
        Sysdig Secure for cloud

        Sysdig Secure for cloud is the software that connects Sysdig Secure features to your cloud environments to provide unified threat detection, compliance, forensics, and analysis.

        Because modern cloud applications are no longer just virtualized compute resources, but a superset of cloud services on which businesses depend, controlling the security of your cloud accounts is essential. Errors can expose an organization to risks that could bring resources down, infiltrate workloads, exfiltrate secrets, create unseen assets, or otherwise compromise the business or reputation. As the number of cloud services and configurations available grows exponentially, using a cloud security platform protects against having an unseen misconfiguration turn into a serious security issue.

        Installation

        Setup options, details, troubleshooting, and validation steps for the various cloud vendors are under Installations.

        Usage

        Supported cloud providers at this time are:

        1 - About Sysdig Secure for cloud on AWS

        Setup options, details, troubleshooting, and validation steps for the various cloud vendors are under Installations - Cloud - AWS.

        Available Features

        • Threat detection based on auditing CloudTrail events
        • Compliance Security Posture Management (CSPM), including CIS AWS Benchmark compliance assessments
        • Container registry scanning for ECR
        • Image scanning for Fargate on ECS
        • Permissions and Entitlements management (CIEM)

        Threat Detection Based on CloudTrail

        Threat Detection leverages audit logs from AWS CloudTrail plus Falco rules to detect threats as soon as they occur and bring governance, compliance, and risk auditing for your cloud accounts.

        A rich set of Falco rules, an AWS Best Practices default policy, and an AWS CloudTrail policy type for creating customized policies are included. These correspond to security standards and benchmarks such as NIST 800-53, PCI DSS, SOC 2, MITRE ATT&CK®, CIS AWS, and AWS Foundational Security Best Practices.
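To make concrete how CloudTrail audit records are matched against rules like the ones catalogued later on this page, here is an added example; it is my code, not Sysdig's or Falco's rule engine. It runs a handful of the page's rule names over constructed CloudTrail records, with matching conditions I wrote from the rule names (Sysdig's actual rule conditions may differ). The field names used (eventSource, eventName, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin) are from the CloudTrail record format; the sample records and account number are constructed.

```python
import json
from dataclasses import dataclass
from typing import Callable, List, Tuple


def field(event: dict, *path: str, default=None):
    """Safely read a nested CloudTrail field, e.g. field(ev, "userIdentity", "type")."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


@dataclass(frozen=True)
class Rule:
    name: str               # rule name as listed on this page
    tags: Tuple[str, ...]   # tags as listed on this page
    match: Callable[[dict], bool]


def console_login_without_mfa(event: dict, root: bool) -> bool:
    """Successful ConsoleLogin where CloudTrail reports MFAUsed == "No"; split root vs. other identities."""
    is_root = field(event, "userIdentity", "type") == "Root"
    return (
        event.get("eventName") == "ConsoleLogin"
        and field(event, "responseElements", "ConsoleLogin") == "Success"
        and field(event, "additionalEventData", "MFAUsed") == "No"
        and is_root == root
    )


# Matching conditions below are this example's own reading of the rule names (assumption).
RULES: List[Rule] = [
    Rule("CloudTrail Logging Disabled",
         ("cloud", "aws", "aws_cloudtrail", "mitre_TA0005-defense-evasion", "mitre_T1089-disabling-security-tools"),
         lambda ev: ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev.get("eventName") == "StopLogging"),
    Rule("CloudTrail Trail Deleted",
         ("cloud", "aws", "aws_cloudtrail", "mitre_TA0005-defense-evasion", "mitre_T1089-disabling-security-tools"),
         lambda ev: ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev.get("eventName") == "DeleteTrail"),
    Rule("Console Login Without MFA", ("cloud", "aws", "aws_console", "aws_iam"),
         lambda ev: console_login_without_mfa(ev, root=False)),
    Rule("Console Root Login Without MFA",
         ("cloud", "aws", "aws_console", "aws_iam", "mitre_TA0040-impact", "mitre_T1531-account-access-removal"),
         lambda ev: console_login_without_mfa(ev, root=True)),
    Rule("Create Access Key for Root User",
         ("cloud", "aws", "aws_iam", "mitre_TA0001-initial-access", "mitre_T1078-valid-accounts"),
         lambda ev: ev.get("eventSource") == "iam.amazonaws.com" and ev.get("eventName") == "CreateAccessKey"
         and field(ev, "userIdentity", "type") == "Root"),
    Rule("Delete Detector",
         ("cloud", "aws", "aws_guardduty", "mitre_TA0005-defense-evasion", "mitre_T1089-disabling-security-tools"),
         lambda ev: ev.get("eventSource") == "guardduty.amazonaws.com" and ev.get("eventName") == "DeleteDetector"),
]


def scan(lines: List[str]) -> List[dict]:
    """Evaluate every rule against every JSON-encoded CloudTrail record; findings come back in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in RULES:
            if rule.match(ev):
                findings.append({
                    "rule": rule.name,
                    "tags": rule.tags,
                    "time": ev.get("eventTime"),
                    "actor": field(ev, "userIdentity", "arn", default="<unknown>"),
                    "event": f"{ev.get('eventSource')}:{ev.get('eventName')}",
                })
    return findings


# Constructed sample records (not real account data); one line of JSON per CloudTrail event.
SAMPLE_RECORDS = [json.dumps(e) for e in [
    {"eventTime": "2023-01-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2023-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2023-01-01T10:06:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},  # benign
    {"eventTime": "2023-01-01T10:07:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"}},  # benign
    {"eventTime": "2023-01-01T10:09:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
]]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f['time']} {f['rule']} actor={f['actor']} event={f['event']} tags={','.join(f['tags'])}")
```

Three of the five constructed records fire (StopLogging, the root console login without MFA, and the root access-key creation); the MFA-backed login and the DescribeInstances call do not. The tags carried on each finding are the ones the page lists for that rule, which is what lets a finding be grouped by MITRE tactic or compliance standard downstream.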

        CSPM/Compliance with CIS AWS Benchmarks

        A new cloud compliance standard, the CIS AWS Benchmark, has been added to the Sysdig compliance feature. This assessment is based on an open-source engine, Cloud Custodian, and is the initial release of the Sysdig Cloud Security Posture Management (CSPM) engine. This first Sysdig cloud compliance standard will be followed by additional security compliance and regulatory standards for GCP, IBM Cloud and Azure.

        The CIS AWS Benchmarks assessment evaluates your AWS services against the benchmark requirements and returns the results and the remediation activities you need to fix misconfigurations in your cloud environment. We've also included several UI improvements to provide additional details such as control descriptions, affected resources, failing assets, and guided remediation steps, both manual and CLI-based when available.

        ECR Registry Scanning

        ECR Registry Scanning automatically scans all container images pushed to all your Elastic Container Registries, so you have a vulnerability report available in your Sysdig Secure dashboard at all times, without having to set up any additional pipeline.

        An ephemeral CodeBuild pipeline is created each time a new image is pushed, which executes an inline scan based on your defined scan policies. Default policies cover vulnerabilities and dockerfile best practices, and you can define advanced rules yourself.

        Fargate Image Scanning on ECS

        Fargate Image Scanning automatically scans any container image deployed on a serverless Fargate task that runs on Elastic Container Service. This includes public images that live in registries other than ECR, as well as private ones for which you set the credentials.

        An ephemeral CodeBuild pipeline is automatically created when a container is deployed on ECS Fargate to execute the inline scan.

        Permissions and Entitlements Management

        As cloud accounts proliferate, excessive permissions can become a security risk and a management headache. Sysdig Secure for cloud provides a Permissions and Entitlements module under Posture that allows you to:

        • Gain visibility into all cloud identities and their privileges: get a comprehensive view into access permissions across all AWS users and services
        • Enforce least privilege: eliminate excessive permissions by applying least-privilege policies to users and services with automatically generated IAM policies. Sysdig proposes policies based on analyzing which entitlements are granted versus which are actually used.
        • Simplify audit of access controls to meet compliance requirements: use reports for regular access reviews to evaluate active and inactive user permissions and activity.
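The granted-versus-used comparison described in the second bullet can be illustrated with an added Python example; this is my code, not Sysdig's implementation of policy generation. It takes an IAM policy document and a set of CloudTrail records for one principal, works out which granted action patterns were actually exercised, and proposes a policy limited to those actions while listing the grants that were never used. It assumes that the CloudTrail eventName equals the IAM action name (true for most APIs, not all), that S3 object-level calls are present in the trail (which requires data-event logging), and it keeps Resource "*" rather than narrowing resources. The policy and the records are constructed.

```python
import fnmatch
import json
from typing import Dict, Iterable, Set


def used_actions(events: Iterable[dict]) -> Set[str]:
    """Map CloudTrail records to IAM-style action names: eventSource 's3.amazonaws.com' plus
    eventName 'GetObject' becomes 's3:GetObject'. Assumption of this example: eventName equals
    the IAM action name. Calls that failed (errorCode set) did not exercise a permission."""
    actions = set()
    for ev in events:
        service = ev.get("eventSource", "").split(".")[0]
        name = ev.get("eventName")
        if service and name and not ev.get("errorCode"):
            actions.add(f"{service}:{name}")
    return actions


def granted_actions(policy: dict) -> Set[str]:
    """Collect the Action patterns from every Allow statement of an IAM policy document."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be given as an object
        statements = [statements]
    patterns = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        action = st.get("Action", [])
        patterns.update([action] if isinstance(action, str) else action)
    return patterns


def matches(action: str, pattern: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def right_size(policy: dict, events: Iterable[dict]) -> Dict[str, object]:
    """Compare granted patterns with observed actions and propose a least-privilege policy."""
    used = used_actions(events)
    granted = granted_actions(policy)
    used_and_granted = sorted(a for a in used if any(matches(a, p) for p in granted))
    unused_grants = sorted(p for p in granted if not any(matches(a, p) for a in used))
    # Actions observed but not covered by this policy must come from another attached policy.
    used_not_granted_here = sorted(a for a in used if not any(matches(a, p) for p in granted))
    proposed = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": used_and_granted, "Resource": "*"}],
    }
    return {
        "proposed_policy": proposed,
        "unused_grants": unused_grants,
        "used_not_granted_here": used_not_granted_here,
    }


# Constructed policy and CloudTrail records for one hypothetical IAM user (not real data).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*"},
    ],
}

SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
    # Denied call: the permission was never exercised, so iam:CreateUser stays unused.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    print(json.dumps(right_size(SAMPLE_POLICY, SAMPLE_EVENTS), indent=2))
```

On the constructed input the proposal shrinks "s3:*" to the two S3 actions actually called, keeps "ec2:DescribeInstances", and flags both IAM grants as unused; the sts call is reported separately because nothing in this policy grants it. In a real review the observation window matters: an action used once a quarter is easy to cut by mistake, which is why the unused list is a proposal to check rather than a change to apply blindly.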

        1.1 - AWS CloudTrail Falco rules

        Rule counts by category:

        • APPRUNNER: 4 rules
        • AUTOSCALING: 2 rules
        • CLOUDSHELL: 1 rule
        • CLOUDTRAIL: 7 rules
        • CLOUDWATCH: 3 rules
        • CONFIG: 19 rules
        • CONSOLE: 3 rules
        • DMS: 1 rule
        • EBS: 1 rule
        • EC2: 20 rules
        • ECR: 1 rule
        • ECS: 8 rules
        • ECS EXEC: 3 rules
        • EFS: 1 rule
        • ELASTICSEARCH: 2 rules
        • ELB: 4 rules
        • FARGATE: 8 rules
        • GUARDDUTY: 6 rules
        • IAM: 39 rules
        • KMS: 5 rules
        • LAMBDA: 6 rules
        • RDS: 13 rules
        • ROUTE53: 3 rules
        • S3: 14 rules
        • SAGEMAKER: 1 rule
        • SECRETSMANAGER: 1 rule
        • SECURITYHUB: 9 rules
        • VPC: 14 rules
        • WAF: 2 rules
        • OTHER: 2 rules

        Total 189 rules.

        APPRUNNER

        Create App Runner Service from Code Repository

        Detect the building and deployment of an App Runner service from a code repository.

        cloud aws aws_apprunner
        Create App Runner Service from Image Repository

        Detect the deployment of an App Runner service from an image repository.

        cloud aws aws_apprunner
        Delete App Runner Service

        Detect the deletion of an App Runner service.

        cloud aws aws_apprunner
        Deploy App Runner Service

        Detect the deployment of an App Runner service.

        cloud aws aws_apprunner

        AUTOSCALING

        Create Autoscaling Group without ELB Health Checks

        Detect the creation of an autoscaling group associated with a load balancer that is not using health checks.

        cloud aws aws_autoscaling
        Update Autoscaling Group without ELB Health Checks

        Detect the update of an autoscaling group associated with a load balancer that is not using health checks.

        cloud aws aws_autoscaling

        CLOUDSHELL

        CloudShell Environment Created

        Detect creation of a new Cloud Shell environment.

        cloud aws aws_cloudshell

        CLOUDTRAIL

        CloudTrail Trail Created

        Detect creation of a new trail.

        cloud aws aws_cloudtrail mitre_TA0009-collection mitre_T1530-data-from-cloud-storage-object
        CloudTrail Trail Deleted

        Detect deletion of an existing trail.

        cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        CloudTrail Logfile Encryption Disabled

        Detect disabling the CloudTrail logfile encryption.

        cloud aws aws_cloudtrail
        CloudTrail Logfile Validation Disabled

        Detect disabling the CloudTrail logfile validation.

        cloud aws aws_cloudtrail
        CloudTrail Logging Disabled

        Detect that CloudTrail logging has been disabled; this could be malicious.

        cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        CloudTrail Multi-region Disabled

        Detect disabling CloudTrail multi-region.

        cloud aws aws_cloudtrail
        CloudTrail Trail Updated

        Detect update of an existing trail.

        cloud aws aws_cloudtrail mitre_TA0009-collection mitre_TA0040-impact mitre_T1492-store-data-manipulation mitre_T1530-data-from-cloud-storage-object

        CLOUDWATCH

        CloudWatch Delete Alarms

        Detect deletion of an alarm.

        cloud aws aws_cloudwatch mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools
        CloudWatch Delete Log Group

        Detect deletion of a CloudWatch log group.

        cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction
        CloudWatch Delete Log Stream

        Detect deletion of a CloudWatch log stream.

        cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction

        CONFIG

        Delete Config Rule

        Detect deletion of a configuration rule.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Delete Configuration Aggregator

        Detect deletion of the configuration aggregator.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Delete Configuration Recorder

        Detect deletion of the configuration recorder.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Delete Conformance Pack

        Detect deletion of a conformance pack.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Delete Delivery Channel

        Detect deletion of the delivery channel.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Delete Organization Config Rule

        Detect deletion of an organization config rule.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Delete Organization Conformance Pack

        Detect deletion of an organization conformance pack.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Delete Remediation Configuration

        Detect deletion of a remediation configuration.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Delete Retention Configuration

        Detect deletion of the retention configuration, which specifies the retention period (number of days) for which AWS Config stores historical information.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Put Config Rule

        Detect addition or update in an AWS Config rule.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Put Configuration Aggregator

        Detect creation and update of the configuration aggregator with the selected source accounts and regions.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Put Conformance Pack

        Detect creation or update of a conformance pack.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Put Delivery Channel

        Detect creation of a delivery channel.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Put Organization Config Rule

        Detect addition or update in an AWS Organization Config rule.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Put Organization Conformance Pack

        Detect deployment of conformance packs across member accounts in an AWS Organization.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Put Remediation Configurations

        Detect addition or update of the remediation configuration with a specific AWS Config rule with the selected target or action.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Put Remediation Exceptions

        Detect addition of a new exception, or update of an existing exception, for a specific resource under a specific AWS Config rule.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Put Retention Configuration

        Detect creation or update of the retention configuration, which specifies the retention period (number of days) for which AWS Config stores historical information.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Stop Configuration Recorder

        Detect stopping the configuration recorder.

        cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

        CONSOLE

        Console Login Through Assume Role

        Detect a console login through Assume Role.

        cloud aws aws_console aws_iam
        Console Login Without MFA

        Detect a console login without MFA.

        cloud aws aws_console aws_iam
        Console Root Login Without MFA

        Detect root console login without MFA.

        cloud aws aws_console aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal

        DMS

        Create Public DMS Replication Instance

        Detect creation of a public DMS replication instance.

        cloud aws aws_dms

        EBS

        EBS Volume Creation without Encryption at Rest

        Detect creation of an EBS volume without encryption at rest enabled.

        cloud aws aws_ebs

        EC2

        Allocate New Elastic IP Address to AWS Account

        Detect that a public IP address has been allocated to the account.

        cloud aws aws_ec2
        Associate Elastic IP Address to AWS Network Interface

        Detect that a public IP address has been associated with a network interface.

        cloud aws aws_ec2
        Authorize Security Group Egress

        Detect addition of the specified egress rules to a security group.

        cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Authorize Security Group Ingress

        Detect addition of the specified ingress rules to a security group.

        cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Create Snapshot

        Detect creation of an EBS volume snapshot, which is stored in Amazon S3.

        cloud aws aws_ec2
        Delete Subnet

        Detect deletion of the specified subnet.

        cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction
        Describe Instances

        Detect a request to describe the specified EC2 instances or all EC2 instances.

        cloud aws aws_ec2
        Disable EBS Encryption by Default

        Detect disabling EBS encryption by default for an account in the current region.

        cloud aws aws_ec2 mitre_TA0040-impact mitre_T1492-store-data-manipulation
        Make EBS Snapshot Public

        Detect making an EBS snapshot public.

        cloud aws aws_ec2
        EC2 Serial Console Access Enabled

        Detect EC2 Serial Console access being enabled in the account for a specific region.

        cloud aws aws_ec2
        Get Password Data

        Detect retrieval of the encrypted administrator password for a running Windows instance.

        cloud aws aws_ec2 mitre_TA0003-persistence mitre_T1108-redundant-access
        Modify Image Attribute

        Detect modification of the specified attribute of the specified AMI.

        cloud aws aws_ec2 mitre_TA0010-exfiltration
        Modify Snapshot Attribute

        Detect addition or removal of permission settings for the specified EC2 snapshot.

        cloud aws aws_ec2 mitre_TA0010-exfiltration mitre_T1537-transfer-data-to-cloud-account
        Replace Route

        Detect replacing an existing route within a route table in a VPC.

        cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Revoke Security Group Egress

        Detect removal of the specified egress rules from a security group.

        cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Revoke Security Group Ingress

        Detect removal of the specified ingress rules from a security group.

        cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Run Instances in Non-approved Region

        Detect launching of a specified number of instances in a non-approved region.

        cloud aws aws_ec2
        Run Instances with Non-standard Image

        Detect launching of a specified number of instances with a non-standard image.

        cloud aws aws_ec2
        Run Instances

        Detect launching of a specified number of instances.

        cloud aws aws_ec2
        Delete Cluster

        Detect deletion of the specified cluster.

        cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction

        ECR

        ECR Image Pushed

        Detect that a new image has been pushed to an ECR registry.

        cloud aws aws_ecr

        ECS

        ECS Service Created

        Detect that a new service is created in ECS.

        cloud aws aws_ecs aws_fargate
        ECS Service Deleted

        Detect that a service is deleted in ECS.

        cloud aws aws_ecs aws_fargate
        Execute Interactive Command inside an ECS Container

        Detect execution of an interactive command inside an ECS container.

        cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
        Execute Command inside an ECS Container

        Detect execution of a command inside an ECS container.

        cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
        ECS Task Run or Started

        Detect that a new task is started in ECS.

        cloud aws aws_ecs aws_fargate
        ECS Task Stopped

        Detect that a task is stopped in ECS.

        cloud aws aws_ecs aws_fargate
        Terminal Shell in ECS Container

        A terminal shell has been executed inside an ECS container.

        cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell
        ECS Service Task Definition Updated

        Detect that a service task definition is updated in ECS.

        cloud aws aws_ecs aws_fargate

        ECS EXEC

        Execute Interactive Command inside an ECS Container

        Detect execution of an interactive command inside an ECS container.

        cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
        Execute Command inside an ECS Container

        Detect execution of a command inside an ECS container.

        cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
        Terminal Shell in ECS Container

        A terminal shell has been executed inside an ECS container.

        cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell

        EFS

        Create Unencrypted EFS

        Detect creation of an unencrypted elastic file system.

        cloud aws aws_efs

        ELASTICSEARCH

        Elasticsearch Domain Creation without Encryption at Rest

        Detect creation of an Elasticsearch domain without encryption at rest enabled.

        cloud aws aws_elasticsearch
        Elasticsearch Domain Creation without VPC

        Detect creation of an Elasticsearch domain without a VPC.

        cloud aws aws_elasticsearch

        ELB

        Create HTTP Target Group without SSL

        Detect creation of an HTTP target group not using SSL.

        cloud aws aws_elb
        Create Internet-facing AWS Public Facing Load Balancer

        Detect creation of an AWS internet-facing load balancer.

        cloud aws aws_elb
        Delete Listener

        Detect deletion of the specified listener.

        cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application
        Modify Listener

        Detect replacing the specified properties of the specified listener.

        cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application

        FARGATE

        ECS Service Created

        Detect that a new service is created in ECS.

        cloud aws aws_ecs aws_fargate
        ECS Service Deleted

        Detect that a service is deleted in ECS.

        cloud aws aws_ecs aws_fargate
        Execute Interactive Command inside an ECS Container

        Detect execution of an interactive command inside an ECS container.

        cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
        Execute Command inside an ECS Container

        Detect execution of a command inside an ECS container.

        cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
        ECS Task Run or Started

        Detect that a new task is started in ECS.

        cloud aws aws_ecs aws_fargate
        ECS Task Stopped

        Detect that a task is stopped in ECS.

        cloud aws aws_ecs aws_fargate
        Terminal Shell in ECS Container

        A terminal shell has been executed inside an ECS container.

        cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell
        ECS Service Task Definition Updated

        Detect that a service task definition is updated in ECS.

        cloud aws aws_ecs aws_fargate

        GUARDDUTY

        Delete Detector

        Detect deletion of an Amazon GuardDuty detector.

        cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Guard Duty Delete Members

        Detect deletion of the GuardDuty member accounts specified by account ID from the current GuardDuty administrator account.

        cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Disable GuardDuty

        Detect disabling of GuardDuty.

        cloud aws aws_guardduty
        Guard Duty Disassociate from Master Account

        Detect disassociation of the current GuardDuty member account from its administrator account.

        cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Guard Duty Disassociate Members

        Detect disassociation of the GuardDuty member accounts specified by account ID from the current GuardDuty administrator account.

        cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Stop Monitoring Members

        Detect stopping GuardDuty monitoring for the specified member accounts.

        cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

        IAM

        Console Login Failure

        Detect a console login failure.

        cloud aws aws_iam
        Console Login Success From Untrusted IP

        Detect a successful console login from an untrusted IP address.

        cloud aws aws_iam
        Console Login Success

        Detect a successful console login.

        cloud aws aws_iam
        Console Login Through Assume Role

        Detect a console login through Assume Role.

        cloud aws aws_console aws_iam
        Console Login Without MFA

        Detect a console login without MFA.

        cloud aws aws_console aws_iam
        Console Root Login Without MFA

        Detect root console login without MFA.

        cloud aws aws_console aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal
        Logged in without Using MFA

        (DEPRECATED) Detect user login without using MFA (multi-factor authentication). Use "Console Login Without MFA" instead.

        cloud aws aws_iam
        Password Recovery Requested

        Detect AWS IAM password recovery requests.

        cloud aws aws_iam mitre_TA0001-initial-access mitre_T1078-valid-accounts
        Put Inline Policy in Group to Allow Access to All Resources

        Detect putting an inline policy in a group that allows access to all resources.

        cloud aws aws_iam
        Create Access Key for Root User

        Detect creation of an access key for root.

        cloud aws aws_iam mitre_TA0001-initial-access mitre_T1078-valid-accounts
        Deactivate Hardware MFA for Root User

        Detect deactivating hardware MFA configuration for root.

        cloud aws aws_iam
        Deactivate MFA for Root User

        Detect deactivating MFA configuration for root.

        cloud aws aws_iam
        Deactivate Virtual MFA for Root User

        Detect deactivating virtual MFA configuration for root.

        cloud aws aws_iam
        Delete Virtual MFA for Root User

        Detect deleting MFA configuration for root.

        cloud aws aws_iam pcs_dss_iam.5
        Root User Executing AWS Command

        Detect root user executing AWS command.

        cloud aws aws_iam
        Add AWS User to Group

        Detect adding a user to a group.

        cloud aws aws_iam
        Attach Administrator Policy

        Detect attaching an administrator policy to a user.

        cloud aws aws_iam
        Attach IAM Policy to User

        Detect attaching an IAM policy to a user.

        cloud aws aws_iam
        Create Group

        Detect creation of a new user group.

        cloud aws aws_iam mitre_TA0003-persistence mitre_T1108-redundant-access
        Create Security Group Rule Allowing SSH Ingress

        Detect creation of security group rule allowing SSH ingress.

        cloud aws aws_iam
        Create Security Group Rule Allowing Ingress Open to the World

        Detect creation of security group rule allowing ingress open to the world.

        cloud aws aws_iam
        Create AWS user

        Detect creation of a new AWS user.

        cloud aws aws_iam mitre_TA0003-persistence mitre_T1136-create-account
        Create IAM Policy that Allows All

        Detect creation of IAM policy that allows all.

        cloud aws aws_iam
        Deactivate MFA for User Access

        Detect deactivating MFA configuration for user access.

        cloud aws aws_iam
        Delete Group

        Detect deletion of a user group.

        cloud aws aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal
        Delete AWS user

        Detect deletion of an AWS user.

        cloud aws aws_iam
        Put IAM Inline Policy to User

        Detect putting an IAM inline policy on a user.

        cloud aws aws_iam
        Remove AWS User from Group

        Detect removing a user from a group.

        cloud aws aws_iam
        Update Account Password Policy Not Expiring

        Detect updating the account password policy so that passwords never expire.

        cloud aws aws_iam
        Update Account Password Policy Expiring in More Than 90 Days

        Detect updating the account password policy so that passwords expire after more than 90 days.

        cloud aws aws_iam
        Update Account Password Policy Not Preventing Reuse of Last 24 Passwords

        Detect updating the account password policy so that reuse of the last 24 passwords is not prevented.

        cloud aws aws_iam
        Update Account Password Policy Not Preventing Reuse of Last 4 Passwords

        Detect updating the account password policy so that reuse of the last 4 passwords is not prevented.

        cloud aws aws_iam
        Update Account Password Policy Not Requiring 14 Characters

        Detect updating the account password policy so that a minimum length of 14 characters is not required.

        cloud aws aws_iam
        Update Account Password Policy Not Requiring 7 Characters

        Detect updating the account password policy so that a minimum length of 7 characters is not required.

        cloud aws aws_iam
        Update Account Password Policy Not Requiring Lowercase

        Detect updating the account password policy so that a lowercase letter is not required.

        cloud aws aws_iam
        Update Account Password Policy Not Requiring Number

        Detect updating the account password policy so that a number is not required.

        cloud aws aws_iam
        Update Account Password Policy Not Requiring Symbol

        Detect updating the account password policy so that a symbol is not required.

        cloud aws aws_iam
        Update Account Password Policy Not Requiring Uppercase

        Detect updating the account password policy so that an uppercase letter is not required.

        cloud aws aws_iam
        Update Assume Role Policy

        Detect modification of a role's assume-role (trust) policy.

        cloud aws aws_iam mitre_TA0006-credential-access mitre_T1110-brute-force

        KMS

        Create Customer Master Key

        Detect creation of a new CMK (with rotation disabled).

        cloud aws aws_kms
        Disable CMK Rotation

        Detect disabling of a customer master key's rotation.

        cloud aws aws_kms
        Disable Key

        Detect disabling a customer master key (CMK), thereby preventing its use for cryptographic operations.

        cloud aws aws_kms
        Remove KMS Key Rotation

        Detect removal of KMS key rotation.

        cloud aws aws_kms
        Schedule Key Deletion

        Detect scheduling of the deletion of a customer master key.

        cloud aws aws_kms

        LAMBDA

        Create Lambda Function Not Using Latest Runtime

        Detect creation of a Lambda function not using the latest runtime.

        cloud aws aws_lambda mitre_T1190-exploit-public-facing-application
        Create Lambda Function Using Unsupported Runtime

        Detect creation of a Lambda function using an unsupported runtime.

        cloud aws aws_lambda mitre_T1190-exploit-public-facing-application
        Create Lambda Function

        Detect creation of a Lambda function.

        cloud aws aws_lambda mitre_TA0003-persistence
        Dissociate Lambda Function from VPC

        Detect dissociation of a Lambda function from a VPC.

        cloud aws aws_lambda
        Update Lambda Function Code

        Detect updates to a Lambda function code.

        cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking
        Update Lambda Function Configuration

        Detect updates to a Lambda function configuration.

        cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking

        RDS

        Authorize DB Security Group Ingress

        Detect enabling ingress to a DBSecurityGroup using one of two forms of authorization.

        cloud aws aws_rds
        Create DB Cluster

        Detect creation of a database cluster.

        cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access
        Create DB Security Group

        Detect creation of a database security group.

        cloud aws aws_rds
        Create Global Cluster

        Detect creation of a global cluster.

        cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access
        Delete DB Cluster

        Detect deletion of a database cluster.

        cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction
        Delete DB Security Group

        Detect deletion of a database security group.

        cloud aws aws_rds
        Delete DB Snapshot

        Detect deletion of a database snapshot.

        cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction
        Make RDS DB Instance Public

        Detect making an RDS DB instance public.

        cloud aws aws_rds
        Make RDS Snapshot Public

        Detect making public an RDS snapshot.

        cloud aws aws_rds
        Modify RDS Snapshot Attribute

        Detect modification of an RDS snapshot attribute.

        cloud aws aws_rds mitre_TA0010-exfitration mitre_T1537-transfer-data-to-cloud-account
        Revoke DB Security Group Ingress

        Detect revocation of ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups.

        cloud aws aws_rds
        Stop DB Cluster

        Detect stopping of a database cluster.

        cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop
        Stop DB Instance

        Detect stopping of a database instance.

        cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop

        ROUTE53

        Associate VPC with Hosted Zone

        Detect association of an Amazon VPC with a private hosted zone.

        cloud aws aws_route53
        Change Resource Record Sets

        Detect creation, changes, or deletion of a resource record set.

        cloud aws aws_route53
        Register Domain

        Detect registration of a new domain.

        cloud aws aws_route53

        S3

        Delete Bucket CORS

        Detect deletion of the CORS configuration for a bucket.

        cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
        Delete Bucket Encryption

        Detect deletion of the encryption configuration for bucket storage.

        cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
        Delete Bucket Lifecycle

        Detect deletion of the lifecycle configuration from the specified bucket.

        cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
        Delete Bucket Policy

        Detect deletion of the policy of a specified bucket.

        cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
        Delete Bucket Public Access Block

        Detect deletion of the public access block configuration for a bucket.

        cloud aws aws_s3
        Delete Bucket Replication

        Detect deletion of the replication configuration from the bucket.

        cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
        Read Object in Watched Bucket

        Detect a Read operation on objects in watched buckets.

        cloud aws aws_s3
        List Buckets

        Detect listing of all S3 buckets.

        cloud aws aws_s3 mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
        Put Bucket ACL

        Detect setting the permissions on an existing bucket using access control lists.

        cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
        Put Bucket CORS

        Detect setting the CORS configuration for a bucket.

        cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
        Put Bucket Lifecycle

        Detect creation or modification of a lifecycle configuration for the bucket [DEPRECATED use `Put Bucket Lifecycle Configuration` instead].

        cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
        Put Bucket Policy

        Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.

        cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
        Put Bucket Replication

        Detect creation of a replication configuration or the replacement of an existing one.

        cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
        Put Object in Watched Bucket

        Detect a Put operation on objects in watched buckets.

        cloud aws aws_s3

        SAGEMAKER

        Create SageMaker Notebook Instance with Direct Internet Access

        Detect creation of a SageMaker notebook instance with direct internet access.

        cloud aws aws_sagemaker

        SECRETSMANAGER

        Get Secret Value

        Detect retrieval of the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.

        cloud aws aws_secretsmanager mitre_TA0006-credential-access mitre_T1528-steal-application-access-token

        SECURITYHUB

        Batch Disable Standards

        Detect disabling of the standards specified by the provided StandardsSubscriptionArns.

        cloud aws aws_securityhub
        Delete Action Target

        Detect deletion of a custom action target from Security Hub.

        cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Security Hub Delete Members

        Detect deletion of the specified member accounts from Security Hub.

        cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Disable Import Findings for Product

        Detect disabling of the integration of the specified product with Security Hub.

        cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Disable Security Hub

        Detect disabling of Security Hub in the current region.

        cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Security Hub Disassociate From Master Account

        Detect disassociation of the current Security Hub member account from the associated master account.

        cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Security Hub Disassociate Members

        Detect disassociation of the current Security Hub member account from the associated master account.

        cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Update Action Target

        Detect updating the name and description of a custom action target in Security Hub.

        cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Update Standards Control

        Detect enabling or disabling of a standard control.

        cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

        VPC

        Accept VPC Peering Connection

        Detect accepting a VPC peering connection.

        cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Attach Internet Gateway

        Detect attaching an internet gateway.

        cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Create a Network ACL Entry Allowing Ingress Open to the World

        Detect creation of a network ACL entry allowing ingress open to the world.

        cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Create a Network ACL Entry

        Detect creating a network ACL entry.

        cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Create a Network ACL

        Detect creating a network ACL.

        cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Create VPC Route

        Detect creating a VPC route.

        cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Create VPC Peering Connection

        Detect creating a VPC peering connection.

        cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Create VPC with Default Security Group

        Detect creation of a new VPC with default security group.

        cloud aws aws_vpc
        Create VPC with No Flow Log

        Detect creation of a new VPC with no flow log.

        cloud aws aws_vpc
        Delete VPC Flow Log

        Detect deletion of a VPC flow log.

        cloud aws aws_vpc mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools
        Delete a Network ACL Entry

        Detect deletion of a network ACL entry.

        cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Delete a Network ACL

        Detect deleting a network ACL.

        cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Replace a Network ACL Association

        Detect replacement of a network ACL association.

        cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
        Replace a Network ACL Entry

        Detect replacement of a network ACL entry.

        cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

        WAF

        Delete WAF Rule Group

        Detect deleting a WAF rule group.

        cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
        Delete Web ACL

        Detect deleting a web ACL.

        cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

        OTHER

        AWS Command Executed by Untrusted User

        Detect AWS command execution by an untrusted user.

        cloud aws
        AWS Command Executed on Unused Region

        Detect AWS command execution on unused regions.

        cloud aws mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions

        2 -

        About Sysdig Secure for cloud on GCP

        Setup options, details, troubleshooting, and validation steps for the various cloud vendors under Installations - Cloud - GCP

        Available Features

        • Threat detection based on GCP Cloud Audit Logs integration
        • Compliance Security Posture Management (CSPM), including CIS GCP and CIS GKE Benchmark compliance assessments
        • GCP Cloud Container scanning
        • Image scanning on GCP

        Threat Detection Based on GCP Cloud Audit Logs

        Threat Detection leverages audit logs from GCP Cloud Audit Logs plus Falco rules to detect threats as soon as they occur and bring governance, compliance, and risk auditing for your cloud accounts.

        A rich set of Falco rules, a GCP Best Practices default policy, and a GCP policy type for creating customized policies are included. These correspond to security standards and benchmarks such as: NIST 800-53, PCI DSS, SOC 2, MITRE ATT&CK®, and Google Cloud Security best practices.

        CSPM/Compliance with CIS GKE and CIS GCP Benchmarks

        A new cloud compliance standard has been added to the Sysdig compliance feature: CIS GCP benchmarks. These assessments are based on an open-source engine, Cloud Custodian, in Sysdig’s Cloud Security Posture Management (CSPM) engine.

        The assessments evaluate your Google Cloud services against the benchmark requirements and return the results and remediation activities you need to fix misconfigurations in your cloud environment.

        GCP Cloud Container Scanning

        GCP Cloud Container Scanning uses a PubSub topic to automatically detect any container image pushed to registries on Google Container Registry or Google Artifact Registry, as well as images deployed to Google Cloud Run. An ephemeral Google Cloud Build pipeline is then created to scan that image so a vulnerability report is available in your Sysdig backend.

        2.1 -

        GCP Auditlog Falco rules


        Total 44 rules.

        APIKEYS

        GCP Create API Keys for a Project

        Detect creation of API keys for a project.

        cloud gcp gcp_apikeys cis_controls_16 cis_gcp_1.12

        CLOUDFUNCTIONS

        GCP Create Cloud Function Not Using Latest Runtime

        Detect creation of a Cloud Function using an old or deprecated runtime.

        cloud gcp gcp_cloudfunctions soc2 soc2_CC7.1 mitre_T1190-exploit-public-facing-application
        GCP Create Cloud Function

        Detect creation of a Cloud function.

        cloud gcp gcp_cloudfunctions mitre_TA0003-persistence
        GCP Update Cloud Function

        Detect updates to a Cloud Function.

        cloud gcp gcp_cloudfunctions mitre_TA0003-persistence mitre_T1496-resource-hijacking

        CLOUDKMS

        GCP Create KMS Key Without Rotation

        Detect creation of a new KMS key with rotation disabled.

        cloud gcp gcp_cloudkms soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2
        GCP Remove KMS Key Rotation

        Detect removal of KMS key rotation.

        cloud gcp gcp_cloudkms soc2 soc2_CC6.1 soc2_CC8.1 ISO_27001 ISO_27001_A.10.1.2 ISO_27001_A.18.1.5 GDPR GDPR_32.1 GDPR_32.2

        CLOUDRESOURCEMANAGER

        GCP Invitation Sent to Non-corporate Account

        Detect sending an invitation to a non-corporate (not allowed) account.

        cloud gcp gcp_cloudresourcemanager HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(d) HITRUST HITRUST_CSF_01.q cis_controls_16.2 cis_gcp_1.1 mitre_T1136-create-account

        CLOUDRUN

        CloudRun Create Service

        Detect creation of a CloudRun Service.

        cloud gcp gcp_cloudrun
        CloudRun Replace Service

        Detect the replacement of a CloudRun Service.

        cloud gcp gcp_cloudrun

        DNS

        GCP Create or Patch DNS Zone without DNSSEC

        Detect creation of a DNS zone with DNSSEC disabled or a modification of a DNS zone to disable DNSSEC.

        cloud gcp gcp_dns cis_controls_11.1 cis_gcp_3.3

        GCE

        GCP Describe Instance

        Detect description of the specified GCE instance.

        cloud gcp gcp_gce

        GKE

        GCP Delete DNS Zone

        Detect the deletion of a DNS zone.

        cloud gcp gcp_gke
        GCP Delete GKE Cluster

        Detect the deletion of a GKE cluster.

        cloud gcp gcp_gke
        GCP Delete GKE Node Pool

        Detect the deletion of a GKE node pool.

        cloud gcp gcp_gke
        GCP Delete Router

        Detect the deletion of a router.

        cloud gcp gcp_gke

        IAM

        GCP Create GCP-managed Service Account Key

        Detect creating an access key for a GCP-managed service account.

        cloud gcp gcp_iam soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2 HIPAA HIPAA_164.312(e) HITRUST HITRUST_CSF_06.d HITRUST_CSF_10.g cis_controls_16 mitre_T1550-use-alternate-authentication-material
        GCP Create User-managed Service Account Key

        Detect creating an access key for a user-managed service account.

        cloud gcp gcp_iam soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2 HIPAA HIPAA_164.312(e) HITRUST HITRUST_CSF_06.d HITRUST_CSF_10.g cis_controls_16 cis_gcp_1.4 mitre_T1550-use-alternate-authentication-material
        GCP Delete IAM Role

        Detect the deletion of an IAM role.

        cloud gcp gcp_iam
        GCP Operation by a Non-corporate Account

        Detect executing an operation by a non-corporate account.

        cloud gcp gcp_iam HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(d) HITRUST HITRUST_CSF_01.q cis_controls_16.2 cis_gcp_1.1
        GCP Super Admin Executing Command

        Detect a super admin executing a GCP command.

        cloud gcp gcp_iam soc2 soc2_CC6.2 soc2_CC6.6 FedRAMP FedRAMP_AC-2(12) ISO_27001 ISO_27001_A.6.1.2 ISO_27001_A.9.2.3 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(b) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_09.aa GDPR GDPR_25.1 GDPR_25.2 GDPR_25.3

        LOGGING

        GCP Update, Disable or Delete Sink

        Detect the updating, disabling or deletion of a sink.

        cloud gcp gcp_logging FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k cis_controls_6.2 cis_controls_6.4 cis_gcp_2.2

        MONITORING

        GCP Monitoring Alert Deleted

        Detect deletion of an alert.

        cloud gcp gcp_monitoring FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools mitre_T1562-impair-defenses mitre_T1562.008-disable-cloud-logs
        GCP Monitoring Alert Updated

        Detect updating of an alert.

        cloud gcp gcp_monitoring FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools

        SQL

        GCP Disable Automatic Backups for a Cloud SQL Instance

        Detect that automatic backups have been disabled for a Cloud SQL instance.

        cloud gcp gcp_sql cis_controls_10.1 cis_gcp_6.7
        GCP Disable the Requirement for All Incoming Connections to Use SSL for a Cloud SQL Instance

        Detect that the requirement for all incoming connections to use SSL for a Cloud SQL instance has been disabled.

        cloud gcp gcp_sql FedRAMP FedRAMP_CM-3(1) FedRAMP_SC-7(4) HIPAA HIPAA_164.310(b) HITRUST_CSF HITRUST_CSF_01.j HITRUST_CSF_01.n HITRUST_CSF_01.y HITRUST_CSF_05.i HITRUST_CSF_09.s HITRUST_CSF_10.k cis_controls_13 cis_controls_14.4 cis_controls_16.5 cis_gcp_6.4
        GCP Set a Public IP for a Cloud SQL Instance

        Detect that a public IP address has been set for a Cloud SQL instance.

        cloud gcp gcp_sql FedRAMP FedRAMP_SC-7(4) HITRUST_CSF HITRUST_CSF_01.n HITRUST_CSF_09.m cis_controls_13 cis_gcp_6.6

        STORAGE BUCKETS

        GCP Create Bucket

        Detect creation of a bucket.

        cloud gcp gcp_storage_buckets mitre_T1074-data-staged
        GCP Delete Bucket

        Detect deletion of a bucket.

        cloud gcp gcp_storage_buckets
        GCP List Buckets

        Detect listing of all storage buckets.

        cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
        GCP List Bucket Objects

        Detect listing of all objects in a bucket.

        cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
        GCP Put Bucket ACL

        Detect setting the permissions on an existing bucket using access control lists.

        cloud gcp gcp_storage_buckets FedRAMP FedRAMP_AC-6(1) FedRAMP_AC-6(2) FedRAMP_AC-6(3) ISO_27001 ISO_27001_A.9.1.2 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_01.q HITRUST_CSF_06.j mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host mitre_T1530-data-from-cloud-storage-object
        GCP Set Bucket IAM Policy

        Detect setting the permissions on an existing bucket using IAM policies.

        cloud gcp gcp_storage_buckets FedRAMP FedRAMP_AC-6(1) FedRAMP_AC-6(2) FedRAMP_AC-6(3) ISO_27001 ISO_27001_A.9.1.2 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_01.q HITRUST_CSF_06.j mitre_T1530-data-from-cloud-storage-object
        GCP Update Bucket

        Detect the update of a bucket.

        cloud gcp gcp_storage_buckets

        VM

        GCP Enable Connecting to Serial Ports for a VM Instance

        Detect enabling of connection to serial ports for a VM instance.

        cloud gcp gcp_vm FedRAMP FedRAMP_CM-3(1) HITRUST_CSF HITRUST_CSF_10.k cis_controls_9.2 cis_gcp_4.5
        GCP Creation of a VM Instance with IP Forwarding Enabled

        Detect creating a VM instance with IP forwarding enabled.

        cloud gcp gcp_vm cis_controls_11.1 cis_controls_11.2 cis_gcp_4.6
        GCP Suspected Disable of OS Login in a VM Instance

        Detect modification of the enable-oslogin metadata in an instance.

        cloud gcp gcp_vm cis_controls_16 cis_gcp_4.4
        GCP Enable Project-wide SSH keys for a VM Instance

        Detect enabling of project-wide SSH keys for a VM instance.

        cloud gcp gcp_vm HIPAA HIPAA_164.310(b) HITRUST_CSF HITRUST_CSF_01.j HITRUST_CSF_01.n HITRUST_CSF_01.y HITRUST_CSF_05.i HITRUST_CSF_09.s cis_controls_16 cis_gcp_4.3
        GCP Shield Disabled for a VM Instance

        Detect disabling of the Shielded VM parameter(s) of a VM instance.

        cloud gcp gcp_vm cis_controls_13 cis_gcp_4.8

        VPC

        GCP Delete VPC Network

        Detect the deletion of a VPC network.

        cloud gcp gcp_vpc
        GCP Delete VPC Subnetwork

        Detect the deletion of a VPC subnetwork.

        cloud gcp gcp_vpc

        VPC NETWORKS

        GCP Create a Default VPC Network

        Detect creation of a default network in a project.

        cloud gcp gcp_vpc_networks FedRAMP FedRAMP_CM-3(1) FedRAMP_SC-7(4) HITRUST_CSF HITRUST_CSF_01.n HITRUST_CSF_10.k cis_controls_11.1 cis_gcp_3.1
        GCP Disable Subnet Flow Logs

        Detect disabling the flow logs of a subnet.

        cloud gcp gcp_vpc_networks soc2 soc2_CC6.6 FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST_CSF HITRUST_CSF_09.aa HITRUST_CSF_10.k cis_controls_6.2 cis_controls_12.8 cis_gcp_3.8

        OTHER

        GCP Delete Resources from the PCI Blueprint Environment

        Detect the deletion of resources from the blueprint environment.

        cloud gcp
        GCP Command Executed on Unused Region

        Detect GCP command execution on unused regions.

        cloud gcp FedRAMP FedRAMP_AC-2(12) HIPAA HIPAA_164.308(a) HIPAA_164.312(a) mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions

        3 -

        About Sysdig Secure for cloud on Azure

        Setup options, details, troubleshooting, and validation steps for the various cloud vendors under Installations - Cloud - Azure

        Available Features

        • Cloud Security Posture Management (CSPM): Based on CIS benchmarks tailored for your assets
        • Cloud Threat Detection: Identify threats in your Azure environment using Falco rules for Azure
        • Image Vulnerability Scanning: Automatic vulnerability scanning of images pushed to Azure Container Registry and images executed on Azure Container Instances

        3.1 -

        Azure Platformlogs Falco rules


        Total 21 rules.

        DATABASE SERVICES

        Azure Auditing on SQL Server Has Been Disabled

        The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

        cloud azure azure_database_services azure_sql_server cis_azure_4.1.1 cis_controls_6.3
        Azure Server Vulnerability Assessment on SQL Server Has Been Removed

        Vulnerability Assessment setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.

        cloud azure azure_database_services azure_sql_server cis_azure_4.2.2 cis_azure_4.2.3 cis_controls_3.1

        FUNCTION APPS

        Azure Function App Deleted

        A function app has been deleted.

        cloud azure azure_function_apps
        Azure Function App Deployment Slot Deleted

        A function app deployment slot has been deleted.

        cloud azure azure_function_apps
        Azure Function App Host Key Deleted

        A function app host key has been deleted.

        cloud azure azure_function_apps
        Azure Function App Host Master Key Modified

        A function app host master key has been renewed.

        cloud azure azure_function_apps
        Azure Function Key Deleted

        A function key has been deleted.

        cloud azure azure_function_apps

        LOGGING AND MONITORING

        Azure Diagnostic Setting Has Been Disabled

        A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.

        cloud azure azure_logging_and_monitoring cis_azure_5.1.1 cis_controls_6.5

        NETWORKING

        Azure RDP Access Is Allowed from The Internet

        The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.

        cloud azure azure_networking cis_azure_6.1 cis_controls_9.2
        Azure SSH Access Is Allowed from The Internet

        The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.

        cloud azure azure_networking cis_azure_6.2 cis_controls_9.2

        SQL SERVER

        Azure Auditing on SQL Server Has Been Disabled

        The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

        cloud azure azure_database_services azure_sql_server cis_azure_4.1.1 cis_controls_6.3
        Azure Server Vulnerability Assessment on SQL Server Has Been Removed

        Vulnerability Assessment setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.

        cloud azure azure_database_services azure_sql_server cis_azure_4.2.2 cis_azure_4.2.3 cis_controls_3.1

        STORAGE ACCOUNTS

        Azure Access Level creation attempt for Blob Container Set to Public

        Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it's recommended to set allowBlobPublicAccess false.

        cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
        Creation attempt Azure Secure Transfer Required Set to Disabled

        The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.

        cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
        Creation attempt Azure Default Network Access Rule for Storage Account Set to Allow

        Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.

        cloud azure azure_storage_accounts cis_azure_3.6 cis_controls_16
        Azure Access Level for Blob Container Set to Public

        Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it's recommended to set allowBlobPublicAccess false.

        cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
        Azure Default Network Access Rule for Storage Account Set to Allow

        Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.

        cloud azure azure_storage_accounts cis_azure_3.6 cis_controls_16
        Azure Secure Transfer Required Set to Disabled

        The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.

        cloud azure azure_storage_accounts cis_azure_3.1 cis_controls_14.4
        Azure Blob Created

        A blob has been created in a storage container.

        cloud azure azure_storage_accounts
        Azure Blob Deleted

        A blob has been deleted from a storage container.

        cloud azure azure_storage_accounts
        Azure Container Created

        A Container has been created.

        cloud azure azure_storage_accounts
        Azure Container Deleted

        A Container has been deleted.

        cloud azure azure_storage_accounts
        Azure Container ACL Modified

        A container ACL has been modified.

        cloud azure azure_storage_accounts