CloudSploit Security Remediation Guides

CloudSploit's remediation guides are intended to be an open-source resource for improving cloud security. Many cloud IaaS providers like AWS, Azure, and Google Cloud have a shared responsibility model. They provide the physical and architectural security, along with tools to properly secure the services they offer, but it is up to the user to configure those settings properly.

Background

This repository is an extension of CloudSploit's open-source scanning engine. We first released the scanning engine in 2015, and this documentation repository is a natural follow up to that tool. The goal of these guides are to provide detailed steps on remediation common security issues in cloud services.

Table of Contents

• AWS
  • ACM
    • ACM Certificate Validation
  • AutoScaling
    • ASG Multiple AZ
  • CloudFront
    • CloudFront HTTPS Only
    • CloudFront Logging Enabled
    • Insecure CloudFront Protocols
    • Public S3 CloudFront Origin
    • Secure CloudFront Origin
  • CloudTrail
    • CloudTrail Bucket Access Logging
    • CloudTrail Bucket Delete Policy
    • CloudTrail Bucket Private
    • CloudTrail Enabled
    • CloudTrail Encryption
    • CloudTrail File Validation
    • CloudTrail To CloudWatch
  • CloudWatchLogs
    • CloudWatch Monitoring Metrics
  • ConfigService
    • Config Service Enabled
  • EC2
    • Cross VPC Public Private Communication
    • Default Security Group
    • Default VPC In Use
    • Detect EC2 Classic Instances
    • EBS Encrypted Snapshots
    • EBS Encryption Enabled
    • EC2 Instance Key Based Login
    • EC2 Max Instances
    • Elastic IP Limit
    • Encrypted AMI
    • Excessive Security Groups
    • Instance IAM Role
    • Instance Limit
    • NAT Multiple AZ
    • Network Acl Has Tags
    • Open All Ports Protocols
    • Open CIFS
    • Open DNS
    • Open Elasticsearch
    • Open FTP
    • Open MySQL
    • Open NetBIOS
    • Open Oracle
    • Open PostgreSQL
    • Open RDP
    • Open RPC
    • Open SMBoTCP
    • Open SMTP
    • Open SQL Server
    • Open SSH
    • Open Telnet
    • Open VNC Client
    • Open VNC Server
    • Overlapping Security Groups
    • Public AMI
    • Subnet IP Availability
    • VPC Elastic IP Limit
    • VPC Flow Logs Enabled
    • VPC Multiple Subnets
  • ELB
    • ELB HTTPS Only
    • ELB Logging Enabled
    • ELB No Instances
    • Insecure Ciphers
  • Firehose
    • Firehose Delivery Streams Encrypted
  • IAM
    • Access Keys Extra
    • Access Keys Last Used
    • Access Keys Rotated
    • Certificate Expiry
    • Empty Groups
    • IAM User Admins
    • Maximum Password Age
    • Minimum Password Length
    • No User IAM Policies
    • Password Expiration
    • Password Requires Lowercase
    • Password Requires Numbers
    • Password Requires Symbols
    • Password Requires Uppercase
    • Password Reuse Prevention
    • Root Access Keys
    • Root Account In Use
    • Root MFA Enabled
    • SSH Keys Rotated
    • Users MFA Enabled
    • Users Password Last Used
  • KMS
    • KMS Default Key Usage
    • KMS Key Policy
    • KMS Key Rotation
    • KMS Scheduled Deletion
  • Kinesis
    • Kinesis Streams Encrypted
  • Lambda
    • Lambda Old Runtimes
  • RDS
    • RDS Automated Backups
    • RDS Encryption Enabled
    • RDS Multiple AZ
    • RDS Publicly Accessible
    • RDS Restorable
  • Redshift
    • Redshift Encryption Enabled
    • Redshift Publicly Accessible
  • Route53
    • Domain Auto Renew
    • Domain Expiry
    • Domain Transfer Lock
  • S3
    • S3 Bucket All Users ACL
    • S3 Bucket All Users Policy
    • S3 Bucket Logging
    • S3 Bucket Versioning
  • SES
    • Email DKIM Enabled
  • SNS
    • SNS Topic Policies
  • SQS
    • SQS Cross Account Access
    • SQS Encrypted
  • SSM
    • SSM Encrypted Parameters
  • SageMaker
    • Notebook Data Encrypted
    • Notebook Direct Internet Access
• Azure
  • Active Directory
    • Ensure No Guest User
    • Minimum Password Length
    • No Custom Owner Roles
    • Password Requires Lowercase
    • Password Requires Numbers
    • Password Requires Symbols
    • Password Requires Uppercase
  • App Service
    • .NET Framework Version
    • Authentication Enabled
    • Client Certificates Enabled
    • HTTP 2.0 Enabled
    • HTTPS Only Enabled
