Assessments related to infrastructure management and planning.
ID | Name | Weight | Description |
---|---|---|---|
DR-001 | DR Readiness | 2.0 | Evaluates disaster recovery readiness based on plan compliance, testing frequency, and recovery... |
MONITOR-001 | Automated Monitoring | 1.5 | Evaluates the effectiveness of automated monitoring systems based on coverage, alert quality,... |
EC2-001 | EC2 Instances Monitoring | 1.5 | Checks the operational health of EC2 instances and their monitoring configuration. |
Assessments related to system architecture and engineering practices.
Assessments related to security practices and compliance.
ID | Name | Weight | Description |
---|---|---|---|
SSL-001 | SSL Certificates Registered | 1.0 | Verifies that SSL certificates are properly registered and maintained. |
SEC-001 | Enrolled in ORCA | 1.0 | Verifies enrollment in the Operational Risk Compliance Assessment program. |
SEC-002 | IAC Scan | 1.2 | Evaluates results from Infrastructure as Code security scans. |
NET-001 | Network Perimeter Testing | 1.5 | Assesses the results of network perimeter security testing. |
IAM-001 | IAM Compliance | 2.0 | Evaluates AWS IAM user and role security configuration, including password policies, MFA, and... |
S3-001 | S3 Bucket Security | 2.0 | Verifies S3 buckets are configured securely with encryption, logging, and proper access controls. |
SEC-003 | Vulnerability Scanning | 1.6 | Checks if regular security vulnerability scans are conducted. |
COMP-001 | Regulatory Compliance | 1.7 | Checks compliance with relevant regulations such as GDPR, HIPAA, etc. |
Assessments related to hosting infrastructure and services.
Assessments related to application functionality and performance.
General assessments that apply across multiple domains.
ID | Name | Weight | Description |
---|---|---|---|
ENV-001 | Environment Readiness | 1.3 | Checks if all environments (dev, test, prod) are properly configured and consistent. |
Assessments specific to disaster recovery plans and procedures.
Checks for Azure cloud services and infrastructure.
ID | Name | Weight | Description |
---|---|---|---|
azure_vm_monitoring | Azure VM Monitoring | 1.0 | Evaluates Azure Virtual Machines for operational health and configuration compliance. |
azure_storage_monitoring | Azure Storage Monitoring | 1.0 | Evaluates Azure Blob Storage for operational health and configuration compliance. |
azure_rbac_compliance | Azure RBAC Compliance | 1.0 | Evaluates Azure Role-Based Access Control for compliance with security best practices. |
azure_dr_readiness | Azure Disaster Recovery Readiness | 1.0 | Evaluates Azure Disaster Recovery for operational health and configuration compliance. |
AZURE-VM-001 | Azure VM Monitoring | 1.0 | Evaluates Azure Virtual Machines for operational health and configuration compliance. |
AZURE-STORAGE-001 | Azure Storage Monitoring | 1.0 | Evaluates Azure Blob Storage for operational health and configuration compliance. |
AZURE-RBAC-001 | Azure RBAC Compliance | 1.0 | Evaluates Azure Role-Based Access Control for compliance with security best practices. |
AZURE-DR-001 | Azure Disaster Recovery Readiness | 1.0 | Evaluates Azure Disaster Recovery for operational health and configuration compliance. |
AZURE_RBAC_COMPLIANCE | Azure RBAC Compliance | 1.0 | Evaluates Azure role-based access control. |
AZURE_LOGGING_MONITORING | Azure Logging & Monitoring | 1.0 | Checks Azure Monitor and logging configuration. |
AZURE_COST_OPTIMIZATION | Azure Cost Optimization | 1.0 | Analyzes Azure resource utilization for cost efficiency. |
AZURE_STORAGE_MONITORING | Azure Storage Monitoring | 1.0 | Evaluates Azure Storage account configuration and security. |
Extended AWS Cloud compliance checks for security best practices.
Extended Azure Cloud compliance checks for security best practices.
IAM compliance checks for AWS and Azure.
