Findings type coverage
The following is an approximate list of vulnerability, insight, and secret types and the CWE and OWASP categories that Qwiet preZero is capable of finding. We also list the finding types available for those submitting JavaScript applications or Terraform projects to preZero.
This list is subject to change as our security team identifies additional finding types.
- Bug Classes of Vulnerabilities
- Secrets
- Common Weakness Enumeration (CWE) Categories
- OWASP Top 10 Categories
- Terraform
Please note that the bug class/category names that preZero uses may vary for open-source vulnerabilities. Qwiet does not control the categorization of vulnerabilities in the global CVE system.
Bug Classes of Vulnerabilities
- Authentication Bypass
- Buffer Overflow
- CRLF Injection
- CSS Injection
- Client Side Injection
- Command Injection
- Cross-Site Request Forgery
- Cross-Site Scripting
- Cryptography
- Dangling Pointer
- Denial of Service
- Deprecated Function Use
- Deserialization
- Directory Listing
- Directory Traversal
- Double Free
- Error Handling
- Fingerprinting
- Format String Attack
- Hardcoded Credentials
- Header Injection
- Insecure Authentication
- Insecure Content Provider
- Insecure Data Storage
- Insecure Direct Object Reference
- Insecure File Provider Paths
- Integer Overflow
- Intent Redirection
- Invalid Certificate Validation
- JSON Injection
- LDAP Injection
- Log Forging
- Logical Error
- Loose File Permissions
- Mail Injection
- NoSQL Injection
- Open Redirect
- Phishing
- Privilege Escalation
- Prototype Pollution
- Race Condition
- Regex Injection
- Remote Code Execution
- SQL Injection
- Security Best Practices
- Security Misconfiguration
- Sensitive Data Exposure
- Sensitive Data Leak
- Server-Side Request Forgery
- Session Injection
- Tabnabbing
- Template Injection
- Timing Attack
- Undefined Behavior
- Unsafe Lambda Call
- Unsafe RPC Call
- Unsafe Reflection
- Use After Free
- Weak Cipher
- Weak Hash
- Weak Random
- Weak Secret Storage
- XML External Entities
- XPath Injection
Secrets
- Access ID
- Access Token
- Amazon
- API Gateway
- API Key
- ARN Token
- Artifactory
- CloudFront
- Credit Card Number
- Crypto
- Drive API Key
- Drive OAuth
- ECommerce
- Email Address
- Finance
- GitHub
- Gmail API Key
- Gmail OAuth
- Google Cloud Platform API Key
- IaaS
- Infra
- JWT
- Mailgun
- PaaS
- Password
- Picatic
- PII
- RDS
- Restricted API Key
- RKCS8
- RSA
- S3 Bucket
- S3 Object Bucket
- Secret
- Slack
- Social Media
- Stripe
- Telephone
- URI
- User
- Webhook
- YouTube API Key
- YouTube OAuth
Common Weakness Enumeration (CWE) Categories
- 20: Improper Input Validation
- 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- 23: Relative Path Traversal
- 74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- 77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- 78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- 79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- 89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- 90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
- 91: XML Injection (aka Blind XPath Injection)
- 93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
- 94: Improper Control of Generation of Code ('Code Injection')
- 98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
- 111: Direct Use of Unsafe JNI
- 113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
- 114: Process Control
- 117: Improper Output Neutralization for Logs
- 121: Stack-based Buffer Overflow
- 122: Heap-based Buffer Overflow
- 125: Out-of-bounds Read
- 129: Improper Validation of Array Index
- 131: Incorrect Calculation of Buffer Size
- 134: Use of Externally-Controlled Format String
- 143: Improper Neutralization of Record Delimiters
- 159: Improper Handling of Invalid Use of Special Elements
- 190: Integer Overflow or Wraparound
- 200: Exposure of Sensitive Information to an Unauthorized Actor
- 208: Observable Timing Discrepancy
- 242: Use of Inherently Dangerous Function
- 259: Use of Hard-coded Password
- 271: Privilege Dropping / Lowering Errors
- 272: Least Privilege Violation
- 276: Incorrect Default Permissions
- 284: Improper Access Control
- 287: Improper Authentication
- 288: Authentication Bypass Using an Alternate Path or Channel
- 290: Authentication Bypass by Spoofing
- 295: Improper Certificate Validation
