CloudSploit's remediation guides are intended to be an open-source resource for improving cloud security. Many cloud IaaS providers like AWS, Azure, and Google Cloud have a shared responsibility model. They provide the physical and architectural security, along with tools to properly secure the services they offer, but it is up to the user to configure those settings properly.
This repository is an extension of CloudSploit's open-source scanning engine. We first released the scanning engine in 2015, and this documentation repository is a natural follow-up to that tool. The goal of these guides is to provide detailed steps for remediating common security issues in cloud services.
- AWS
  - ACM
  - AutoScaling
  - CloudFront
  - CloudTrail
  - CloudWatchLogs
  - ConfigService
  - EC2
    - Cross VPC Public Private Communication
    - Default Security Group
    - Default VPC In Use
    - Detect EC2 Classic Instances
    - EBS Encrypted Snapshots
    - EBS Encryption Enabled
    - EC2 Instance Key Based Login
    - EC2 Max Instances
    - Elastic IP Limit
    - Encrypted AMI
    - Excessive Security Groups
    - Instance IAM Role
    - Instance Limit
    - NAT Multiple AZ
    - Network Acl Has Tags
    - Open All Ports Protocols
    - Open CIFS
    - Open DNS
    - Open Elasticsearch
    - Open FTP
    - Open MySQL
    - Open NetBIOS
    - Open Oracle
    - Open PostgreSQL
    - Open RDP
    - Open RPC
    - Open SMBoTCP
    - Open SMTP
    - Open SQL Server
    - Open SSH
    - Open Telnet
    - Open VNC Client
    - Open VNC Server
    - Overlapping Security Groups
    - Public AMI
    - Subnet IP Availability
    - VPC Elastic IP Limit
    - VPC Flow Logs Enabled
    - VPC Multiple Subnets
  - ELB
  - Firehose
  - IAM
    - Access Keys Extra
    - Access Keys Last Used
    - Access Keys Rotated
    - Certificate Expiry
    - Empty Groups
    - IAM User Admins
    - Maximum Password Age
    - Minimum Password Length
    - No User IAM Policies
    - Password Expiration
    - Password Requires Lowercase
    - Password Requires Numbers
    - Password Requires Symbols
    - Password Requires Uppercase
    - Password Reuse Prevention
    - Root Access Keys
    - Root Account In Use
    - Root MFA Enabled
    - SSH Keys Rotated
    - Users MFA Enabled
    - Users Password Last Used
  - KMS
  - Kinesis
  - Lambda
  - RDS
  - Redshift
  - Route53
  - S3
  - SES
  - SNS
  - SQS
  - SSM
  - SageMaker
- Azure
  - Active Directory
  - App Service
  - Azure Policy
  - Blob Service
  - CDN Profiles
  - Container App
  - Container Registry
  - Defender
    - Auto Provisioning Enabled
    - High Severity Alerts Enabled
    - Monitor Endpoint Protection
    - Monitor External Accounts with Write Permissions
    - Monitor IP Forwarding
    - Monitor JIT Network Access
    - Monitor Next Generation Firewall
    - Monitor System Updates
    - Monitor Total Number of Subscription Owners
    - Security Configuration Monitoring
    - Security Contact Additional Email
    - Security Contacts Enabled
    - Security Contact Enabled for Subscription Owner
    - Standard Pricing Enabled
  - File Service
  - Key Vaults
  - Kubernetes Service
  - Load Balancer
  - Log Alerts
  - Monitor
  - MySQL Server
  - Network Security Groups
    - Default Security Group
    - Excessive Security Groups
    - Network Watcher Enabled
    - Open All Ports
    - Open CIFS
    - Open DNS
    - Open FTP
    - Open Hadoop HDFS NameNode Metadata Service
    - Open Hadoop HDFS NameNode WebUI
    - Open Kibana
    - Open MySQL
    - Open NetBIOS
    - Open Oracle
    - Open Oracle Auto Data Warehouse
    - Open PostgreSQL
    - Open RDP
    - Open RPC
    - Open SMBoTCP
    - Open SMTP
    - Open SQLServer
    - Open SSH
    - Open Telnet
    - Open VNC Client
    - Open VNC Server
  - PostgreSQL Server
  - Queue Service
  - Resources
  - SQL Databases
  - SQL Server
  - Storage Accounts
  - Table Service
  - Virtual Machines
  - Virtual Networks
  - Virtual Machine Scale Set
- Google
  - CLB
  - Compute
  - Cryptographic Keys
  - DNS
  - IAM
  - Kubernetes
    - Alias IP Ranges Enabled
    - Automatic Node Repair Enabled
    - Automatic Node Upgrades Enabled
    - Basic Authentication Disabled
    - COS Image Enabled
    - Cluster Labels Added
    - Cluster Least Privilege
    - Default Service Account
    - Legacy Authorization Disabled
    - Logging Enabled
    - Master Authorized Network
    - Monitoring Enabled
    - Network Policy Enabled
    - Pod Security Policy Enabled
    - Private Cluster Enabled
    - Private Endpoint
    - Web Dashboard Disabled
  - Logging
  - SQL
  - Storage
  - VPC Network
    - Default VPC In Use
    - Excessive Firewall Rules
    - Flow Logs Enabled
    - Multiple Subnets
    - Open All Ports
    - Open CIFS
    - Open DNS
    - Open FTP
    - Open Hadoop HDFS NameNode Metadata Service
    - Open Hadoop HDFS NameNode WebUI
    - Open Kibana
    - Open MySQL
    - Open NetBIOS
    - Open Oracle
    - Open Oracle Auto Data Warehouse
    - Open PostgreSQL
    - Open RDP
    - Open RPC
    - Open SMBoTCP
    - Open SMTP
    - Open SQLServer
    - Open SSH
    - Open Telnet
    - Open VNC Client
    - Open VNC Server
    - Private Access Enabled
- GitHub
- Oracle
  - Audit
  - Block Storage
  - Compute
  - Database
  - File Storage
  - Identity
  - Networking
    - Default Security List
    - Excessive Security Lists
    - LB Network Security Groups Enabled
    - Load Balancer HTTPS Only
    - Load Balancer No Instances
    - Open All Ports Protocols
    - Open Autonomous Data Warehouse
    - Open CIFS
    - Open DNS
    - Open FTP
    - Open Hadoop HDFS NameNode Metadata Service
    - Open Hadoop HDFS NameNode WebUI
    - Open Kibana
    - Open MySQL
    - Open NetBIOS
    - Open Oracle
    - Open PostgreSQL
    - Open RDP
    - Open RPC
    - Open SMBoTCP
    - Open SMTP
    - Open SQLServer
    - Open SSH
    - Open Telnet
    - Open VNC Client
    - Open VNC Server
    - Stateless Security Rules
    - Subnet Multi AD
    - VCN Multiple Subnets
    - WAF Public IP Enabled
  - Object Store
Please see the contributor's guide.