iCompaas Support

IAM policy 5

• How to add additional aws accounts to your plan ?
• How do i check my existing subscription plan ?
• How does good Cybersecurity operate?
• What are the costs of a Cybersecurity attack?
• EC2 Approved AMIs Check (by AMI Tag)

Policy Updates 137

• Ensure any of the Elastic or Public IP are in Shodan
• Ensure Amazon Sage Maker Notebook instances have root access disabled
• Ensure Amazon SageMaker Notebook instances have VPC settings configured
• Ensure Amazon SageMaker Models have network isolation enabled
• Ensure Amazon SageMaker Models have VPC settings configured

View all 137

Azure_compliance/control/check 100

• Ensure Trusted Locations Are Defined In Conditional Access Policies
• Ensure that an exclusionary Geographic Access Policy is considered
• Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
• Ensure that A Multi-factor Authentication Policy Exists for All Users
• Ensure Multi-factor Authentication is Required for Risky Sign-ins

View all 100

Process Documents 5

• CloudFlare Vs AWS Route 53
• Google Workspace Integration with iCompaas
• Cloudflare Implementation & Security Guide
• Steps to Update Default Region in AWS
• Retrieving Snapshots and Deploying AWS Stack with CISOBot

CIS Microsoft Azure Foundations Benchmark v4.0.0 0

IAM Policies 42

• Ensure there are no EC2 AMIs set as Public
• Ensure users of groups with AdministratorAccess policy have MFA tokens enabled
• Ensure there are no EBS Snapshots set as Public
• Ensure there are no S3 buckets open to the Everyone or Any AWS user
• Ensure there are no Security Groups without ingress filtering being used

View all 42

AWS Services 130

• Ensure there are no ECR repositories set as Public
• Ensure there are no Public Accessible RDS instances
• Ensure there are no internet facing Elastic Load Balancers
• Ensure there are no internet facing EC2 Instances
• Ensure Redshift Cluster is not publicly accessible

View all 130

VPC Policies 20

• Ensure Security Groups do not allow unrestricted ingress access to any port
• Ensure Security Groups do not allow unrestricted ingress access to Oracle Ports 1521 or 2483
• Ensure Security Groups do not allow unrestricted ingress access to MySQL port 3306
• Ensure Security Groups do not allow unrestricted ingress access to Postgres port 5432
• Ensure Security Groups do not allow unrestricted ingress access to Redis port 6379

View all 20

Automation Policies 18

• Ensure Lambda Dead Letter Queue(DLQ) is enabled
• Ensure Lambda Concurrency Limit is Configured
• Ensure CloudFormation Stack Drift Detection Check
• Ensure EC2 Instances Managed by Systems Manager (SSM)
• Ensure Elastic Beanstalk Enhanced Health Reporting Enabled

View all 18

Amazon Lightsail 8

• Ensure LightSail Disk have Automatic Backup Enabled
• Ensure Lightsail IPv4 Firewall will not allow traffic from any port
• Ensure Alarm exist for CPU Utilization for Lightsail instances
• Ensure Amazon LightSail Bucket is not publicly accessible
• Ensure alarm exist for Lightsail bucket storage

View all 8

CIS Control 1 1

• Ensure a support role has been created to manage incidents with AWS Support

CIS Control 1.4 1

• Ensure AWS Config is enabled in all regions

CIS Control 4 1

• Ensure IAM policies that allow full "*:*" administrative privileges are not created

CIS Control 4.3 2

• Ensure root account user is not used
• Ensure no root account access key exists

CIS Control 4.4 1

• Ensure IAM password policy prevents password reuse

CIS Control 4.5 2

• Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
• Ensure MFA is enabled for the "root" account

CIS Control 4.9 1

• Ensure a log metric filter and alarm exist for usage of "root" account

CIS Control 5.5 1

• Ensure a log metric filter and alarm exist for VPC changes

CIS Control 6 1

• Ensure a log metric filter and alarm exist for CloudTrail configuration changes

