How Black Cat SSPM maps to SOC 2 Type II
Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
CC1 — Control Environment
Organization demonstrates commitment to integrity and ethical values
CC2 — Communication and Information
Organization communicates quality information to achieve objectives
CC3 — Risk Assessment
Organization identifies and analyzes risks to achieving objectives
CC4 — Monitoring Activities
Organization monitors components of internal control
CC5 — Control Activities
Organization selects and develops control activities to mitigate risks
CC6 — Logical and Physical Access Controls
Organization restricts logical and physical access to assets
CC7 — System Operations
Organization manages system operations to detect and mitigate deviations
CC8 — Change Management
Organization authorizes, designs, and implements changes to infrastructure
CC9 — Risk Mitigation
Organization identifies and assesses risk from business partners
CC5.1 — Segregation of duties
Organization selects controls that segregate incompatible duties
- KMS Separation of Duties Violation (gcp)
- SA Separation of Duties Violation (gcp)
CC5.2 — Access policies and procedures
Organization implements policies for access to protected resources
- Weak Password Policy (okta)
- User 2-Step Verification Not Enforced (workspace)
- Default SA Grant Not Disabled (gcp)
CC5.3 — Monitoring controls
Organization monitors system components for anomalies
- OAuth App AI With Data Scopes (workspace)
- Sensitive Audit Event (openai)
- Usage Anomaly (openai)
CC6.1 — Logical access security
Organization implements logical access security over protected assets
- Admin Without MFA (okta)
- MFA Not Enrolled (okta)
- MFA Not Enabled (cloudflare)
- Admin Without 2-Step Verification (workspace)
- Two-Factor Enforcement Disabled (cloudflare)
- OAuth App Critical Scopes (workspace)
- OAuth App Broad Scopes (okta)
- Stale API Key (openai)
- Admin Key Sprawl (openai)
- Stale Admin Key (openai)
- Org-Level Owner Binding (gcp)
- Org-Level Editor Binding (gcp)
- External Members at Org Level (gcp)
- Cloud KMS Key Publicly Accessible (gcp)
- Secret Manager Secret Publicly Accessible (gcp)
- GKE Network Policy Disabled (gcp)
- GKE Private Cluster Disabled (gcp)
- GKE Shielded Nodes Disabled (gcp)
- GKE Database Encryption Disabled (gcp)
- BigQuery Dataset Public Access (gcp)
- Drive External Sharing Enabled (workspace)
- Drive Link Sharing Anyone (workspace)
- Drive File Public Sharing (workspace)
- Drive File Publicly Indexed (workspace)
- Drive File External Edit Access (workspace)
- Drive File Owner Is External (workspace)
- Dormant User (1password)
- Empty Vault User (1password)
- Failed Sign-in Attempt (1password)
- Failed Sign-in From Untrusted Location (1password)
- Firewall Rule Changed (1password)
- MFA Disabled (1password)
- MFA Status Unknown (1password)
- SSO Disabled (1password)
- SSO Policy Modified (1password)
- Service Account Token Created (1password)
- Sign-in From Untrusted Location (1password)
- Sign-in Without MFA (1password)
- Signing Key Changed (1password)
- Suspended User Activity (1password)
- Suspended User Not Removed (1password)
- Default Security Group Has Rules (aws)
- Default VPC In Use (aws)
- EC2 IMDSv2 Not Enforced (aws)
- EC2 Instance Has Public IP (aws)
- GuardDuty Not Enabled (aws)
- Inactive IAM Users (aws)
- KMS Key Disabled (aws)
- KMS Key Pending Deletion (aws)
- KMS Key Rotation Disabled (aws)
- Old Access Keys Not Rotated (aws)
- Overly Permissive IAM Policy (aws)
- Password Never Used (aws)
- Password Policy Expiration Too Long (aws)
- RDS Backup Retention Too Short (aws)
- RDS Publicly Accessible (aws)
- RDS Storage Not Encrypted (aws)
- Root Access Key Exists (aws)
- Root Account MFA Not Enabled (aws)
- S3 Bucket Encryption Disabled (aws)
- S3 Bucket Logging Disabled (aws)
- S3 Bucket Versioning Disabled (aws)
- Unrestricted Egress (aws)
- Unrestricted RDP Access (aws)
- Unrestricted SSH Access (aws)
- Unused Access Keys (aws)
- User MFA Not Enabled (aws)
- Weak Password Policy (aws)
- API Client Broad Access (akamai)
- API Client Credentials Near Expiry (akamai)
- API Client Inactive (akamai)
- CP Code Unused (akamai)
- Custom Role With Admin Permissions (akamai)
- Edge Hostname IPv4 Only (akamai)
- Edge Hostname Using Shared Cert (akamai)
- Group With No Contracts (akamai)
- HSTS Max-Age Too Short (akamai)
- HSTS Not Enabled (akamai)
- HTTP/2 Not Enabled (akamai)
- Origin Not Using TLS (akamai)
- Property Caching Disabled (akamai)
- Property No Origin Failover (akamai)
- Property Not Locked (akamai)
- SureRoute Not Enabled (akamai)
- TLS Version Below 1.2 (akamai)
- User Account Locked (akamai)
- User All Groups Access (akamai)
- User Inactive (akamai)
- User MFA Not Enabled (akamai)
- API Key Created By Non-User (anthropic)
- Admin Invite Pending Review (anthropic)
- Admin Redundancy Missing (anthropic)
- Archived Workspace Not Deleted (anthropic)
- Dormant Member (anthropic)
- Excessive Org Admins (anthropic)
- Excessive Workspace Admins (anthropic)
- Expired Invite Not Cleaned (anthropic)
- Inactive API Key Not Removed (anthropic)
- Managed User Review (anthropic)
- Stale API Key (anthropic)
- Stale Invite (anthropic)
- Stale Workspace (anthropic)
- Unscoped API Key (anthropic)
- Unscoped Admin (anthropic)
- Workspace Single Admin (anthropic)
- API Token Older Than 90 Days (atlassian)
- External User With Product Access (atlassian)
- Inactive User (atlassian)
- Jira Project Permissive Default Roles (atlassian)
- Session Duration Excessive (atlassian)
- Suspended User With Access (atlassian)
- Two-Step Verification Not Enforced (atlassian)
- User Dual Admin Role (atlassian)
- User With Multiple API Tokens (atlassian)
- User Without MFA (atlassian)
- App Service Auth Disabled (azure)
- App Service FTP Enabled (azure)
- App Service HTTP/2 Disabled (azure)
- App Service HTTPS Disabled (azure)
- App Service Managed Identity Disabled (azure)
- App Service Minimum TLS (azure)
- App Service Remote Debugging Enabled (azure)
- Classic Administrators (azure)
- Custom Admin Roles (azure)
- Defender App Service Disabled (azure)
- Defender Containers Disabled (azure)
- Defender Key Vault Disabled (azure)
- Defender Resource Manager Disabled (azure)
- Defender SQL Disabled (azure)
