New Cloud Security Posture Risks

We have added more than 50 items to the list of security posture risks Panoptica scans for, in Google Cloud Platform, Azure, and Amazon Web Services.

GCP

  • Cloud SQL
    • Cloud SQL Instance Without SSL Encryption
    • Cloud SQL Instance Without Automatic Backup
    • Cloud SQL Instance Connection Logs Disabled
    • Cloud PostgreSQL Instance Without 'point-in-time' Recovery
    • Cloud SQL Instance Allows Network Connection From Any IP (0.0.0.0/0)
    • GCP SQL Server 'Cross DB Ownership Chaining Flag' Enabled
    • GCP SQL is Not Using Private IP
    • GCP SQL is Not Using CMK
    • GCP SQL Without Password Policy
    • GCP SQL Instance Flag 'check_proxy_users' is Off
    • GCP SQL Instance Flag 'local_infile' is On
    • GCP SQL Instance Flag 'default_password_lifetime' is set to 0
    • GCP SQL Instance Flag 'skip_show_database' is Off
    • GCP SQL Instance Flag 'mysql_native_password_proxy_users' is Off
    • GCP SQL Instance Flag 'disconnect_on_expired_password' is Off
    • GCP SQL Instance Flag 'password_require_current' is Off
    • GCP PostgreSQL Instance Flag 'cloudsql.allow_passwordless_local_connections' is On
    • GCP PostgreSQL Instance Flag 'cloudsql.iam_authentication' is Off
  • Memorystore
    • Memorystore Encryption in Transit is Disabled
    • Memorystore Connection by Direct Peering
    • Memorystore Encryption without CMEK
    • Memorystore AUTH is Disabled

Azure

  • MariaDB
    • MariaDB Account TLS/SSL Disabled
    • MariaDB Account is Not Using Private Endpoints
  • Cosmos DB
    • Cosmos DB Account is Not Using Virtual Network
    • Cosmos DB Account is Not Using Private Endpoints
    • Cosmos DB Account with Service Managed Encryption Key
    • Cosmos DB Account "Disabled Key Based Metadata Write Access" is Disabled
    • Cosmos DB Connection From Public Azure Data Centers Enabled
    • Cosmos DB Account Access is Allowed From All Networks
    • Cosmos DB Account Local Auth is Enabled

AWS

  • ElastiCache
    • ElastiCache Encryption at Rest is Disabled
    • ElastiCache Encryption in Transit is Disabled
    • ElastiCache Access Control by AUTH Token
    • ElastiCache User (Not Default) Access String Allows Access to All Keys and Commands
    • ElastiCache User without Authentication
    • ElastiCache User with Password Authentication Only
    • Non-Default ElastiCache User Not Associated With Any Group that Has High Permissions
    • ElastiCache Default User is in User Groups
    • Non-Default ElastiCache User Not Associated With Any Group
  • SNS
    • SNS Topic Encryption is Not Enabled
    • SNS Topics Administrative Actions Are Publicly Executable
    • SNS Topic is Encrypted With a Default Key
    • SNS Topic Policy Allows 'SNS:Publish' for All Principals Without Conditions
    • SNS Topic Data-in-Transit is Not Enforced
    • SNS Topics Are Publicly Accessible
  • SQS
    • SQS Server-Side Encryption is Not Enabled
    • SQS Policy Allows All Actions From All Principals Without a Condition
    • SQS Queue is Not Encrypted With a Customer-Managed Key
    • SQS Policy Allows Public Access
    • SQS Data-in-Transit Encryption is Not Enforced