CIS Control 6.2 6

• Ensure CloudTrail is enabled in all regions
• Ensure CloudTrail trails are integrated with CloudWatch Logs
• Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
• Ensure a log metric filter and alarm exist for S3 bucket policy changes
• Ensure a log metric filter and alarm exist for changes to network gateways

View all 6

CIS Control 6.3 1

• Maintain current contact details

CIS Control 6.5 1

• Ensure a log metric filter and alarm exist for unauthorized API calls

CIS Control 6.7 0

CIS Control 9.2 2

• Ensure no security groups allow ingress from all IPs(0.0.0.0/0) to SSH (Port 22)
• Ensure no security groups allow ingress from all IPs to RDP Port(3389)

CIS Control 11.3 0

CIS Control 14 0

CIS Control 14.6 1

• Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

CIS Control 14.9 0

CIS Control 16 11

• Ensure IAM password policy requires at least one uppercase letter
• Ensure IAM password policy require at least one lowercase letter
• Ensure IAM password policy require at least one symbol
• Ensure IAM password policy require at least one number
• Ensure IAM password policy requires minimum length of 14 or greater

View all 11

CIS Control 16.9 2

• Ensure credentials unused for 90 days or greater are disabled
• Ensure access keys are rotated every 90 days or less

CIS Control 19 2

• Ensure security contact information is registered
• Ensure a log metric filter and alarm exist for AWS Management Console Authentication failures

CIS Control 1.4 1

• Ensure a log metric filter and alarm exist for AWS Config configuration changes

CIS Control 4.5 1

• Ensure hardware MFA is enabled for the "root" account

CIS Control 4.8 1

• Ensure a log metric filter and alarm exist for security group changes

CIS Control 6 3

• Ensure CloudTrail log file validation is enabled
• Ensure CloudTrail logs are encrypted at rest using KMS CMKs
• Ensure rotation for customer created CMKs is enabled

CIS Control 6.2 1

• Ensure VPC flow logging is enabled in all VPCs

CIS Control 11.3 1

• Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

CIS Control 14.6 2

• Ensure the default security group of every VPC restricts all traffic
• Ensure routing tables for VPC peering are "least access"

CIS Control 16 1

• Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs

CIS Control 19 1

• Ensure IAM instance roles are used for AWS resource access from instances

1. Identity and Access Management 22

• Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
• Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
• Ensure Guest Users Are Reviewed on a Regular Basis
• 1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled
• 1.5 Ensure that 'Number of methods required to reset' is set to '2'

View all 22

2. Security Center 15

• Ensure That Microsoft Defender for Servers Is Set to 'On'
• Ensure That Microsoft Defender for App Services Is Set To 'On'
• 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers
• Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' .
• Ensure That Microsoft Defender for Storage Is Set To 'On'

View all 15

3. Storage Accounts 9

• 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
• 3.2 Ensure that storage account access keys are periodically regenerated
• Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests (Automated)
• 3.4 Ensure that shared access signature tokens expire within an hour
• Ensure that 'Public access level' is disabled for storage accounts with blob containers (Automated).

View all 9

4. Database Services 10

• 4.1.1 Ensure that 'Auditing' is set to 'On'
• Ensure that 'Data encryption' is set to 'On' on a SQL Database
• Ensure that 'Auditing' Retention is 'greater than 90 days'
• Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
• Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account

View all 10

5. Logging and Monitoring 8

• 5.1.1 Ensure that a 'Diagnostics Setting' exists for exporting activity logs
• Ensure Diagnostic Setting captures appropriate categories from the control/management plane
• 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
• Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
• 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment

View all 8

6. Networking 0

7. Virtual Machines 0

8. Other Security Considerations 0

9. AppService 2

• 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app
• 9.10 Ensure FTP deployments are disabled

CIS Control 4.5 2

• Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
• Ensure MFA is enabled for the "root" account

CIS Control 6.2 3

• Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
• Ensure VPC flow logging is enabled in all VPCs
• Ensure a log metric filter and alarm exist for S3 bucket policy changes

