rajlearner17 closed 2 years ago
We are unable to reproduce the error. Providing the run details below:
~/steam-pipe/alicloud-complaince (main) ⏩ steampipe check all
Alibaba Cloud Compliance ......................................................................................................................................................... 95 / 184 [==========]
|
+ CIS v1.0.0 ..................................................................................................................................................................... 95 / 184 [==========]
|
+ 1 Identity and Access Management ............................................................................................................................................. 42 / 65 [==== ]
| |
| + 1.1 Avoid the use of the 'root' account .................................................................................................................................... 1 / 1 [= ]
| | |
| | ERROR: SDKError:
Code: Expired.CredentialReport
Message: code: 410, The credential report has been expired. request id: 34177AB9-1736-5752-B1CD-126EACD5AF8D
Data: {"Code":"Expired.CredentialReport","HostId":"ims.aliyuncs.com","Message":"The credential report has been expired.","Recommend":"https://error-center.aliyun.com/status/search?Key…
| |
| + 1.2 Ensure no root account access key exists ............................................................................................................................... 1 / 1 [= ]
| | |
| | ERROR: SDKError:
Code: Expired.CredentialReport
Message: code: 410, The credential report has been expired. request id: AE18B229-0647-5D72-9D34-67B8E4683B2A
Data: {"Code":"Expired.CredentialReport","HostId":"ims.aliyuncs.com","Message":"The credential report has been expired.","Recommend":"https://error-center.aliyun.com/status/search?Key…
| |
| + 1.3 Ensure MFA is enabled for the 'root' account ........................................................................................................................... 1 / 1 [= ]
| | |
| | ERROR: SDKError:
Code: Expired.CredentialReport
Message: code: 410, The credential report has been expired. request id: 9CAE4E45-CC93-55DB-85BF-5E3BED04C287
Data: {"Code":"Expired.CredentialReport","HostId":"ims.aliyuncs.com","Message":"The credential report has been expired.","Recommend":"https://error-center.aliyun.com/status/search?Key…
| |
| + 1.4 Ensure that multi-factor authentication is enabled for all RAM users that have a console password ...................................................................... 1 / 1 [= ]
| | |
| | ERROR: SDKError:
Code: Expired.CredentialReport
Message: code: 410, The credential report has been expired. request id: 621CC2B9-29D5-5391-9D9D-5EEEDED7BF97
Data: {"Code":"Expired.CredentialReport","HostId":"ims.aliyuncs.com","Message":"The credential report has been expired.","Recommend":"https://error-center.aliyun.com/status/search?Key…
| |
| + 1.5 Ensure users not logged on for 90 days or longer are disabled for console logon ........................................................................................ 11 / 19 [== ]
| | |
| | OK : debu logged in 15 days ago. .............................................................................................................................................. 5982111499156037
| | ALARM: john logged in 126 days ago. ............................................................................................................................................. 5982111499156037
| | ALARM: oscar never logged in. ................................................................................................................................................... 5982111499156037
| | OK : rajeshbal logged in 16 days ago. ......................................................................................................................................... 5982111499156037
| | OK : partha logged in 1 days ago. ............................................................................................................................................. 5982111499156037
| | OK : lalit logged in 24 days ago. ............................................................................................................................................. 5982111499156037
| | OK : khushboo logged in 28 days ago. .......................................................................................................................................... 5982111499156037
| | OK : sourav logged in 1 days ago. ............................................................................................................................................. 5982111499156037
| | ALARM: david logged in 126 days ago. ............................................................................................................................................ 5982111499156037
| | ALARM: pam never logged in. ..................................................................................................................................................... 5982111499156037
| | ALARM: dwight never logged in. .................................................................................................................................................. 5982111499156037
| | ALARM: cisuser never logged in. ................................................................................................................................................. 5982111499156037
| | OK : subhajit logged in 7 days ago. ........................................................................................................................................... 5982111499156037
| | ALARM: cody logged in 126 days ago. ............................................................................................................................................. 5982111499156037
| | ALARM: michael never logged in. ................................................................................................................................................. 5982111499156037
| | ALARM: kevin never logged in. ................................................................................................................................................... 5982111499156037
| | OK : raj logged in 14 days ago. ............................................................................................................................................... 5982111499156037
| | ALARM: jim never logged in. ..................................................................................................................................................... 5982111499156037
| | ALARM: nw-steampipe never logged in. ............................................................................................................................................ 5982111499156037
| |
| + 1.6 Ensure access keys are rotated every 90 days or less ................................................................................................................... 14 / 19 [== ]
| | |
| | OK : partha LTAI5tJ24Hu51Y2UCLsyDt1u created 01-Jun-2021 (66 days). ........................................................................................................... 5982111499156037
| | ALARM: david LTAI5tL5AHdDuaVKQrR4jfhZ created 01-Apr-2021 (126 days). ........................................................................................................... 5982111499156037
| | OK : debu LTAI5tQmMTfSx9pg89kNcXzn created 05-Jul-2021 (31 days). ............................................................................................................. 5982111499156037
| | OK : cody LTAI5tCZ2c7USv4BxHUkqYLm created 19-Jul-2021 (17 days). ............................................................................................................. 5982111499156037
| | ALARM: subhajit LTAI4G1q1KCF934zSvH4WNCD created 19-Feb-2021 (167 days). ........................................................................................................ 5982111499156037
| | ALARM: dwight LTAI4FyxySVqXLsXNTJ8svo9 created 27-Jan-2021 (191 days). .......................................................................................................... 5982111499156037
| | ALARM: rajeshbal LTAI4G5FDM8JYkJkUfUvJ8pB created 18-Feb-2021 (169 days). ....................................................................................................... 5982111499156037
| | OK : khushboo LTAI5tE6NLzZDqPoNMS1c4i7 created 09-Jun-2021 (58 days). ......................................................................................................... 5982111499156037
| | OK : sourav LTAI5tQyR5XwQXdaXx8KcUSV created 07-Jul-2021 (30 days). ........................................................................................................... 5982111499156037
| | ALARM: pam LTAI4GHBBV1s8w5Kk3Jex3H8 created 27-Jan-2021 (191 days). ............................................................................................................. 5982111499156037
| | ALARM: kevin LTAI4GDtxHE67g2UujBMTUqp created 27-Jan-2021 (191 days). ........................................................................................................... 5982111499156037
| | ALARM: lalit LTAI4GC5FPDVXYns4VHjzoTp created 23-Feb-2021 (164 days). ........................................................................................................... 5982111499156037
| | ALARM: michael LTAI4GG37PzvtqL8rgogq1An created 27-Jan-2021 (191 days). ......................................................................................................... 5982111499156037
| | ALARM: oscar LTAI4GD8KPPL6N3LZ5fZ1Pyx created 27-Jan-2021 (191 days). ........................................................................................................... 5982111499156037
| | ALARM: raj LTAI4G3iPoXzR2kNmP89SV2X created 11-Mar-2021 (148 days). ............................................................................................................. 5982111499156037
| | ALARM: john LTAI4GBVEshZAjTFNf4ezv66 created 23-Feb-2021 (163 days). ............................................................................................................ 5982111499156037
| | ALARM: john LTAI4G6DoDr1V1QxPeTnTqto created 25-Feb-2021 (162 days). ............................................................................................................ 5982111499156037
| | ALARM: jim LTAI4GALdnJDMGQdpxPwXkn3 created 27-Jan-2021 (191 days). ............................................................................................................. 5982111499156037
| | ALARM: nw-steampipe LTAI4GBwJQnMs697GDp2GASK created 24-Jan-2021 (193 days). .................................................................................................... 5982111499156037
| |
| + 1.7 Ensure RAM password policy requires at least one uppercase letter ...................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Uppercase character not required. ........................................................................................................................................ 5982111499156037
| |