- Defender Servers Disabled (azure)
- Defender Storage Disabled (azure)
- Guest Privileged Role (azure)
- Key Vault Key No Expiry (azure)
- Key Vault Network ACLs Allow (azure)
- Key Vault No Private Endpoint (azure)
- Key Vault Purge Protection Disabled (azure)
- Key Vault RBAC Not Enabled (azure)
- Key Vault Secret No Expiry (azure)
- Key Vault Soft Delete Disabled (azure)
- NSG All Ports Open (azure)
- NSG Permissive Outbound (azure)
- NSG UDP Open (azure)
- NSG Unrestricted RDP (azure)
- NSG Unrestricted SSH (azure)
- Network Watcher Disabled (azure)
- Owner Count Exceeded (azure)
- SQL AD Admin Not Configured (azure)
- SQL Firewall Allow Azure Services (azure)
- SQL Firewall Unrestricted (azure)
- SQL Minimum TLS (azure)
- SQL TDE Disabled (azure)
- SQL Threat Detection Disabled (azure)
- SQL Vulnerability Assessment Disabled (azure)
- Security Alert Notifications Disabled (azure)
- Security Auto-Provisioning Disabled (azure)
- Security Contact Email Missing (azure)
- Security Contact Phone Missing (azure)
- Storage Blob Soft Delete Disabled (azure)
- Storage Container Soft Delete Disabled (azure)
- Storage HTTPS Not Required (azure)
- Storage Infrastructure Encryption Disabled (azure)
- Storage Key Not Rotated (azure)
- Storage Minimum TLS (azure)
- Storage Network Default Allow (azure)
- Storage Shared Key Enabled (azure)
- Bidirectional Collaboration Whitelist (box)
- Broad Inbound Collaboration Whitelist (box)
- Excessive Admin Users (box)
- External Collaboration Not Restricted (box)
- Inactive User Account (box)
- No Collaboration Whitelist Entries (box)
- No Device Pins Configured (box)
- Platform Access Only Admin (box)
- User Exempt from Device Limits (box)
- User Exempt from Login Verification (box)
- Device Without Disk Encryption (chrome_enterprise)
- Download Restrictions Not Set (chrome_enterprise)
- Extension With Risky Permissions (chrome_enterprise)
- Incognito Mode Allowed (chrome_enterprise)
- Outdated Browser Version (chrome_enterprise)
- Password Manager Disabled (chrome_enterprise)
- Sideloaded Extension Detected (chrome_enterprise)
- Stale Browser (90+ Days Inactive) (chrome_enterprise)
- Unmanaged Browser (30+ Days Inactive) (chrome_enterprise)
- Config Policies Disabled (circleci)
- Config Policies Soft Fail (circleci)
- Forked PR Builds Enabled (circleci)
- No Groups Defined (circleci)
- OIDC Not Configured (circleci)
- Pipeline Deprecated Image (circleci)
- Schedule Non-Default Branch (circleci)
- Stale Runner (circleci)
- Unrestricted Context (circleci)
- User Checkout Key (circleci)
- Webhook Insecure URL (circleci)
- Webhook Unverified TLS (circleci)
- SSL Encryption Disabled (cloudflare)
- SSL Mode Flexible (cloudflare)
- Application Allows All IdPs (cloudflare_access)
- Application Without Policies (cloudflare_access)
- Bypass Decision Policy (cloudflare_access)
- CORS Allows All Origins (cloudflare_access)
- Expired Service Token Not Deleted (cloudflare_access)
- Group Includes Everyone (cloudflare_access)
- Group With Empty Include Rules (cloudflare_access)
- Long Session Duration (cloudflare_access)
- No MFA Requirement (cloudflare_access)
- No Purpose Justification (cloudflare_access)
- No SAML or OIDC Provider (cloudflare_access)
- One-Time PIN Only Authentication (cloudflare_access)
- Policy Allows Everyone (cloudflare_access)
- Service Token Without Expiry (cloudflare_access)
- Single Identity Provider (cloudflare_access)
- Stale Service Token (cloudflare_access)
- Admin Redundancy (datadog)
- Application Key Write Scopes (datadog)
- Dashboard Permissions Open (datadog)
- Excessive Admins (datadog)
- External Admin (datadog)
- External Admin Service Account (datadog)
- SSO Disabled (datadog)
- SSO Not Enforced (datadog)
- Service Account Custom Role (datadog)
- Unused API Key (datadog)
- Auto Upgrade Disabled (digitalocean)
- Backups Disabled (digitalocean)
- Basic Tier (digitalocean)
- Database No Maintenance Window (digitalocean)
- Database Single Node (digitalocean)
- Droplet Powered Off (digitalocean)
- Email Not Verified (digitalocean)
- HTTP Allowed (digitalocean)
- IPv6 Disabled (digitalocean)
- Insecure Backend (digitalocean)
- Kubernetes HA Disabled (digitalocean)
- Kubernetes No Registry Integration (digitalocean)
- Kubernetes SSO Not Enabled (digitalocean)
- No Backups (digitalocean)
- No Droplets Attached (digitalocean)
- No Garbage Collection (digitalocean)
- No SSL Termination (digitalocean)
- Outdated Kubernetes Version (digitalocean)
- Outdated Version (digitalocean)
- SSL Not Enforced (digitalocean)
- Surge Upgrade Disabled (digitalocean)
- Weak SSH Key (digitalocean)
- Channel Everyone Overwrite (discord)
- Content Filter Not Full (discord)
- Everyone Role Has Dangerous Permissions (discord)
- Excessive Admin Roles (discord)
- Excessive Admins (discord)
- Guild Publicly Discoverable (discord)
- Low Verification Level (discord)
- MFA Not Required for Admins (discord)
- Member Verification Gate Disabled (discord)
- NSFW Channel (discord)
- No AutoMod Rules (discord)
- No Keyword Filtering (discord)
- No Mention Spam Protection (discord)
- No Spam Protection (discord)
- Overly Permissive Channel (discord)
- Permanent Invite (discord)
- Role Can Mention Everyone (discord)
- Role Has Administrator Permission (discord)
- Role Has Dangerous Permissions (discord)
- Unlimited Use Invite (discord)
- Widget Enabled (discord)
- Bulk Recipients Enabled (docusign)
- Excessive Admins (docusign)
- Inactive User With Access (docusign)
- Long Mobile Session Timeout (docusign)
- Long Signing Session Timeout (docusign)
- Long Web Session Timeout (docusign)
- No Account Lockout (docusign)
- No IP Restrictions (docusign)
- No Password Expiration (docusign)
- No SSO Configured (docusign)
- No Signer Certificate Required (docusign)
- Overly Broad Permission Profile (docusign)
- PowerForms Enabled (docusign)
- Recipient Domain Validation Disabled (docusign)
- SSO Not Mandatory (docusign)
- Sign On Paper Enabled (docusign)
- Signer Reassignment Enabled (docusign)
- Unclaimed Domain (docusign)
- User Without Group (docusign)
- Weak Password Length (docusign)
- Weak Password Strength (docusign)
- EMM Not Required (dropbox)
- Email Not Verified (dropbox)
- Excessive Admin Users (dropbox)
- Excessive Device Sessions (dropbox)
- External Folder Join Unrestricted (dropbox)
