfa-device-name &lt;Name device&gt; --outfile &lt;path&gt; --bootstrap-method &lt;method&gt; <br/> For command usage refer: <a href="https://docs.aws.amazon.com/cli/latest/reference/iam/create-virtual-mfa-device.html" target="_blank"> https://docs.aws.amazon.com/cli/latest/reference/iam/create-virtual-mfa-device.html </a></p><p># aws iam enable-mfa-device --user-name &lt;UserName&gt; --serial-number &lt;Arm MFA device&gt; --authentication-code-1 &lt;Code1&gt; --authentication-code-2 &lt;Code 2&gt; <br/> For command usage refer: <a href="https://docs.aws.amazon.com/cli/latest/reference/iam/enable-mfa-device.html" target="_blank"> https://docs.aws.amazon.com/cli/latest/reference/iam/enable-mfa-device.html </a></p>]]>
            </MANUAL_REMEDIATION>
            <REFERENCES>
            <![CDATA[<p> CIS Amazon Web Services Foundations Benchmark v5.0.0 - 31-03-2025: Recommendation #1.9 </p><li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html" target="_blank">https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html</a></li><li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users" target="_blank">https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users</a></li>]]>
            </REFERENCES>
            <RESOURCE_TYPE>IAM User</RESOURCE_TYPE>
            <REMEDIATION_ENABLED>false</REMEDIATION_ENABLED>
            <POLICY_NAME_LIST>
                <POLICY_NAME>CIS Amazon Web Services Foundations Benchmark</POLICY_NAME>
            </POLICY_NAME_LIST>
            <EXECUTION_TYPE>
                <![CDATA[Run Time]]>
            </EXECUTION_TYPE>
            <QFLOW_BASED>false</QFLOW_BASED>
        </CONTROL>
    </CONTROL_LIST>
</CONTROL_LIST_OUTPUT>

Response (JSON)

{
  "dateTime": "2021-07-06T12:52:15.637+00:00",
  "control": [
    {
    "cid": 1,
    "controlName": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password",
    "created": "2022-07-07T09:50:11+0000",
    "modified": "2025-11-19T10:16:43+0000",
    "controlType": "System Defined",
    "provider": "AWS",
    "isCustomizable": false,
    "serviceType": "IAM",
    "criticality": "HIGH",
    "evaluation": {
        "evaluationDescription": "<p>Check IAM Users having console password enabled have MFA Enabled.</p> <p>Changes in account credentials may take upto 4 hours to get reflected in the AWS IAM evaluations. The time taken depends on when the last credential report was fetched by Total Cloud and the time when changes were made in AWS IAM.</p>",
        "passMessage": "IAM user is configured with MFA.",
        "failMessage": "IAM user is not configured with MFA.",
        "evaluationCriteria": [],
        "expectedResults": "Multi factor authentication should be set to true"
    },
    "specification": "<p>Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to the AWS console, they will be prompted for their user name and password as well as for an authentication code from their MFA device. It is recommended that MFA be enabled for all accounts that have a console password.</p> <p> CIS reference: CIS Amazon Web Services Foundations Benchmark v5.0.0 - 31-03-2025: Recommendation #1.9 </p>",
    "rationale": "<p>Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential.</p>",
    "manualRemediation": "<p><strong>Perform the following to enable MFA :</strong></p> <ol> <li> <p>Sign in to the AWS Management Console and open the IAM console at <a href=\"https://console.aws.amazon.com/iam/\" rel=\"noopener\" target=\"_blank\">https://console.aws.amazon.com/iam/</a>.</p> </li> <li> <p>In the navigation pane, choose <strong>Users</strong>.</p> </li> <li> <p>In the <strong>User Name</strong> list, choose the name of the intended MFA user.</p> </li> <li> <p>Choose the <strong>Security credentials</strong> tab. Under <strong>Multi-factor authentication (MFA)</strong>, choose <strong>Assign MFA device</strong>.</p> </li> <li> <p>In the <strong>Select MFA device</strong> wizard, type a <strong>Device name</strong>, choose <strong>Authenticator app</strong>, and then choose <strong>Next</strong>.</p> <p>IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.</p> </li> <li> <p>Open your virtual MFA app. (For a list of apps that you can use for hosting virtual MFA devices, see <a href=\"https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications\" rel=\"noopener\" target=\"_blank\">Multi-Factor Authentication</a>.) If the virtual MFA app supports multiple virtual MFA devices or accounts, choose the option to create a new virtual MFA device or account. </p> </li> <li> <p>Determine whether the MFA app supports QR codes, and then do one of the following:</p> <div> <ul type=\"disc\"> <li> <p>From the wizard, choose <strong>Show QR code</strong>, and then use the app to scan the QR code. 
For example, you might choose the camera icon or choose an option similar to <strong>Scan code</strong>, and then use the device's camera to scan the code.</p> </li> <li> <p>From the wizard, choose <strong>Show secret key</strong>, and then type the secret key into your MFA app</p> </li> </ul> <p>When you are finished, the virtual MFA device starts generating one-time passwords.</p> </li> <li> <p>In the wizard, in the <strong>MFA code 1</strong> box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the <strong>MFA code 2</strong> box. Choose <strong>Add MFA</strong>.</p> <div> <p><b>Important</b></p> <p>Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_sync.html\" target=\"_blank\">resync the device</a>.</p> </li> </ol> <p>The virtual MFA device is now ready for use with AWS.</p> <p>Changes in account credentials may take upto 4 hours to get reflected in the AWS IAM evaluations. 
The time taken depends on when the last credential report was fetched by Total Cloud and the time when changes were made in AWS IAM.</p> <p><strong>Reference:</strong></p> <p> <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\" target=\"_blank\">https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html</a> </p> <p><strong>Using AWS CLI:</strong></p> <p># aws iam create-virtual-mfa-device --virtual-mfa-device-name &lt;Name device&gt; --outfile &lt;path&gt; --bootstrap-method &lt;method&gt; <br/> For command usage refer: <a href=\"https://docs.aws.amazon.com/cli/latest/reference/iam/create-virtual-mfa-device.html\" target=\"_blank\"> https://docs.aws.amazon.com/cli/latest/reference/iam/create-virtual-mfa-device.html </a> </p> <p># aws iam enable-mfa-device --user-name &lt;UserName&gt; --serial-number &lt;Arm MFA device&gt; --authentication-code-1 &lt;Code1&gt; --authentication-code-2 &lt;Code 2&gt; <br/> For command usage refer: <a href=\"https://docs.aws.amazon.com/cli/latest/reference/iam/enable-mfa-device.html\" target=\"_blank\"> https://docs.aws.amazon.com/cli/latest/reference/iam/enable-mfa-device.html </a> </p>",
    "references": "<p> CIS Amazon Web Services Foundations Benchmark v5.0.0 - 31-03-2025: Recommendation #1.9 </p> <li><a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\" target=\"_blank\">https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html</a></li> <li><a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\" target=\"_blank\">https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users</a></li>",
    "resourceType": "IAM User",
    "remediationEnabled": false,
    "policyNames": [
        "CIS Amazon Web Services Foundations Benchmark"
    ],
    "executionType": "Run Time",
    "workflowBased": false
    }
  ]
}

Sample - Get the control metadata (Azure)

API request

    curl -X GET -u <username>:<password> '<qualys_base_url>/cloudview-api/rest/v1/controls/metadata/list?filter=provider%3AAZURE&pageNo=0&pageSize=50' -H 'accept: application/xml'

Response (XML)

<?xml version='1.0' encoding='UTF-8'?>
<CONTROL_LIST_OUTPUT>
    <DATETIME>2021-07-06T12:55:48.065+00:00</DATETIME>
    <CONTROL_LIST>
        <CONTROL>
    <CID>50001</CID>
    <CONTROL_NAME>Ensure that Data encryption is set to ON for a SQL database</CONTROL_NAME>
    <CREATED>2020-05-07T01:27:53+0000</CREATED>
    <MODIFIED>2025-11-19T10:19:18+0000</MODIFIED>
    <CONTROL_TYPE>System Defined</CONTROL_TYPE>
    <PROVIDER>AZURE</PROVIDER>
    <IS_CUSTOMIZABLE>false</IS_CUSTOMIZABLE>
    <SERVICE_TYPE>
        <![CDATA[Azure SQL]]>
    </SERVICE_TYPE>
    <CRITICALITY>HIGH</CRITICALITY>
    <EVALUATION>
        <EVALUATION_DESCRIPTION>
            <![CDATA[<p> This control ensures that `Transparent Data Encryption' is enabled for a threat detection policy on a SQL server. </p>]]>
        </EVALUATION_DESCRIPTION>
        <PASS_MESSAGE>Transparent Encryption is Enabled for a SQL Database</PASS_MESSAGE>
        <FAIL_MESSAGE>Transparent Encryption is not Enabled for a SQL Database</FAIL_MESSAGE>
        <EVALUATION_CRITERIA_LIST/>
        <EXPECTED_RESULTS>Encryption status should be set to 'Enabled'.</EXPECTED_RESULTS>
    </EVALUATION>
    <SPECIFICATION>
        <![CDATA[<p> Enable Transparent Data Encryption on every SQL database. </p><p> CIS reference: Azure Foundations Benchmark v3.0.0 - 05-09-2024 : Recommendation #5.1.5 CIS Microsoft Azure Database Services Benchmark v1.0.0 - 28-06-24 : Recommendation #10.5 </p>]]>
    </SPECIFICATION>
    <RATIONALE>
        <![CDATA[<p> Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. <br/> By default, Data encryption is set to ON. </p>]]>
    </RATIONALE>
    <MANUAL_REMEDIATION>
        <![CDATA[<p><strong>To enable Transparent data encryption for SQL DB instance:</strong></p><p><strong>Azure Console</strong></p><ol><li>Go to SQL databases</li><li>Select DB instance to configure Data Encryption</li><li>Click on Transparent data encryption under Security section.</li><li>Set Data encryption to On</li></ol><p><strong>Azure Command Line Interface 2.0</strong></p><p>az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled</p>]]>
    </MANUAL_REMEDIATION>
    <REFERENCES>
        <![CDATA[<ul><li>CIS Microsoft Azure Foundations Benchmark v3.0.0 - 05-09-2024 : Recommendation #5.1.5</li><li>CIS Microsoft Azure Database Services Benchmark v1.0.0 - 28-06-24 : Recommendation #10.5</li><li><a href="https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database" target="_blank"> https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database </a></li></ul>]]>
    </REFERENCES>
    <RESOURCE_TYPE>SQL Server Database</RESOURCE_TYPE>
    <REMEDIATION_ENABLED>false</REMEDIATION_ENABLED>
    <POLICY_NAME_LIST>
        <POLICY_NAME>Azure Infrastructure as Code Security Best Practices Policy</POLICY_NAME>
        <POLICY_NAME>CIS Microsoft Azure Database Services Benchmark</POLICY_NAME>
    </POLICY_NAME_LIST>
    <BUILD_TIME_REMEDIATION>
        <![CDATA[<p><strong>Terraform</strong></p><p>Ensure azurerm_mssql_server_transparent_data_encryption has server_id set to azurerm_mssql_server resource</p>]]>
    </BUILD_TIME_REMEDIATION>
    <TEMPLATE_TYPE_LIST>
        <TEMPLATE_TYPE>Terraform</TEMPLATE_TYPE>
    </TEMPLATE_TYPE_LIST>
    <EXECUTION_TYPE>
        <![CDATA[Build & Run Time]]>
    </EXECUTION_TYPE>
    <QFLOW_BASED>false</QFLOW_BASED>
</CONTROL>
    </CONTROL_LIST>
</CONTROL_LIST_OUTPUT>

Response (JSON)

{
    "dateTime": "1764678322924",
    "control": [
        {
            "cid": 50001,
            "controlName": "Ensure that Data encryption is set to ON for a SQL database",
            "created": "2020-05-07T01:27:53+0000",
            "modified": "2025-12-01T01:16:15+0000",
            "controlType": "System Defined",
            "provider": "AZURE",
            "isCustomizable": false,
            "serviceType": "Azure SQL",
            "criticality": "HIGH",
            "evaluation": {
                "evaluationDescription": "<p> This control ensures that `Transparent Data Encryption' is enabled for a threat detection policy on a SQL server. </p>",
                "passMessage": "Transparent Encryption is Enabled for a SQL Database",
                "failMessage": "Transparent Encryption is not Enabled for a SQL Database",
                "evaluationCriteria": [],
                "expectedResults": "Encryption status should be set to 'Enabled'."
            },
            "specification": "<p> Enable Transparent Data Encryption on every SQL database. </p> <p> CIS reference: Azure Foundations Benchmark v3.0.0 - 05-09-2024 : Recommendation #5.1.5 CIS Microsoft Azure Database Services Benchmark v1.0.0 - 28-06-24 : Recommendation #10.5 </p>",
            "rationale": "<p> Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. <br/> By default, Data encryption is set to ON. </p>",
            "manualRemediation": "<p><strong>To enable Transparent data encryption for SQL DB instance:</strong></p> <p><strong>Azure Console</strong></p> <ol> <li>Go to SQL databases</li> <li>Select DB instance to configure Data Encryption</li> <li>Click on Transparent data encryption under Security section.</li> <li>Set Data encryption to On</li> </ol> <p><strong>Azure Command Line Interface 2.0</strong></p> <p>az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled</p>",
            "references": "<ul> <li>CIS Microsoft Azure Foundations Benchmark v3.0.0 - 05-09-2024 : Recommendation #5.1.5</li> <li>CIS Microsoft Azure Database Services Benchmark v1.0.0 - 28-06-24 : Recommendation #10.5</li> <li> <a href=\"https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\" target=\"_blank\"> https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database </a> </li> </ul>",
            "resourceType": "SQL Server Database",
            "remediationEnabled": false,
            "policyNames": [
                "Azure Infrastructure as Code Security Best Practices Policy",
                "CIS Microsoft Azure Database Services Benchmark"
            ],
            "buildTimeRemediation": "<p><strong>Terraform</strong></p><p>Ensure azurerm_mssql_server_transparent_data_encryption has server_id set to azurerm_mssql_server resource</p>",
            "templateType": [
                "Terraform"
            ],
            "executionType": "Build & Run Time",
            "workflowBased": false
        }
    ]
}

Sample - Get the control metadata (GCP)

API request

    curl -X GET -u <username>:<password> '<qualys_base_url>/cloudview-api/rest/v1/controls/metadata/list?filter=provider%3AGCP&pageNo=0&pageSize=50' -H 'accept: application/xml'

Response (XML)

<?xml version='1.0' encoding='UTF-8'?>
<CONTROL_LIST_OUTPUT>
    <DATETIME>2021-07-06T12:57:27.547+00:00</DATETIME>
    <CONTROL_LIST>
        <CONTROL>
    <CID>52000</CID>
    <CONTROL_NAME>Ensure that corporate login credentials are used instead of Gmail accounts</CONTROL_NAME>
    <CREATED>2020-05-07T01:24:08+0000</CREATED>
    <MODIFIED>2025-11-07T06:03:43+0000</MODIFIED>
    <CONTROL_TYPE>System Defined</CONTROL_TYPE>
    <PROVIDER>GCP</PROVIDER>
    <IS_CUSTOMIZABLE>false</IS_CUSTOMIZABLE>
    <SERVICE_TYPE>
        <![CDATA[IAM & Admin]]>
    </SERVICE_TYPE>
    <CRITICALITY>MEDIUM</CRITICALITY>
    <EVALUATION>
        <EVALUATION_DESCRIPTION>
            <![CDATA[<p> This control ensures that corporate login credentials are used instead of Gmail accounts. </p>]]>
        </EVALUATION_DESCRIPTION>
        <PASS_MESSAGE>Corporate login credentials are used instead of Gmail account</PASS_MESSAGE>
        <FAIL_MESSAGE>Corporate login credentials are not used instead of Gmail account</FAIL_MESSAGE>
        <EVALUATION_CRITERIA_LIST/>
        <EXPECTED_RESULTS>Gmail accounts must not be used.</EXPECTED_RESULTS>
    </EVALUATION>
    <SPECIFICATION>
        <![CDATA[<p> Use corporate login credentials instead of Gmail accounts. </p><p> CIS reference: CIS Google Cloud Platform Foundation Benchmark v2.0.0 - 12-30-2022: Recommendation #1.1 </p>]]>
    </SPECIFICATION>
    <RATIONALE>
        <![CDATA[<p> Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. </p><p> By default, any Gmail account can be associated with a Google Cloud Platform Project. </p>]]>
    </RATIONALE>
    <MANUAL_REMEDIATION>
        <![CDATA[<p><strong>To identify the Gmail accounts used, use the following command for each Google Cloud Platform project.</strong></p><p><strong>gcloud command-line tool:</strong></p><pre><code>gcloud projects get-iam-policy [Project-ID] | grep @gmail.com</code></pre><p>For creating Corporate login accounts, follow the documentation and setup the login accounts as per requirements.</p>]]>
    </MANUAL_REMEDIATION>
    <REFERENCES>
        <![CDATA[<ul><li>CIS Google Cloud Platform Foundation Benchmark v2.0.0 - 12-30-2022: Recommendation #1.1</li><li><a href="https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#use_corporate_login_credentials" target="_blank"> https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#use_corporate_login_credentials </a></li><li><a href="https://support.google.com/work/android/answer/6371476" target="_blank"> https://support.google.com/work/android/answer/6371476 </a></li></ul>]]>
    </REFERENCES>
    <RESOURCE_TYPE>Project IAM</RESOURCE_TYPE>
    <REMEDIATION_ENABLED>false</REMEDIATION_ENABLED>
    <POLICY_NAME_LIST>
        <POLICY_NAME>GCP Infrastructure as Code Security Best Practices Policy</POLICY_NAME>
        <POLICY_NAME>CIS Google Cloud Platform Foundation Benchmark</POLICY_NAME>
    </POLICY_NAME_LIST>
    <BUILD_TIME_REMEDIATION>
        <![CDATA[<p><strong>Terraform</strong></p><p>Ensure google_iam_policy has binding.members doesn't have any gmail.com email IDs</p>]]>
    </BUILD_TIME_REMEDIATION>
    <TEMPLATE_TYPE_LIST>
        <TEMPLATE_TYPE>Terraform</TEMPLATE_TYPE>
    </TEMPLATE_TYPE_LIST>
    <EXECUTION_TYPE>
        <![CDATA[Build & Run Time]]>
    </EXECUTION_TYPE>
    <QFLOW_BASED>false</QFLOW_BASED>
</CONTROL>
    </CONTROL_LIST>
</CONTROL_LIST_OUTPUT>

Response (JSON)

{
    "dateTime": "1764678263670",
    "control": [
        {
            "cid": 52000,
            "controlName": "Ensure that corporate login credentials are used instead of Gmail accounts",
            "created": "2020-05-07T01:24:08+0000",
            "modified": "2025-12-01T01:17:34+0000",
            "controlType": "System Defined",
            "provider": "GCP",
            "isCustomizable": false,
            "serviceType": "IAM & Admin",
            "criticality": "MEDIUM",
            "evaluation": {
                "evaluationDescription": "<p> This control ensures that corporate login credentials are used instead of Gmail accounts. </p>",
                "passMessage": "Corporate login credentials are used instead of Gmail account",
                "failMessage": "Corporate login credentials are not used instead of Gmail account",
                "evaluationCriteria": [],
                "expectedResults": "Gmail accounts must not be used."
            },
            "specification": "<p> Use corporate login credentials instead of Gmail accounts. </p> <p> CIS reference: CIS Google Cloud Platform Foundation Benchmark v2.0.0 - 12-30-2022: Recommendation #1.1 </p>",
            "rationale": "<p> Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Thus, it is recommended that you use fully managed corporate Google accounts for increased visibility, auditing, and control over access to Cloud Platform resources. </p> <p> By default, any Gmail account can be associated with a Google Cloud Platform Project. </p>",
            "manualRemediation": "<p><strong>To identify the Gmail accounts used, use the following command for each Google Cloud Platform project.</strong></p> <p><strong>gcloud command-line tool:</strong></p> <pre><code>gcloud projects get-iam-policy [Project-ID] | grep @gmail.com</code></pre> <p>For creating Corporate login accounts, follow the documentation and setup the login accounts as per requirements.</p>",
            "references": "<ul> <li>CIS Google Cloud Platform Foundation Benchmark v2.0.0 - 12-30-2022: Recommendation #1.1</li> <li> <a href=\"https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#use_corporate_login_credentials\" target=\"_blank\"> https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#use_corporate_login_credentials </a> </li> <li><a href=\"https://support.google.com/work/android/answer/6371476\" target=\"_blank\"> https://support.google.com/work/android/answer/6371476 </a></li> </ul>",
            "resourceType": "Project IAM",
            "remediationEnabled": false,
            "policyNames": [
                "GCP Infrastructure as Code Security Best Practices Policy",
                "CIS Google Cloud Platform Foundation Benchmark"
            ],
            "buildTimeRemediation": "<p><strong>Terraform</strong></p><p>Ensure google_iam_policy has binding.members doesn't have any gmail.com email IDs</p>",
            "templateType": [
                "Terraform"
            ],
            "executionType": "Build & Run Time",
            "workflowBased": false
        }
    ]
}

Sample - Get the control metadata (OCI)

API request

    curl -X GET -u <username>:<password> '<qualys_base_url>/cloudview-api/rest/v1/controls/metadata/list?filter=provider%3AOCI&pageNo=0&pageSize=100' -H 'accept: application/xml'

Response (XML)

<?xml version='1.0' encoding='UTF-8'?>
<CONTROL_LIST_OUTPUT>
    <DATETIME>2021-07-06T12:57:27.547+00:00</DATETIME>
    <CONTROL_LIST>
        <CONTROL>
            <CID>40001</CID>
            <CONTROL_NAME>Ensure Secure Boot is enabled on Compute Instance</CONTROL_NAME>
            <CREATED>2023-06-19T01:45:21+0000</CREATED>
            <MODIFIED>2025-11-19T10:17:38+0000</MODIFIED>
            <CONTROL_TYPE>System Defined</CONTROL_TYPE>
            <PROVIDER>OCI</PROVIDER>
            <IS_CUSTOMIZABLE>false</IS_CUSTOMIZABLE>
            <SERVICE_TYPE><![CDATA[COMPUTE]]></SERVICE_TYPE>
            <CRITICALITY>MEDIUM</CRITICALITY>
            <EVALUATION>
                <EVALUATION_DESCRIPTION>
                    <![CDATA[<p> This control ensures that Compute Instance has Secure Boot Enabled </p>]]>
                </EVALUATION_DESCRIPTION>
                <PASS_MESSAGE>Instance has Secure Boot Enabled</PASS_MESSAGE>
                <FAIL_MESSAGE>Instance has Secure Boot Disabled</FAIL_MESSAGE>
                <EVALUATION_CRITERIA_LIST/>
                <EXPECTED_RESULTS>Compute Instances should use Secure Boot Strategy</EXPECTED_RESULTS>
            </EVALUATION>
            <SPECIFICATION>
                <![CDATA[<p> Secure Boot verifies digital signature of the system's software to check authenticity of the software. The digital signature ensures the operating system has not been tampered with and is from a trusted source. </p><p> When the system attempts to execute the software, it will first check digital signature to ensure validity. If the digital signature is not valid, the system will not allow the software to run. </p>]]>
            </SPECIFICATION>
            <RATIONALE>
                <![CDATA[<p> A Threat Actor may seek to alter boot components to persist malware or root kits during system initialization. Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. </p>]]>
            </RATIONALE>
            <MANUAL_REMEDIATION>
                <![CDATA[<p><strong>Note:</strong> Secure Boot facility is available on selected VM images and Shapes in OCI. User have to configure Secured Boot at time of instance creation only.</p><p><strong>OCI Console:</strong></p><ol><li>Navigate to <a href="https://console.us-ashburn-1.oraclecloud.com/compute/instances" target="_blank">https://console.us-ashburn-1.oraclecloud.com/compute/instances</a></li><li>Click on Create Instance.</li><li>Select Image and Shape which supports Shielded Instance configuration. Icon for Shield in front of Image/Shape row indicates support of Shielded Instance.</li><li>Click on edit of Security Blade.</li><li>Turn On Shielded Instance, then Turn on Secure Boot Toggle.</li><li>Fill in rest of the details as per requirements.</li><li>Click Create.</li></ol>]]>
            </MANUAL_REMEDIATION>
            <REFERENCES>
                <![CDATA[<ul><li><a href="https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf" target="_blank"> https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf </a></li><li><a href="https://docs.oracle.com/en-us/iaas/Content/Compute/References/shielded-instances.htm">https://docs.oracle.com/en-us/iaas/Content/Compute/References/shielded-instances.htm</a></li><li>CIS Oracle Cloud Infrastructure Foundations Benchmark v3.0.0 - 28-02-2025: Recommendation #3.2</li></ul>]]>
            </REFERENCES>
            <RESOURCE_TYPE>INSTANCE</RESOURCE_TYPE>
            <REMEDIATION_ENABLED>false</REMEDIATION_ENABLED>
            <POLICY_NAME_LIST>
                <POLICY_NAME>CIS Oracle Cloud Infrastructure Foundation Benchmark</POLICY_NAME>
            </POLICY_NAME_LIST>
            <EXECUTION_TYPE>
                <![CDATA[Run Time]]>
            </EXECUTION_TYPE>
            <QFLOW_BASED>false</QFLOW_BASED>
        </CONTROL>
    </CONTROL_LIST>
</CONTROL_LIST_OUTPUT>

Response (JSON)

{
    "dateTime": "1764676114431",
    "control": [
        {
            "cid": 40001,
            "controlName": "Ensure Secure Boot is enabled on Compute Instance",
            "created": "2023-06-19T01:45:21+0000",
            "modified": "2025-12-01T01:14:31+0000",
            "controlType": "System Defined",
            "provider": "OCI",
            "isCustomizable": false,
            "serviceType": "COMPUTE",
            "criticality": "MEDIUM",
            "evaluation": {
                "evaluationDescription": "<p> This control ensures that Compute Instance has Secure Boot Enabled </p>",
                "passMessage": "Instance has Secure Boot Enabled",
                "failMessage": "Instance has Secure Boot Disabled",
                "evaluationCriteria": [],
                "expectedResults": "Compute Instances should use Secure Boot Statergy"
            },
            "specification": "<p> Secure Boot verifies digital signature of the system's software to check authenticity of the software. The digital signature ensures the operating system has not been tampered with and is from a trusted source. </p> <p> When the system attempts to execute the software, it will first check digital signature to ensure validity. If the digital signature is not valid, the system will not allow the software to run. </p>",
            "rationale": "<p> A Threat Actor may seek to alter boot components to persist malware or root kits during system initialization. Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. </p>",
            "manualRemediation": "<p><strong>Note:</strong> Secure Boot facility is available on selected VM images and Shapes in OCI. User have to configure Secured Boot at time of instance creation only. </p> <p><strong>OCI Console:</strong></p> <ol> <li>Navigate to <a href=\"https://console.us-ashburn-1.oraclecloud.com/compute/instances\" target=\"_blank\">https://console.us-ashburn-1.oraclecloud.com/compute/instances</a></li> <li>Click on Create Instance.</li> <li>Select Image and Shape which supports Shielded Instance configuration. Icon for Shield in front of Image/Shape row indicates support of Shielded Instance.</li> <li>Click on edit of Security Blade.</li> <li>Turn On Shielded Instance, then Turn on Secure Boot Toggle.</li> <li>Fill in rest of the details as per requirements.</li> <li>Click Create.</li> </ol>",
            "references": "<ul> <li> <a href=\"https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf\" target=\"_blank\"> https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf </a> </li> <li><a href=\"https://docs.oracle.com/en-us/iaas/Content/Compute/References/shielded-instances.htm\">https://docs.oracle.com/en-us/iaas/Content/Compute/References/shielded-instances.htm</a></li> <li>CIS Oracle Cloud Infrastructure Foundations Benchmark v3.0.0 - 28-02-2025: Recommendation #3.2</li> </ul>",
            "resourceType": "INSTANCE",
            "remediationEnabled": false,
            "policyNames": [
                "CIS Oracle Cloud Infrastructure Foundation Benchmark"
            ],
            "executionType": "Run Time",
            "workflowBased": false
        }
    ]
}
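The request above returns the same control record as XML (EXPECTED_RESULTS under EVALUATION) or JSON (evaluation.expectedResults), and the JSON dateTime is epoch milliseconds while the XML DATETIME is ISO 8601. The script below is an added example, not Qualys code: it normalises either response shape into one record, flags controls whose expectedResults is empty, and pages through the live endpoint with the same filter/pageNo/pageSize parameters as the curl request. The sample XML and JSON are constructed, trimmed copies of the OCI response shown on this page. Assumptions not stated on the page: that `Accept: application/json` selects the JSON form, that paging ends when a page returns no controls, and that `<qualys_base_url>` is supplied as a plain https host.

```python
"""Normalise TotalCloud /controls/metadata/list responses (XML or JSON)
and extract the expectedResults field. Added example, not Qualys code."""
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample responses, trimmed from the OCI samples on this page.
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<CONTROL_LIST_OUTPUT>
  <DATETIME>2021-07-06T12:57:27.547+00:00</DATETIME>
  <CONTROL_LIST>
    <CONTROL>
      <CID>40001</CID>
      <CONTROL_NAME>Ensure Secure Boot is enabled on Compute Instance</CONTROL_NAME>
      <PROVIDER>OCI</PROVIDER>
      <SERVICE_TYPE>
        <![CDATA[COMPUTE]]>
      </SERVICE_TYPE>
      <CRITICALITY>MEDIUM</CRITICALITY>
      <EVALUATION>
        <PASS_MESSAGE>Instance has Secure Boot Enabled</PASS_MESSAGE>
        <FAIL_MESSAGE>Instance has Secure Boot Disabled</FAIL_MESSAGE>
        <EVALUATION_CRITERIA_LIST/>
        <EXPECTED_RESULTS>Compute Instances should use Secure Boot Strategy</EXPECTED_RESULTS>
      </EVALUATION>
      <RESOURCE_TYPE>INSTANCE</RESOURCE_TYPE>
      <POLICY_NAME_LIST>
        <POLICY_NAME>CIS Oracle Cloud Infrastructure Foundation Benchmark</POLICY_NAME>
      </POLICY_NAME_LIST>
    </CONTROL>
  </CONTROL_LIST>
</CONTROL_LIST_OUTPUT>
"""

SAMPLE_JSON = json.dumps({
    "dateTime": "1764676114431",
    "control": [{
        "cid": 40001,
        "controlName": "Ensure Secure Boot is enabled on Compute Instance",
        "provider": "OCI",
        "serviceType": "COMPUTE",
        "criticality": "MEDIUM",
        "evaluation": {
            "passMessage": "Instance has Secure Boot Enabled",
            "failMessage": "Instance has Secure Boot Disabled",
            "evaluationCriteria": [],
            "expectedResults": "Compute Instances should use Secure Boot Strategy",
        },
        "resourceType": "INSTANCE",
        "policyNames": ["CIS Oracle Cloud Infrastructure Foundation Benchmark"],
    }],
})


def _text(elem, tag):
    """Stripped text of a child element, or '' when absent (CDATA is plain text to ElementTree)."""
    child = elem.find(tag) if elem is not None else None
    return (child.text or "").strip() if child is not None else ""


def controls_from_xml(body: bytes):
    """Normalise an XML CONTROL_LIST_OUTPUT into plain records."""
    root = ET.fromstring(body)
    records = []
    for c in root.iter("CONTROL"):
        records.append({
            "cid": int(_text(c, "CID")),
            "name": _text(c, "CONTROL_NAME"),
            "provider": _text(c, "PROVIDER"),
            "criticality": _text(c, "CRITICALITY"),
            "expectedResults": _text(c.find("EVALUATION"), "EXPECTED_RESULTS"),
            "policies": [(p.text or "").strip() for p in c.findall("POLICY_NAME_LIST/POLICY_NAME")],
        })
    return records


def controls_from_json(body: bytes):
    """Normalise the JSON form into the same record shape as controls_from_xml."""
    doc = json.loads(body)
    records = []
    for c in doc.get("control", []):
        ev = c.get("evaluation") or {}
        records.append({
            "cid": int(c["cid"]),
            "name": c.get("controlName", ""),
            "provider": c.get("provider", ""),
            "criticality": c.get("criticality", ""),
            "expectedResults": (ev.get("expectedResults") or "").strip(),
            "policies": list(c.get("policyNames", [])),
        })
    return records


def missing_expected_results(records):
    """CIDs whose expectedResults is empty: those give no remediation target to report on."""
    return [r["cid"] for r in records if not r["expectedResults"]]


def fetch_page(base_url, username, password, provider, page_no=0, page_size=100, as_json=True):
    """One page of /controls/metadata/list, equivalent to the curl request above.
    Network call; not exercised offline. urlencode renders the filter as provider%3A<PROVIDER>."""
    query = urllib.parse.urlencode({"filter": f"provider:{provider}", "pageNo": page_no, "pageSize": page_size})
    url = f"{base_url.rstrip('/')}/cloudview-api/rest/v1/controls/metadata/list?{query}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()  # same as curl -u
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json" if as_json else "application/xml",  # JSON selector is an assumption
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def fetch_all(base_url, username, password, provider):
    """Page until an empty page comes back (assumed termination; the page does not document a total)."""
    records, page = [], 0
    while True:
        batch = controls_from_json(fetch_page(base_url, username, password, provider, page_no=page))
        if not batch:
            return records
        records.extend(batch)
        page += 1


if __name__ == "__main__":
    recs = controls_from_json(SAMPLE_JSON.encode())
    assert recs == controls_from_xml(SAMPLE_XML.encode())
    for r in recs:
        print(r["cid"], r["criticality"], r["name"], "->", r["expectedResults"])
```

Run it as-is to check the two sample shapes normalise identically; for a live pull, call `fetch_all("https://<qualys_base_url>", user, password, "OCI")` and feed the result to `missing_expected_results` to list controls where the new field is still blank.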