| + 1.8 Ensure RAM password policy requires at least one lowercase letter ...................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Lowercase character not required. ........................................................................................................................................ 5982111499156037
| |
| + 1.9 Ensure RAM password policy require at least one symbol ................................................................................................................. 0 / 1 [= ]
| | |
| | OK : Symbol required. ......................................................................................................................................................... 5982111499156037
| |
| + 1.10 Ensure RAM password policy require at least one number ................................................................................................................ 0 / 1 [= ]
| | |
| | OK : Number required. ......................................................................................................................................................... 5982111499156037
| |
| + 1.11 Ensure RAM password policy requires minimum length of 14 or greater ................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Minimum password length set to 8. ........................................................................................................................................ 5982111499156037
| |
| + 1.12 Ensure RAM password policy prevents password reuse .................................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Password reuse prevention set to 6. ...................................................................................................................................... 5982111499156037
| |
| + 1.13 Ensure RAM password policy expires passwords within 90 days or less ................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Password expiration set to 100 days. ..................................................................................................................................... 5982111499156037
| |
| + 1.14 Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour ................................................................... 0 / 1 [= ]
| | |
| | OK : Max login attempts set to 5. ............................................................................................................................................. 5982111499156037
| |
| + 1.16 Ensure RAM policies are attached only to groups or roles .............................................................................................................. 12 / 19 [== ]
| |
| OK : debu not have any direct policy attached. ................................................................................................................................ 5982111499156037
| ALARM: john have direct policy attached. ........................................................................................................................................ 5982111499156037
| ALARM: oscar have direct policy attached. ....................................................................................................................................... 5982111499156037
| ALARM: rajeshbal have direct policy attached. ................................................................................................................................... 5982111499156037
| ALARM: partha have direct policy attached. ...................................................................................................................................... 5982111499156037
| ALARM: lalit have direct policy attached. ....................................................................................................................................... 5982111499156037
| ALARM: khushboo have direct policy attached. .................................................................................................................................... 5982111499156037
| ALARM: sourav have direct policy attached. ...................................................................................................................................... 5982111499156037
| ALARM: david have direct policy attached. ....................................................................................................................................... 5982111499156037
| OK : pam not have any direct policy attached. ................................................................................................................................. 5982111499156037
| OK : dwight not have any direct policy attached. .............................................................................................................................. 5982111499156037
| OK : cisuser not have any direct policy attached. ............................................................................................................................. 5982111499156037
| ALARM: subhajit have direct policy attached. .................................................................................................................................... 5982111499156037
| ALARM: cody have direct policy attached. ........................................................................................................................................ 5982111499156037
| OK : michael not have any direct policy attached. ............................................................................................................................. 5982111499156037
| OK : kevin not have any direct policy attached. ............................................................................................................................... 5982111499156037
| ALARM: raj have direct policy attached. ......................................................................................................................................... 5982111499156037
| OK : jim not have any direct policy attached. ................................................................................................................................. 5982111499156037
| ALARM: nw-steampipe have direct policy attached. ................................................................................................................................ 5982111499156037
|
+ 2 Logging and Monitoring ..................................................................................................................................................... 6 / 39 [=== ]
| |
| + 2.1 Ensure that ActionTrail are configured to export copies of all Log entries ............................................................................................. 6 / 9 [== ]
| | |
| | ALARM: is not configured to export copies of all log entries ........................................................................................................ ap-south-1 5982111499156037
| | ALARM: is not configured to export copies of all log entries ......................................................................................................... us-east-1 5982111499156037
| | OK : is configured to export copies of all log entries ............................................................................................................ ap-south-1 5982111499156037
| | ALARM: is not configured to export copies of all log entries ........................................................................................................ ap-south-1 5982111499156037
| | ALARM: is not configured to export copies of all log entries ......................................................................................................... us-east-1 5982111499156037
| | OK : is configured to export copies of all log entries ............................................................................................................ ap-south-1 5982111499156037
| | OK : is configured to export copies of all log entries ............................................................................................................ ap-south-1 5982111499156037
| | ALARM: is not configured to export copies of all log entries ........................................................................................................ ap-south-1 5982111499156037
| | ALARM: is not configured to export copies of all log entries ......................................................................................................... us-east-1 5982111499156037
| |
| + 2.2 Ensure the OSS used to store ActionTrail logs is not publicly accessible ............................................................................................... 0 / 9 [= ]
| | |
| | OK : oss bucket nw-test-3 used to store ActionTrail logs is not publicly accessible. ............................................................................... ap-south-1 5982111499156037
| | OK : oss bucket turbottest60503 used to store ActionTrail logs is not publicly accessible. ......................................................................... ap-south-1 5982111499156037
| | OK : oss bucket test-ap-south-1 used to store ActionTrail logs is not publicly accessible. ......................................................................... ap-south-1 5982111499156037
| | OK : oss bucket turbottest60503 used to store ActionTrail logs is not publicly accessible. ........................................................................ cn-hangzhou 5982111499156037
| | OK : oss bucket nw-test-3 used to store ActionTrail logs is not publicly accessible. .............................................................................. cn-hangzhou 5982111499156037
| | OK : oss bucket test-ap-south-1 used to store ActionTrail logs is not publicly accessible. ........................................................................ cn-hangzhou 5982111499156037
| | OK : oss bucket turbottest60503 used to store ActionTrail logs is not publicly accessible. .......................................................................... us-east-1 5982111499156037
| | OK : oss bucket nw-test-3 used to store ActionTrail logs is not publicly accessible. ................................................................................ us-east-1 5982111499156037
| | OK : oss bucket test-ap-south-1 used to store ActionTrail logs is not publicly accessible. .......................................................................... us-east-1 5982111499156037
| |
