DocumentationAPI ReferenceRelease Notes
Release Notes
Back to All

New Cloud Security Posture Risks

about 1 year ago

We have added more than 50 items to the list of security posture risks Panoptica scans for, in Google Cloud Platform, Azure, and Amazon Web Services.

GCP

  • Cloud SQL
    • Cloud SQL Instance Without SSL Encryption
    • Cloud SQL Instance Without Automatic Backup
    • Cloud SQL Instance Connection Logs Disabled
    • Cloud PostgreSQL Instance Without 'point-in-time' Recovery
    • Cloud SQL Instance Allows Network Connection From Any IP (0.0.0.0/0)
    • GCP SQL Server 'Cross DB Ownership Chaining Flag' Enabled
    • GCP SQL is Not Using Private Ip
    • GCP SQL is Not Using CMK
    • GCP SQL Without Password Policy
    • GCP Sql Instance Flag 'check_proxy_users' is Off
    • GCP SQL Instance Flag 'local_infile' is On
    • GCP SQL Instance Flag 'default_password_lifetime' is set to 0
    • GCP SQL Instance Flag 'skip_show_database' is Off
    • GCP SQL Instance Flag 'mysql_native_password_proxy_users' is Off
    • GCP SQL Instance Flag 'disconnect_on_expired_password' is Off
    • GCP SQL Instance Flag 'password_require_current' is Off
    • GCP PostgreSQL Instance Flag 'cloudsql.allow_passwordless_local_connections' is On
    • GCP PostgreSQL Instance Flag 'cloudsql.iam_authentication' is Off
  • MemoryStore
    • MemoryStore Encryption by Transit is Disabled
    • MemoryStore Connection by Direct Peering
    • MemoryStore Encryption without CMEK
    • MemoryStore AUTH is Disabled

Azure

  • MariaDB
    • Maria DB Account TLS /SSL Disabled
    • Maria DB Account is Not Using Private Endpoints
  • Cosmos DB
    • Cosmos DB Account is Not Using Virtual Network
    • Cosmos DB Account is Not Using Private Endpoints
    • Cosmos DB Account with Service Managed Encryption Key
    • Cosmos DB Account "Disabled Key Based Metadata Write Access" is Disabled
    • Cosmos DB Connection From Public Azure Data Centers Enabled
    • Cosmos DB Account Access is Allowed From All Networks
    • Cosmos DB Account Local Auth is Enabled

AWS

  • ElasticCache
    • Elasticache Encryption by Rest is disabled
    • Elasticache Encryption by Transit is disabled
    • Elasticache Access Control by AUTH Token
    • Elasticache User (Not Default) Access String Allows Access to All Keys and Commands
    • Elasticache User without Authentication
    • Elasticache User with Password Authentication Only
    • Non Default Elasticache User Not Associated With Any Group that Has High Permissions
    • Elasticache Default User is in UserGroups
    • Non Default Elasticache User Not Associated With Any Group
  • SNS
    • SNS Topic Encryption is Not Enabled
    • SNS Topics Administrative Actions Are Publicly Executable
    • SNS Topic is Encrypted With a Default Key
    • SNS Topic Policy Allows 'SNS:Publish' for All Principals Without Conditions
    • SNS Topic Data-in-Transit is Not Enforced
    • SNS Topics Are Publicly Accessible
  • SQS
    • SQS Server-Side Encryption is Not Enabled
    • SQS Policy Allows All Actions From All Principals Without a Condition
    • SQS Queue is Not Encrypted With a Customer-Managed Key
    • SQS Policy Allows Public Access
    • SQS Data-in-Transit Encryption is Not Enforced