- Folder Link Restriction Not Enforced (dropbox)
- Group Creation Unrestricted (dropbox)
- Inactive Member Account (dropbox)
- Public Shared Links Allowed by Default (dropbox)
- Shared Folders Open to Anyone (dropbox)
- Stale Desktop Session (dropbox)
- Stale Pending Invite (dropbox)
- Stale Web Session (dropbox)
- Cloud SQL Backup Not Enabled (gcp)
- Cloud SQL Instance Has Public IP (gcp)
- Cloud SQL SSL Not Required (gcp)
- Default VPC In Use (gcp)
- Essential Contacts Coverage Incomplete (gcp)
- Firewall Rule Egress Open to World (gcp)
- Firewall Rule Exposes Dangerous Port (gcp)
- Instance Serial Port Enabled (gcp)
- Instance Uses Default Service Account (gcp)
- Shielded VM Disabled (gcp)
- Actions Allow All External (github)
- Member Without 2FA (github)
- Org 2FA Not Required (github)
- Org Default Permission Too Permissive (github)
- Public Repo Without Security Policy (github)
- Repo Branch Protection Disabled (github)
- Repo Dependabot Disabled (github)
- Repo Secret Scanning Disabled (github)
- Stale Organization Member (github)
- Webhook Insecure URL (github)
- Active Runner Offline (gitlab)
- Deactivated Member Not Removed (gitlab)
- Group 2FA Grace Period Too Long (gitlab)
- Group 2FA Not Enforced (gitlab)
- Group Membership Unlocked (gitlab)
- Group No IP Restriction (gitlab)
- Integration Insecure URL (gitlab)
- Member Without 2FA (gitlab)
- No Compliance Framework (gitlab)
- Pending Invitation Not Accepted (gitlab)
- Project Branch Protection Disabled (gitlab)
- Project Container Scanning Disabled (gitlab)
- Project Discussions Not Required (gitlab)
- Project Force Push Allowed (gitlab)
- Project Merge Approvals Disabled (gitlab)
- Project No Code Owner Approval (gitlab)
- Shared Runner Not Locked (gitlab)
- Email-Only User Access (google_ads)
- Excessive Admin Users (google_ads)
- Stale Pending Invitation (google_ads)
- Stale User Access (google_ads)
- Admin Without Recent Activity (grafana)
- Basic Auth Enabled With SSO (grafana)
- Broad Mute Timing (grafana)
- Community Plugin (grafana)
- Data Source Basic Auth (grafana)
- Data Source TLS Skip Verify (grafana)
- Data Source With Credentials (grafana)
- Direct Access Data Source (grafana)
- Disabled Service Account With Tokens (grafana)
- Dormant User (grafana)
- Excessive Admins (grafana)
- External Contact Point (grafana)
- No Alert Rules Configured (grafana)
- Non-Expiring Service Account Token (grafana)
- Outdated Plugin (grafana)
- SSO Disabled (grafana)
- Service Account Admin Role (grafana)
- Single SSO Provider (grafana)
- Unsigned Plugin (grafana)
- Access Policy Without IP Restriction (grafana_cloud)
- Cloud Wildcard Access Policy (grafana_cloud)
- Dormant Cloud Token (grafana_cloud)
- Excessive Cloud Admins (grafana_cloud)
- Excessive Tokens Per Policy (grafana_cloud)
- Non-Expiring Cloud Token (grafana_cloud)
- Overly Permissive Access Policy (grafana_cloud)
- Recently Created Token Without Use (grafana_cloud)
- Token With Wildcard Policy (grafana_cloud)
- Excessive Admins (incidentio)
- Single Account Owner (incidentio)
- User No Slack Linked (incidentio)
- User Without Base Role (incidentio)
- Workflow Accesses Private Data (incidentio)
- Admin Dormant (lastpass)
- Admin Never Logged In (lastpass)
- Admin Stale Master Password (lastpass)
- Admin Without MFA (lastpass)
- Critically Low Shared Folder Score (lastpass)
- Disabled Account Not Removed (lastpass)
- Dormant Account (lastpass)
- Empty Vault User (lastpass)
- Excessive Shared Folder Admins (lastpass)
- Low Shared Folder Security Score (lastpass)
- MFA Not Enabled (lastpass)
- Master Password Never Changed (lastpass)
- Never Logged In Account (lastpass)
- Shared Folder All Admin (lastpass)
- Shared Folder Excessive Users (lastpass)
- Shared Folder No Read-Only Users (lastpass)
- Shared Folder Single Admin (lastpass)
- Stale Master Password (lastpass)
- Very Weak Master Password (lastpass)
- Weak Master Password (lastpass)
- ActiveSync Does Not Block Unmanaged Devices (m365)
- ActiveSync Integration Enabled for OWA (m365)
- Admin Consent Requests Disabled (m365)
- Admin Malware Notifications Disabled (m365)
- Anti-Phishing First Contact Tip Disabled (m365)
- Anti-Phishing Spoof Detection Weak (m365)
- App Certificate Credentials Expiring Soon (m365)
- App Expired Certificate Credentials (m365)
- App Expired Password Credentials (m365)
- App Long-Lived Certificate Credentials (m365)
- App Long-Lived Password Credentials (m365)
- App Password Credentials Expiring Soon (m365)
- App Using Password Credentials (m365)
- Auth Methods Migration Incomplete (m365)
- Blocked File Type Action Not Quarantine (m365)
- CA Block High Risk Users Missing (m365)
- CA Block Risky Sign-ins Missing (m365)
- CA Compliant Devices Not Required (m365)
- CA Device Code Flow Not Blocked (m365)
- CA Legacy Auth Not Blocked (m365)
- CA MFA Not Enforced (m365)
- CA Session Duration Not Set (m365)
- Common Attachment Types Filter Disabled (m365)
- Common Attachment Types Missing (m365)
- Comprehensive Spam Marking Disabled (m365)
- Connection Filter Not Configured (m365)
- Copilot License Assigned (m365)
- Copilot License on Guest User (m365)
- Custom Banned Passwords Not Enforced (m365)
- Customer Lockbox Not Enabled (m365)
- DMARC Record Missing (m365)
- Direct File Access on Public Computers (m365)
- Distribution List Hidden From GAL (m365)
- Excessive Global Administrators (m365)
- External Recipient Mail Tips Disabled (m365)
- External Users With Admin Role (m365)
- Global Admin Not Cloud-Only (m365)
- Global Admin Redundancy Missing (m365)
- Group Naming Convention Not Configured (m365)
- Guest Access to Groups Not Restricted (m365)
- Guest Email OTP Not Enabled (m365)
- Guest Group Privileges Not Restricted (m365)
- Guest Invitation Not Restricted (m365)
- Guest User Permissions Not Restricted (m365)
- Guest Users Present (m365)
- High Confidence Spam Not Quarantined (m365)
- Inbound Spam Bulk Threshold Too High (m365)
- Lockout Duration Too Short (m365)
- M365 Group Creation Not Restricted (m365)
- MFA Registration Not Restricted (m365)
- MFA Suspicious Activity Reporting Disabled (m365)
- MSOL PowerShell Not Blocked (m365)
- Mail Tips Not Fully Enabled (m365)
- Mailbox Move Enabled for Org Relationships (m365)
- Mailbox SMTP Auth Not Disabled (m365)