| + 2.3 Ensure audit logs for multiple cloud resources are integrated with Log Service ......................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.4 Ensure Log Service is enabled for Container Service for Kubernetes ..................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.5 Ensure virtual network flow log service is enabled ..................................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.6 Ensure Anti-DDoS access and security log service is enabled ............................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.7 Ensure Web Application Firewall access and security log service is enabled ............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.8 Ensure Cloud Firewall access and security log analysis is enabled ...................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.9 Ensure Security Center Network, Host and Security log analysis is enabled .............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.10 Ensure log monitoring and alerts are set up for RAM Role changes ...................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.11 Ensure log monitoring and alerts are set up for Cloud Firewall changes ................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.12 Ensure log monitoring and alerts are set up for VPC network route changes ............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.13 Ensure log monitoring and alerts are set up for VPC changes ........................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.14 Ensure log monitoring and alerts are set up for OSS permission changes ................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.15 Ensure log monitoring and alerts are set up for RDS instance configuration changes .................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.16 Ensure a log monitoring and alerts are set up for unauthorized API calls .............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.17 Ensure a log monitoring and alerts are set up for Management Console sign-in without MFA .............................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.18 Ensure a log monitoring and alerts are set up for usage of 'root' account ............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.19 Ensure a log monitoring and alerts are set up for Management Console authentication failures .......................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.20 Ensure a log monitoring and alerts are set up for disabling or deletion of customer created CMKs ...................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.21 Ensure a log monitoring and alerts are set up for OSS bucket policy changes ........................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.22 Ensure a log monitoring and alerts are set up for security group changes .............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.23 Ensure that Logstore data retention period is set 365 days or greater ................................................................................................. 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 3 Networking ................................................................................................................................................................. 0 / 3 [= ]
| |
| + 3.1 Ensure legacy networks does not exist .................................................................................................................................. 0 / 0 [ ]
| | |
| + 3.2 Ensure that SSH access is restricted from the internet ................................................................................................................. 1 / 1 [= ]
| | |
| | ERROR: column a.region_id does not exist
| |
| + 3.3 Ensure VPC flow logging is enabled in all VPCs ......................................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 3.4 Ensure routing tables for VPC peering are 'least access' ............................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 3.5 Ensure the security group are configured with fine grained rules ....................................................................................................... 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 4 Virtual Machines ........................................................................................................................................................... 1 / 2 [== ]
| |
| + 4.1 Ensure that 'Unattached disks' are encrypted ........................................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: test1 encryption disabled. ..................................................................................................................................... us-east-1 5982111499156037
| |
| + 4.2 Ensure that 'Virtual Machine’s disk' are encrypted ..................................................................................................................... 0 / 0 [ ]
| | |
| + 4.3 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 ...................................................................................................... 1 / 1 [= ]
| | |
| | ERROR: column a.region_id does not exist
| |
| + 4.4 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 .................................................................................................... 1 / 1 [= ]
| | |
| | ERROR: column a.region_id does not exist
| |
| + 4.5 Ensure that the latest OS Patches for all Virtual Machines are applied ................................................................................................. 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 5 Storage .................................................................................................................................................................... 45 / 63 [==== ]
| |
| + 5.1 Ensure that OSS bucket is not anonymously or publicly accessible ....................................................................................................... 1 / 12 [== ]
| | |
| | OK : test-ap-south-1 not publicly accessible. ...................................................................................................................... ap-south-1 5982111499156037
| | OK : turbottest2670 not publicly accessible. ........................................................................................................................ us-east-1 5982111499156037
| | OK : nw-test-3 not publicly accessible. ............................................................................................................................. us-east-1 5982111499156037
| | OK : turbottest60503 not publicly accessible. ....................................................................................................................... us-east-1 5982111499156037
| | OK : canonical-test not publicly accessible. ........................................................................................................................ us-east-1 5982111499156037
| | OK : turbottest45802 not publicly accessible. ....................................................................................................................... us-east-1 5982111499156037
| | OK : turbottest39313 not publicly accessible. ....................................................................................................................... us-east-1 5982111499156037
| | OK : turbottest96253 not publicly accessible. ....................................................................................................................... us-east-1 5982111499156037
| | OK : kms-bucket not publicly accessible. ........................................................................................................................... cn-beijing 5982111499156037
| | OK : cis-test2 not publicly accessible. ............................................................................................................................. us-east-1 5982111499156037
| | OK : nw-test-1 not publicly accessible. ............................................................................................................................. us-east-1 5982111499156037
| | ALARM: cis-test-mar12 publicly accessible. ............................................................................................................................ us-east-1 5982111499156037
| |
| + 5.2 Ensure that there are no publicly accessible objects in storage buckets ................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 5.3 Ensure that logging is enabled for OSS buckets ......................................................................................................................... 10 / 12 [== ]
| | |
| | ALARM: test-ap-south-1 logging disabled. ............................................................................................................................. ap-south-1 5982111499156037
| | ALARM: turbottest45802 logging disabled. .............................................................................................................................. us-east-1 5982111499156037
| | ALARM: turbottest39313 logging disabled. .............................................................................................................................. us-east-1 5982111499156037
| | ALARM: turbottest60503 logging disabled. .............................................................................................................................. us-east-1 5982111499156037
| | ALARM: nw-test-3 logging disabled. .................................................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest2670 logging disabled. ............................................................................................................................... us-east-1 5982111499156037
| | ALARM: canonical-test logging disabled. ............................................................................................................................... us-east-1 5982111499156037
| | OK : cis-test2 logging enabled. ..................................................................................................................................... us-east-1 5982111499156037
| | ALARM: nw-test-1 logging disabled. .................................................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest96253 logging disabled. .............................................................................................................................. us-east-1 5982111499156037
| | OK : cis-test-mar12 logging enabled. ................................................................................................................................ us-east-1 5982111499156037
| | ALARM: kms-bucket logging disabled. .................................................................................................................................. cn-beijing 5982111499156037
| |
| + 5.4 Ensure that 'Secure transfer required' is set to 'Enabled' ............................................................................................................. 11 / 12 [== ]
| | |
| | OK : test-ap-south-1 bucket policy enforces HTTPS. ................................................................................................................. ap-south-1 5982111499156037
| | ALARM: turbottest2670 bucket policy does not enforce HTTPS. ........................................................................................................... us-east-1 5982111499156037
| | ALARM: nw-test-3 bucket policy does not enforce HTTPS. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: turbottest60503 bucket policy does not enforce HTTPS. .......................................................................................................... us-east-1 5982111499156037
| | ALARM: canonical-test bucket policy does not enforce HTTPS. ........................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest45802 bucket policy does not enforce HTTPS. .......................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest39313 bucket policy does not enforce HTTPS. .......................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest96253 bucket policy does not enforce HTTPS. .......................................................................................................... us-east-1 5982111499156037
