CloudSploit Security Remediation Guides
CloudSploit's remediation guides are intended to be an open-source resource for improving cloud security. Cloud IaaS providers such as AWS, Azure, and Google Cloud operate under a shared responsibility model: the provider secures the physical infrastructure and the underlying platform and supplies the tools needed to secure the services it offers, but configuring those services securely remains the customer's responsibility. Most of the findings these guides address are therefore customer-side misconfigurations (open network rules, missing encryption, unused or unrotated credentials, disabled logging) rather than weaknesses in the provider's platform.
Background
This repository is an extension of CloudSploit's open-source scanning engine. We first released the scanning engine in 2015, and this documentation repository is a natural follow-up to that tool. The goal of these guides is to provide detailed steps for remediating common security issues in cloud services, one guide per scanner check, organized by provider and service as listed below.
Table of Contents
- AWS
  - ACM
  - AutoScaling
  - CloudFront
  - CloudTrail
  - CloudWatchLogs
  - ConfigService
  - EC2
    - Cross VPC Public Private Communication
    - Default Security Group
    - Default VPC In Use
    - Detect EC2 Classic Instances
    - EBS Encrypted Snapshots
    - EBS Encryption Enabled
    - EC2 Instance Key Based Login
    - EC2 Max Instances
    - Elastic IP Limit
    - Encrypted AMI
    - Excessive Security Groups
    - Instance IAM Role
    - Instance Limit
    - NAT Multiple AZ
    - Network Acl Has Tags
    - Open All Ports Protocols
    - Open CIFS
    - Open DNS
    - Open Elasticsearch
    - Open FTP
    - Open MySQL
    - Open NetBIOS
    - Open Oracle
    - Open PostgreSQL
    - Open RDP
    - Open RPC
    - Open SMBoTCP
    - Open SMTP
    - Open SQL Server
    - Open SSH
    - Open Telnet
    - Open VNC Client
    - Open VNC Server
    - Overlapping Security Groups
    - Public AMI
    - Subnet IP Availability
    - VPC Elastic IP Limit
    - VPC Flow Logs Enabled
    - VPC Multiple Subnets
  - ELB
  - Firehose
  - IAM
    - Access Keys Extra
    - Access Keys Last Used
    - Access Keys Rotated
    - Certificate Expiry
    - Empty Groups
    - IAM User Admins
    - Maximum Password Age
    - Minimum Password Length
    - No User IAM Policies
    - Password Expiration
    - Password Requires Lowercase
    - Password Requires Numbers
    - Password Requires Symbols
    - Password Requires Uppercase
    - Password Reuse Prevention
    - Root Access Keys
    - Root Account In Use
    - Root MFA Enabled
    - SSH Keys Rotated
    - Users MFA Enabled
    - Users Password Last Used
  - KMS
  - Kinesis
  - Lambda
  - RDS
  - Redshift
  - Route53
  - S3
  - SES
  - SNS
  - SQS
  - SSM
  - SageMaker
- Azure
  - Active Directory
  - App Service
  - Azure Policy
  - Blob Service
  - CDN Profiles
  - Container Registry
  - File Service
  - Key Vaults
  - Kubernetes Service
  - Load Balancer
  - Log Alerts
  - Monitor
  - MySQL Server
  - Network Security Groups
    - Default Security Group
    - Excessive Security Groups
    - Network Watcher Enabled
    - Open All Ports
    - Open CIFS
    - Open DNS
    - Open FTP
    - Open Hadoop HDFS NameNode Metadata Service
    - Open Hadoop HDFS NameNode WebUI
    - Open Kibana
    - Open MySQL
    - Open NetBIOS
    - Open Oracle
    - Open Oracle Auto Data Warehouse
    - Open PostgreSQL
    - Open RDP
    - Open RPC
    - Open SMBoTCP
    - Open SMTP
    - Open SQLServer
    - Open SSH
    - Open Telnet
    - Open VNC Client
    - Open VNC Server
  - PostgreSQL Server
  - Queue Service
  - Resources
  - SQL Databases
  - SQL Server
  - Security Center
    - Admin Security Alerts Enabled
    - Application Whitelisting Enabled
    - Auto Provisioning Enabled
    - High Severity Alerts Enabled
    - Monitor Blob Encryption
    - Monitor Disk Encryption
    - Monitor Endpoint Protection
    - Monitor JIT Network Access
    - Monitor NSG Enabled
    - Monitor SQL Auditing
    - Monitor SQL Encryption
    - Monitor System Updates
    - Monitor VM Vulnerability
    - Security Configuration Monitoring
    - Security Contacts Enabled
    - Standard Pricing Enabled
  - Storage Accounts
  - Table Service
  - Virtual Machines
  - Virtual Networks
- Google
  - CLB
  - Compute
  - Cryptographic Keys
  - DNS
  - IAM
  - Kubernetes
    - Alias IP Ranges Enabled
    - Automatic Node Repair Enabled
    - Automatic Node Upgrades Enabled
    - Basic Authentication Disabled
    - COS Image Enabled
    - Cluster Labels Added
    - Cluster Least Privilege
    - Default Service Account
    - Legacy Authorization Disabled
    - Logging Enabled
    - Master Authorized Network
    - Monitoring Enabled
    - Network Policy Enabled
    - Pod Security Policy Enabled
    - Private Cluster Enabled
    - Private Endpoint
    - Web Dashboard Disabled
  - Logging
  - SQL
  - Storage
  - VPC Network
    - Default VPC In Use
    - Excessive Firewall Rules
    - Flow Logs Enabled
    - Multiple Subnets
    - Open All Ports
    - Open CIFS
    - Open DNS
    - Open FTP
    - Open Hadoop HDFS NameNode Metadata Service
    - Open Hadoop HDFS NameNode WebUI
    - Open Kibana
    - Open MySQL
    - Open NetBIOS
    - Open Oracle
    - Open Oracle Auto Data Warehouse
    - Open PostgreSQL
    - Open RDP
    - Open RPC
    - Open SMBoTCP
    - Open SMTP
    - Open SQLServer
    - Open SSH
    - Open Telnet
    - Open VNC Client
    - Open VNC Server
    - Private Access Enabled
- GitHub
- Oracle
  - Audit
  - Block Storage
  - Compute
  - Database
  - File Storage
  - Identity
  - Networking
    - Default Security List
    - Excessive Security Lists
    - LB Network Security Groups Enabled
    - Load Balancer HTTPS Only
    - Load Balancer No Instances
    - Open All Ports Protocols
    - Open Autonomous Data Warehouse
    - Open CIFS
    - Open DNS
    - Open FTP
    - Open Hadoop HDFS NameNode Metadata Service
    - Open Hadoop HDFS NameNode WebUI
    - Open Kibana
    - Open MySQL
    - Open NetBIOS
    - Open Oracle
    - Open PostgreSQL
    - Open RDP
    - Open RPC
    - Open SMBoTCP
    - Open SMTP
    - Open SQLServer
    - Open SSH
    - Open Telnet
    - Open VNC Client
    - Open VNC Server
    - Stateless Security Rules
    - Subnet Multi AD
    - VCN Multiple Subnets
    - WAF Public IP Enabled
  - Object Store
Contributing
Contributions of new guides and corrections to existing ones are welcome. Please see the contributor's guide before opening a pull request.