- Mobile Device Allows Non-Provisionable (m365)
- Multi-Tenant App Without Verified Publisher (m365)
- No File Types Blocked in OWA (m365)
- No MIME Types Blocked in OWA (m365)
- OAuth App AI With Data Scopes (m365)
- OWA Clickjacking Protection Not Set (m365)
- OWA Session Timeout Disabled (m365)
- On-Send Add-ins Enabled in OWA (m365)
- Outbound Spam Notification Disabled (m365)
- Outbound Spam Thresholds Not Configured (m365)
- Password Expiration Policy Enabled (m365)
- Password Lockout Threshold Too High (m365)
- Password Protection Mode Audit Only (m365)
- Password Protection On-Prem Disabled (m365)
- Remote Domain Auto-Reply Enabled (m365)
- Remote Domain Delivery Reports Enabled (m365)
- Remote Domain NDR Enabled (m365)
- Remote Domain TNEF Enabled (m365)
- Remote Domain Trusted Inbound Enabled (m365)
- Remote Domain Trusted Outbound Enabled (m365)
- Risk-Based Consent Not Configured (m365)
- S/MIME Buffer Encryption Not Enabled (m365)
- S/MIME CRL Timeout Too Long (m365)
- S/MIME Cert Chain With Root Not Included (m365)
- S/MIME Cert Chain Without Root Not Included (m365)
- S/MIME Clear Signing Not Enabled (m365)
- S/MIME Encryption Algorithms Not Configured (m365)
- S/MIME Encryption Not Enforced (m365)
- S/MIME Signing Not Enforced (m365)
- S/MIME Triple-Wrap Not Enabled (m365)
- SMTP Auth Not Disabled Globally (m365)
- SP Certificate Credentials Expiring Soon (m365)
- SP Expired Certificate Credentials (m365)
- SP Expired Password Credentials (m365)
- SP Long-Lived Certificate Credentials (m365)
- SP Long-Lived Password Credentials (m365)
- SP Password Credentials Expiring Soon (m365)
- SP Using Password Credentials (m365)
- SPF Hard Fail Not Enabled (m365)
- SPF Record Missing (m365)
- Self-Service Sign Up Enabled (m365)
- Self-Service Subscriptions Enabled (m365)
- Sensitivity Labels Not Configured (m365)
- Shared Mailbox Sign-In Enabled (m365)
- Suspicious Outbound Copy Not Enabled (m365)
- TAP Character Length Too Short (m365)
- TAP Enabled for All Users (m365)
- TAP Global Policy Enabled (m365)
- TAP Maximum Lifetime Too Long (m365)
- TAP Not One-Time Use (m365)
- Transport Rule Deletes Messages (m365)
- Transport Rule Disabled (m365)
- Transport Rule Includes BCC (m365)
- Transport Rule Processes External Sender (m365)
- Unknown File Types Not Blocked (m365)
- Unverified Domain (m365)
- Unverified Federated Domain (m365)
- User Consent to Apps Not Restricted (m365)
- Users Can Create Security Groups (m365)
- Users Can Create Tenants (m365)
- Users Can Install Outlook Add-ins (m365)
- Users Can Register Applications (m365)
- WAC Viewing on Public Computers (m365)
- Weak Authentication Factors Enabled (m365)
- Zero-Hour Auto Purge Disabled (m365)
- Bot Without Description (notion)
- Broad Integration Capabilities (notion)
- Guest User Sprawl (notion)
- Inactive Member (notion)
- Member Without Email (notion)
- Stale Integration (notion)
- Unrestricted Integration (notion)
- API Credential Never Used (ovhcloud)
- API Credential No Expiry (ovhcloud)
- API Credential No IP Restriction (ovhcloud)
- API Credential OVH Support Access (ovhcloud)
- API Credential Overly Permissive (ovhcloud)
- Cloud Project Suspended (ovhcloud)
- Developer Mode Enabled (ovhcloud)
- Excessive OAuth2 Clients (ovhcloud)
- IAM Policy Excessive Identities (ovhcloud)
- IAM Policy No Identities (ovhcloud)
- IAM Policy Wildcard Actions (ovhcloud)
- IAM Policy Wildcard Resources (ovhcloud)
- Identity User Disabled Not Removed (ovhcloud)
- Identity User MFA Not Enabled (ovhcloud)
- Identity User No Group (ovhcloud)
- Identity User Password Never Changed (ovhcloud)
- Instance In Shelved State (ovhcloud)
- Instance Rescue Mode (ovhcloud)
- Instance Using Default Image (ovhcloud)
- MFA Not Enabled (ovhcloud)
- No IP Restrictions (ovhcloud)
- OAuth2 Client No Description (ovhcloud)
- Only SMS MFA Enabled (ovhcloud)
- SSH Key Size Too Small (ovhcloud)
- Storage Container No Lifecycle (ovhcloud)
- Storage Container Permissive CORS (ovhcloud)
- Storage Container Public (ovhcloud)
- Storage Container Versioning Disabled (ovhcloud)
- Weak SSH Key Algorithm (ovhcloud)
- Access Policy Default Not Deny (okta)
- App Not Using Federated Auth (okta)
- App With Individual User Assignments (okta)
- Dormant Super Admins (okta)
- OAuth App AI With Broad Access (okta)
- Phishing Resistant Auth Policies (okta)
- Phishing Resistant MFA Factors (okta)
- Session Idle Timeout Too Long (okta)
- Session Lifetime Too Long (okta)
- Session MFA Not Required (okta)
- Super Admin API Tokens (okta)
- Weak Account Lockout (okta)
- API Key Non-User Owner (openai)
- Active Project Without Users (openai)
- Admin Key Non-User Owner (openai)
- Disabled User Not Removed (openai)
- Disproportionate Output Tokens (openai)
- Excessive API Request Volume (openai)
- Excessive Project API Keys (openai)
- Excessive Service Accounts (openai)
- Orphaned Service Account (openai)
- Owner Redundancy Missing (openai)
- Project With Only Service Accounts (openai)
- Project Without Rate Limits (openai)
- Stale Service Account (openai)
- Advanced Permissions Disabled (pagerduty)
- Excessive Admins (pagerduty)
- Extension Disabled (pagerduty)
- SSO Disabled (pagerduty)
- Single Account Owner (pagerduty)
- Unassigned User (pagerduty)
- Webhook External URL (pagerduty)
- Webhook Inactive (pagerduty)
- API Access Review (salesforce)
- Admin Without MFA (salesforce)
- Excessive Modify All Data (salesforce)
- Frozen Active User (salesforce)
- High Failed Logins (salesforce)
- Inactive Admin (salesforce)
- No Clickjack Protection (salesforce)
- Permission Set Modify All Data (salesforce)
- Public Sharing Model (salesforce)
- Session Timeout Too Long (salesforce)
- User Without MFA (salesforce)
- Weak Password Policy (salesforce)
- Data Scrubber Defaults Disabled (sentry)
- Data Scrubber Disabled (sentry)
- Default Role Not Member (sentry)
- Dormant User (sentry)
- Excessive Admins (sentry)
- Old Pending Invite (sentry)
- SSO Disabled (sentry)
- Excessive API Scopes (shopify)
- Excessive Admins (shopify)
- Staff MFA Disabled (shopify)
- Staff Unrestricted Permissions (shopify)
- Analytics Not Admin Only (slack)
- App Management Unrestricted (slack)
- Desktop Session Unlimited (slack)
- Excessive Admins (slack)
- Excessive Owners (slack)
