Rule Name | Cloud | Remediation | Remediation Description
--- | --- | --- | ---
CHECK_SECURITY_GROUP_SSH_OPEN_TO_PUBLIC | AWS | SG_SSH_OPEN_TO_PUBLIC | Delete the security group ingress SSH rule that allows access from the public Internet
SECURITYGROUP_ALL_INCOMING_PORTS_OPEN | AWS | SG_DELETE_ALL_INCOMING_PORTS_RULE | Delete the all-incoming-ports rule from the security group
VPC_FLOWLOGS_ENABLED | AWS | ENABLE_VPC_FLOW_LOG | Enable VPC Flow Logs for the non-compliant VPC. Note: auto-remediation is not supported for this rule; go to "Compliance Analysis" to remediate its non-compliant resources.
ICMP_OPEN_TO_PUBLIC | AWS | BLOCK_ICMP_PUBLIC_ACCESS | Delete the network ACL entry that allows ICMP from the public Internet.
CHECK_RESOURCE_GROUP_BUDGET_EXCEEDED | AZURE | CHECK_SUBSCRIPTION_SCOPE_BUDGET_EXCEEDED | Stop all non-compliant Virtual Machine instances
S3_BUCKET_ACL_GLOBAL_READ | AWS | S3_BUCKET_ACL_GLOBAL_READ | Disable global read permission by changing the access control list
CHECK_SUBSCRIPTION_SCOPE_BUDGET_EXCEEDED | AZURE | CHECK_SUBSCRIPTION_SCOPE_BUDGET_EXCEEDED | Stop all non-compliant Virtual Machine instances
CHECK_EC2_INSTANCE_IDLE_CPU | AWS | CHECK_EC2_INSTANCE_THRESHOLD_EXCEEDED | Stop all non-compliant EC2 instances
S3_BUCKET_ACL_GLOBAL_FULL_CONTROL | AWS | S3_BUCKET_ACL_GLOBAL_FULL_CONTROL | Disable global full control permission by changing the access control list
S3_BUCKET_ACL_GLOBAL_WRITE | AWS | S3_BUCKET_ACL_GLOBAL_WRITE | Disable global write permission by changing the access control list
S3_OBJECT_VERSIONING_ENABLED | AWS | ENABLE_S3_OBJECT_VERSIONING | Enable object versioning and give the user the option to enable MFA Delete on the non-compliant bucket.
CHECK_EC2_INSTANCE_THRESHOLD_EXCEEDED | AWS | CHECK_EC2_INSTANCE_THRESHOLD_EXCEEDED | Stop all non-compliant EC2 instances
CHECK_SECURITY_GROUP_TCP_OPEN_TO_PUBLIC | AWS | SG_CUSTOM_TCP_OPEN_TO_PUBLIC | Delete the security group ingress TCP rule that allows public access on the port or port range entered by the user in the security policy
CHECK_SECURITY_GROUP_UDP_OPEN_TO_PUBLIC | AWS | SG_CUSTOM_UDP_OPEN_TO_PUBLIC | Delete the security group ingress UDP rule that allows public access on the port or port range entered by the user in the security policy
CHECK_SECURITY_GROUP_RDP_OPEN_TO_PUBLIC | AWS | SG_RDP_OPEN_TO_PUBLIC | Delete the security group ingress RDP rule that allows access from the public Internet
IAM_USER_IS_GROUP_MEMBER | AWS | IAM-USER-GROUP-MEMBERSHIP-CHECK | Add the user to a default "No Access" group.
BUDGET_CHECK_COST_EXCEEDED_ON_EC2_WITH_REMEDIATION_ON_TAG | AWS | CHECK_EC2_INSTANCE_THRESHOLD_EXCEEDED | Stop all non-compliant EC2 instances
Note: The Azure budget rules CHECK_RESOURCE_GROUP_BUDGET_EXCEEDED and CHECK_SUBSCRIPTION_SCOPE_BUDGET_EXCEEDED are only supported on Classic Azure subscriptions.
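The five security-group rules in the table (SSH, RDP, custom TCP, custom UDP and all incoming ports) come down to one check: an ingress permission whose CIDR is 0.0.0.0/0 or ::/0 and whose protocol and port range cover the port in question. The Python below is an added example, not the product's own remediation code. It runs that check over a security group in the shape EC2 DescribeSecurityGroups returns and builds the IpPermissions argument a RevokeSecurityGroupIngress call would take. The sample group, its group ID, and the 8080 and 53 "custom" ports standing in for the port range a user enters in the security policy are constructed for illustration.

```python
"""Plan revocations for the security-group rules in the table above.

Added example, not the product's remediation code. Works on the
IpPermissions shape returned by EC2 DescribeSecurityGroups; the sample
group below is constructed, and no AWS API is called.
"""
from typing import Dict, List, Optional

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Protocol and port range behind the fixed-port rules in the table.
NAMED_RULES = {
    "SG_SSH_OPEN_TO_PUBLIC": ("tcp", 22, 22),
    "SG_RDP_OPEN_TO_PUBLIC": ("tcp", 3389, 3389),
}


def public_entry(perm: Dict) -> Optional[Dict]:
    """Return the part of perm that is open to the Internet, in the form
    RevokeSecurityGroupIngress accepts, or None if nothing in it is public.
    Only the public ranges are copied, so narrower CIDRs that share the
    same rule are left untouched by the revocation."""
    v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in PUBLIC_CIDRS]
    v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in PUBLIC_CIDRS]
    if not v4 and not v6:
        return None
    entry = {"IpProtocol": perm["IpProtocol"], "IpRanges": v4, "Ipv6Ranges": v6}
    if perm["IpProtocol"] != "-1":  # "-1" (all traffic) carries no port fields
        entry["FromPort"] = perm["FromPort"]
        entry["ToPort"] = perm["ToPort"]
    return entry


def covers(perm: Dict, proto: str, lo: int, hi: int) -> bool:
    """True if perm allows every port of proto in [lo, hi]. An all-traffic
    rule covers everything and can only be revoked whole."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm["FromPort"] <= lo and perm["ToPort"] >= hi


def plan_revocations(sg: Dict, proto: str, lo: int, hi: int) -> List[Dict]:
    """IpPermissions to revoke so that proto lo-hi is no longer public."""
    plan = []
    for perm in sg["IpPermissions"]:
        if covers(perm, proto, lo, hi):
            entry = public_entry(perm)
            if entry:
                plan.append(entry)
    return plan


def plan_all_ports(sg: Dict) -> List[Dict]:
    """SG_DELETE_ALL_INCOMING_PORTS_RULE: all-traffic rules and 0-65535 ranges."""
    plan = []
    for perm in sg["IpPermissions"]:
        whole_range = perm.get("FromPort") == 0 and perm.get("ToPort") == 65535
        if perm["IpProtocol"] == "-1" or whole_range:
            entry = public_entry(perm)
            if entry:
                plan.append(entry)
    return plan


def evaluate(sg: Dict, custom_tcp=(8080, 8080), custom_udp=(53, 53)) -> Dict[str, List[Dict]]:
    """Run every security-group rule from the table against one group.
    custom_tcp / custom_udp stand in for the port range the user enters in
    the security policy (assumed values, for illustration only)."""
    result = {name: plan_revocations(sg, *spec) for name, spec in NAMED_RULES.items()}
    result["SG_CUSTOM_TCP_OPEN_TO_PUBLIC"] = plan_revocations(sg, "tcp", *custom_tcp)
    result["SG_CUSTOM_UDP_OPEN_TO_PUBLIC"] = plan_revocations(sg, "udp", *custom_udp)
    result["SG_DELETE_ALL_INCOMING_PORTS_RULE"] = plan_all_ports(sg)
    return result


# Constructed sample in the DescribeSecurityGroups shape (not a real group).
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        # SSH from anywhere plus a legitimate internal range on the same rule
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # RDP restricted to one admin host: compliant
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        # IPv6-only exposure of a port range that includes 8080
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # DNS over UDP from anywhere
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for rule, plan in evaluate(SAMPLE_SG).items():
        print(rule, "->", plan or "compliant")
```

Two points the one-line descriptions in the table leave out: the revocation lists only the public ranges, so the 10.0.0.0/8 entry sharing the SSH rule survives; and an all-traffic (-1) rule is revoked whole, because a single port cannot be subtracted from it. A rule that is IPv6-only public (::/0) is caught just like 0.0.0.0/0; checking IpRanges alone would miss it.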
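The three S3_BUCKET_ACL_GLOBAL_* rules in the table look for grants to the AllUsers (anonymous) and AuthenticatedUsers (any AWS account) groups and remove them by rewriting the ACL. The Python below is an added example, not the product's own remediation code. It classifies the grants of an ACL in the shape GetBucketAcl returns and builds the AccessControlPolicy a PutBucketAcl call would take. The sample ACL, its owner ID and its grants are constructed for illustration; the UNMAPPED_GLOBAL_GRANT key is this example's own name for global READ_ACP / WRITE_ACP grants, which the table's three rules do not name.

```python
"""Classify S3 bucket ACL grants for the S3_BUCKET_ACL_GLOBAL_* rules above.

Added example, not the product's remediation code. Works on the shape
GetBucketAcl returns and produces the AccessControlPolicy PutBucketAcl
takes; the sample ACL is constructed and no AWS API is called.
"""
from typing import Dict, List

# AllUsers is anonymous access; AuthenticatedUsers is any AWS account at all,
# so both count as "global" for the three rules.
GLOBAL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

RULE_FOR_PERMISSION = {
    "READ": "S3_BUCKET_ACL_GLOBAL_READ",
    "WRITE": "S3_BUCKET_ACL_GLOBAL_WRITE",
    "FULL_CONTROL": "S3_BUCKET_ACL_GLOBAL_FULL_CONTROL",
}
# READ_ACP / WRITE_ACP are not named by the table. A global WRITE_ACP lets
# anyone rewrite the ACL, so such grants are reported under this key
# (a name chosen for this example) rather than silently ignored.
UNMAPPED = "UNMAPPED_GLOBAL_GRANT"


def is_global(grant: Dict) -> bool:
    """Only the two global groups count; other Group grantees (e.g. the
    LogDelivery group) are legitimate and must be kept."""
    grantee = grant["Grantee"]
    return grantee.get("Type") == "Group" and grantee.get("URI") in GLOBAL_GRANTEES


def classify(acl: Dict) -> Dict[str, List[Dict]]:
    """Map each global grant to the table rule it violates."""
    findings: Dict[str, List[Dict]] = {}
    for grant in acl["Grants"]:
        if is_global(grant):
            rule = RULE_FOR_PERMISSION.get(grant["Permission"], UNMAPPED)
            findings.setdefault(rule, []).append(grant)
    return findings


def remediated_acl(acl: Dict) -> Dict:
    """AccessControlPolicy for PutBucketAcl with every global grant removed.
    PutBucketAcl replaces the ACL wholesale, so the owner and all
    non-global grants must be sent back, not just the ones being kept."""
    return {"Owner": acl["Owner"],
            "Grants": [g for g in acl["Grants"] if not is_global(g)]}


# Constructed sample in the GetBucketAcl shape (IDs are placeholders).
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE_ACP"},
    ],
}

if __name__ == "__main__":
    for rule, grants in classify(SAMPLE_ACL).items():
        print(rule, [g["Permission"] for g in grants])
    print(len(remediated_acl(SAMPLE_ACL)["Grants"]), "grants kept")
```

Rewriting the ACL closes only the ACL path to the bucket. A bucket policy that grants access to Principal "*" and the account's or bucket's Block Public Access settings are separate controls that these three rules do not change.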