| | ALARM: kms-bucket bucket policy does not enforce HTTPS. .............................................................................................................. cn-beijing 5982111499156037
| | ALARM: cis-test2 bucket policy does not enforce HTTPS. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: nw-test-1 bucket policy does not enforce HTTPS. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: cis-test-mar12 bucket policy does not enforce HTTPS. ........................................................................................................... us-east-1 5982111499156037
| |
| + 5.5 Ensure that the shared URL signature expires within an hour ............................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 5.6 Ensure that URL signature is allowed only over https ................................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 5.8 Ensure server-side encryption is set to 'Encrypt with Service Key' ..................................................................................................... 11 / 12 [== ]
| | |
| | ALARM: test-ap-south-1 not encrypted with Service Key. ............................................................................................................... ap-south-1 5982111499156037
| | ALARM: turbottest2670 not encrypted with Service Key. ................................................................................................................. us-east-1 5982111499156037
| | ALARM: nw-test-3 not encrypted with Service Key. ...................................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest60503 not encrypted with Service Key. ................................................................................................................ us-east-1 5982111499156037
| | OK : canonical-test encrypted with Service Key. ..................................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest45802 not encrypted with Service Key. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: turbottest39313 not encrypted with Service Key. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: turbottest96253 not encrypted with Service Key. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: kms-bucket not encrypted with Service Key. .................................................................................................................... cn-beijing 5982111499156037
| | ALARM: cis-test2 not encrypted with Service Key. ...................................................................................................................... us-east-1 5982111499156037
| | ALARM: nw-test-1 not encrypted with Service Key. ...................................................................................................................... us-east-1 5982111499156037
| | ALARM: cis-test-mar12 not encrypted with Service Key. ................................................................................................................. us-east-1 5982111499156037
| |
| + 5.9 Ensure server-side encryption is set to 'Encrypt with BYOK' ............................................................................................................ 12 / 12 [= ]
| |
| ALARM: test-ap-south-1 not encrypted with BYOK. ...................................................................................................................... ap-south-1 5982111499156037
| ALARM: turbottest2670 not encrypted with BYOK. ........................................................................................................................ us-east-1 5982111499156037
| ALARM: nw-test-3 not encrypted with BYOK. ............................................................................................................................. us-east-1 5982111499156037
| ALARM: turbottest60503 not encrypted with BYOK. ....................................................................................................................... us-east-1 5982111499156037
| ALARM: canonical-test not encrypted with BYOK. ........................................................................................................................ us-east-1 5982111499156037
| ALARM: turbottest45802 not encrypted with BYOK. ....................................................................................................................... us-east-1 5982111499156037
| ALARM: turbottest39313 not encrypted with BYOK. ....................................................................................................................... us-east-1 5982111499156037
| ALARM: turbottest96253 not encrypted with BYOK. ....................................................................................................................... us-east-1 5982111499156037
| ALARM: kms-bucket not encrypted with BYOK. ........................................................................................................................... cn-beijing 5982111499156037
| ALARM: cis-test2 not encrypted with BYOK. ............................................................................................................................. us-east-1 5982111499156037
| ALARM: nw-test-1 not encrypted with BYOK. ............................................................................................................................. us-east-1 5982111499156037
| ALARM: cis-test-mar12 not encrypted with BYOK. ........................................................................................................................ us-east-1 5982111499156037
|
+ 6 Relational Database Services ............................................................................................................................................... 0 / 0 [ ]
| |
| + 6.1 Ensure that RDS instance requires all incoming connections to use SSL .................................................................................................. 0 / 0 [ ]
| | |
| + 6.2 Ensure that RDS Instances are not open to the world .................................................................................................................... 0 / 0 [ ]
| | |
| + 6.3 Ensure that 'Auditing' is set to 'On' for applicable database instances ................................................................................................ 0 / 0 [ ]
| | |
| + 6.4 Ensure that 'Auditing' Retention is 'greater than 6 months' ............................................................................................................ 0 / 0 [ ]
| | |
| + 6.5 Ensure that 'TDE' is set to 'Enabled' on for applicable database instance .............................................................................................. 0 / 0 [ ]
| | |
| + 6.7 Ensure parameter 'log_connections' is set to 'ON' for PostgreSQL Database .............................................................................................. 0 / 0 [ ]
| | |
| + 6.8 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server ............................................................................. 0 / 0 [ ]
| | |
| + 6.9 Ensure server parameter 'log_duration is set to 'ON' for PostgreSQL Database Server .................................................................................... 0 / 0 [ ]
| |
+ 7 Kubernetes Engine .......................................................................................................................................................... 0 / 5 [= ]
| |
| + 7.1 Ensure Log Service is set to 'Enabled' on Kubernetes Engine Clusters ................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 7.4 Ensure Cluster Check triggered at least once per week for Kubernetes Clusters .......................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 7.5 Ensure Kubernetes web UI / Dashboard is not enabled .................................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 7.6 Ensure Basic Authentication is not enabled on Kubernetes Engine ........................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 7.7 Ensure Network policy is enabled on Kubernetes Engine Clusters ......................................................................................................... 0 / 0 [ ]
| | |
| + 7.8 Ensure ENI multiple IP mode support for Kubernetes Cluster ............................................................................................................. 0 / 0 [ ]
| | |
| + 7.9 Ensure Kubernetes Cluster is created with Private cluster enabled ...................................................................................................... 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8 Security Center ............................................................................................................................................................ 1 / 7 [== ]
|
+ 8.1 Ensure that Security Center is Advanced or Enterprise Edition .......................................................................................................... 1 / 1 [= ]
| |
| ALARM: Security Center Enterprise or Advanced edition disabled. ..................................................................................................... cn-hangzhou 5982111499156037
|
+ 8.3 Ensure that Automatic Quarantine is enabled ............................................................................................................................ 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8.4 Ensure that Webshell detection is enabled on all web servers ........................................................................................................... 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8.5 Ensure that notification is enabled on all high risk items ............................................................................................................. 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8.6 Ensure that Config Assessment is granted with privilege ................................................................................................................ 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8.7 Ensure that scheduled vulnerability scan is enabled on all servers ..................................................................................................... 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8.8 Ensure that Asset Fingerprint automatically collects asset fingerprint data ............................................................................................ 0 / 1 [= ]
|
INFO : Manual verification required. ............................................................................................................................................ 5982111499156037

Alibaba Cloud Compliance ......................................................................................................................................................... 95 / 184 [==========]
|
+ CIS v1.0.0 ..................................................................................................................................................................... 95 / 184 [==========]