- External Admin (slack)
- Guest Multi Channel (slack)
- Guest Slash Commands (slack)
- App Approval Not Required (slack)
- Invite Approval Disabled (slack)
- MFA Not Required (slack)
- Marketplace Apps Not Required (slack)
- Mobile Session Unlimited (slack)
- Owner Redundancy (slack)
- Public Channel Creation Unrestricted (slack)
- SSO Disabled (slack)
- SSO Display Name Change Allowed (slack)
- SSO Email Change Allowed (slack)
- SSO Not Enforced (slack)
- Shared Channels Unrestricted (slack)
- Slack Connect DM Unrestricted (slack)
- TLS Email Invites Disabled (slack)
- User No MFA (slack)
- ACCOUNTADMIN Default Role (snowflake)
- ACCOUNTADMIN Excessive Grants (snowflake)
- Authentication Policy No MFA (snowflake)
- Data Rekeying Disabled (snowflake)
- Disabled User With Active Grants (snowflake)
- Dormant User (snowflake)
- Excessive Admin Roles (snowflake)
- Low Data Retention (snowflake)
- MFA Not Enabled (snowflake)
- No Account Resource Monitor (snowflake)
- No SCIM Configured (snowflake)
- No SSO Configured (snowflake)
- No Separation Of Duties (snowflake)
- OAuth Integration Permissive (snowflake)
- Password Only Auth (snowflake)
- Resource Monitor Notify Only (snowflake)
- SSO Login Page Disabled (snowflake)
- Service Account Password Auth (snowflake)
- User Not Disabled (snowflake)
- Warehouse No Auto Resume (snowflake)
- Warehouse No Auto Suspend (snowflake)
- Warehouse No Resource Monitor (snowflake)
- Warehouse Oversized (snowflake)
- Weak Password Policy (snowflake)
- Anonymous Meeting Join Enabled (teams)
- Excessive Team Owners (teams)
- Guest Access Overly Permissive (teams)
- Guest Members in Team (teams)
- Lobby Bypass for Everyone (teams)
- Admin Action MFA Not Enforced (teleport)
- Application Has TLS Verification Disabled (teleport)
- Auth Connector Has Broad Claim Mapping (teleport)
- Auth Connector Has No Role Mappings (teleport)
- Auth Connector Maps Claims to Admin Role (teleport)
- Cluster MFA Disabled (teleport)
- Database Configured Without TLS (teleport)
- Device Trust Disabled (teleport)
- Expired Certificate Disconnect Disabled (teleport)
- GitHub Connector Maps All Teams (teleport)
- Local Auth Enabled With SSO (teleport)
- Local User Has No MFA Device (teleport)
- Local User Has No SSO Identity (teleport)
- No Client Idle Timeout Configured (teleport)
- Node Running Outdated Teleport Version (teleport)
- Passwordless Without Hardware Key Policy (teleport)
- Role Allows Impersonation (teleport)
- Role Does Not Require Session MFA (teleport)
- Role Enables SSH Agent Forwarding (teleport)
- Role Has Broad Admin RBAC Rules (teleport)
- Role Has Unlimited Session TTL (teleport)
- Role Has Wildcard App Labels (teleport)
- Role Has Wildcard Database Labels (teleport)
- Role Has Wildcard Kubernetes Labels (teleport)
- Role Has Wildcard Node Labels (teleport)
- Session MFA Not Enforced (teleport)
- TOTP Without WebAuthn (teleport)
- Token Grants Admin Role (teleport)
- Token Grants Auth System Role (teleport)
- Token Has No Expiry (teleport)
- Token Uses Static Join Method (teleport)
- Trusted Cluster Has Broad Role Map (teleport)
- Trusted Cluster Is Disabled (teleport)
- User Account Is Locked (teleport)
- User Has Admin Role (teleport)
- User Has Excessive Roles (teleport)
- User Uses Only TOTP for MFA (teleport)
- Organization 2FA Not Enforced (terraform_cloud)
- Organization Default Execution Mode Local (terraform_cloud)
- Organization Force Delete Allowed (terraform_cloud)
- Organization SAML Not Enabled (terraform_cloud)
- Organization Session Timeout Too Long (terraform_cloud)
- Team Excessive Permissions (terraform_cloud)
- Team Secret Visibility (terraform_cloud)
- Team Workspace Admin Access (terraform_cloud)
- User 2FA Not Enabled (terraform_cloud)
- User Pending Invitation (terraform_cloud)
- Variable Not Marked Sensitive (terraform_cloud)
- Variable Plaintext Credentials (terraform_cloud)
- Variable Set Global Scope (terraform_cloud)
- Variable Set Priority Override (terraform_cloud)
- Workspace Drift Detection Disabled (terraform_cloud)
- Workspace Global Remote State (terraform_cloud)
- Workspace No VCS Connection (terraform_cloud)
- Workspace Outdated Terraform Version (terraform_cloud)
- Access Group Empty (vercel)
- Auto Join Enabled (vercel)
- Deployment Protection Disabled (vercel)
- Domain Expiring Soon (vercel)
- Excessive Members (vercel)
- Excessive Owners (vercel)
- Fork Protection Disabled (vercel)
- Insecure Log Drain (vercel)
- Member Unconfirmed (vercel)
- No Target Restriction (vercel)
- Non-SSO Member (vercel)
- Overly Broad Access (vercel)
- Overprivileged Integration (vercel)
- Project No Deployment Protection (vercel)
- SSL Not Verified (vercel)
- SSO Not Enforced (vercel)
- Stale Integration (vercel)
- Strict Deployment Protection Disabled (vercel)
- Token No Expiration (vercel)
- Token Overprivileged (vercel)
- Token Stale (vercel)
- API Client No IP Restriction (workato)
- API Endpoint Inactive (workato)
- API Platform Client Excessive Keys (workato)
- Broken Connection (workato)
- Excessive API Clients (workato)
- Excessive Admins (workato)
- Inactive Member (workato)
- No Custom Roles (workato)
- Overprivileged Member (workato)
- Recipe Excessive Application Integrations (workato)
- Stale Connection (workato)
- Workspace Recipe Limit (workato)
- Workspace Single Admin (workato)
- Admin 2-Step Verification Not Enforced (workspace)
- Admin With App Password (workspace)
- Automatic Email Forwarding Enabled (workspace)
- DKIM Not Configured (workspace)
- Delegated Admin Without 2-Step Verification (workspace)
- Domain Not Verified (workspace)
- Dormant Users (workspace)
- Gemini Not Licensed (workspace)
- Group Spam Moderation Disabled (workspace)
- IMAP Access Enabled (workspace)
- Never Logged In Users (workspace)
- OAuth App With Restricted Scopes (workspace)
- POP Access Enabled (workspace)
- S/MIME Not Configured (workspace)
- Shared Drive Folder Sharing Unrestricted (workspace)
- Shared Drive No Admin Restrictions (workspace)
- User With App Password (workspace)
- User Without 2-Step Verification (workspace)
- Admin Without MFA (zoom)
- Chat File Transfer Enabled (zoom)
- Cloud Recording No Auto-Delete (zoom)
- Excessive Admins (zoom)
- Inactive User (zoom)
- Local Recording Enabled (zoom)
