Security requirements verified in CSPM | Fluid Attacks Help

Security requirements verified in CSPM

The following tables list the security requirements that Fluid Attacks' cloud security posture management (CSPM) scans verify, grouped by supported cloud provider and keyed by the scanner method that automates each check. To learn how to configure CSPM, refer to Use cloud integrations.

AWS

Scanner method name Related security requirement verified
AWS_APIGATEWAY_ALLOWS_ANONYMOUS_ACCESS
AWS_CFT_SERVES_CONTENT_OVER_HTTP
AWS_CF_DISTRIBUTION_HAS_LOGGING_DISABLED
AWS_CLOUDFRONT_HAS_LOGGING_DISABLED
AWS_CLOUDFRONT_INSECURE_PROTOCOLS
AWS_CLOUDTRAIL_FILES_NOT_VALIDATED
AWS_CLOUDTRAIL_IS_TRAIL_BUCKET_LOGGING_DISABLED
AWS_CLOUDTRAIL_NOT_LOGGING
AWS_CLOUDTRAIL_TRAILS_NOT_MULTIREGION
AWS_COGNITO_HAS_MFA_DISABLED
AWS_CREDENTIALS
AWS_DYNAMODB_ENCRYPTED_WITH_AWS_MASTER_KEYS
AWS_DYNAMODB_HAS_NOT_POINT_IN_TIME_RECOVERY
AWS_DYNAMODB_NOT_DEL_PROTEC
AWS_EBS_HAS_ENCRYPTION_DISABLED
AWS_EC2_ACL_ALLOW_ALL_INGRESS_TRAFFIC
AWS_EC2_ACL_ALLOW_EGRESS_TRAFFIC
AWS_EC2_ANYONE_ADMIN_PORTS
AWS_EC2_DEFAULT_ALL_TRAFFIC
AWS_EC2_DEFAULT_SECURITY_GROUP
AWS_EC2_HAS_ASSOCIATE_PUBLIC_IP_ADDRESS
AWS_EC2_HAS_DEFAULT_SECURITY_GROUPS_IN_USE
AWS_EC2_HAS_INSTANCES_USING_UNAPPROVED_AMIS
AWS_EC2_HAS_MODIFY_ATTRIBUTE
AWS_EC2_HAS_NOT_TERMINATION_PROTECTION
AWS_EC2_HAS_TERMINATE_SHUTDOWN_BEHAVIO
AWS_EC2_HAS_UNENCRYPTED_AMIS
AWS_EC2_HAS_UNENCRYPTED_SNAPSHOTS
AWS_EC2_HAS_UNUSED_KEY_PAIRS
AWS_EC2_HAS_UNUSED_SEGGROUPS
AWS_EC2_IAM_INSTANCE_WITHOUT_PROFILE
AWS_EC2_INSECURE_PORT_RANGE
AWS_EC2_INSTANCES_WITHOUT_PROFILE
AWS_EC2_OPEN_ALL_PORTS_TO_THE_PUBLIC
AWS_EC2_SEC_GROUPS_RFC1918
AWS_EC2_UNRESTRICTED_CIDRS
AWS_EC2_UNRESTRICTED_DNS_ACCESS
AWS_EC2_UNRESTRICTED_FTP_ACCESS
AWS_EC2_UNRESTRICTED_IP_PROTOCOLS
AWS_EC2_VPC_ENDPOINTS_EXPOSED
AWS_EC2_VPC_WITHOUT_FLOWLOG
AWS_EFS_IS_ENCRYPTION_DISABLED
AWS_EKS_HAS_ENDPOINTS_PUBLICLY_ACCESSIBLE
AWS_ELASTICACHE_REST_ENCRYPTION_DISABLED
AWS_ELASTICACHE_TRANSIT_ENCRYPTION_DISABLED
AWS_ELASTICACHE_USES_DEFAULT_PORT
AWS_ELB2_HAS_NOT_DELETION_PROTECTION
AWS_ELB2_HAS_NOT_HTTPS
AWS_ELBV2_HAS_ACCESS_LOGGING_DISABLED
AWS_ELBV2_INSECURE_PROTOCOLS
AWS_ELBV2_INSECURE_SSL_CIPHER
AWS_HAS_PUBLICLY_SHARED_AMIS
AWS_IAM_ADMIN_POLICY_ATTACHED
AWS_IAM_ALLOWS_PRIV_ESCALATION_BY_ATTACH_POLICY
AWS_IAM_ALLOWS_PRIV_ESCALATION_BY_POLICIES_VERSIONS
AWS_IAM_FULL_ACCESS_SSM
AWS_IAM_GROUP_WITH_INLINE_POLICY
AWS_IAM_HAS_MFA_DISABLED
AWS_IAM_HAS_OLD_ACCESS_KEYS
AWS_IAM_HAS_OLD_CREDS_ENABLED
AWS_IAM_HAS_OLD_SSH_PUBLIC_KEYS
AWS_IAM_HAS_PERMISSIVE_ROLE_POLICY
AWS_IAM_HAS_ROOT_ACTIVE_SIGNING_CERTIFICATES
AWS_IAM_HAS_WILDCARD_RESOURCE_IN_WRITE_ACTION
AWS_IAM_IS_POLICY_MISS_CONFIGURED
AWS_IAM_MFA_DISABLED_FOR_USERS_WITH_CONSOLE_PASSWD
AWS_IAM_MIN_PASSWORD_LEN_UNSAFE
AWS_IAM_NEGATIVE_STATEMENT
AWS_IAM_NOT_REQUIRES_LOWERCASE
AWS_IAM_NOT_REQUIRES_NUMBERS
AWS_IAM_NOT_REQUIRES_SYMBOLS
AWS_IAM_NOT_REQUIRES_UPPERCASE
AWS_IAM_OPEN_PASSROLE
AWS_IAM_PASSWORD_EXPIRATION_UNSAFE
AWS_IAM_PASSWORD_REUSE_UNSAFE
AWS_IAM_PERMISSIVE_POLICY
AWS_IAM_POLICIES_ATTACHED_TO_USERS
AWS_IAM_ROOT_HAS_ACCESS_KEYS
AWS_IAM_ROOT_HAS_MFA_DISABLED
AWS_IAM_USERS_WITH_PASSWORD_AND_ACCESS_KEYS
AWS_IAM_USER_WITH_INLINE_POLICY
AWS_IAM_USER_WITH_MULTIPLE_ACCESS_KEYS
AWS_KMS_HAS_MASTER_KEYS_EXPOSED_TO_EVERYONE
AWS_KMS_IS_KEY_ROTATION_DISABLED
AWS_RDS_HAS_NOT_AUTOMATED_BACKUPS
AWS_RDS_HAS_NOT_DELETION_PROTECTION
AWS_RDS_HAS_PUBLIC_INSTANCES
AWS_RDS_HAS_PUBLIC_SNAPSHOTS
AWS_RDS_HAS_UNENCRYPTED_STORAGE
AWS_RDS_NOT_INSIDE_A_DB_SUBNET_GROUP
AWS_RDS_NOT_USES_IAM_AUTHENTICATION
AWS_RDS_UNRESTRICTED_DB_SECURITY_GROUPS
AWS_REDSHIFT_HAS_AUDIT_LOGS_DISABLED
AWS_REDSHIFT_HAS_ENCRYPTION_DISABLED
AWS_REDSHIFT_HAS_PUBLIC_CLUSTERS
AWS_REDSHIFT_HAS_USER_ACTIVITY_LOG_DISABLED
AWS_REDSHIFT_NOT_REQUIRES_SSL
AWS_S3_ACL_PUBLIC_BUCKETS
AWS_S3_BUCKETS_ALLOW_UNAUTHORIZED_PUBLIC_ACCESS
AWS_S3_BUCKET_POLICY_ENCRYPTION_DISABLE
AWS_S3_BUCKET_VERSIONING_DISABLED
AWS_S3_HAS_ACCESS_LOGGING_DISABLED
AWS_S3_HAS_INSECURE_TRANSPORT
AWS_S3_PRIVATE_BUCKETS_NOT_BLOCKING_PUBLIC_ACLS
AWS_S3_PUBLIC_BUCKETS
AWS_SECRETS_HAS_AUTOMATIC_ROTATION_DISABLED
AWS_SNS_CAN_ANYONE_PUBLISH
AWS_SNS_CAN_ANYONE_SUBSCRIBE
AWS_SNS_HAS_SERVER_SIDE_ENCRYPTION_DISABLED
AWS_SQS_HAS_ENCRYPTION_DISABLED
AWS_SQS_IS_PUBLIC
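The EC2 security-group entries above (AWS_EC2_UNRESTRICTED_CIDRS, AWS_EC2_ANYONE_ADMIN_PORTS, AWS_EC2_OPEN_ALL_PORTS_TO_THE_PUBLIC) all reduce to one question: which ingress rules admit 0.0.0.0/0 or ::/0, and on which ports. The script below is an added example of that logic, written for this page and not Fluid Attacks' own scanner code; it reads the `SecurityGroups` list in the shape produced by `aws ec2 describe-security-groups --output json`. The set of ports treated as administrative, the finding tuple layout and the sample groups are this example's own assumptions, and the exact conditions Fluid Attacks applies for each method may differ.

```python
"""Offline evaluator for three EC2 security-group checks (added example)."""
import ipaddress
import json
import sys

# Assumption of this example: ports treated as administrative by the
# AWS_EC2_ANYONE_ADMIN_PORTS check.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}


def is_unrestricted(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm: dict):
    """Return (from, to) for one IpPermissions entry, or None for every port.

    IpProtocol "-1" means all protocols; AWS then omits FromPort/ToPort.
    """
    if perm.get("IpProtocol") == "-1":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo == -1:
        return None
    return lo, hi


def public_sources(perm: dict):
    """Yield every IPv4/IPv6 CIDR of the rule that is open to the world."""
    for r in perm.get("IpRanges", []):
        if is_unrestricted(r["CidrIp"]):
            yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        if is_unrestricted(r["CidrIpv6"]):
            yield r["CidrIpv6"]


def covers(rng, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(groups: list) -> list:
    """Return (method, group_id, source_cidr, detail) tuples, one per hit."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            rng = port_range(perm)
            for cidr in public_sources(perm):
                detail = "all" if rng is None else f"{proto}/{rng[0]}-{rng[1]}"
                findings.append(("AWS_EC2_UNRESTRICTED_CIDRS", gid, cidr, detail))
                if rng is None or rng == (0, 65535):
                    findings.append(("AWS_EC2_OPEN_ALL_PORTS_TO_THE_PUBLIC", gid, cidr, detail))
                for port, name in sorted(ADMIN_PORTS.items()):
                    if covers(rng, port):
                        findings.append(("AWS_EC2_ANYONE_ADMIN_PORTS", gid, cidr, f"{proto}/{port} ({name})"))
    return findings


# Constructed sample input in describe-security-groups shape (not real data).
SAMPLE_GROUPS = [
    {   # HTTPS to the world: unrestricted source, but not an admin port
        "GroupId": "sg-0aaa",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # SSH to the world, RDP only from a private range
        "GroupId": "sg-0bbb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {   # every protocol and port open over IPv6
        "GroupId": "sg-0ccc",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

if __name__ == "__main__":
    # Pipe `aws ec2 describe-security-groups --output json` in, or run with
    # no input to evaluate the constructed sample above.
    groups = SAMPLE_GROUPS if sys.stdin.isatty() else json.load(sys.stdin)["SecurityGroups"]
    for finding in evaluate(groups):
        print(*finding)
```

Note that the 10.0.0.0/8 RDP rule in sg-0bbb produces no finding here: these three methods are about world-reachable sources, while RFC 1918 sources are the concern of the separate AWS_EC2_SEC_GROUPS_RFC1918 entry.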

Azure

Scanner method name Related security requirement verified
AZ_SUBSCRIPTION_NOT_ALLOWED_RESOURCE_TYPES_POLICY 266. Disable insecure functionalities
AZURE_AKS_API_SERVER_ALLOWS_PUBLIC_ACCESS 266. Disable insecure functionalities
AZURE_AKS_HAS_ENABLE_LOCAL_ACCOUNTS
AZURE_AKS_HAS_KUBENET_NETWORK_PLUGIN
AZURE_AKS_HAS_RBAC_DISABLED
AZURE_AKS_IS_NOT_USING_LATEST_VERSION
AZURE_API_MGMT_BACK__INSECURE_TLS_VERSION
AZURE_API_MGMT_FRONT__INSECURE_TLS_VERSION
AZURE_APP_SERVICE_ALLOWS_FTP_DEPLOYMENTS
AZURE_APP_SERVICE_ALLOWS_HTTP_TRAFIC
AZURE_APP_SERVICE_ALWAYS_ON_IS_NOT_ENABLED
AZURE_APP_SERVICE_AUTHENTICATION_IS_NOT_ENABLED
AZURE_APP_SERVICE_DOES_NOT_USE_A_MANAGED_IDENTITY
AZURE_APP_SERVICE_LOGGING_IS_DISABLED
AZURE_APP_SERVICE_MUTUAL_TLS_IS_DISABLED
AZURE_APP_SERVICE_REMOTE_DEBUGGING_ENABLED
AZURE_BATCH_JOBS_RUNS_IN_ADMIN_MODE
AZURE_BLOB_CONTAINERS_ARE_PUBLIC
AZURE_BLOB_SOFT_DELETED_DISABLED
AZURE_CONTAINER_REGISTRY_ADMIN_USER_ENABLED
AZURE_CONTAINER_REGISTRY_IS_NOT_USING_REPLICATION
AZURE_CONTAINERS_SOFT_DELETED_DISABLED
AZURE_DB_FOR_MYSQL_FLEX_SERVERS_INSECURE_TLS_VERSION
AZURE_DB_MYSQL_FIREWALL_ALLOWS_PUBLIC_ACCESS
AZURE_DB_MYSQL_SSL_DISABLED
AZURE_DB_POSTGRESQL_CONNECTION_THROTTLING_DISABLED
AZURE_DB_POSTGRESQL_FIREWALL_ALLOWS_PUBLIC_ACCESS
AZURE_DB_POSTGRESQL_INSECURE_LOG_RETENTION
AZURE_DB_POSTGRESQL_INSECURE_TLS_VERSION
AZURE_DB_POSTGRESQL_LOG_SETTINGS_DISABLED
AZURE_DB_POSTGRESQL_SSL_DISABLED
AZURE_DB_SQL_EXTENDED_AUDIT_DISABLED
AZURE_DB_SQL_FIREWALL_ALLOWS_PUBLIC_ACCESS
AZURE_DB_SQL_INSECURE_AUDIT_RETENTION_PERIOD
AZURE_DEV_PORTAL_HAS_AUTH_METHODS_INACTIVE
AZURE_FIREWALL_NETWORK_RULES_UNRESTRICTED
AZURE_FUNCTION_APP_USE_NOT_HOST_KEYS
AZURE_FUNCTION_APP_WITH_ADMIN_PRIVILEGES
AZURE_KEY_VAULT_ACCIDENTAL_PURGE_PREVENTION_IS_DISABLED
AZURE_KEY_VAULT_SOFT_DELETE_RETENTION
AZURE_KEYS_EXPIRATION_DATE_IS_NOT_ENABLED
AZURE_NETWORK_APP_GATEWAY_WAF_IS_DISABLED
AZURE_NETWORK_FIREWALL_APP_RULES_UNRESTRICTED
AZURE_NETWORK_FLOW_LOG_INSECURE_RETENTION_PERIOD
AZURE_NETWORK_ICMP_INGRESS_NOT_RESTRICTED
AZURE_NETWORK_OUT_OF_DATE_OWASP_RULES
AZURE_NETWORK_SECURITY_GROUP_ACCESS_ON_PORTS
AZURE_NETWORK_SECURITY_GROUP_ALLOWS_PUBLIC_ACCESS
AZURE_NETWORK_SECURITY_GROUP_USING_PORT_RANGES
AZURE_NETWORK_WATCHER_NOT_ENABLED
AZURE_PUBLICLY_EXPOSED_FUNCT_APP
AZURE_REDIS_AUTHNOTREQUIRED_ENABLE
AZURE_REDIS_FIREWALL_ALLOWS_PUBLIC_ACCESS
AZURE_REDIS_INSECURE_PORT
AZURE_REDIS_INSECURE_TLS_VERSION
AZURE_REDIS_PUBLIC_NETWORK_ACCESS_ENABLED
AZURE_ROLE_ACTIONS_IS_A_WILDCARD
AZURE_ROLE_BASED_ACCESS_CONTROL_ON_KEY_VAULT_IS_NOT_ENABLED
AZURE_SEARCH_SERVICE__INSUFFICIENT_REPLICAS_CONFIGURED
AZURE_SEARCH_SERVICE_DOES_NOT_USE_A_MANAGED_IDENTITY
AZURE_SECRET_EXPIRATION_DATE_IS_NOT_ENABLED
AZURE_STORAGE_ACCOUNT_ALLOWS_PUBLIC_BLOBS
AZURE_STORAGE_ACCOUNT_ALLOWS_PUBLIC_TRAFFIC
AZURE_STORAGE_ACCOUNT_GEO_REPLICATION_DISABLED
AZURE_STORAGE_ACCOUNT_NOT_ENFORCING_HTTPS
AZURE_STORAGE_ACCOUNT_NOT_ENFORCING_LATEST_TLS
AZURE_STORAGE_NOT_ENABLED_INFRASTRUCTURE_ENCRYPTION
AZURE_SUBSCRIPTION_DOES_NOT_HAVE_A_LOCKING_RESOURCE_MANAGER
AZURE_SUBSCRIPTION_HAS_AT_LEAST_TWO_OWNERS
AZURE_VM_ENCRYPTION_AT_HOST_DISABLED
AZURE_VM_SSH_KEY_AUTHENTICATION
AZURE_WEB_APP_INSECURE_TLS_VERSION

GCP