|
+ 1 Identity and Access Management ............................................................................................................................................. 42 / 65 [==== ]
| |
| + 1.1 Avoid the use of the 'root' account .................................................................................................................................... 1 / 1 [= ]
| | |
| | ERROR: SDKError:
Code: Expired.CredentialReport
Message: code: 410, The credential report has been expired. request id: D268F24D-659C-575E-BD49-ACC46CFD6449
Data: {"Code":"Expired.CredentialReport","HostId":"ims.aliyuncs.com","Message":"The credential report has been expired.","Recommend":"https://error-center.aliyun.com/status/search?Key…
| |
| + 1.2 Ensure no root account access key exists ............................................................................................................................... 1 / 1 [= ]
| | |
| | ERROR: SDKError:
Code: Expired.CredentialReport
Message: code: 410, The credential report has been expired. request id: C7E2CFD9-63AE-5FCB-A668-4BE6CAEE82B4
Data: {"Code":"Expired.CredentialReport","HostId":"ims.aliyuncs.com","Message":"The credential report has been expired.","Recommend":"https://error-center.aliyun.com/status/search?Key…
| |
| + 1.3 Ensure MFA is enabled for the 'root' account ........................................................................................................................... 1 / 1 [= ]
| | |
| | ERROR: SDKError:
Code: Expired.CredentialReport
Message: code: 410, The credential report has been expired. request id: 91D7A65D-4E2B-5A4E-A3F0-0048DC9A64AB
Data: {"Code":"Expired.CredentialReport","HostId":"ims.aliyuncs.com","Message":"The credential report has been expired.","Recommend":"https://error-center.aliyun.com/status/search?Key…
| |
| + 1.4 Ensure that multi-factor authentication is enabled for all RAM users that have a console password ...................................................................... 1 / 1 [= ]
| | |
| | ERROR: SDKError:
Code: Expired.CredentialReport
Message: code: 410, The credential report has been expired. request id: C7EF8BCA-0BA0-55D5-9BF8-D29E43BC58F4
Data: {"Code":"Expired.CredentialReport","HostId":"ims.aliyuncs.com","Message":"The credential report has been expired.","Recommend":"https://error-center.aliyun.com/status/search?Key…
| |
| + 1.5 Ensure users not logged on for 90 days or longer are disabled for console logon ........................................................................................ 11 / 19 [== ]
| | |
| | OK : khushboo logged in 28 days ago. .......................................................................................................................................... 5982111499156037
| | ALARM: pam never logged in. ..................................................................................................................................................... 5982111499156037
| | ALARM: cody logged in 126 days ago. ............................................................................................................................................. 5982111499156037
| | OK : raj logged in 14 days ago. ............................................................................................................................................... 5982111499156037
| | OK : debu logged in 15 days ago. .............................................................................................................................................. 5982111499156037
| | OK : partha logged in 1 days ago. ............................................................................................................................................. 5982111499156037
| | ALARM: michael never logged in. ................................................................................................................................................. 5982111499156037
| | ALARM: cisuser never logged in. ................................................................................................................................................. 5982111499156037
| | ALARM: kevin never logged in. ................................................................................................................................................... 5982111499156037
| | OK : sourav logged in 1 days ago. ............................................................................................................................................. 5982111499156037
| | ALARM: dwight never logged in. .................................................................................................................................................. 5982111499156037
| | ALARM: oscar never logged in. ................................................................................................................................................... 5982111499156037
| | OK : rajeshbal logged in 16 days ago. ......................................................................................................................................... 5982111499156037
| | OK : subhajit logged in 7 days ago. ........................................................................................................................................... 5982111499156037
| | ALARM: john logged in 126 days ago. ............................................................................................................................................. 5982111499156037
| | OK : lalit logged in 24 days ago. ............................................................................................................................................. 5982111499156037
| | ALARM: nw-steampipe never logged in. ............................................................................................................................................ 5982111499156037
| | ALARM: jim never logged in. ..................................................................................................................................................... 5982111499156037
| | ALARM: david logged in 126 days ago. ............................................................................................................................................ 5982111499156037
| |
| + 1.6 Ensure access keys are rotated every 90 days or less ................................................................................................................... 14 / 19 [== ]
| | |
| | OK : partha LTAI5tJ24Hu51Y2UCLsyDt1u created 01-Jun-2021 (66 days). ........................................................................................................... 5982111499156037
| | OK : khushboo LTAI5tE6NLzZDqPoNMS1c4i7 created 09-Jun-2021 (58 days). ......................................................................................................... 5982111499156037
| | ALARM: lalit LTAI4GC5FPDVXYns4VHjzoTp created 23-Feb-2021 (164 days). ........................................................................................................... 5982111499156037
| | ALARM: nw-steampipe LTAI4GBwJQnMs697GDp2GASK created 24-Jan-2021 (193 days). .................................................................................................... 5982111499156037
| | ALARM: subhajit LTAI4G1q1KCF934zSvH4WNCD created 19-Feb-2021 (167 days). ........................................................................................................ 5982111499156037
| | OK : cody LTAI5tCZ2c7USv4BxHUkqYLm created 19-Jul-2021 (17 days). ............................................................................................................. 5982111499156037
| | ALARM: raj LTAI4G3iPoXzR2kNmP89SV2X created 11-Mar-2021 (148 days). ............................................................................................................. 5982111499156037
| | ALARM: rajeshbal LTAI4G5FDM8JYkJkUfUvJ8pB created 18-Feb-2021 (169 days). ....................................................................................................... 5982111499156037
| | OK : debu LTAI5tQmMTfSx9pg89kNcXzn created 05-Jul-2021 (31 days). ............................................................................................................. 5982111499156037
| | ALARM: oscar LTAI4GD8KPPL6N3LZ5fZ1Pyx created 27-Jan-2021 (191 days). ........................................................................................................... 5982111499156037
| | ALARM: kevin LTAI4GDtxHE67g2UujBMTUqp created 27-Jan-2021 (191 days). ........................................................................................................... 5982111499156037
| | ALARM: dwight LTAI4FyxySVqXLsXNTJ8svo9 created 27-Jan-2021 (191 days). .......................................................................................................... 5982111499156037
| | ALARM: pam LTAI4GHBBV1s8w5Kk3Jex3H8 created 27-Jan-2021 (191 days). ............................................................................................................. 5982111499156037
| | ALARM: john LTAI4GBVEshZAjTFNf4ezv66 created 23-Feb-2021 (163 days). ............................................................................................................ 5982111499156037
| | ALARM: john LTAI4G6DoDr1V1QxPeTnTqto created 25-Feb-2021 (162 days). ............................................................................................................ 5982111499156037
| | OK : sourav LTAI5tQyR5XwQXdaXx8KcUSV created 07-Jul-2021 (30 days). ........................................................................................................... 5982111499156037
| | ALARM: jim LTAI4GALdnJDMGQdpxPwXkn3 created 27-Jan-2021 (191 days). ............................................................................................................. 5982111499156037
| | ALARM: david LTAI5tL5AHdDuaVKQrR4jfhZ created 01-Apr-2021 (126 days). ........................................................................................................... 5982111499156037
| | ALARM: michael LTAI4GG37PzvtqL8rgogq1An created 27-Jan-2021 (191 days). ......................................................................................................... 5982111499156037
| |
| + 1.7 Ensure RAM password policy requires at least one uppercase letter ...................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Uppercase character not required. ........................................................................................................................................ 5982111499156037
| |
| + 1.8 Ensure RAM password policy requires at least one lowercase letter ...................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Lowercase character not required. ........................................................................................................................................ 5982111499156037
| |
| + 1.9 Ensure RAM password policy require at least one symbol ................................................................................................................. 0 / 1 [= ]
| | |
| | OK : Symbol required. ......................................................................................................................................................... 5982111499156037