- No Meeting Password Required (zoom)
- SSO Not Enforced (zoom)
- Unauthenticated Join Allowed (zoom)
- User Without MFA (zoom)
- Waiting Room Disabled (zoom)
- Weak Password Policy (zoom)
- Access Policy Combines Write and Delete Scopes (grafana_cloud)
- Access Policy With No Realm Binding (grafana_cloud)
- Access Policy With No Scopes (grafana_cloud)
- Account Owner MFA Disabled (shopify)
- Account With No Admin Users (google_ads)
- Account With Single Admin User (google_ads)
- Admin Without 2FA (sentry)
- API Platform Client Static Auth Token (workato)
- API Token Generic Label (atlassian)
- API Token No Label (atlassian)
- Application Key Has No Scopes (datadog)
- Browser Without Organizational Unit Assignment (chrome_enterprise)
- Connection Never Authorized (workato)
- Developer API Client with Admin Role (workato)
- Member Without 2FA (sentry)
- No Password History (salesforce)
- Password Never Expires (salesforce)
- Service Account Admin Privileges (datadog)
- Short Lockout Interval (salesforce)
- Single Cloud Admin (grafana_cloud)
- Unauthenticated Write Checkouts Scope (shopify)
- Unverified User (datadog)
- Weak Max Login Attempts (salesforce)
- Write Fulfillments Scope (shopify)
- Write Inventory Scope (shopify)
- Write Payment Gateways Scope (shopify)
- Write Price Rules Scope (shopify)
- Write Script Tags Scope (shopify)
- Write Themes Scope (shopify)
- Write-Scoped Access Policy Without IP Restriction (grafana_cloud)
CC6.2 — Access provisioning
Prior to granting access, authorized users are registered and authenticated
- Overly Permissive IAM Binding (gcp)
- SA Impersonation Role Binding (gcp)
- Privileged Service Account Binding (gcp)
- External Account Member (cloudflare)
- OAuth App With Restricted Scopes Widely Authorized (workspace)
- Deactivated Member Not Removed (sentry)
- Disabled User Present (datadog)
- Collaborator Group No Description (workato)
- Empty Collaborator Group (workato)
- Expired Invitation Not Removed (sentry)
- External Users Policy Disabled (atlassian)
- Inactive Admin (sentry)
- Inactive Admin Member (workato)
- Large Collaborator Group (workato)
- Long-Term Inactive Member (sentry)
- Permission Set Manage Malicious Files (salesforce)
- Permission Set Manage Users Wide (salesforce)
- Profile Manage Malicious Files (salesforce)
- Profile Manage Users (salesforce)
- Recently Added Admin Member (grafana_cloud)
- Staff No Permissions (shopify)
- Stale Admin Invitation (google_ads)
- Stale Read-Only Invitation (google_ads)
- User Account Closed (atlassian)
- User Has Custom Roles But No Base Role (incidentio)
- User Never Logged In (salesforce)
CC6.3 — Access management
Organization manages access credentials for infrastructure and software
- Dormant Accounts (okta)
- Super Admin Count Excessive (okta)
- Super Admin Count Excessive (workspace)
- Super Admin Count Excessive (cloudflare)
- Super Admin Redundancy Missing (okta)
- Super Admin Redundancy Missing (workspace)
- Super Admin Redundancy Missing (cloudflare)
- Excessive Project Owners (gcp)
- Owner Role Group Assignment (gcp)
- OAuth App Inactive With Grants (okta)
- Excessive Organization Owners (openai)
- Inactive User (openai)
- GKE Legacy ABAC Enabled (gcp)
- GKE Workload Identity Disabled (gcp)
- GKE Master Authorized Networks Disabled (gcp)
- Cloud Function Default Service Account (gcp)
- Instance Uses Full Cloud-Platform API Scope (gcp)
- Instance Does Not Block Project-Wide SSH Keys (gcp)
- OS Login Disabled on Instance (gcp)
- Drive File Excessive Permissions (workspace)
- Drive File Stale External Sharing (workspace)
- Drive File Broad Internal Sharing (workspace)
- Drive User Excessive External Sharing (workspace)
- Drive Shared Drive Creation Unrestricted (workspace)
- Access Policy Uses Org-Wide Realm (grafana_cloud)
- Alerts Member Write Enabled (sentry)
- API Key Exceeds Maximum Age (datadog)
- API Platform Client No Active Keys (workato)
- API Platform Client No Key Rotation (workato)
- Dashboard Read-Only Without Role Restriction (datadog)
- Events Member Admin Disabled (sentry)
- External User Access (datadog)
- No Custom Project Roles (workato)
- Org Admin Product Access (atlassian)
- Orphaned Access Policy (grafana_cloud)
- Orphaned Extension With Zero Installs (chrome_enterprise)
- Permission Set View All Data (salesforce)
- Profile View All Data (salesforce)
- Self-Granted User Access (google_ads)
- Shadow IT Extension Widely Deployed (chrome_enterprise)
- Stale Email-Only User Access (google_ads)
- Stale Extension Request (chrome_enterprise)
- Stale Standard User Access (google_ads)
- Token Never Used After 30 Days (grafana_cloud)
- User With Excessive Custom Roles (incidentio)
- Write-Capable Token Inactive for 30 Days (grafana_cloud)
CC6.6 — External threats
Organization implements controls to restrict access from outside system boundaries
- Public Firewall Rule (gcp)
- WAF Disabled (cloudflare)
- DNS DNSSEC Disabled (gcp)
- DNS DNSSEC RSASHA1 Key-Signing Key (gcp)
- DNS DNSSEC RSASHA1 Zone-Signing Key (gcp)
- SSL Policy Weak TLS Version (gcp)
- Cloud Function Public Ingress (gcp)
- Cloud Run Service Public Ingress (gcp)
- IP Forwarding Enabled on Instance (gcp)
- Cloud SQL Authorized Networks Open to World (gcp)
- Legacy VPC Network In Use (gcp)
- Drive Sharing Outside Organization (workspace)
- Drive External Shared Drives Allowed (workspace)
- Drive Shared Drive Has External Members (workspace)
- Drive File Shared With Personal Email (workspace)
- Drive File Shared With External Domain (workspace)
- Drive File External Commenter Access (workspace)
- Account Protection Disabled (akamai)
- Bot Management Disabled (akamai)
- DNSSEC Not Enabled (akamai)
- Geo Firewall Not Configured (akamai)
- IP Firewall Not Configured (akamai)
- Primary Zone No Secondary (akamai)
- Rate Control Threshold Too Permissive (akamai)
- Rate Controls Disabled (akamai)
- SOA Serial Stale (akamai)
- Slow POST Protection Disabled (akamai)
- TSIG Not Enabled (akamai)
- WAF In Alert-Only Mode (akamai)
- WAF Policy Alert-Only Mode (akamai)
- WAF Policy Excessive Exceptions (akamai)
- Zone Transfer Unrestricted (akamai)
- Safe Browsing Disabled (chrome_enterprise)
- Allows All Inbound (digitalocean)
- Allows All Outbound (digitalocean)
- Default VPC Used (digitalocean)
- No Firewall (digitalocean)