- 306: Missing Authentication for Critical Function
- 312: Cleartext Storage of Sensitive Information
- 319: Cleartext Transmission of Sensitive Information
- 327: Use of a Broken or Risky Cryptographic Algorithm
- 328: Use of Weak Hash
- 330: Use of Insufficiently Random Values
- 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
- 346: Origin Validation Error
- 347: Improper Verification of Cryptographic Signature
- 352: Cross-Site Request Forgery (CSRF)
- 359: Exposure of Private Personal Information to an Unauthorized Actor
- 367: Time-of-check Time-of-use (TOCTOU) Race Condition
- 382: J2EE Bad Practices: Use of System.exit()
- 383: J2EE Bad Practices: Direct Use of Threads
- 384: Session Fixation
- 391: Unchecked Error Condition
- 397: Declaration of Throws for Generic Exception
- 400: Uncontrolled Resource Consumption
- 401: Missing Release of Memory after Effective Lifetime
- 409: Improper Handling of Highly Compressed Data (Data Amplification)
- 415: Double Free
- 416: Use After Free
- 419: Unprotected Primary Channel
- 434: Unrestricted Upload of File with Dangerous Type
- 441: Unintended Proxy or Intermediary ('Confused Deputy')
- 470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
- 477: Use of Obsolete Function
- 486: Comparison of Classes by Name
- 489: Active Debug Code
- 497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
- 502: Deserialization of Untrusted Data
- 522: Insufficiently Protected Credentials
- 548: Exposure of Information Through Directory Listing
- 550: Server-generated Error Message Containing Sensitive Information
- 552: Files or Directories Accessible to External Parties
- 562: Return of Stack Variable Address
- 565: Reliance on Cookies without Validation and Integrity Checking
- 570: Expression is Always False
- 571: Expression is Always True
- 601: URL Redirection to Untrusted Site ('Open Redirect')
- 605: Multiple Binds to the Same Port
- 611: Improper Restriction of XML External Entity Reference
- 613: Insufficient Session Expiration
- 614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
- 639: Authorization Bypass Through User-Controlled Key
- 641: Improper Restriction of Names for Files and Other Resources
- 643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
- 676: Use of Potentially Dangerous Function
- 680: Integer Overflow to Buffer Overflow
- 693: Protection Mechanism Failure
- 705: Incorrect Control Flow Scoping
- 758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
- 759: Use of a One-Way Hash without a Salt
- 760: Use of a One-Way Hash with a Predictable Salt
- 776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
- 784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
- 798: Use of Hard-coded Credentials
- 910: Use of Expired File Descriptor
- 916: Use of Password Hash With Insufficient Computational Effort
- 917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
- 918: Server-Side Request Forgery (SSRF)
- 927: Use of Implicit Intent for Sensitive Communication
- 933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration
- 940: Improper Verification of Source of a Communication Channel
- 942: Permissive Cross-domain Policy with Untrusted Domains
- 943: Improper Neutralization of Special Elements in Data Query Logic
- 1004: Sensitive Cookie Without 'HttpOnly' Flag
- 1021: Improper Restriction of Rendered UI Layers or Frames
- 1120: Excessive Code Complexity
- 1204: Generation of Weak Initialization Vector (IV)
- 1220: Insufficient Granularity of Access Control
- 1240: Use of a Cryptographic Primitive with a Risky Implementation
- 1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- 1322: Use of Blocking Code in Single-threaded, Non-blocking Context
- 1333: Inefficient Regular Expression Complexity
- 1336: Improper Neutralization of Special Elements Used in a Template Engine
OWASP Top 10 Categories
- A01:2021 - Broken Access Control
- A02:2021 - Cryptographic Failures
- A03:2021 - Injection
- A04:2021 - Insecure Design
- A05:2021 - Security Misconfiguration
- A06:2021 - Vulnerable and Outdated Components
- A07:2021 - Identification and Authentication Failures
- A08:2021 - Software and Data Integrity Failures
- A09:2021 - Security Logging and Monitoring Failures
- A10:2021 - Server-Side Request Forgery
Terraform
- AdminPolicyDocument: Ensure IAM policies that allow full administrative privileges are not created.