| |
| + 1.10 Ensure RAM password policy require at least one number ................................................................................................................ 0 / 1 [= ]
| | |
| | OK : Number required. ......................................................................................................................................................... 5982111499156037
| |
| + 1.11 Ensure RAM password policy requires minimum length of 14 or greater ................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Minimum password length set to 8. ........................................................................................................................................ 5982111499156037
| |
| + 1.12 Ensure RAM password policy prevents password reuse .................................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Password reuse prevention set to 6. ...................................................................................................................................... 5982111499156037
| |
| + 1.13 Ensure RAM password policy expires passwords within 90 days or less ................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: Password expiration set to 100 days. ..................................................................................................................................... 5982111499156037
| |
| + 1.14 Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour ................................................................... 0 / 1 [= ]
| | |
| | OK : Max login attempts set to 5. ............................................................................................................................................. 5982111499156037
| |
| + 1.16 Ensure RAM policies are attached only to groups or roles .............................................................................................................. 12 / 19 [== ]
| |
| ALARM: khushboo have direct policy attached. .................................................................................................................................... 5982111499156037
| OK : pam not have any direct policy attached. ................................................................................................................................. 5982111499156037
| ALARM: cody have direct policy attached. ........................................................................................................................................ 5982111499156037
| ALARM: raj have direct policy attached. ......................................................................................................................................... 5982111499156037
| OK : debu not have any direct policy attached. ................................................................................................................................ 5982111499156037
| ALARM: partha have direct policy attached. ...................................................................................................................................... 5982111499156037
| OK : michael not have any direct policy attached. ............................................................................................................................. 5982111499156037
| OK : cisuser not have any direct policy attached. ............................................................................................................................. 5982111499156037
| OK : kevin not have any direct policy attached. ............................................................................................................................... 5982111499156037
| ALARM: sourav have direct policy attached. ...................................................................................................................................... 5982111499156037
| OK : dwight not have any direct policy attached. .............................................................................................................................. 5982111499156037
| ALARM: oscar have direct policy attached. ....................................................................................................................................... 5982111499156037
| ALARM: rajeshbal have direct policy attached. ................................................................................................................................... 5982111499156037
| ALARM: subhajit have direct policy attached. .................................................................................................................................... 5982111499156037
| ALARM: john have direct policy attached. ........................................................................................................................................ 5982111499156037
| ALARM: lalit have direct policy attached. ....................................................................................................................................... 5982111499156037
| ALARM: nw-steampipe have direct policy attached. ................................................................................................................................ 5982111499156037
| OK : jim not have any direct policy attached. ................................................................................................................................. 5982111499156037
| ALARM: david have direct policy attached. ....................................................................................................................................... 5982111499156037
|
+ 2 Logging and Monitoring ..................................................................................................................................................... 6 / 39 [=== ]
| |
| + 2.1 Ensure that ActionTrail are configured to export copies of all Log entries ............................................................................................. 6 / 9 [== ]
| | |
| | ALARM: is not configured to export copies of all log entries ......................................................................................................... us-east-1 5982111499156037
| | OK : is configured to export copies of all log entries ............................................................................................................ ap-south-1 5982111499156037
| | ALARM: is not configured to export copies of all log entries ........................................................................................................ ap-south-1 5982111499156037
| | OK : is configured to export copies of all log entries ............................................................................................................ ap-south-1 5982111499156037
| | ALARM: is not configured to export copies of all log entries ......................................................................................................... us-east-1 5982111499156037
| | ALARM: is not configured to export copies of all log entries ........................................................................................................ ap-south-1 5982111499156037
| | ALARM: is not configured to export copies of all log entries ........................................................................................................ ap-south-1 5982111499156037
| | OK : is configured to export copies of all log entries ............................................................................................................ ap-south-1 5982111499156037
| | ALARM: is not configured to export copies of all log entries ......................................................................................................... us-east-1 5982111499156037
| |
| + 2.2 Ensure the OSS used to store ActionTrail logs is not publicly accessible ............................................................................................... 0 / 9 [= ]
| | |
| | OK : oss bucket turbottest60503 used to store ActionTrail logs is not publicly accessible. ......................................................................... ap-south-1 5982111499156037
| | OK : oss bucket test-ap-south-1 used to store ActionTrail logs is not publicly accessible. ......................................................................... ap-south-1 5982111499156037
| | OK : oss bucket nw-test-3 used to store ActionTrail logs is not publicly accessible. ............................................................................... ap-south-1 5982111499156037
| | OK : oss bucket nw-test-3 used to store ActionTrail logs is not publicly accessible. .............................................................................. cn-hangzhou 5982111499156037
| | OK : oss bucket test-ap-south-1 used to store ActionTrail logs is not publicly accessible. ........................................................................ cn-hangzhou 5982111499156037
| | OK : oss bucket turbottest60503 used to store ActionTrail logs is not publicly accessible. ........................................................................ cn-hangzhou 5982111499156037
| | OK : oss bucket nw-test-3 used to store ActionTrail logs is not publicly accessible. ................................................................................ us-east-1 5982111499156037
| | OK : oss bucket turbottest60503 used to store ActionTrail logs is not publicly accessible. .......................................................................... us-east-1 5982111499156037
| | OK : oss bucket test-ap-south-1 used to store ActionTrail logs is not publicly accessible. .......................................................................... us-east-1 5982111499156037
| |