CIS Control 6 1

• Ensure CloudTrail logs are encrypted at rest using KMS CMKs

CIS Control 14.6 1

• Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

AWS - HIPAA 10

• Check if S3 buckets have server access logging enabled
• Enable S3 buckets have Object-level logging enabled in CloudTrail
• Ensure there are no EBS Snapshots set as Public
• Ensure there are no Security Groups not being used
• Ensure Elastic Load Balancers have logging enabled

View all 10

Controls 1

• HIPAA 164.312(e)(2)(ii) - Encryption

Privacy Rule 1

• HIPAA 164.310(d)(2)(iii) - Accountability

Security Rule 27

• HIPAA 164.308(a)(3)(i) - Workforce security
• HIPAA 164.310(d)(2)(i) - Disposal
• HIPPA 164.310(d)(2)(iv) - Data backup and storage
• HIPAA 164.308(a)(3)(ii)(C) - Termination procedures
• HIPAA 164.308(a)(3)(ii)(B) - Workforce clearance procedure

View all 27

Patient Rights 9

• 164.312(a)(2)(ii) - Emergency access procedure
• 164.310(d)(2)(ii) Media re-use
• 164.310(c) - Workstation security
• 164.310(b) Workstation use
• 163.310(a)(2)(iv) - Maintenance records

View all 9

Business Associate Agreements 1

• 164.308(a)(7)(ii)(D) - Testing and revision procedures

Enforcement Rule 11

• 164.312(a)(1) - Access control
• 164.312(a)(2)(iv) - Encryption and decryption
• 164.312(e)(1) - Transmission security
• 164.312(e)(2)(i) - Integrity controls
• 164.312(e)(2)(ii) - Encryption

View all 11

Breach Notification Rule 3

• 164.308(a)(1)(ii)(C)- Sanction policy
• 164.308(a)(7)(ii)(C)- Emergency mode operation plan
• 164.308(a)(7)(ii)(E)- Applications and data criticality analysis

Your order 0

Coupons 0

Privacy policy 0

Opt-out policy 0

InfoSec 5

• Security Headers Remediation - Content Security Policy
• Why do we need to use Proxy
• WAF Recommendation - Cloudflare
• Security Header Remediation: X Frame Options
• Security Header Remediation: Referrer-Policy

Your account 2

• Integrating Azure to iCompaas
• Deleting iCompaas_Stack from AWS Account

SOC2 Controls 12

• Ensure S3 buckets have custom backup schedule configured
• Ensure EFS storage have backup schedule configured
• Ensure FSx Lustre has backup schedule configured
• Ensure FSx for Windows File System has backup schedule configured
• Ensure the RDS storage has retention enabled

View all 12

Cost Savings 9

• Cloud Resource Instance Upgrade
• Right Sizing Resource
• Deleting Orphan EBS Volumes - Instance Storage
• Database Upgrade - Consider upgrading instance class from db.r4 to db.r5
• Cache Upgrade - Consider upgrading ElastiCache instance class from cache.r4 to cache.r5

View all 9

Best Practices 3

• S3 Lifecycle Management
• Ensure S3 Bucket Replication Enabled
• Ensure S3 Bucket Inventory Configuration enabled

CyberSecurity-Topics 97

• Static Code Scanning
• Network firewalls
• Encryption
• Data Classification
• Access Control

View all 97

States 0

800-171 110

• NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
• NIST 800-171 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
• NIST 800-171 3.1.3 Control the flow of CUI in accordance with approved authorizations.
• NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
• NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.

View all 110

800-53 0

800-172 0

2.0 96

• CMMC 2.0 AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
• CMMC 2.0 AC.1.002 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
• CMMC 2.0 AC.1.003 Verify and control/limit connections to and use of external information systems.
• CMMC 2.0 AC.1.004 Control Public Information Control information posted or processed on publicly accessible information systems.
• CMMC 2.0 AC.2.016 Control CUI Flow Control the flow of CUI in accordance with approved authorizations.