- AKSApiServerAuthorizedIpRanges: Ensure AKS has an API Server Authorized IP Ranges enabled.
- AKSDashboardDisabled: Ensure Kube Dashboard is disabled.
- AKSLoggingEnabled: Ensure AKS logging to Azure Monitoring is Configured.
- AKSNetworkPolicy: Ensure AKS cluster has Network Policy configured.
- AKSRbacEnabled: Ensure RBAC is enabled on AKS clusters.
- ALBListenerHTTPS: Ensure ALB protocol is HTTPS.
- AllowedCapabilities: CIS Benchmark 5.2.8. Minimize the admission of containers with added capabilities.
- AllowPrivilegeEscalation: CIS Benchmark 5.2.5. Minimize the admission of containers with allowPrivilegeEscalation.
- APIGatewayAuthorization: Ensure there is no open access to back-end resources through API.
- AppServiceAuthentication: Ensure App Service Authentication is set on Azure App Service.
- AppServiceHttps20Enabled: Ensure that 'HTTP Version' is the latest if used to run the web app.
- AppServiceHTTPSOnly: Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service.
- AppServiceMinTLSVersion: Ensure web app is using the latest version of TLS encryption.
- AppServieClientCertificate: Ensure the web app has 'Client Certificates (Incoming client certificates)' set.
- AppServieIdentity: Ensure that Register with Azure Active Directory is enabled on App Service.
- AZU003: Resource azurerm_managed_disk.example defines an unencrypted managed disk.
- AZU005: Resource azurerm_virtual_machine.podman has password authentication enabled. Use SSH keys instead.
- AzureInstancePassword: Ensure Azure Instance does not use basic authentication (use SSH keys instead).
- AzureManagedDiscEncryption: Ensure Azure managed disks have encryption enabled.
- CloudfrontDistributionEncryption: Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS.
- CloudfrontDistributionLogging: Ensure Cloudfront distribution has Access Logging enabled.
- CloudtrailEncryption: Ensure CloudTrail logs are encrypted at rest using KMS CMKs.
- CloudtrailLogValidation: Ensure CloudTrail log file validation is enabled.
- CloudtrailMultiRegion: Ensure CloudTrail is enabled in all Regions.
- cloudwatchLogGroupRetention: Ensure that the CloudWatch Log Group specifies retention days.
- ContainerSecurityContext: CIS Benchmark 5.7.3. Apply Security Context to Your Pods and Containers.
- CPULimits: CPU limits should be set.
- CPURequests: CPU requests should be set.
- credentials: Ensure no hardcoded AWS access key and secret key exists in the provider.
- CutsomRoleDefinitionSubscriptionOwner: Ensure that no custom subscription owner roles are created.
- DefaultNamespace: CIS Benchmark 5.7.4. Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them.
- DefaultServiceAccountBinding: CIS Benchmark 5.1.5. Ensure that default service accounts are not actively used.
- DockerSocketVolume: Do not expose the Docker daemon socket to containers.
- DropCapabilities: CIS Benchmark 5.2.7. Do not generally permit containers with the potentially dangerous NET_RAW capability.
- DynamodbRecovery: Ensure Dynamodb point in time recovery (backup) is enabled.