ID | Name | Weight | Description |
---|---|---|---|
AWS-IAM-001 | AWS: Root account has active access keys | 1.5 | Checks if the AWS root account has active access keys, which is a security risk. |
AWS-IAM-002 | AWS: IAM users with administrator privileges | 1.2 | Checks for IAM users with administrator privileges. |
AWS-IAM-003 | AWS: IAM users without MFA enabled | 1.5 | Checks for IAM users that do not have Multi-Factor Authentication enabled. |
AWS-IAM-004 | AWS: IAM policies allowing wildcard actions | 1.2 | Checks for IAM policies that use wildcard actions, which can create security risks. |
AZURE-IAM-002 | Azure: More than three owners assigned to a subscription | 1.2 | Checks if more than three owners are assigned to an Azure subscription. |
AZURE-IAM-003 | Azure: Users can register applications without restriction | 1.2 | Checks if users can register applications without restriction in Azure AD. |
AZURE-IAM-004 | Azure: Users can add gallery apps to their Access Panel | 1.0 | Checks if users can add gallery apps to their Access Panel without approval. |
AZURE-IAM-005 | Azure: Custom subscription administrator roles exist | 1.2 | Checks for custom subscription administrator roles in Azure. |
AZURE-IAM-006 | Azure: Non-privileged users executing privileged functions | 1.5 | Checks for non-privileged users executing privileged functions without audit logs. |
Security configuration compliance checks for cloud resources.
ID | Name | Weight | Description |
---|---|---|---|
AWS-SEC-001 | AWS: S3 buckets with public read access | 1.5 | Checks for S3 buckets with public read access, which is a security risk. |
AZURE-SEC-001 | Azure: Storage accounts not using secure transfer | 1.5 | Checks for storage accounts that are not configured to use secure transfer. |
AWS-SEC-002 | AWS: Security groups allowing unrestricted SSH access | 1.5 | Checks for security groups that allow unrestricted SSH access. |
AWS-SEC-003 | AWS: RDS instances not using encryption at rest | 1.2 | Checks for RDS instances that are not using encryption at rest. |
AWS-SEC-004 | AWS: CloudTrail not enabled in all regions | 1.2 | Checks if CloudTrail is not enabled in all AWS regions. |
AWS-SEC-005 | AWS: EBS volumes not encrypted | 1.2 | Checks for EBS volumes that are not encrypted. |
AZURE-SEC-002 | Azure: SQL servers without auditing enabled | 1.2 | Checks for SQL servers that do not have auditing enabled. |
AZURE-SEC-003 | Azure: Key Vaults without purge protection | 1.2 | Checks for Key Vaults that do not have purge protection enabled. |
AZURE-SEC-004 | Azure: NSGs allowing inbound RDP from any source | 1.5 | Checks for NSGs that allow inbound RDP from any source. |
AZURE-SEC-005 | Azure: VMs without endpoint protection installed | 1.2 | Checks for VMs that do not have endpoint protection installed. |
Logging and monitoring compliance checks for cloud resources.
ID | Name | Weight | Description |
---|---|---|---|
AWS-LOG-001 | AWS: CloudTrail logs not integrated with CloudWatch | 1.2 | Checks if CloudTrail logs are not integrated with CloudWatch Logs. |
AZURE-LOG-001 | Azure: App Service apps without diagnostic logs | 1.2 | Checks for App Service apps that do not have diagnostic logs enabled. |
AWS-LOG-002 | AWS: VPC flow logs not enabled | 1.2 | Checks if VPC flow logs are not enabled. |
AWS-LOG-003 | AWS: ELB access logs not enabled | 1.2 | Checks if ELB access logs are not enabled. |
AZURE-LOG-002 | Azure: Resource logs not enabled for Key Vault | 1.2 | Checks if resource logs are not enabled for Key Vault. |
AZURE-LOG-003 | Azure: Activity log alerts not configured | 1.2 | Checks if activity log alerts are not configured for administrative operations. |
AZURE-LOG-004 | Azure: Diagnostic settings not configured | 1.2 | Checks if diagnostic settings are not configured for selected resource types. |
AZURE-LOG-005 | Azure: Log Analytics workspace retention policies | 1.2 | Checks if the Log Analytics workspace is not configured with retention policies. |
AZURE-LOG-006 | Azure: Missing alerts for policy changes | 1.2 | Checks for missing alerts for policy changes. |
AZURE-LOG-007 | Azure: Missing alerts for security operations | 1.2 | Checks for missing alerts for security operations. |
Resource configuration and management compliance checks.