| + 2.3 Ensure audit logs for multiple cloud resources are integrated with Log Service ......................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.4 Ensure Log Service is enabled for Container Service for Kubernetes ..................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.5 Ensure virtual network flow log service is enabled ..................................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.6 Ensure Anti-DDoS access and security log service is enabled ............................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.7 Ensure Web Application Firewall access and security log service is enabled ............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.8 Ensure Cloud Firewall access and security log analysis is enabled ...................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.9 Ensure Security Center Network, Host and Security log analysis is enabled .............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.10 Ensure log monitoring and alerts are set up for RAM Role changes ...................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.11 Ensure log monitoring and alerts are set up for Cloud Firewall changes ................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.12 Ensure log monitoring and alerts are set up for VPC network route changes ............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.13 Ensure log monitoring and alerts are set up for VPC changes ........................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.14 Ensure log monitoring and alerts are set up for OSS permission changes ................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.15 Ensure log monitoring and alerts are set up for RDS instance configuration changes .................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.16 Ensure a log monitoring and alerts are set up for unauthorized API calls .............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.17 Ensure a log monitoring and alerts are set up for Management Console sign-in without MFA .............................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.18 Ensure a log monitoring and alerts are set up for usage of 'root' account ............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.19 Ensure a log monitoring and alerts are set up for Management Console authentication failures .......................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.20 Ensure a log monitoring and alerts are set up for disabling or deletion of customer created CMKs ...................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.21 Ensure a log monitoring and alerts are set up for OSS bucket policy changes ........................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.22 Ensure a log monitoring and alerts are set up for security group changes .............................................................................................. 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 2.23 Ensure that Logstore data retention period is set 365 days or greater ................................................................................................. 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 3 Networking ................................................................................................................................................................. 0 / 3 [= ]
| |
| + 3.1 Ensure legacy networks does not exist .................................................................................................................................. 0 / 0 [ ]
| | |
| + 3.2 Ensure that SSH access is restricted from the internet ................................................................................................................. 1 / 1 [= ]
| | |
| | ERROR: column a.region_id does not exist
| |
| + 3.3 Ensure VPC flow logging is enabled in all VPCs ......................................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 3.4 Ensure routing tables for VPC peering are 'least access' ............................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 3.5 Ensure the security group are configured with fine grained rules ....................................................................................................... 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 4 Virtual Machines ........................................................................................................................................................... 1 / 2 [== ]
| |
| + 4.1 Ensure that 'Unattached disks' are encrypted ........................................................................................................................... 1 / 1 [= ]
| | |
| | ALARM: test1 encryption disabled. ..................................................................................................................................... us-east-1 5982111499156037
| |
| + 4.2 Ensure that 'Virtual Machine’s disk' are encrypted ..................................................................................................................... 0 / 0 [ ]
| | |
| + 4.3 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 ...................................................................................................... 1 / 1 [= ]
| | |
| | ERROR: column a.region_id does not exist
| |
| + 4.4 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 .................................................................................................... 1 / 1 [= ]
| | |
| | ERROR: column a.region_id does not exist
| |
| + 4.5 Ensure that the latest OS Patches for all Virtual Machines are applied ................................................................................................. 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 5 Storage .................................................................................................................................................................... 45 / 63 [==== ]
| |
| + 5.1 Ensure that OSS bucket is not anonymously or publicly accessible ....................................................................................................... 1 / 12 [== ]
| | |
| | OK : test-ap-south-1 not publicly accessible. ...................................................................................................................... ap-south-1 5982111499156037
| | OK : kms-bucket not publicly accessible. ........................................................................................................................... cn-beijing 5982111499156037
| | OK : turbottest39313 not publicly accessible. ....................................................................................................................... us-east-1 5982111499156037
| | OK : nw-test-3 not publicly accessible. ............................................................................................................................. us-east-1 5982111499156037
| | OK : turbottest60503 not publicly accessible. ....................................................................................................................... us-east-1 5982111499156037
| | OK : turbottest45802 not publicly accessible. ....................................................................................................................... us-east-1 5982111499156037
| | OK : cis-test2 not publicly accessible. ............................................................................................................................. us-east-1 5982111499156037
| | OK : turbottest2670 not publicly accessible. ........................................................................................................................ us-east-1 5982111499156037
| | OK : turbottest96253 not publicly accessible. ....................................................................................................................... us-east-1 5982111499156037
| | OK : canonical-test not publicly accessible. ........................................................................................................................ us-east-1 5982111499156037
| | OK : nw-test-1 not publicly accessible. ............................................................................................................................. us-east-1 5982111499156037
| | ALARM: cis-test-mar12 publicly accessible. ............................................................................................................................ us-east-1 5982111499156037
| |
| + 5.2 Ensure that there are no publicly accessible objects in storage buckets ................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 5.3 Ensure that logging is enabled for OSS buckets ......................................................................................................................... 10 / 12 [== ]
| | |
| | ALARM: test-ap-south-1 logging disabled. ............................................................................................................................. ap-south-1 5982111499156037
| | ALARM: turbottest60503 logging disabled. .............................................................................................................................. us-east-1 5982111499156037
| | ALARM: nw-test-1 logging disabled. .................................................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest39313 logging disabled. .............................................................................................................................. us-east-1 5982111499156037
| | OK : cis-test-mar12 logging enabled. ................................................................................................................................ us-east-1 5982111499156037
| | ALARM: turbottest45802 logging disabled. .............................................................................................................................. us-east-1 5982111499156037
| | ALARM: turbottest2670 logging disabled. ............................................................................................................................... us-east-1 5982111499156037
| | OK : cis-test2 logging enabled. ..................................................................................................................................... us-east-1 5982111499156037
| | ALARM: nw-test-3 logging disabled. .................................................................................................................................... us-east-1 5982111499156037
| | ALARM: canonical-test logging disabled. ............................................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest96253 logging disabled. .............................................................................................................................. us-east-1 5982111499156037
| | ALARM: kms-bucket logging disabled. .................................................................................................................................. cn-beijing 5982111499156037
| |
| + 5.4 Ensure that 'Secure transfer required' is set to 'Enabled' ............................................................................................................. 11 / 12 [== ]
| | |
| | OK : test-ap-south-1 bucket policy enforces HTTPS. ................................................................................................................. ap-south-1 5982111499156037
| | ALARM: kms-bucket bucket policy does not enforce HTTPS. .............................................................................................................. cn-beijing 5982111499156037
| | ALARM: turbottest39313 bucket policy does not enforce HTTPS. .......................................................................................................... us-east-1 5982111499156037
| | ALARM: nw-test-3 bucket policy does not enforce HTTPS. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: turbottest60503 bucket policy does not enforce HTTPS. .......................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest45802 bucket policy does not enforce HTTPS. .......................................................................................................... us-east-1 5982111499156037
| | ALARM: cis-test2 bucket policy does not enforce HTTPS. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: turbottest2670 bucket policy does not enforce HTTPS. ........................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest96253 bucket policy does not enforce HTTPS. .......................................................................................................... us-east-1 5982111499156037