- EBSEncryption: Ensure all data stored in the EBS is securely encrypted.
- EC2Credentials: Ensure no hardcoded AWS access key and secret key exists in EC2 user data.
- ECRImageScanning: Ensure ECR image scanning on push is enabled.
- ECRImmutableTags: Ensure ECR Image Tags are immutable.
- ECSClusterContainerInsights: Ensure Container Insights are enabled on the ECS cluster.
- EKSControlPlaneLogging: Ensure Amazon EKS control plane logging enabled for all log types.
- EKSPublicAccess: Ensure Amazon EKS public endpoint disabled.
- EKSPublicAccessCIDR: Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0.
- EKSSecretsEncryption: Ensure EKS Cluster has Secrets Encryption Enabled.
- ElasticacheReplicationGroupEncryptionAtRest: Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest.
- ElasticacheReplicationGroupEncryptionAtTransit: Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit.
- ElasticacheReplicationGroupEncryptionAtTransitAuthToken: Ensure all data stored in the Elasticache Replication Group is securely encrypted in transit and has an auth token.
- ElasticsearchEncryption: Ensure all data stored in the Elasticsearch is securely encrypted at rest.
- GKEAliasIpEnabled: Ensure Kubernetes Cluster is created with Alias IP ranges enabled.
- GKEBasicAuth: Ensure GKE basic authentication is disabled.
- GKEClientCertificateEnabled: Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters.
- GKEClusterLogging: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters.
- GKEDisableLegacyAuth: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters.
- GKEHasLabels: Ensure Kubernetes Clusters are configured with Labels.
- GKEMonitoringEnabled: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters.
- GKENetworkPolicyEnabled: Ensure Network Policy is enabled on Kubernetes Engine Clusters.
- GKENodePoolAutoRepairEnabled: Ensure 'Automatic node repair' is enabled for Kubernetes Clusters.
- GKENodePoolAutoUpgradeEnabled: Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters.
- GKEPodSecurityPolicyEnabled: Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters.
- GKEPrivateClusterConfig: Ensure Kubernetes Cluster is created with Private cluster enabled.
- GKEPublicControlPlane: Ensure GKE Control Plane is not public.
- GKEUseCosImage: Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image.
- GoogleBigQueryDatasetPublicACL: Ensure that BigQuery datasets are not anonymously or publicly accessible.
- GoogleCloudSqlBackupConfiguration: Ensure all Cloud SQL database instances have backup configuration enabled.
- GoogleCloudSqlDatabasePublicallyAccessible: Ensure that Cloud SQL database instances are not open to the world.
- GoogleCloudSqlDatabaseRequireSsl: Ensure all Cloud SQL database instances require all incoming connections to use SSL.
- GoogleComputeBootDiskEncryption: Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK).
- GoogleComputeDefaultServiceAccount: Ensure that instances are not configured to use the default service account.
- GoogleComputeDiskEncryption: Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK).
- GoogleComputeFirewallUnrestrictedIngress22: Ensure Google compute firewall ingress does not allow unrestricted SSH access.
- GoogleComputeFirewallUnrestrictedIngress3389: Ensure Google compute firewall ingress does not allow unrestricted rdp access.
- GoogleComputeInstanceOSLogin: Ensure that no instance in the project overrides the project setting for enabling OS Login (OS Login needs to be enabled in project metadata for all instances).
- GoogleComputeIPForward: Ensure that IP forwarding is not enabled on Instances.
- GoogleComputeSerialPorts: Ensure 'Enable connecting to serial ports' is not enabled for VM instances.
- GoogleComputeShieldedVM: Ensure Compute instances are launched with Shielded VM enabled.
- GoogleComupteBlockProjectSSH: Ensure 'Block Project-wide SSH keys' is enabled for VM instances.
- GoogleStorageBucketEncryption: Ensure Google storage bucket has encryption enabled.
