Compliance

Control Mapping

Mapping of CITC's 203 cloud security controls (101 AWS, 83 Azure, 19 Kubernetes) to five industry compliance frameworks. Every control carries at least a NIST CSF and a SOC 2 reference; PCI DSS, HIPAA and CIS coverage is partial, as the per-framework counts below show.

Controls mapped per framework (of 203 total):

Total controls: 203
CITC CSB: 203
NIST CSF: 203
PCI DSS: 195
HIPAA: 194
SOC 2: 203
CIS: 167 (figure from the page's summary card; the table below carries a CIS reference for 161 controls)
Framework key:

CITC CSB: CITC Cloud Security Baseline v1.0
NIST CSF: NIST Cybersecurity Framework v2.0. Note that the subcategory identifiers used in the table (PR.AC-1, PR.IP-1, PR.PT-1, DE.DP-4, ID.GV-3 and so on) follow the CSF v1.1 numbering: CSF 2.0 replaced PR.AC with PR.AA and no longer has the PR.IP, PR.PT, DE.DP or ID.GV categories, so re-map these through NIST's 1.1-to-2.0 crosswalk before citing them as 2.0 references.
PCI DSS: Payment Card Industry Data Security Standard v4.0
HIPAA: Health Insurance Portability and Accountability Act v2024
SOC 2: SOC 2 Type II Trust Services Criteria v2024
CIS: CIS Benchmarks v3.0
A dash (-) in a framework column means the control has no mapping to that framework.
Amazon Web Services (101 controls)

| Policy ID | Service | Severity | Title | CITC CSB | NIST CSF | PCI DSS | HIPAA | SOC 2 | CIS |
|---|---|---|---|---|---|---|---|---|---|
| aws-acm-001 | acm | high | ACM certificate expiring within 30 days | 30.1 | PR.DS-2, PR.IP-1 | 4.1 | 164.312(e)(1) | CC6.1 | - |
| aws-acm-002 | acm | low | ACM certificate without transparency logging | 30.2 | DE.CM-1, PR.PT-1 | 10.2.1 | 164.312(b) | CC7.2 | - |
| aws-apigw-001 | apigateway | high | API Gateway REST API without authorization | 43.1 | PR.AC-1, PR.AC-7 | 7.2.1, 8.3.1 | 164.312(d) | CC6.1, CC6.2 | - |
| aws-apigw-002 | apigateway | medium | API Gateway without WAF association | 43.2 | PR.DS-5, DE.CM-1 | 6.6 | 164.312(e)(1) | CC6.1, CC6.6 | - |
| aws-apigw-003 | apigateway | medium | API Gateway stage without access logging | 43.3 | DE.CM-1, PR.PT-1 | 10.2.1 | 164.312(b) | CC7.2 | - |
| aws-apigw-004 | apigateway | low | API Gateway stage without throttling | 43.4 | PR.DS-4, PR.PT-4 | 6.5.10 | 164.312(a)(1) | A1.2 | - |
| aws-cf-001 | cloudfront | high | CloudFront distribution using outdated TLS | 10.3 | PR.DS-2, PR.DS-5 | 4.2.1 | 164.312(e)(1) | CC6.7 | 2.1 |
| aws-cf-002 | cloudfront | medium | CloudFront distribution without WAF | 10.4 | PR.AC-5, DE.CM-1 | 6.4.1 | 164.308(a)(1) | CC7.1 | 2.1 |
| aws-cf-003 | cloudfront | medium | CloudFront S3 origin without OAI or OAC | 10.5 | PR.AC-3, PR.DS-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | - |
| aws-cf-004 | cloudfront | medium | CloudFront distribution without response headers policy | 10.6 | PR.DS-2, PR.PT-4 | 6.5.10 | 164.312(e)(1) | CC6.1 | - |
| aws-ct-001 | cloudtrail | high | CloudTrail not enabled in all regions | 8.1 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | 3.1 |
| aws-ct-002 | cloudtrail | medium | CloudTrail log file validation disabled | 8.2 | PR.DS-6, DE.CM-3 | 10.2.1 | 164.312(b) | CC7.2 | 3.2 |
| aws-ct-003 | cloudtrail | medium | CloudTrail logs not encrypted with KMS | 8.3 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 3.7 |
| aws-ct-004 | cloudtrail | high | AWS Config not enabled | 8.4 | DE.CM-1, ID.AM-1 | 10.2.1 | 164.312(b) | CC7.2 | 3.5 |
| aws-cw-001 | cloudwatch | medium | No metric filter for unauthorized API calls | 26.1 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | 4.3 |
| aws-cw-002 | cloudwatch | medium | No metric filter for console sign-in without MFA | 26.2 | PR.AC-7, DE.CM-1 | 8.3.1 | 164.312(d) | CC6.1 | 4.2 |
| aws-cw-003 | cloudwatch | high | No metric filter for root account usage | 26.3 | PR.AC-4, DE.CM-1 | 10.2.2 | 164.312(a)(1) | CC6.1 | 4.3 |
| aws-cw-004 | cloudwatch | medium | No metric filter for IAM policy changes | 26.4 | DE.CM-1, PR.IP-1 | 10.2.7 | 164.312(b) | CC7.2 | 4.4 |
| aws-cw-005 | cloudwatch | medium | No metric filter for CloudTrail config changes | 26.5 | DE.CM-1, PR.PT-1 | 10.5.2 | 164.312(b) | CC7.2 | 4.5 |
| aws-cw-006 | cloudwatch | medium | No metric filter for console authentication failures | 26.6 | DE.CM-1, DE.AE-3 | 10.2.4 | 164.312(b) | CC7.2 | 4.6 |
| aws-cw-007 | cloudwatch | medium | No metric filter for CMK disabling or deletion | 26.7 | DE.CM-1, PR.DS-1 | 10.2.7 | 164.312(a)(2)(iv) | CC7.2 | 4.7 |
| aws-cw-008 | cloudwatch | medium | No metric filter for S3 bucket policy changes | 26.8 | DE.CM-1, PR.AC-3 | 10.2.7 | 164.312(b) | CC7.2 | 4.8 |
| aws-cw-009 | cloudwatch | medium | No metric filter for security group changes | 26.9 | DE.CM-1, PR.AC-5 | 10.2.7 | 164.312(b) | CC7.2 | 4.10 |
| aws-cw-010 | cloudwatch | medium | No metric filter for network gateway changes | 26.10 | DE.CM-1, PR.AC-5 | 10.2.7 | 164.312(b) | CC7.2 | 4.12 |
| aws-ddb-001 | dynamodb | medium | DynamoDB table not encrypted with KMS | 28.1 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 2.3 |
| aws-ddb-002 | dynamodb | medium | DynamoDB table without point-in-time recovery | 28.2 | PR.IP-4, PR.DS-1 | 12.10.1 | 164.308(a)(7) | A1.2 | - |
| aws-ddb-003 | dynamodb | medium | DynamoDB table without deletion protection | 28.3 | PR.IP-1, PR.DS-3 | 12.10.1 | 164.308(a)(7) | A1.2 | - |
| aws-ec2-001 | ec2 | high | Security group allows SSH from anywhere | 3.1 | PR.AC-3, PR.AC-5 | 1.3.1, 1.3.2 | 164.312(e)(1) | CC6.1, CC6.6 | 5.2 |
| aws-ec2-002 | ec2 | medium | EC2 instance not enforcing IMDSv2 | 3.2 | PR.AC-3, PR.PT-3 | 2.2.1 | 164.312(a)(1) | CC6.1 | 5.6 |
| aws-ec2-003 | ec2 | high | Security group allows RDP from anywhere | 3.3 | PR.AC-3, PR.AC-5 | 1.3.1, 1.3.2 | 164.312(e)(1) | CC6.1, CC6.6 | 5.3 |
| aws-ec2-004 | ec2 | medium | Security group allows unrestricted egress | 3.4 | PR.AC-5, PR.DS-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 5.4 |
| aws-ec2-005 | ec2 | high | EBS volume not encrypted | 3.5 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 2.1.1 |
| aws-ec2-006 | ec2 | medium | EC2 instance with public IP in private subnet | 3.6 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 5.1 |
| aws-ecr-001 | ecr | medium | ECR image scan on push disabled | 12.1 | DE.CM-8, ID.RA-1 | 6.2.4 | 164.308(a)(1) | CC7.1 | 2.1 |
| aws-ecr-002 | ecr | medium | ECR repository without lifecycle policy | 12.2 | PR.IP-1, PR.DS-3 | 2.2.1 | - | CC6.1 | 2.1 |
| aws-ecr-003 | ecr | medium | ECR repository without image tag immutability | 12.3 | PR.DS-6, PR.IP-1 | 6.5.3 | 164.312(c)(1) | CC8.1 | - |
| aws-ecr-004 | ecr | medium | ECR repository not using KMS encryption | 12.4 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | - |
| aws-ecs-001 | ecs | high | ECS task definition with plaintext secrets | 42.1 | PR.DS-1, PR.DS-5 | 3.5.1, 8.3.4 | 164.312(a)(2)(iv) | CC6.1 | - |
| aws-ecs-002 | ecs | medium | ECS task definition not using awsvpc network mode | 42.2 | PR.AC-5, PR.DS-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | - |
| aws-ecs-003 | ecs | medium | ECS service with Execute Command enabled | 42.3 | PR.AC-4, PR.PT-3 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | - |
| aws-ecs-004 | ecs | low | ECS cluster without Container Insights | 42.4 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | - |
| aws-ecs-005 | ecs | critical | ECS task role with admin privileges | 42.5 | PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | - |
| aws-elb-001 | elb | high | Load balancer not using HTTPS | 10.1 | PR.DS-2, PR.DS-5 | 4.2.1 | 164.312(e)(1) | CC6.7 | 2.1 |
| aws-elb-002 | elb | medium | Load balancer access logging disabled | 10.2 | DE.CM-1, PR.PT-1 | 10.2.1 | 164.312(b) | CC7.2 | 2.1 |
| aws-gd-001 | guardduty | high | GuardDuty not enabled | 27.1 | DE.CM-1, DE.AE-2 | 11.4 | 164.312(b) | CC7.2 | 4.15 |
| aws-gd-002 | guardduty | medium | GuardDuty S3 protection not enabled | 27.4 | DE.CM-1, DE.AE-2 | 11.4 | 164.312(b) | CC7.2 | 4.15 |
| aws-gd-003 | guardduty | medium | GuardDuty EKS protection not enabled | 27.5 | DE.CM-1, DE.AE-2 | 11.4 | 164.312(b) | CC7.2 | 4.15 |
| aws-gd-004 | guardduty | medium | GuardDuty RDS protection not enabled | 27.6 | DE.CM-1, DE.AE-2 | 11.4 | 164.312(b) | CC7.2 | 4.15 |
| aws-iam-001 | iam | critical | IAM policy with wildcard actions | 2.1 | PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 1.16 |
| aws-iam-002 | iam | high | IAM user without MFA | 2.2 | PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1, CC6.2 | 1.10 |
| aws-iam-003 | iam | critical | Root account used in last 30 days | 2.3 | PR.AC-1, PR.AC-4 | 8.6.1 | 164.312(d) | CC6.1, CC6.2 | 1.7 |
| aws-iam-004 | iam | medium | IAM access key not rotated | 2.4 | PR.AC-1, PR.AC-7 | 8.3.4 | 164.312(d) | CC6.1 | 1.14 |
| aws-iam-005 | iam | medium | IAM password policy too weak | 2.5 | PR.AC-1, PR.AC-7 | 8.3.6 | 164.312(d) | CC6.1, CC6.2 | 1.8 |
| aws-iam-006 | iam | high | IAM role allows cross-account assume without external ID | 2.6 | PR.AC-3, PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 1.15 |
| aws-iam-007 | iam | high | IAM policy attached directly to user | 2.7 | PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 1.15 |
| aws-iam-008 | iam | medium | IAM user with unused credentials (90+ days) | 2.8 | PR.AC-1, PR.AC-4 | 8.1.4 | 164.312(a)(1) | CC6.1 | 1.12 |
| aws-iam-009 | iam | high | IAM user with console access but no MFA | 2.9 | PR.AC-7, PR.AC-1 | 8.3.1 | 164.312(d) | CC6.1 | 1.10 |
| aws-iam-010 | iam | medium | IAM user with multiple active access keys | 2.10 | PR.AC-1, PR.IP-1 | 8.2.4 | 164.312(a)(1) | CC6.1 | 1.13 |
| aws-kms-001 | kms | medium | KMS key automatic rotation disabled | 9.1 | PR.AC-7, PR.DS-1 | 3.6.4 | 164.312(a)(2)(iv) | CC6.1 | 3.8 |
| aws-kms-002 | kms | high | KMS key policy allows public access | 9.2 | PR.AC-3, PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 3.8 |
| aws-lambda-001 | lambda | high | Lambda function with overly permissive role | 11.1 | PR.AC-4, PR.PT-3 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 2.1 |
| aws-lambda-002 | lambda | medium | Lambda function not in VPC | 11.2 | PR.AC-5, PR.PT-3 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 2.1 |
| aws-lambda-003 | lambda | medium | Lambda environment variables not encrypted with KMS | 11.3 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 2.1.1 |
| aws-lambda-004 | lambda | medium | Lambda function without dead letter queue | 11.4 | PR.DS-4, DE.AE-5 | 12.10.1 | 164.308(a)(7) | A1.2 | - |
| aws-lambda-005 | lambda | high | Lambda function using deprecated runtime | 11.5 | PR.IP-12, ID.RA-1 | 6.3.3 | 164.308(a)(5)(ii)(A) | CC7.1 | - |
| aws-orphan-001 | ec2 | medium | Unattached EBS volume | 46.1 | ID.AM-1, PR.DS-3 | - | - | CC6.1 | - |
| aws-orphan-002 | ec2 | low | Unused Elastic IP address | 46.2 | ID.AM-1 | - | - | CC6.1 | - |
| aws-orphan-003 | ec2 | low | Unused security group | 46.3 | ID.AM-1, PR.AC-5 | - | - | CC6.1 | - |
| aws-orphan-004 | iam | low | Unattached IAM policy | 46.4 | ID.AM-1, PR.AC-1 | - | - | CC6.1 | - |
| aws-orphan-005 | iam | high | IAM user with no active access keys and no console access | 46.5 | PR.AC-1, PR.AC-6 | 8.1.4 | 164.312(a)(2)(i) | CC6.1, CC6.2 | 1.12 |
| aws-orphan-006 | ec2 | low | Unattached network interface | 46.6 | ID.AM-1 | - | - | CC6.1 | - |
| aws-rds-001 | rds | critical | RDS instance publicly accessible | 7.1 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 2.3.1 |
| aws-rds-002 | rds | high | RDS instance not encrypted at rest | 7.2 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 2.3.1 |
| aws-rds-003 | rds | medium | RDS automated backups disabled | 7.3 | PR.IP-4, RC.RP-1 | 12.10.1 | 164.308(a)(7) | A1.2 | - |
| aws-rds-004 | rds | medium | RDS Multi-AZ not enabled | 7.4 | PR.DS-4, RC.RP-1 | 12.10.1 | 164.308(a)(7) | A1.2 | - |
| aws-rds-005 | rds | high | RDS instance using default port | 7.5 | PR.AC-3, PR.PT-3 | 2.2.1 | 164.312(a)(1) | CC6.1 | 2.3.1 |
| aws-s3-001 | s3 | high | S3 bucket missing public access block | 1.1 | PR.AC-3, PR.DS-1 | 1.3.1 | 164.312(e)(1) | CC6.1 | 2.1.1 |
| aws-s3-002 | s3 | medium | S3 bucket versioning disabled | 1.2 | PR.DS-1, PR.IP-4 | 12.10.1 | 164.308(a)(7) | A1.2 | 2.1.2 |
| aws-s3-003 | s3 | high | S3 bucket without default encryption | 1.3 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 2.1.1 |
| aws-s3-004 | s3 | medium | S3 bucket access logging disabled | 1.4 | DE.CM-1, PR.PT-1 | 10.2.1 | 164.312(b) | CC7.2 | 3.5 |
| aws-s3-005 | s3 | high | S3 bucket policy allows cross-account access | 1.5 | PR.AC-3, PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 2.1.2 |
| aws-s3-006 | s3 | high | S3 account-level public access block not enabled | 1.6 | PR.AC-3, PR.DS-1 | 1.3.1 | 164.312(e)(1) | CC6.1 | 2.1.4 |
| aws-s3-007 | s3 | medium | S3 bucket without MFA delete protection | 1.7 | PR.AC-4, PR.DS-1 | 8.3.1 | 164.312(d) | CC6.1 | 2.1.3 |
| aws-sh-001 | securityhub | high | Security Hub not enabled | 27.2 | DE.CM-1, DE.AE-2 | 11.4 | 164.312(b) | CC7.2 | 4.16 |
| aws-sh-002 | securityhub | medium | Security Hub without CIS standard subscription | 27.3 | DE.CM-1, ID.GV-3 | 11.4 | 164.312(b) | CC7.2 | 4.16 |
| aws-sm-001 | secretsmanager | medium | Secret not rotated in 90 days | 9.3 | PR.AC-1, PR.AC-7 | 8.3.4 | 164.312(a)(2)(iv) | CC6.1 | 1.14 |
| aws-sns-001 | sns | medium | SNS topic not encrypted | 29.1 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | - |
| aws-sns-002 | sns | high | SNS topic allows public access | 29.2 | PR.AC-3, PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | - |
| aws-sqs-001 | sqs | high | SQS queue without server-side encryption | 41.1 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | - |
| aws-sqs-002 | sqs | high | SQS queue policy allows public access | 41.2 | PR.AC-3, PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | - |
| aws-sqs-003 | sqs | medium | SQS queue without dead letter queue | 41.3 | PR.DS-4, DE.AE-5 | 12.10.1 | 164.308(a)(7) | A1.2 | - |
| aws-sqs-004 | sqs | low | SQS queue using SSE-SQS instead of SSE-KMS | 41.4 | PR.DS-1 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | - |
| aws-vpc-001 | vpc | medium | VPC flow logs not enabled | 4.1 | DE.CM-1 | 10.2.1 | 164.312(b) | CC7.2 | 3.9 |
| aws-vpc-002 | vpc | medium | Default VPC in use | 4.2 | PR.AC-5, PR.IP-1 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 5.1 |
| aws-vpc-003 | vpc | medium | Network ACL allows unrestricted inbound | 4.3 | PR.AC-5, DE.CM-1 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 5.1 |
| aws-vpc-004 | ec2 | high | EBS encryption by default not enabled | 4.4 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 2.2.1 |
| aws-vpc-005 | vpc | medium | VPC endpoint with unrestricted policy | 4.5 | PR.AC-3, PR.AC-5 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 5.5 |
| cross-eks-001 | iam | critical | EKS node role with admin privileges | 6.1 | PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 1.16 |
| cross-eks-002 | eks | high | EKS cluster endpoint publicly accessible | 6.2 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 5.1 |
| cross-eks-003 | eks | high | EKS secrets not encrypted with KMS | 6.3 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 3.8 |
| cross-eks-004 | eks | medium | EKS audit logging not fully enabled | 6.4 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | 3.1 |
Microsoft Azure (83 controls)

| Policy ID | Service | Severity | Title | CITC CSB | NIST CSF | PCI DSS | HIPAA | SOC 2 | CIS |
|---|---|---|---|---|---|---|---|---|---|
| azure-acr-001 | containerregistry | high | Container registry admin user enabled | 20.1 | PR.AC-1, PR.AC-4 | 8.3.1 | 164.312(d) | CC6.1, CC6.2 | 7.1 |
| azure-acr-002 | containerregistry | medium | Container registry public network access enabled | 20.2 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 7.1 |
| azure-acr-003 | containerregistry | medium | Container registry without customer-managed encryption | 20.3 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 7.1 |
| azure-agw-001 | appgateway | high | Application Gateway WAF not in prevention mode | 45.1 | PR.DS-5, DE.CM-1 | 6.6 | 164.312(e)(1) | CC6.1, CC6.6 | - |
| azure-agw-002 | appgateway | high | Application Gateway TLS policy not enforcing minimum 1.2 | 45.2 | PR.DS-2, PR.DS-5 | 4.2.1 | 164.312(e)(1) | CC6.7 | - |
| azure-agw-003 | appgateway | medium | Application Gateway diagnostics not enabled | 45.3 | DE.CM-1, PR.PT-1 | 10.2.1 | 164.312(b) | CC7.2 | - |
| azure-aks-001 | aks | critical | AKS cluster without RBAC | 21.1 | PR.AC-4, PR.AC-1 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 7.1 |
| azure-aks-002 | aks | high | AKS cluster without Azure AD integration | 21.2 | PR.AC-1, PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1, CC6.2 | 7.1 |
| azure-aks-003 | aks | medium | AKS cluster API server publicly accessible | 21.3 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 7.1 |
| azure-aks-004 | aks | medium | AKS cluster without network policy | 21.4 | PR.AC-5, PR.DS-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 7.1 |
| azure-aks-005 | aks | high | AKS cluster with local accounts enabled | 21.5 | PR.AC-1, PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1, CC6.2 | 7.1 |
| azure-appservice-001 | appservice | high | App Service not enforcing HTTPS | 19.1 | PR.DS-2, PR.DS-5 | 4.2.1 | 164.312(e)(1) | CC6.7 | 9.1 |
| azure-appservice-002 | appservice | high | App Service without managed identity | 19.2 | PR.AC-1, PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1, CC6.2 | 9.1 |
| azure-appservice-003 | appservice | medium | App Service not enforcing TLS 1.2 | 19.3 | PR.DS-2, PR.DS-5 | 4.2.1 | 164.312(e)(1) | CC6.7 | 9.1 |
| azure-appservice-004 | appservice | critical | App Service with remote debugging enabled | 19.4 | PR.AC-3, DE.CM-1 | 2.2.1 | 164.312(a)(1) | CC6.1 | 9.1 |
| azure-appservice-005 | appservice | medium | App Service without authentication | 19.5 | PR.AC-1, PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1, CC6.2 | 9.1 |
| azure-appservice-006 | appservice | medium | App Service FTP/FTPS not restricted | 19.6 | PR.DS-2, PR.AC-3 | 4.2.1 | 164.312(e)(1) | CC6.7 | 9.1 |
| azure-cosmosdb-001 | cosmosdb | high | Cosmos DB public network access enabled | 22.1 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 4.1 |
| azure-cosmosdb-002 | cosmosdb | medium | Cosmos DB without network restrictions | 22.2 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 4.1 |
| azure-cosmosdb-003 | cosmosdb | medium | Cosmos DB without automatic failover | 22.3 | PR.IP-4, RC.RP-1 | 12.10.1 | 164.308(a)(7) | A1.2 | - |
| azure-cosmosdb-004 | cosmosdb | medium | Cosmos DB key-based authentication not disabled | 22.4 | PR.AC-1, PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1, CC6.2 | 4.1 |
| azure-defender-001 | defender | high | Defender for Cloud plan not enabled | 24.1 | DE.CM-1, DE.AE-3, DE.DP-4 | 6.2.4 | 164.308(a)(1) | CC7.1 | 2.1 |
| azure-defender-002 | defender | high | Defender for SQL Servers not enabled | 24.2 | DE.CM-1, DE.AE-3 | 6.2.4 | 164.308(a)(1) | CC7.1 | 2.1.2 |
| azure-defender-003 | defender | high | Defender for App Services not enabled | 24.3 | DE.CM-1, DE.AE-3 | 6.2.4 | 164.308(a)(1) | CC7.1 | 2.1.3 |
| azure-defender-004 | defender | high | Defender for Storage not enabled | 24.4 | DE.CM-1, DE.AE-3 | 6.2.4 | 164.308(a)(1) | CC7.1 | 2.1.4 |
| azure-defender-005 | defender | high | Defender for Containers not enabled | 24.5 | DE.CM-1, DE.AE-3 | 6.2.4 | 164.308(a)(1) | CC7.1 | 2.1.6 |
| azure-disk-001 | compute | high | Disk not encrypted with customer-managed key | 15.2 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 7.1 |
| azure-entraid-001 | entraid | critical | MFA not enforced for all users | 36.1 | PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1 | 1.1.1 |
| azure-entraid-002 | entraid | high | Security defaults not enabled | 36.2 | PR.AC-7, PR.AC-3 | 8.3.1 | 164.312(d) | CC6.1 | 1.1.2 |
| azure-entraid-003 | entraid | high | Legacy authentication not blocked | 36.3 | PR.AC-7, PR.AC-3 | 8.3.1 | 164.312(d) | CC6.1 | 1.1.3 |
| azure-entraid-004 | entraid | medium | No sign-in risk-based Conditional Access policy | 36.4 | DE.CM-1, PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1 | 1.2.3 |
| azure-entraid-005 | entraid | medium | No user risk-based Conditional Access policy | 36.5 | DE.CM-1, PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1 | 1.2.4 |
| azure-entraid-006 | entraid | medium | Guest user access not restricted | 36.6 | PR.AC-4, PR.AC-1 | 7.1.1 | 164.312(a)(1) | CC6.3 | 1.3 |
| azure-entraid-007 | entraid | medium | Self-service password reset not enabled | 36.7 | PR.AC-1, PR.IP-11 | 8.2.4 | 164.312(d) | CC6.1 | 1.4 |
| azure-entraid-008 | entraid | high | Password hash sync not enabled for hybrid identity | 36.8 | PR.AC-1, DE.CM-1 | 8.3.1 | 164.312(d) | CC6.1 | 1.5 |
| azure-entraid-009 | entraid | medium | Users can consent to apps accessing company data | 36.9 | PR.AC-4, PR.DS-5 | 7.1.1 | 164.312(a)(1) | CC6.3 | 1.11 |
| azure-entraid-010 | entraid | high | Privileged Identity Management not enabled | 36.10 | PR.AC-4, PR.AC-1 | 7.1.1 | 164.312(a)(1) | CC6.1 | 1.14 |
| azure-func-001 | functions | high | Azure Function app not enforcing HTTPS | 44.1 | PR.DS-2, PR.DS-5 | 4.2.1 | 164.312(e)(1) | CC6.7 | 9.2 |
| azure-func-002 | functions | medium | Azure Function app without managed identity | 44.2 | PR.AC-1, PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1, CC6.2 | 9.5 |
| azure-func-003 | functions | high | Azure Function app not enforcing minimum TLS 1.2 | 44.3 | PR.DS-2, PR.DS-5 | 4.2.1 | 164.312(e)(1) | CC6.7 | 9.3 |
| azure-func-004 | functions | medium | Azure Function app with remote debugging enabled | 44.4 | PR.AC-3, PR.PT-3 | 2.2.1 | 164.312(a)(1) | CC6.1 | 9.8 |
| azure-kv-001 | keyvault | high | Key Vault without soft delete | 17.1 | PR.DS-1, PR.IP-4 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 8.1 |
| azure-kv-002 | keyvault | high | Key Vault without purge protection | 17.2 | PR.DS-1, PR.IP-4 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 8.1 |
| azure-kv-003 | keyvault | medium | Key Vault not using RBAC authorization | 17.3 | PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 8.1 |
| azure-kv-004 | keyvault | high | Key Vault network not restricted | 17.4 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 8.1 |
| azure-monitor-001 | monitor | medium | Activity log not exported | 18.1 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | 5.1 |
| azure-monitor-002 | monitor | medium | Diagnostic settings not configured for storage accounts | 37.1 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | 5.1.1 |
| azure-monitor-003 | monitor | high | Diagnostic settings not configured for Key Vault | 37.2 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | 5.1.2 |
| azure-monitor-004 | monitor | medium | Log Analytics workspace retention less than 90 days | 37.3 | DE.AE-3, PR.IP-4 | 10.7.1 | 164.312(b) | CC7.2 | 5.1.3 |
| azure-monitor-005 | monitor | medium | No activity log alert for creating policy assignment | 37.4 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | 5.2.1 |
| azure-monitor-006 | monitor | medium | No activity log alert for deleting security solutions | 37.5 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | 5.2.5 |
| azure-monitor-007 | monitor | medium | No activity log alert for creating or updating NSG | 37.6 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | 5.2.2 |
| azure-mysql-001 | mysql | high | MySQL public network access enabled | 40.1 | PR.AC-3, PR.DS-5 | 1.3.1 | 164.312(e)(1) | CC6.1 | 4.4.1 |
| azure-mysql-002 | mysql | medium | MySQL without geo-redundant backup | 40.2 | PR.IP-4, PR.DS-1 | 12.10.1 | 164.308(a)(7) | A1.2 | 4.4.2 |
| azure-mysql-003 | mysql | high | MySQL without SSL enforcement | 40.3 | PR.DS-2, PR.DS-5 | 4.1.1 | 164.312(e)(1) | CC6.1 | 4.4.3 |
| azure-nsg-001 | network | high | NSG allows SSH from anywhere | 14.1 | PR.AC-3, PR.AC-5 | 1.3.1, 1.3.2 | 164.312(e)(1) | CC6.1, CC6.6 | 6.1 |
| azure-nsg-002 | network | high | NSG allows RDP from anywhere | 14.2 | PR.AC-3, PR.AC-5 | 1.3.1, 1.3.2 | 164.312(e)(1) | CC6.1, CC6.6 | 6.2 |
| azure-nsg-003 | network | critical | NSG allows all inbound traffic | 14.3 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 6.1 |
| azure-nw-001 | networkwatcher | medium | Network Watcher not enabled for region | 25.1 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | 6.1 |
| azure-nw-002 | networkwatcher | medium | NSG flow log not enabled | 25.2 | DE.CM-1, DE.AE-3 | 10.2.1 | 164.312(b) | CC7.2 | 6.1 |
| azure-nw-003 | networkwatcher | low | NSG flow log retention too short | 25.3 | DE.AE-3, PR.IP-4 | 10.2.1 | 164.312(b) | CC7.2 | 6.1 |
| azure-orphan-001 | compute | medium | Unattached managed disk | 47.1 | ID.AM-1, PR.DS-3 | - | - | CC6.1 | - |
| azure-orphan-002 | network | low | Unused public IP address | 47.2 | ID.AM-1 | - | - | CC6.1 | - |
| azure-orphan-003 | network | low | Unattached network interface | 47.3 | ID.AM-1 | - | - | CC6.1 | - |
| azure-pg-001 | postgresql | high | PostgreSQL public network access enabled | 23.1 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 4.1 |
| azure-pg-002 | postgresql | medium | PostgreSQL without geo-redundant backup | 23.2 | PR.IP-4, RC.RP-1 | 12.10.1 | 164.308(a)(7) | A1.2 | - |
| azure-pg-003 | postgresql | medium | PostgreSQL without high availability | 23.3 | PR.IP-4, RC.RP-1 | 12.10.1 | 164.308(a)(7) | A1.2 | - |
| azure-sql-001 | sql | high | SQL Server public network access enabled | 16.1 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 4.1 |
| azure-sql-002 | sql | medium | SQL Server not enforcing TLS 1.2 | 16.2 | PR.DS-2, PR.DS-5 | 4.2.1 | 164.312(e)(1) | CC6.7 | 4.1 |
| azure-sql-003 | sql | high | SQL Server without Azure AD-only authentication | 16.3 | PR.AC-1, PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1, CC6.2 | 4.1 |
| azure-sql-004 | sql | critical | SQL firewall allows all internet traffic | 16.4 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 4.1 |
| azure-sql-005 | sql | medium | Database without geo-redundant backup | 16.5 | PR.IP-4, RC.RP-1 | 12.10.1 | 164.308(a)(7) | A1.2 | - |
| azure-storage-001 | storage | high | Storage account allows blob public access | 13.1 | PR.AC-3, PR.DS-1 | 1.3.1 | 164.312(e)(1) | CC6.1 | 3.1 |
| azure-storage-002 | storage | high | Storage account not enforcing HTTPS | 13.2 | PR.DS-2, PR.DS-5 | 4.2.1 | 164.312(e)(1) | CC6.7 | 3.1 |
| azure-storage-003 | storage | medium | Storage account not enforcing TLS 1.2 | 13.3 | PR.DS-2, PR.DS-5 | 4.2.1 | 164.312(e)(1) | CC6.7 | 3.1 |
| azure-storage-004 | storage | medium | Storage account not using customer-managed key encryption | 13.4 | PR.DS-1, PR.DS-5 | 3.5.1 | 164.312(a)(2)(iv) | CC6.1 | 3.2 |
| azure-storage-005 | storage | medium | Storage account blob soft delete not enabled | 13.5 | PR.IP-4, PR.DS-1 | 12.10.1 | 164.308(a)(7) | A1.2 | 3.11 |
| azure-storage-006 | storage | medium | Storage account without private endpoint | 13.6 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 3.10 |
| azure-vm-001 | compute | high | VM without managed identity | 15.1 | PR.AC-1, PR.AC-7 | 8.3.1 | 164.312(d) | CC6.1, CC6.2 | 7.1 |
| azure-vm-002 | compute | high | VM without endpoint protection | 15.3 | DE.CM-4, PR.DS-5 | 5.1.1 | 164.308(a)(5) | CC6.8 | 7.6 |
| azure-vm-003 | compute | medium | VM without backup enabled | 15.4 | PR.IP-4, PR.DS-1 | 12.10.1 | 164.308(a)(7) | A1.2 | 7.7 |
| azure-vm-004 | compute | medium | VM without just-in-time access | 15.5 | PR.AC-3, PR.AC-4 | 1.3.1 | 164.312(a)(1) | CC6.1 | 7.2 |
| azure-vnet-001 | network | medium | VNet without DDoS protection | 14.4 | PR.DS-4, DE.CM-1 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 6.1 |
Kubernetes (19 controls)

| Policy ID | Service | Severity | Title | CITC CSB | NIST CSF | PCI DSS | HIPAA | SOC 2 | CIS |
|---|---|---|---|---|---|---|---|---|---|
| k8s-ing-001 | ingress | high | Ingress without TLS configuration | 5.15 | PR.DS-2, PR.DS-5 | 4.2.1 | 164.312(e)(1) | CC6.7 | 5.3.1 |
| k8s-ing-002 | ingress | medium | Service of type LoadBalancer without restrictions | 5.16 | PR.AC-3, PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 5.3.1 |
| k8s-net-001 | networkpolicies | medium | Namespace without network policy | 5.4 | PR.AC-5 | 1.3.1 | 164.312(e)(1) | CC6.1, CC6.6 | 5.3.2 |
| k8s-pod-001 | pods | critical | Privileged container detected | 5.2 | PR.AC-4, PR.PT-3 | 2.2.1 | 164.312(a)(1) | CC6.1 | 5.2.1 |
| k8s-pod-002 | pods | high | Container running as root | 5.3 | PR.AC-4 | 2.2.1 | 164.312(a)(1) | CC6.1 | 5.2.6 |
| k8s-pod-003 | pods | high | Container using host network | 5.5 | PR.AC-5, PR.PT-3 | 2.2.1 | 164.312(a)(1) | CC6.1 | 5.2.4 |
| k8s-pod-004 | pods | high | Container using hostPID or hostIPC | 5.6 | PR.AC-4, PR.PT-3 | 2.2.1 | 164.312(a)(1) | CC6.1 | 5.2.2 |
| k8s-pod-005 | pods | medium | Container without resource limits | 5.7 | PR.DS-4, PR.IP-1 | 2.2.1 | 164.312(a)(1) | CC6.1 | 5.2.7 |
| k8s-pod-006 | pods | medium | Container with writable root filesystem | 5.8 | PR.PT-3, PR.DS-5 | 2.2.1 | 164.312(a)(1) | CC6.1 | 5.2.8 |
| k8s-pod-007 | pods | medium | Container using latest tag | 5.9 | PR.IP-1, PR.DS-6 | 2.2.1 | 164.312(a)(1) | CC6.1 | 5.2.9 |
| k8s-pod-008 | pods | high | Container with dangerous Linux capabilities | 5.17 | PR.AC-4, PR.PT-3 | 2.2.1 | 164.312(a)(1) | CC6.1 | 5.2.8 |
| k8s-pod-009 | pods | medium | Container does not disable privilege escalation | 5.18 | PR.AC-4 | 2.2.1 | 164.312(a)(1) | CC6.1 | 5.2.5 |
| k8s-pod-010 | pods | medium | Container without seccomp profile | 5.19 | PR.PT-3, PR.AC-4 | 2.2.1 | 164.312(a)(1) | CC6.1 | 5.7.2 |
| k8s-rbac-001 | rbac | high | Excessive cluster-admin bindings | 5.1 | PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 5.1.1 |
| k8s-rbac-002 | rbac | high | ClusterRole with wildcard resource access | 5.10 | PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 5.1.3 |
| k8s-rbac-003 | rbac | medium | ServiceAccount token auto-mounted | 5.11 | PR.AC-4, PR.AC-7 | 3.5.1, 8.3.4 | 164.312(a)(2)(iv) | CC6.1 | 5.1.5 |
| k8s-rbac-004 | rbac | medium | Pod using default service account | 5.12 | PR.AC-4 | 7.2.1 | 164.312(a)(1) | CC6.1, CC6.3 | 5.1.5 |
| k8s-sec-001 | secrets | high | Secret exposed as environment variable | 5.13 | PR.DS-1, PR.DS-5 | 3.5.1, 8.3.4 | 164.312(a)(2)(iv) | CC6.1 | 5.4.1 |
| k8s-sec-002 | secrets | critical | Hardcoded credentials in pod spec | 5.14 | PR.AC-1, PR.DS-5 | 3.5.1, 8.3.4 | 164.312(a)(2)(iv) | CC6.1 | 5.4.1 |
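As an added example (not code from the CITC page or from the product it describes), the Python script below runs the checks an auditor would want over a mapping table like this one: it parses one pipe-delimited row per control in the table's column order (an export format assumed here, not one the page provides), reproduces the per-framework coverage counts shown in the summary, lists any control that cites no external framework, rejects duplicate policy IDs, and flags NIST CSF identifiers whose category code does not exist in CSF 2.0. The six sample rows are copied from the table; the set of CSF 2.0 category codes is mine.

```python
"""Consistency checks for a control-to-framework mapping table.

Added example; not code from the CITC page or product. Input is one
pipe-delimited line per control in the column order of the mapping table
(Policy ID | Service | Severity | Title | CITC CSB | NIST CSF | PCI DSS |
HIPAA | SOC 2 | CIS); that export format is an assumption. A cell of "-"
or "" means no mapping to that framework.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

FRAMEWORKS = ("NIST CSF", "PCI DSS", "HIPAA", "SOC 2", "CIS")
SEVERITIES = {"critical", "high", "medium", "low"}

# Function.category codes that exist in NIST CSF 2.0. Anything else that
# looks like a CSF id (PR.AC-1, PR.IP-1, PR.PT-1, DE.DP-4, ID.GV-3) is a
# CSF 1.1 identifier and needs re-mapping before it is cited as "v2.0".
CSF2_CATEGORIES = {
    "GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC",
    "ID.AM", "ID.RA", "ID.IM",
    "PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR",
    "DE.CM", "DE.AE",
    "RS.MA", "RS.AN", "RS.CO", "RS.MI",
    "RC.RP", "RC.CO",
}
CSF_ID = re.compile(r"^([A-Z]{2}\.[A-Z]{2})-\d+$")

# Excerpt copied from the mapping table above (six of the 203 rows).
SAMPLE_ROWS = """\
aws-acm-001|acm|high|ACM certificate expiring within 30 days|30.1|PR.DS-2, PR.IP-1|4.1|164.312(e)(1)|CC6.1|-
aws-ecr-002|ecr|medium|ECR repository without lifecycle policy|12.2|PR.IP-1, PR.DS-3|2.2.1||CC6.1|2.1
aws-orphan-002|ec2|low|Unused Elastic IP address|46.2|ID.AM-1|||CC6.1|
aws-rds-001|rds|critical|RDS instance publicly accessible|7.1|PR.AC-3, PR.AC-5|1.3.1|164.312(e)(1)|CC6.1, CC6.6|2.3.1
azure-defender-001|defender|high|Defender for Cloud plan not enabled|24.1|DE.CM-1, DE.AE-3, DE.DP-4|6.2.4|164.308(a)(1)|CC7.1|2.1
k8s-rbac-001|rbac|high|Excessive cluster-admin bindings|5.1|PR.AC-4|7.2.1|164.312(a)(1)|CC6.1, CC6.3|5.1.1
"""


@dataclass
class Control:
    policy_id: str
    service: str
    severity: str
    title: str
    csb: str
    refs: dict = field(default_factory=dict)  # framework name -> list of ids


def split_refs(cell: str) -> list:
    """'CC6.1, CC6.6' -> ['CC6.1', 'CC6.6']; '-' or blank -> []."""
    cell = cell.strip()
    if cell in ("", "-"):
        return []
    return [r.strip() for r in cell.split(",") if r.strip()]


def parse_rows(text: str) -> list:
    """Parse the pipe-delimited export; reject rows with the wrong shape."""
    width = 5 + len(FRAMEWORKS)
    controls = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != width:
            raise ValueError(f"line {lineno}: expected {width} columns, got {len(cols)}")
        pid, service, sev, title, csb, *cells = cols
        if sev not in SEVERITIES:
            raise ValueError(f"line {lineno}: unknown severity {sev!r}")
        refs = {fw: split_refs(cell) for fw, cell in zip(FRAMEWORKS, cells)}
        controls.append(Control(pid, service, sev, title, csb, refs))
    return controls


def coverage(controls: list) -> dict:
    """Controls with at least one reference, per framework (the summary-card numbers)."""
    return {fw: sum(1 for c in controls if c.refs[fw]) for fw in FRAMEWORKS}


def unmapped(controls: list) -> list:
    """Controls that trace to no external framework at all."""
    return [c.policy_id for c in controls if not any(c.refs.values())]


def duplicate_ids(controls: list) -> list:
    counts = Counter(c.policy_id for c in controls)
    return sorted(pid for pid, n in counts.items() if n > 1)


def non_csf2_ids(controls: list) -> dict:
    """policy_id -> NIST CSF ids that are malformed or not a CSF 2.0 category."""
    flagged = {}
    for c in controls:
        for ref in c.refs["NIST CSF"]:
            m = CSF_ID.match(ref)
            if m is None or m.group(1) not in CSF2_CATEGORIES:
                flagged.setdefault(c.policy_id, []).append(ref)
    return flagged


def report(text: str) -> dict:
    controls = parse_rows(text)
    return {
        "controls": len(controls),
        "coverage": coverage(controls),
        "unmapped": unmapped(controls),
        "duplicates": duplicate_ids(controls),
        "non_csf2": non_csf2_ids(controls),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run over the full 203-row table above, the coverage dict comes out as 203 for NIST CSF, 195 for PCI DSS, 194 for HIPAA, 203 for SOC 2 and 161 for CIS, while the summary card says 167 for CIS; that kind of drift between a headline number and the rows behind it is exactly what the check is for. The non_csf2 output will be long, because most rows cite PR.AC, PR.IP or PR.PT subcategories that only exist in CSF 1.1.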