View all 96

GCP Knowledge Bases 89

• 1.1 Ensure Corporate Login Credentials Are Used (Manual)
• 1.2 Ensure Multi-Factor Authentication is Enabled for All Non-Service Accounts (Manual)
• 1.3 Ensure Security Key Enforcement is Enabled for All Admin Accounts (Manual)
• 1.4 Ensure Only GCP-Managed Service Account Keys Are Used for Each Service Account (Automated)
• 1.5 Ensure Service Accounts Do Not Have Admin Privileges (Automated)

View all 89

CIS Control 5 8

• 5.1.1 Ensure EBS Volume Encryption is Enabled in All Regions (Automated)
• 5.1.2 Ensure CIFS Access is Restricted to Trusted Networks to Prevent Unauthorized Access (Manual)
• 5.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to Remote Server Administration Ports (Automated)
• 5.3 Ensure No Security Groups Allow Ingress from 0.0.0.0/0 to Remote Server Administration Ports (Automated)
• 5.4 Ensure No Security Groups Allow Ingress from ::/0 to Remote Server Administration Ports (Automated)

View all 8

CIS Control 2 9

• 2.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS
• 2.2.3 Ensure that RDS instances are not publicly accessible
• 2.2.2 Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances
• 2.2.1 Ensure that encryption-at-rest is enabled for RDS instances
• 2.1.4 Ensure that S3 is configured with 'Block Public Access' enabled

View all 9

CIS Control 1 22

• 1.22 Restrict Access to AWSCloudShellFullAccess (Manual)
• 1.1 Maintain Current Contact Details (Manual)
• 1.21 Ensure IAM Users Are Managed Centrally via Identity Federation or AWS Organizations in Multi-Account Environments (Manual)
• 1.11 Do Not Create Access Keys During Initial Setup for IAM Users with a Console Password (Manual)
• 1.2 Ensure Security Contact Information is Registered (Manual)

View all 22

CIS Control 4 16

• 4.16 Ensure AWS Security Hub is Enabled (Automated)
• 4.15 Ensure AWS Organizations Changes are Monitored (Manual)
• 4.14 Ensure VPC Changes are Monitored (Manual)
• 4.13 Ensure Route Table Changes are Monitored (Manual)
• 4.12 Ensure Changes to Network Gateways are Monitored (Manual)

View all 16

CIS Control 3 8

• 3.2 Ensure CloudTrail Log File Validation is Enabled (Automated)
• 3.3 Ensure AWS Config is Enabled in All Regions (Automated)
• 3.4 Ensure Server Access Logging is Enabled on the CloudTrail S3 Bucket (Automated)
• 3.5 Ensure CloudTrail Logs Are Encrypted at Rest Using KMS CMKs (Automated)
• 3.6 Ensure Rotation for Customer-Created Symmetric CMKs Is Enabled (Automated)

View all 8

AWS New Checks 470

• GuardDuty EKS Runtime Monitoring should be enabled
• EFS Access Points Should Enforce a User Identity
• Check if GuardDuty Lambda Protection is enabled
• GuardDuty EKS Audit Log Monitoring Enabled
• EFS Should Not Have Policies Allowing Unrestricted Access Within VPC

View all 470

Azure microsoft CIS 139

• Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK)
• Ensure Critical Data is Encrypted with Customer Managed Keys (CMK)
• Ensure Public Network Access is Disabled (Automated)
• Ensure Network Access Rules are Set to Deny-by-Default (Automated)
• Ensure Private Endpoints are Used to Access {Service} (Automated)

View all 139

AWS Compute Services Benchmark v1.1.0 68

• Ensure Consistent Naming Convention is Used for Organizational AMI
• Ensure Amazon Machine Images (AMIs) Are Encrypted
• Ensure Only Approved Amazon Machine Images (AMIs) Are Used
• Ensure Images (AMI) Are Not Older Than 90 Days
• Ensure Images Are Not Publicly Available

View all 68

CIS AWS Benchmarks 63

• 1.1 Maintain current contact details (Manual)
• 1.2 Ensure security contact information is registered (Manual)
• 1.3 Ensure no 'root' user account access key exists (Automated)
• 1.4 Ensure MFA is enabled for the 'root' user account (Automated)
• 1.5 Ensure hardware MFA is enabled for the 'root' user account (Manual)