- GoogleStorageBucketNotPublic: Ensure Google storage bucket is not publicly accessible.
- GoogleStorageBucketUniformAccess: Ensure Google storage bucket has uniform bucket-level access enabled.
- GoogleSubnetworkLoggingEnabled: Ensure that VPC Flow Logs are enabled for every subnet in a VPC Network.
- HostPort: Do not specify hostPort unless absolutely necessary.
- IAMPolicyAttachedToGroupOrRoles: Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to receive or retain excessive privileges inadvertently).
- IAMRoleAllowAssumeFromAccount: Ensure IAM role allows only specific principals in account to assume it.
- ImageDigest: Image should use digest.
- ImagePullPolicyAlways: Image Pull Policy should be Always.
- ImageTagFixed: Image Tag should be fixed - not latest or blank.
- IMDSv1Disabled: Ensure Instance Metadata Service Version 1 is not enabled.
- KeyExpirationDate: Ensure that the expiration date is set on all keys.
- KeyvaultRecoveryEnabled: Ensure the key vault is recoverable.
- KinesisStreamEncryptionType: Ensure Kinesis Stream is securely encrypted.
- KMSRotation: Ensure rotation for customer-created CMKs is enabled.
- KubernetesDashboard: Ensure the Kubernetes dashboard is not deployed.
- LambdaEnvironmentCredentials: Ensure no hard-coded secrets exist in the Lambda environment.
- LambdaXrayEnabled: X-ray tracing is enabled for Lambda.
- LaunchConfigurationEBSEncryption: Ensure all data stored in the Launch configuration EBS is securely encrypted.
- LivenessProbe: Liveness Probe Should be Configured.
- MemoryLimits: Memory limits should be set.
- MemoryRequests: Memory requests should be set.
- MinimizeCapabilities: CIS Benchmark 5.2.9. Minimize the admission of containers with capabilities assigned.
- MonitorLogProfileCategories: Ensure audit profile captures all the activities.
- MonitorLogProfileRetentionDays: Ensure that Activity Log Retention is set 365 days or greater.
- MQBrokerLogging: Ensure MQ Broker logging is enabled.
- MySQLServerSSLEnforcementEnabled: Ensure 'Enforce SSL connection' is set to ENABLED for MySQL Database Server.
- NeptuneClusterStorageEncrypted: Ensure Neptune storage is securely encrypted.
- NetworkWatcherFlowLogPeriod: Ensure that Network Security Group Flow Log retention period is greater than 90 days.
- NSGRuleRDPAccessRestricted: Ensure that RDP access is restricted from the internet.
- NSGRuleSSHAccessRestricted: Ensure that SSH access is restricted from the internet.
- PodSecurityContext: CIS Benchmark 5.7.3. Apply Security Context to Your Pods and Containers.
- PostgreSQLServerConnectionThrottlingEnabled: Ensure server parameter 'connection_throttling' is set to ON for PostgreSQL Database Server.
- PostgreSQLServerLogCheckpointsEnabled: Ensure server parameter 'log_checkpoints' is set to ON for PostgreSQL Database Server.
- PostgreSQLServerSSLEnforcementEnabled: Ensure 'Enforce SSL connection' is set to ENABLED for PostgreSQL Database Server.
- PrivateRepo: Ensure Repository is Private.
- PrivilegedContainers: CIS Benchmark 5.2.1. Minimize the admission of privileged containers.
- RDSEncryption: Ensure all data stored in the RDS is securely encrypted at rest.
- RDSPubliclyAccessible: Ensure all data stored in the RDS is not publicly accessible.
- ReadinessProbe: Readiness Probe Should be Configured.
- ReadOnlyFilesystem: Use read-only filesystem for containers where possible.
- RedshiftClusterEncryption: Ensure all data stored in the Redshift cluster is securely encrypted at rest.
- RootContainers: CIS Benchmark 5.2.6. Minimize the admission of root containers.