| | ALARM: canonical-test bucket policy does not enforce HTTPS. ........................................................................................................... us-east-1 5982111499156037
| | ALARM: nw-test-1 bucket policy does not enforce HTTPS. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: cis-test-mar12 bucket policy does not enforce HTTPS. ........................................................................................................... us-east-1 5982111499156037
| |
| + 5.5 Ensure that the shared URL signature expires within an hour ............................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 5.6 Ensure that URL signature is allowed only over https ................................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 5.8 Ensure server-side encryption is set to 'Encrypt with Service Key' ..................................................................................................... 11 / 12 [== ]
| | |
| | ALARM: test-ap-south-1 not encrypted with Service Key. ............................................................................................................... ap-south-1 5982111499156037
| | ALARM: kms-bucket not encrypted with Service Key. .................................................................................................................... cn-beijing 5982111499156037
| | ALARM: turbottest39313 not encrypted with Service Key. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: nw-test-3 not encrypted with Service Key. ...................................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest60503 not encrypted with Service Key. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: turbottest45802 not encrypted with Service Key. ................................................................................................................ us-east-1 5982111499156037
| | ALARM: cis-test2 not encrypted with Service Key. ...................................................................................................................... us-east-1 5982111499156037
| | ALARM: turbottest2670 not encrypted with Service Key. ................................................................................................................. us-east-1 5982111499156037
| | ALARM: turbottest96253 not encrypted with Service Key. ................................................................................................................ us-east-1 5982111499156037
| | OK : canonical-test encrypted with Service Key. ..................................................................................................................... us-east-1 5982111499156037
| | ALARM: nw-test-1 not encrypted with Service Key. ...................................................................................................................... us-east-1 5982111499156037
| | ALARM: cis-test-mar12 not encrypted with Service Key. ................................................................................................................. us-east-1 5982111499156037
| |
| + 5.9 Ensure server-side encryption is set to 'Encrypt with BYOK' ............................................................................................................ 12 / 12 [= ]
| |
| ALARM: test-ap-south-1 not encrypted with BYOK. ...................................................................................................................... ap-south-1 5982111499156037
| ALARM: kms-bucket not encrypted with BYOK. ........................................................................................................................... cn-beijing 5982111499156037
| ALARM: turbottest39313 not encrypted with BYOK. ....................................................................................................................... us-east-1 5982111499156037
| ALARM: nw-test-3 not encrypted with BYOK. ............................................................................................................................. us-east-1 5982111499156037
| ALARM: turbottest60503 not encrypted with BYOK. ....................................................................................................................... us-east-1 5982111499156037
| ALARM: turbottest45802 not encrypted with BYOK. ....................................................................................................................... us-east-1 5982111499156037
| ALARM: cis-test2 not encrypted with BYOK. ............................................................................................................................. us-east-1 5982111499156037
| ALARM: turbottest2670 not encrypted with BYOK. ........................................................................................................................ us-east-1 5982111499156037
| ALARM: turbottest96253 not encrypted with BYOK. ....................................................................................................................... us-east-1 5982111499156037
| ALARM: canonical-test not encrypted with BYOK. ........................................................................................................................ us-east-1 5982111499156037
| ALARM: nw-test-1 not encrypted with BYOK. ............................................................................................................................. us-east-1 5982111499156037
| ALARM: cis-test-mar12 not encrypted with BYOK. ........................................................................................................................ us-east-1 5982111499156037
|
+ 6 Relational Database Services ............................................................................................................................................... 0 / 0 [ ]
| |
| + 6.1 Ensure that RDS instance requires all incoming connections to use SSL .................................................................................................. 0 / 0 [ ]
| | |
| + 6.2 Ensure that RDS Instances are not open to the world .................................................................................................................... 0 / 0 [ ]
| | |
| + 6.3 Ensure that 'Auditing' is set to 'On' for applicable database instances ................................................................................................ 0 / 0 [ ]
| | |
| + 6.4 Ensure that 'Auditing' Retention is 'greater than 6 months' ............................................................................................................ 0 / 0 [ ]
| | |
| + 6.5 Ensure that 'TDE' is set to 'Enabled' on for applicable database instance .............................................................................................. 0 / 0 [ ]
| | |
| + 6.7 Ensure parameter 'log_connections' is set to 'ON' for PostgreSQL Database .............................................................................................. 0 / 0 [ ]
| | |
| + 6.8 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server ............................................................................. 0 / 0 [ ]
| | |
| + 6.9 Ensure server parameter 'log_duration is set to 'ON' for PostgreSQL Database Server .................................................................................... 0 / 0 [ ]
| |
+ 7 Kubernetes Engine .......................................................................................................................................................... 0 / 5 [= ]
| |
| + 7.1 Ensure Log Service is set to 'Enabled' on Kubernetes Engine Clusters ................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 7.4 Ensure Cluster Check triggered at least once per week for Kubernetes Clusters .......................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 7.5 Ensure Kubernetes web UI / Dashboard is not enabled .................................................................................................................... 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 7.6 Ensure Basic Authentication is not enabled on Kubernetes Engine ........................................................................................................ 0 / 1 [= ]
| | |
| | INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
| |
| + 7.7 Ensure Network policy is enabled on Kubernetes Engine Clusters ......................................................................................................... 0 / 0 [ ]
| | |
| + 7.8 Ensure ENI multiple IP mode support for Kubernetes Cluster ............................................................................................................. 0 / 0 [ ]
| | |
| + 7.9 Ensure Kubernetes Cluster is created with Private cluster enabled ...................................................................................................... 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8 Security Center ............................................................................................................................................................ 1 / 7 [== ]
|
+ 8.1 Ensure that Security Center is Advanced or Enterprise Edition .......................................................................................................... 1 / 1 [= ]
| |
| ALARM: Security Center Enterprise or Advanced edition disabled. ..................................................................................................... cn-hangzhou 5982111499156037
|
+ 8.3 Ensure that Automatic Quarantine is enabled ............................................................................................................................ 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8.4 Ensure that Webshell detection is enabled on all web servers ........................................................................................................... 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8.5 Ensure that notification is enabled on all high risk items ............................................................................................................. 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8.6 Ensure that Config Assessment is granted with privilege ................................................................................................................ 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8.7 Ensure that scheduled vulnerability scan is enabled on all servers ..................................................................................................... 0 / 1 [= ]
| |
| INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
|
+ 8.8 Ensure that Asset Fingerprint automatically collects asset fingerprint data ............................................................................................ 0 / 1 [= ]
|
INFO : Manual verification required. ............................................................................................................................................ 5982111499156037
Marking this closed; it will be revisited based on the reproduction of the issue.

Describe the bug
select * from alicloud_oss_bucket
renders result, however the query below results in authentication ERROR
Error: Post "https://sts.ap-south-1.aliyuncs.com/?AccessKeyId=XzR2kNmP....

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.