- No VPC (digitalocean)
- Publicly Accessible (digitalocean)
- SSH Open To All (digitalocean)
- IP Allowlist Disabled (incidentio)
- Instance Has Public IP (ovhcloud)
- Integration No Network Policy (snowflake)
- Network Policy No Blocklist (snowflake)
- Network Policy Wildcard (snowflake)
- No Network Policy (snowflake)
- No Network Restrictions Configured (teleport)
- Overly Broad Network Allow Rule (teleport)
- Agent Pool Organization Scoped (terraform_cloud)
- Notification No HMAC Token (terraform_cloud)
- Run Task Advisory Enforcement (terraform_cloud)
- Run Task No HMAC Key (terraform_cloud)
- SSH Key Present (terraform_cloud)
- VCS Connection Organization Scoped (terraform_cloud)
- CSRF Protection Disabled (salesforce)
- IP Allowlist Enabled With No Rules (incidentio)
- Webhook Private Destination (shopify)
CC6.7 — Data transmission protection
Organization restricts the transmission of data to authorized parties
- Always Use HTTPS Disabled (cloudflare)
- TLS Mode Not Strict (cloudflare)
- TLS 1.3 Disabled (cloudflare)
- Minimum TLS Version Weak (cloudflare)
- HSTS Disabled (cloudflare)
- Drive Publish to Web Allowed (workspace)
- Drive File Link Sharing Enabled (workspace)
- Drive File Org-Wide Link Sharing (workspace)
- Vault Exported (1password)
- S3 Bucket Policy Public (aws)
- S3 Bucket Public Access Not Blocked (aws)
- Confluence Space Anonymous Access (atlassian)
- Confluence Space Public Links (atlassian)
- Jira Project Public Access (atlassian)
- Storage Public Blob Access (azure)
- Excessive Env Vars (circleci)
- Pipeline Hardcoded Secrets (circleci)
- Dashboard Public Sharing (datadog)
- Dashboard Public URL (datadog)
- Plain Text Env Var (digitalocean)
- Group Forking Allowed Outside (gitlab)
- Group Public Visibility (gitlab)
- Group Sharing Outside Organization (gitlab)
- Group Sharing Unlocked (gitlab)
- Public Project (gitlab)
- Active External Data Link (google_ads)
- Overly Permissive Dashboard (grafana)
- Overly Permissive Folder (grafana)
- Public Dashboard (grafana)
- Public Status Page (incidentio)
- Default Calendar Sharing Too Permissive (m365)
- Default Group Access Public (m365)
- Default Sharing Policy Allows External (m365)
- Distribution Group Open Join Policy (m365)
- Distribution List Allows External Senders (m365)
- External Forwarding on Mailbox (m365)
- Forwarding Address Configured (m365)
- Forwarding SMTP to External (m365)
- Guest Access to Group Content Not Restricted (m365)
- LinkedIn Integration Enabled in OWA (m365)
- Mailbox Delivers to Both Mailbox and Forward (m365)
- Mobile Contact Sync Enabled in OWA (m365)
- Organization Sharing Enabled (m365)
- Outbound Spam External Forwarding Allowed (m365)
- Public Microsoft 365 Group (m365)
- Remote Domain Auto-Forwarding Allowed (m365)
- Sharing Policy Allows External Domains (m365)
- Transport Rule Forwards Outside Org (m365)
- Transport Rule Redirects Externally (m365)
- Export Enabled (notion)
- External Guest Access (notion)
- Guest Invitations Enabled (notion)
- Public Sharing Enabled (notion)
- Publicly Shared Database (notion)
- Publicly Shared Page (notion)
- Stale Public Page (notion)
- Debug Files Access (sentry)
- Enhanced Privacy Disabled (sentry)
- Event Attachments Access (sentry)
- Open Membership (sentry)
- Shared Issues Enabled (sentry)
- Password Protection Disabled (shopify)
- Webhook External Destination (shopify)
- Webhook Using HTTP (shopify)
- Public File Sharing (slack)
- No Storage Integration Required (snowflake)
- Outbound Share Review (snowflake)
- Share Listing Unrestricted (snowflake)
- Share To Many Accounts (snowflake)
- Unload To Inline URL (snowflake)
- Unload To Internal Stages (snowflake)
- External Messaging Enabled (teams)
- External Shared Channel (teams)
- Public Team (teams)
- Unrestricted External Federation (teams)
- Auto Expose System Environment Variables (vercel)
- Directory Listing Enabled (vercel)
- Exposed to Preview (vercel)
- IP Visibility Enabled (vercel)
- Plain Text Secret (vercel)
- Public Source (vercel)
- Sensitive Env Var Policy Disabled (vercel)
- Group Allows External Posting (workspace)
- Group Allows Open Join (workspace)
- Group Contact Owner Anyone (workspace)
- Group Discoverable by Anyone (workspace)
- Group Domain-Wide Membership Visibility (workspace)
- Group Public Conversations (workspace)
- Mail Delegation Enabled (workspace)
- Shared Drive Allows External Users (workspace)
- Shared Drive Allows Non-Members (workspace)
- Shared Drive Has External Members (workspace)
- Shared Drive No Download Restriction (workspace)
- Confluence Space Externally Shared (atlassian)
- Data Residency Policy Disabled (atlassian)
- External Access Read Write (salesforce)
- HTTPS Not Required (salesforce)
- Jira Project Externally Shared (atlassian)
- Connection to Sensitive Provider (workato)
- Recipe Integrates with Sensitive Application (workato)
- Unauthenticated Read Customers Scope (shopify)
- Webhook XML Format (shopify)
- Workflow Unconstrained on All Incidents (incidentio)
- Write Customers Read Payment Scope (shopify)
CC6.8 — Malicious software prevention
Organization implements controls to prevent or detect malicious software
- Browser Integrity Check Disabled (cloudflare)
- Admin-Forced Extension With Risky Permissions (chrome_enterprise)
- Browser Running on Unsupported OS (chrome_enterprise)
- Device Running Outdated OS (Telemetry) (chrome_enterprise)
- Widely Deployed Extension With Risky Permissions (chrome_enterprise)
CC7.1 — Vulnerability management
Organization detects and monitors for vulnerabilities in system components
- Old Service Account Keys (gcp)
- User Managed Service Account Keys (gcp)
- Automatic HTTPS Rewrites Disabled (cloudflare)
- Opportunistic Encryption Disabled (cloudflare)
- Unrestricted API Key (gcp)
- Stale API Key (gcp)
- SA Key Creation Not Disabled (gcp)
- SA Key Upload Not Disabled (gcp)
- Cloud KMS Key Rotation Period Exceeds 90 Days (gcp)
- Cloud KMS Encryption Key Has No Rotation Schedule (gcp)
- Cloud KMS Key Primary Version Not Active (gcp)
- Cloud KMS Key Uses Software Protection Level (gcp)
- Secret Manager Secret Has No Rotation (gcp)
- Secret Manager Secret Has No Versioning (gcp)
- GKE Logging Disabled (gcp)
- GKE Intranode Visibility Disabled (gcp)