- RootContainersHighUID: Containers should run as a high UID to avoid host conflict.
- S3AccessLogs: Ensure the S3 bucket has access logging enabled.
- S3AllowsAnyPrincipal: Ensure S3 bucket does not allow an action with any Principal.
- S3BlockPublicACLs: Ensure S3 bucket has block public ACLS enabled.
- S3BlockPublicPolicy: Ensure S3 bucket has block public policy enabled.
- S3Encryption: Ensure all data stored in the S3 bucket is securely encrypted at rest.
- S3IgnorePublicACLs: Ensure S3 bucket has ignore public ACLs enabled.
- S3MFADelete: Ensure S3 bucket has MFA delete enabled.
- S3PublicACLRead: S3 bucket has an ACL defined which allows public READ access.
- S3RestrictPublicBuckets: Ensure S3 bucket has restrict_public_bucket enabled.
- S3Versioning: Ensure S3 bucket has versioning enabled.
- Seccomp: CIS Benchmark 5.7.2. Ensure that the seccomp profile is set to docker/default in your pod definitions.
- SecretExpirationDate: Ensure that the expiration date is set on all secrets.
- Secrets: CIS Benchmark 5.4.1. Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets.
- SecurityCenterContactEmailAlert: Ensure that 'Send email notification for high severity alerts' is set to On.
- SecurityCenterContactEmailAlertAdmins: Ensure that 'Send email notification for high severity alerts' is set to On for admins.
- SecurityCenterContactPhone: Ensure that security contact 'Phone number' is set.
- SecurityCenterStandardPricing: Ensure that standard pricing tier is selected.
- SecurityGroupRuleDescription: Ensure every security groups rule has a description.
- SecurityGroupUnrestrictedIngress22: Ensure no security groups allow ingress from 0.0.0.0:0 to port 22.
- SecurityGroupUnrestrictedIngress3389: Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389.
- ServiceAccountTokens: CIS Benchmark 5.1.6. Ensure that Service Account Tokens are only mounted where necessary.
- SharedHostNetworkNamespace: CIS Benchmark 5.2.4. Minimize the admission of containers wishing to share the host network namespace.
- ShareHostIPC: CIS Benchmark 5.2.3. Minimize the admission of containers wishing to share the host IPC namespace.
- ShareHostPID: CIS Benchmark 5.2.2. Minimize the admission of containers wishing to share the host process ID namespace.
- SNSTopicEncryption: Ensure all data stored in the SNS topic is encrypted.
- SQLServerAuditingEnabled: Ensure that 'Auditing' is set to On for SQL servers.
- SQLServerAuditingRetention90Days: Ensure that 'Auditing' Retention is greater than 90 days for SQL servers.
- SQLServerEmailAlertsEnabled: Ensure that 'Send Alerts To' is enabled for MSSQL servers.
- SQLServerEmailAlertsToAdminsEnabled: Ensure that 'Email service and co-administrators' is Enabled for MSSQL servers.
- SQLServerThreatDetectionTypes: Ensure that 'Threat Detection types' is set to All.
- SQSQueueEncryption: Ensure all data stored in the SQS queue is encrypted.
- StarActionPolicyDocument: Ensure no IAM policy documents allow "*" as a statement's actions.
- StorageAccountAzureServicesAccessEnabled: Ensure 'Trusted Microsoft Services' is enabled for Storage Account access.
- StorageAccountDefaultNetworkAccessDeny: Ensure default network access rule for Storage Accounts is set to deny.
- StorageAccountLoggingQueueServiceEnabled: Ensure Storage logging is enabled for Queue service for read, write and delete requests.
- StorageAccountMinimumTlsVersion: Ensure Storage Account is using the latest version of TLS encryption.
- StorageAccountsTransportEncryption: Ensure that 'Secure transfer required' is set to Enabled.
- WAFEnabled: CloudFront Distribution should have WAF enabled.
- XSS: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.