    • Identity Enabled
    • Java Version
    • PHP Version
    • Python Version
    • TLS Version Check
  • Azure Policy
    • Resource Location Matches Resource Group
    • Resources Allowed Locations
  • Blob Service
    • Blob Container Private Access
    • Blob Service Immutable
  • CDN Profiles
    • Detect Insecure Custom Origin
    • Endpoint Logging Enabled
  • Container Registry
    • ACR Admin User
  • File Service
    • File Service All Access ACL
  • Key Vaults
    • Key Expiration Enabled
    • Key Vault Recovery Enabled
    • Secret Expiration Enabled
  • Kubernetes Service
    • Kubernetes Latest Version
    • Kubernetes RBAC Enabled
  • Load Balancer
    • LB HTTPS Only
    • LB No Instances
  • Log Alerts
    • Network Security Groups Logging Enabled
    • Network Security Groups Rule Logging Enabled
    • Policy Assignment Alerts Enabled
    • SQL Server Firewall Rule Alerts Monitor
    • Security Policy Alerts Enabled
    • Security Solution Logging
    • Virtual Network Alerts Monitor
  • Monitor
    • Key Vault Log Analytics Enabled
    • Load Balancer Log Analytics Enabled
    • Log Profile Archive Data
    • Log Profile Retention Policy
    • NSG Log Analytics Enabled
  • MySQL Server
    • Enforce MySQL SSL Connection
  • Network Security Groups
    • Default Security Group
    • Excessive Security Groups
    • Network Watcher Enabled
    • Open All Ports
    • Open CIFS
    • Open DNS
    • Open FTP
    • Open Hadoop HDFS NameNode Metadata Service
    • Open Hadoop HDFS NameNode WebUI
    • Open Kibana
    • Open MySQL
    • Open NetBIOS
    • Open Oracle
    • Open Oracle Auto Data Warehouse
    • Open PostgreSQL
    • Open RDP
    • Open RPC
    • Open SMBoTCP
    • Open SMTP
    • Open SQLServer
    • Open SSH
    • Open Telnet
    • Open VNC Client
    • Open VNC Server
  • PostgreSQL Server
    • Connection Throttling Enabled
    • Enforce PostgreSQL SSL Connection
    • Log Checkpoints Enabled
    • Log Connections Enabled
    • Log Disconnections Enabled
    • Log Duration Enabled
    • Log Retention Period
  • Queue Service
    • Queue Service All Access ACL
  • Resources
    • Management Lock Enabled
    • Resources Usage Limits
  • SQL Databases
    • DB Restorable
    • Database Auditing Enabled
    • SQL DB Multiple AZ
  • SQL Server
    • Advanced Data Security Enabled
    • Audit Action Groups Enabled
    • Audit Retention Policy
    • Azure Active Directory Admin Enabled
    • Email Account Admins Enabled
    • SQL Server Public Access
    • Send Alerts Enabled
    • Server Auditing Enabled
    • TDE Protector Encrypted
  • Security Center
    • Admin Security Alerts Enabled
    • Application Whitelisting Enabled
    • Auto Provisioning Enabled
    • High Severity Alerts Enabled
    • Monitor Blob Encryption
    • Monitor Disk Encryption
    • Monitor Endpoint Protection
    • Monitor JIT Network Access
    • Monitor NSG Enabled
    • Monitor SQL Auditing
    • Monitor SQL Encryption
    • Monitor System Updates
    • Monitor VM Vulnerability
    • Security Configuration Monitoring
    • Security Contacts Enabled
    • Standard Pricing Enabled
  • Storage Accounts
    • Blob Service Encryption
    • File Service Encryption
    • Log Container Public Access
    • Log Storage Encryption
    • Network Access Default Action
    • Storage Accounts AAD Enabled
    • Storage Accounts Encryption
    • Storage Accounts HTTPS
    • Trusted MS Access Enabled
  • Table Service
    • Table Service All Access ACL
  • Virtual Machines
    • Classic Instances
    • Scale Set Multi Az
    • Scale Sets Autoscale Enabled
    • VM Agent Enabled
    • VM Auto Update Enabled
    • VM Availability Set Enabled
    • VM Availability Set Limit
    • VM Data Disk Encryption
    • VM Endpoint Protection
    • VM Instance Limit
    • VM OS Disk Encryption
  • Virtual Networks
    • Multiple Subnets
• Google
  • CLB
    • CLB CDN Enabled
    • CLB HTTPS Only
    • CLB No Instances
    • Security Policy Enabled
  • Compute
    • Autoscale Enabled
    • CSEK Encryption Enabled
    • Connect Serial Ports Disabled
    • IP Forwarding Disabled
    • Instance Level SSH Only
    • Instances Multi AZ
    • OS Login Enabled
    • VM Instances Least Privilege
    • VM Max Instances