- Non-Stable Browser Channel In Use (chrome_enterprise)
- Suspended Account in MCC Hierarchy (google_ads)
CC7.2 — Anomaly monitoring
Organization monitors system components for anomalies indicative of threats
- SSO Not Configured (workspace)
- SSO Not Configured (cloudflare)
- SSO Not Configured (atlassian)
- Cloud Logging Sink Missing (gcp)
- Log Metric for Project Ownership Missing (gcp)
- Log Metric for Audit Config Changes Missing (gcp)
- Log Metric for Custom Role Changes Missing (gcp)
- Alert Policy Disabled (gcp)
- Alert Policy Has No Notification Channels (gcp)
- Log Metric Project Ownership Alert Missing (gcp)
- Log Metric Audit Config Alert Missing (gcp)
- Log Metric Custom Role Alert Missing (gcp)
- DNS Logging Disabled (gcp)
- PostgreSQL log_connections Not Enabled (gcp)
- PostgreSQL log_disconnections Not Enabled (gcp)
- PostgreSQL log_min_messages Below WARNING (gcp)
- PostgreSQL log_min_error_statement Above ERROR (gcp)
- PostgreSQL log_min_duration_statement Not Disabled (gcp)
- PostgreSQL pgaudit Extension Not Enabled (gcp)
- MySQL skip_show_database Not Enabled (gcp)
- MySQL local_infile Enabled (gcp)
- Master Password Changed (1password)
- AWS Config Not Recording (aws)
- CloudTrail Data Events Disabled (aws)
- CloudTrail Log Validation Disabled (aws)
- CloudTrail Not Logging (aws)
- CloudTrail Not Multi-Region (aws)
- VPC Flow Logs Disabled (aws)
- Alert Disabled (azure)
- Alert NSG Create Missing (azure)
- Alert NSG Delete Missing (azure)
- Alert Policy Assignment Missing (azure)
- Alert SQL Firewall Missing (azure)
- Alert Security Solution Create Missing (azure)
- Alert Security Solution Delete Missing (azure)
- App Service Logging Disabled (azure)
- Diagnostic Retention Short (azure)
- Key Vault Diagnostic Logging Disabled (azure)
- NSG Flow Logs Disabled (azure)
- SQL Audit Retention Short (azure)
- SQL Auditing Disabled (azure)
- Modifiable Retention Policy (box)
- No Indefinite Retention Policies (box)
- No Retention Policies Defined (box)
- Permanent Delete Disposition Action (box)
- Retired Retention Policy (box)
- Short Retention Period (box)
- Audit Log Retention Period (datadog)
- Audit Logging Disabled (datadog)
- Monitoring Disabled (digitalocean)
- Office Add-in Disabled (dropbox)
- Suspended Member Not Removed (dropbox)
- Subnet Flow Logs Disabled (gcp)
- Global Mailbox Auditing Disabled (m365)
- Mailbox Audit Bypass Configured (m365)
- Mailbox Auditing Disabled (m365)
- Non-Shared Mailbox Audit Bypass (m365)
- Shared Mailbox Sent-As Not Audited (m365)
- Shared Mailbox Sent-On-Behalf Not Audited (m365)
- Unified Audit Log Not Enabled (m365)
- User Mailbox Auditing Disabled (m365)
- Audit Log Using Local Filesystem Storage (teleport)
- Proxy Host Key Checks Disabled (teleport)
- Role Disables Session Recording (teleport)
- Session Recording Disabled (teleport)
- Session Recording in Async Mode (teleport)
- Session Recording in Proxy Mode (teleport)
- No Log Drain (vercel)
- Alert Route No Conditions (incidentio)
- Alert Route No Escalation Path (incidentio)
- Alert Route No Grouping (incidentio)
- Audit Retention Below Critical Threshold (datadog)
- Browser Flagged as Needing Attention (chrome_enterprise)
- Escalation Path No Current Responders (incidentio)
- Escalation Path No Team Assignment (incidentio)
- Escalation Path Shallow (incidentio)
- Log Drain Disabled (vercel)
- Schedule Missing Timezone (incidentio)
- Schedule No Holiday Configuration (incidentio)
- Schedule No Team Assignment (incidentio)
- Workflow Has No Steps (incidentio)
CC7.3 — Security evaluation
Organization evaluates security events to determine impact
- Alert Source Auto-Resolve Timeout Too Long (incidentio)
CC8.1 — Change authorization
Organization authorizes, designs, develops, configures and tests changes
- Public Storage Bucket (gcp)
- Bucket Versioning Disabled (gcp)
- Bucket Uniform Access Disabled (gcp)
- GKE Release Channel Not Set (gcp)
- GKE Node Pool Auto-Upgrade Disabled (gcp)
- GKE Binary Authorization Disabled (gcp)
- Cloud Function Plaintext Secrets in Environment (gcp)
- Access Policy Without Display Name (grafana_cloud)
- Active Workflow Never Updated (incidentio)
- Canceled Account in MCC Hierarchy (google_ads)
- Profile Author Apex (salesforce)
- Recent Admin Role Change (google_ads)
CC9.1 — Risk identification
Organization identifies, selects, and develops risk mitigation activities
- Group Allows External Members (workspace)
- Drive External Sharing Enabled (workspace)
- Drive File Public Sharing (workspace)
- Drive File Publicly Indexed (workspace)
- Workspace Trial Expired (workato)
CC1.1 — Integrity and ethical values
Organization demonstrates commitment to integrity and ethical values
- Recent Sensitive Change (google_ads)
- Alert Source Unowned (incidentio)
- App No Description (slack)
- Archive Channel Unrestricted (slack)
- Default Channels Excessive (slack)
- Display Name Not Validated (slack)
- Everyone Notify General (slack)
- Inactive Channel (slack)
- Message Edit Unrestricted (slack)
- New User Notification Disabled (slack)
- Notify Channel Unrestricted (slack)
- Public Channel Retention Limited (slack)
- Remove Private Channel Unrestricted (slack)
- Remove Public Channel Unrestricted (slack)
- Slackbot Responses Unrestricted (slack)
- User Groups Unrestricted (slack)
- Workflow Creation Unrestricted (slack)
- Channel Without Moderation (teams)
- Large Team Without Moderation (teams)
- Meeting Recording Disabled (teams)
- Message Edit Delete Unrestricted (teams)
- Team Without Description (teams)
- Policy Set Empty (terraform_cloud)
- Policy Set Not Global (terraform_cloud)
- Policy Set Overridable (terraform_cloud)
- Sentinel Policy Advisory Only (terraform_cloud)
- Workspace Auto Apply Enabled (terraform_cloud)
- Workspace Destroy Plan Allowed (terraform_cloud)
CC2.1 — Information quality
Organization communicates information necessary to support internal control
- Security Contact Missing (gcp)
CC3.1 — Risk identification
Organization specifies objectives to enable identification of risks
CC3.2 — Risk analysis
Organization identifies risks and analyzes relevance and significance
CC4.1 — Monitoring effectiveness
Organization evaluates and communicates internal control deficiencies
- Audit Logging Not Enabled (gcp)
- Data Access Logs Incomplete (gcp)