View all 63

CIS Amazon Elastic Kubernetes Service (EKS) Benchmark 46

• Enable Audit Logs
• Ensure Audit Logs are Collected and Managed
• Ensure that the kubeconfig file permissions are set to 644 or More Restrictive
• Ensure that the kubelet kubeconfig file ownership is set to root:root
• Ensure that the kubelet configuration file has permissions set to 644 or More Restrictive

View all 46

CIS Docker Benchmark 116

• Ensure a Separate Partition for Containers Has Been Created
• Ensure Only Trusted Users Are Allowed to Control Docker Daemon
• Ensure Auditing is Configured for the Docker Daemon
• Ensure Auditing is Configured for Docker Files and Directories - /run/containerd
• Ensure Auditing is Configured for Docker Files and Directories - /var/lib/docker

View all 116

CIS AWS Database Services Benchmark v1.0.0 61

• Ensure Amazon VPC (Virtual Private Cloud) has been created
• Ensure the Use of Security Groups
• Ensure Data at Rest is Encrypted
• Ensure Data in Transit is Encrypted
• Ensure IAM Roles and Policies are Created

View all 61

CIS AWS Storage Services 56

• AWS Storage Backups
• Ensure Securing AWS Backups
• Ensure to Create Backup Template and Name
• Ensure to Create AWS IAM Policies
• Ensure to Create IAM Roles for Backup

View all 56

CIS Kubernetes Benchmark 129

• Ensure that the API Server Pod Specification File Permissions Are Set to 600 or More Restrictive
• Ensure that the API server pod specification file ownership is set to root:root
• Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
• Ensure that the controller manager pod specification file ownership is set to root:root
• Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive

View all 129

Azure Kubernetes Service (AKS) Benchmark 48

• Enable Audit Logs
• Ensure that the kubeconfig file permissions are set to 644 or more restrictive
• Ensure that the kubelet kubeconfig file ownership is set to root:root
• Ensure that the azure.json file has permissions set to 644 or more restrictive
• Ensure that the azure.json file ownership is set to root:root

View all 48

CIS Azure compute Services 22

• Ensure ‘HTTPS Only’ is Enabled for Azure App Services
• Ensure App Service Authentication is set up for apps in Azure App Service
• Ensure ‘FTP State’ is Set to ‘FTPS Only’ or ‘Disabled’ for Azure App Services
• Ensure Web App is using the latest version of TLS encryption
• Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

View all 22

Azure Database Services Benchmark 28

• Enable Microsoft Entra Authentication for Azure SQL Servers to Centralize Identity and Access Management
• Enforce SSL-Only Access for Azure Cache for Redis to Secure Data in Transit
• Set Minimum TLS Version to 1.2 or Higher for Secure Azure Services
• Implement and Periodically Review Access Policies for Azure Cache for Redis to Enforce RBAC and Least Privilege
• Enable System Assigned Managed Identity on Azure Cache for Redis to Enhance Secure Access

View all 28

Azure Storage Services Benchmark 64

• Ensure 'Allowed Protocols' for Shared Access Signature (SAS) Tokens Are Restricted to HTTPS Only for Secrets and Keys
• Ensure that shared access signature (SAS) tokens expire within an hour for Secrets and Keys
• Ensure stored access policies (SAP) are used when generating shared access signature (SAS) tokens
• Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK)
• Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts

View all 64

CIS GitHub Benchmark v1.0.0 117

• Ensure Track All Code Changes Using a Version Control System
• Ensure Trace Code Changes to Their Corresponding Tasks or Issues
• Ensure Enforce Two-Person Code Change Approval with Strong Authentication
• Ensure Invalidate Prior Approvals Upon Code Change Updates
• Ensure Restrict Permissions for Dismissing Code Review Approvals

View all 117

CIS_Amazon_Linux_2_Benchmarks 290

• Ensure Audit Logging of Network Environment Modification Events
• Ensure Audit Logging of Privileged Command Usage
• Ensure Audit Logging of Unsuccessful File Access Attempts
• Ensure Audit Logging of User and Group Modification Events
• Ensure Audit Logging of Discretionary Access Control Permission Modifications

View all 290