  • Cryptographic Keys
    • Key Rotation
  • DNS
    • DNS Security Enabled
    • DNS Security Signing Algorithm
  • IAM
    • Corporate Emails Only
    • KMS User Separation
    • Service Account Admin
    • Service Account Key Rotation
    • Service Account Managed Keys
    • Service Account Separation
    • Service Account User
    • Service Limits
  • Kubernetes
    • Alias IP Ranges Enabled
    • Automatic Node Repair Enabled
    • Automatic Node Upgrades Enabled
    • Basic Authentication Disabled
    • COS Image Enabled
    • Cluster Labels Added
    • Cluster Least Privilege
    • Default Service Account
    • Legacy Authorization Disabled
    • Logging Enabled
    • Master Authorized Network
    • Monitoring Enabled
    • Network Policy Enabled
    • Pod Security Policy Enabled
    • Private Cluster Enabled
    • Private Endpoint
    • Web Dashboard Disabled
  • Logging
    • Audit Configuration Logging
    • Audit Logging Enabled
    • Custom Role Logging
    • Log Sinks Enabled
    • Project Ownership Logging
    • SQL Configuration Logging
    • Storage Permissions Logging
    • VPC Firewall Rule Logging
    • VPC Network Logging
    • VPC Network Route Logging
  • SQL
    • Any Host Root Access
    • DB Automated Backups
    • DB Multiple AZ
    • DB Publicly Accessible
    • DB Restorable
    • Database SSL Enabled
  • Storage
    • Bucket Logging
    • Bucket Versioning
    • Storage Bucket All Users Policy
  • VPC Network
    • Default VPC In Use
    • Excessive Firewall Rules
    • Flow Logs Enabled
    • Multiple Subnets
    • Open All Ports
    • Open CIFS
    • Open DNS
    • Open FTP
    • Open Hadoop HDFS NameNode Metadata Service
    • Open Hadoop HDFS NameNode WebUI
    • Open Kibana
    • Open MySQL
    • Open NetBIOS
    • Open Oracle
    • Open Oracle Auto Data Warehouse
    • Open PostgreSQL
    • Open RDP
    • Open RPC
    • Open SMBoTCP
    • Open SMTP
    • Open SQLServer
    • Open SSH
    • Open Telnet
    • Open VNC Client
    • Open VNC Server
    • Private Access Enabled
• GitHub
  • Orgs
    • Org Default Permission
    • Org Excessive Owners
    • Org MFA Required
    • Org Plan Limit
  • Repos
    • Repo Deploy Keys Rotated
    • Repo Outside Collaborators
  • Users
    • GPG Keys Rotated
    • Public Keys Rotated
    • User MFA Enabled
    • User Private Emails
• Oracle
  • Audit
    • Log Retention Period
  • Block Storage
    • Block Storage Policy Protection
    • Block Volume Backup Enabled
    • Block Volume Restorable
    • Volume Groups Restorable
  • Compute
    • Autoscale Enabled
    • Boot Volume Backup Enabled
    • Boot Volume Restorable
    • Boot Volume Transit Encryption
    • Instance Max Count
    • Instance Monitoring Enabled
    • Instance Policy Protection
    • Instance Pool Multiple AD
  • Database
    • DB Network Security Groups Enabled
    • DB Private Subnet Only
    • Database Backup Enabled
    • Database Policy Protection
  • File Storage
    • File Storage Policy Protection
    • NFS Public Access
  • Identity
    • Empty Groups
    • Excessive Policies
    • Excessive Policy Statements
    • Minimum Password Length
    • Password Requires Lowercase
    • Password Requires Numbers
    • Password Requires Symbols
    • Password Requires Uppercase
    • Policy Least Privilege
    • Users MFA Enabled
  • Networking
    • Default Security List
    • Excessive Security Lists
    • LB Network Security Groups Enabled
    • Load Balancer HTTPS Only
    • Load Balancer No Instances
    • Open All Ports Protocols
    • Open Autonomous Data Warehouse
    • Open CIFS
    • Open DNS
    • Open FTP
    • Open Hadoop HDFS NameNode Metadata Service
    • Open Hadoop HDFS NameNode WebUI
    • Open Kibana
    • Open MySQL
    • Open NetBIOS
    • Open Oracle
    • Open PostgreSQL
    • Open RDP
    • Open RPC
    • Open SMBoTCP
    • Open SMTP
    • Open SQLServer
    • Open SSH
    • Open Telnet
    • Open VNC Client
    • Open VNC Server
    • Stateless Security Rules
    • Subnet Multi AD
    • VCN Multiple Subnets
    • WAF Public IP Enabled
  • Object Store
    • Bucket Public Access Type
    • Object Store Policy Protection
    • Pre-Authenticated Requests Access
    • Pre-Authenticated Requests Expiry

Contributing

Please see the contributor's guide.