ID | Name | Weight | Description |
---|---|---|---|
AWS-RES-001 | AWS: EC2 instances without termination protection | 1.0 | Checks for EC2 instances that do not have termination protection enabled. |
AZURE-RES-001 | Azure: Virtual machines without backup configured | 1.5 | Checks for VMs that do not have backup configured. |
AWS-RES-002 | AWS: Unused Elastic IP addresses | 1.0 | Checks for unused Elastic IP addresses that may incur charges. |
AWS-RES-003 | AWS: RDS instances without backups enabled | 1.5 | Checks for RDS instances that do not have backups enabled. |
AZURE-RES-002 | Azure: Unassociated public IP addresses | 1.0 | Checks for unassociated public IP addresses that may incur charges. |
AZURE-RES-003 | Azure: Virtual networks without Network Watcher | 1.2 | Checks for virtual networks that do not have Network Watcher enabled. |
AZURE-RES-004 | Azure: Load balancers without diagnostic logs | 1.2 | Checks for load balancers that do not have diagnostic logs enabled. |
AZURE-RES-005 | Azure: SQL databases without geo-redundant backups | 1.2 | Checks for SQL databases that do not have geo-redundant backups configured. |
AZURE-RES-006 | Azure: App Service plans without scaling configured | 1.0 | Checks for App Service plans that do not have scaling configured. |
AZURE-RES-007 | Azure: Storage accounts without soft delete enabled | 1.2 | Checks for storage accounts that do not have soft delete enabled. |
Cost optimization checks for cloud resources.
ID | Name | Weight | Description |
---|---|---|---|
AWS-COST-001 | AWS: Underutilized EC2 instances | 1.0 | Checks for underutilized EC2 instances that may be wasting resources. |
AZURE-COST-001 | Azure: Unused virtual machines | 1.0 | Checks for unused virtual machines that may be wasting resources. |
AWS-COST-002 | AWS: Idle RDS instances | 1.0 | Checks for idle RDS instances that may be wasting resources. |
AWS-COST-003 | AWS: Unattached EBS volumes | 1.0 | Checks for unattached EBS volumes that may incur unnecessary charges. |
AZURE-COST-002 | Azure: Orphaned disks not attached to any VM | 1.0 | Checks for orphaned disks that are not attached to any VM. |
AZURE-COST-003 | Azure: Unused public IP addresses | 1.0 | Checks for unused public IP addresses that may incur charges. |
AZURE-COST-004 | Azure: Unused network interfaces | 1.0 | Checks for unused network interfaces that may incur charges. |
AZURE-COST-005 | Azure: Unused load balancers | 1.0 | Checks for unused load balancers that may incur charges. |
AZURE-COST-006 | Azure: Unused application gateways | 1.0 | Checks for unused application gateways that may incur charges. |
AZURE-COST-007 | Azure: Unused ExpressRoute circuits | 1.0 | Checks for unused ExpressRoute circuits that may incur charges. |
AWS Cloud compliance checks.
ID | Name | Weight | Description |
---|---|---|---|
AWS_SECURITY_CONFIG | AWS Security Configuration | 1.0 | Checks AWS security settings compliance. |
AWS_LOGGING_MONITORING | AWS Logging & Monitoring | 1.0 | Evaluates AWS CloudTrail and CloudWatch setup. |
AWS_COST_OPTIMIZATION | AWS Cost Optimization | 1.0 | Analyzes AWS resource utilization and cost efficiency. |