Merge branch 'master' into defenderForCloud

README.md

@@ -69,6 +69,7 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
         * [Instance Limit](en/aws/ec2/instance-limit.md)
         * [Managed NAT Gateway In Use](en/aws/ec2/managed-nat-gateway-in-use.md)
         * [NAT Multiple AZ](en/aws/ec2/nat-multiple-az.md)
+        * [Network Acl Has Tags](en/aws/ec2/network-acl-has-tags.md)
         * [Open All Ports Protocols](en/aws/ec2/open-all-ports-protocols.md)
         * [Open CIFS](en/aws/ec2/open-cifs.md)
         * [Open DNS](en/aws/ec2/open-dns.md)
@@ -231,8 +232,26 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
     * CDN Profiles
         * [Detect Insecure Custom Origin](en/azure/cdnprofiles/detect-insecure-custom-origin.md)
         * [Endpoint Logging Enabled](en/azure/cdnprofiles/endpoint-logging-enabled.md)
+    * Container App
+        * [Container Apps Volume Mount Configured ](en/azure/containerapps/container-apps-volume-mount-configured.md)
+        * [Container Apps Has Tags](en/azure/containerapps/container-apps-has-tags.md)
     * Container Registry
         * [ACR Admin User](en/azure/containerregistry/acr-admin-user.md)
+    * Defender
+        * [Auto Provisioning Enabled](en/azure/defender/auto-provisioning-enabled.md)
+        * [High Severity Alerts Enabled](en/azure/defender/high-severity-alerts-enabled.md)
+        * [Monitor Endpoint Protection](en/azure/defender/monitor-endpoint-protection.md)
+        * [Monitor External Accounts with Write Permissions](en/azure/defender/monitor-external-accounts-with-write-permissions.md)
+        * [Monitor IP Forwarding](en/azure/defender/monitor-ip-forwarding.md)
+        * [Monitor JIT Network Access](en/azure/defender/monitor-jit-network-access.md)
+        * [Monitor Next Generation Firewall](en/azure/defender/monitor-next-generation-firewall.md)
+        * [Monitor System Updates](en/azure/defender/monitor-system-updates.md)
+        * [Monitor Total Number of Subscription Owners](en/azure/defender/monitor-total-number-of-subscription-owners.md)
+        * [Security Configuration Monitoring](en/azure/defender/security-configuration-monitoring.md)
+        * [Security Contact Additional Email](en/azure/defender/security-contact-additional-email.md)
+        * [Security Contacts Enabled](en/azure/defender/security-contacts-enabled.md)
+        * [Security Contact Enabled for Subscription Owner](en/azure/defender/security-contact-enabled-for-subscription-owner.md)
+        * [Standard Pricing Enabled](en/azure/defender/standard-pricing-enabled.md)
     * File Service
         * [File Service All Access ACL](en/azure/fileservice/file-service-all-access-acl.md)
     * Key Vaults
@@ -245,6 +264,7 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
     * Load Balancer
         * [LB HTTPS Only](en/azure/loadbalancer/lb-https-only.md)
         * [LB No Instances](en/azure/loadbalancer/lb-no-instances.md)
+        * [Public Load Balancer](en/azure/loadbalancer/public-load-balancer.md)
     * Log Alerts
         * [Network Security Groups Logging Enabled](en/azure/logalerts/network-security-groups-logging-enabled.md)
         * [Network Security Groups Rule Logging Enabled](en/azure/logalerts/network-security-groups-rule-logging-enabled.md)
@@ -313,23 +333,6 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
         * [Send Alerts Enabled](en/azure/sqlserver/send-alerts-enabled.md)
         * [Server Auditing Enabled](en/azure/sqlserver/server-auditing-enabled.md)
         * [TDE Protector Encrypted](en/azure/sqlserver/tde-protector-encrypted.md)
-    * Security Center
-        * [Admin Security Alerts Enabled](en/azure/securitycenter/admin-security-alerts-enabled.md)
-        * [Application Whitelisting Enabled](en/azure/securitycenter/application-whitelisting-enabled.md)
-        * [Auto Provisioning Enabled](en/azure/securitycenter/auto-provisioning-enabled.md)
-        * [High Severity Alerts Enabled](en/azure/securitycenter/high-severity-alerts-enabled.md)
-        * [Monitor Blob Encryption](en/azure/securitycenter/monitor-blob-encryption.md)
-        * [Monitor Disk Encryption](en/azure/securitycenter/monitor-disk-encryption.md)
-        * [Monitor Endpoint Protection](en/azure/securitycenter/monitor-endpoint-protection.md)
-        * [Monitor JIT Network Access](en/azure/securitycenter/monitor-jit-network-access.md)
-        * [Monitor NSG Enabled](en/azure/securitycenter/monitor-nsg-enabled.md)
-        * [Monitor SQL Auditing](en/azure/securitycenter/monitor-sql-auditing.md)
-        * [Monitor SQL Encryption](en/azure/securitycenter/monitor-sql-encryption.md)
-        * [Monitor System Updates](en/azure/securitycenter/monitor-system-updates.md)
-        * [Monitor VM Vulnerability](en/azure/securitycenter/monitor-vm-vulnerability.md)
-        * [Security Configuration Monitoring](en/azure/securitycenter/security-configuration-monitoring.md)
-        * [Security Contacts Enabled](en/azure/securitycenter/security-contacts-enabled.md)
-        * [Standard Pricing Enabled](en/azure/securitycenter/standard-pricing-enabled.md)
     * Storage Accounts
         * [Blob Service Encryption](en/azure/storageaccounts/blob-service-encryption.md)
         * [File Service Encryption](en/azure/storageaccounts/file-service-encryption.md)
@@ -356,6 +359,8 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
         * [VM OS Disk Encryption](en/azure/virtualmachines/vm-os-disk-encryption.md)
     * Virtual Networks
         * [Multiple Subnets](en/azure/virtualnetworks/multiple-subnets.md)
+    * Virtual Machine Scale Set
+        * [VM Scale Set Approved Extensions](en/azure/virtualmachinescaleset/vmss-approved-extensions.md)
 * Google
     * CLB
         * [CLB CDN Enabled](en/google/clb/clb-cdn-enabled.md)
@@ -424,8 +429,11 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h
         * [Database SSL Enabled](en/google/sql/database-ssl-enabled.md)
     * Storage
         * [Bucket Logging](en/google/storage/bucket-logging.md)
+        * [Storage Bucket Retention Policy](en/google/storage/storage-bucket-retention-policy.md)
         * [Bucket Versioning](en/google/storage/bucket-versioning.md)
+        * [Bucket Lifecycle Configured](en/google/storage/bucket-lifecycle-configured.md)
         * [Storage Bucket All Users Policy](en/google/storage/storage-bucket-all-users-policy.md)
+        * [Bucket Encryption](en/google/storage/bucket-encryption.md)
     * VPC Network
         * [Default VPC In Use](en/google/vpcnetwork/default-vpc-in-use.md)
         * [Excessive Firewall Rules](en/google/vpcnetwork/excessive-firewall-rules.md)

en/aws/comprehend/amazon-comprehend-volume-encryption.md → en/aws/AI&ML/amazon-comprehend-volume-encryption.md

@@ -1,14 +1,14 @@
 [![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
 
-# AWS / Comprehend / Amazon Comprehend Volume Encryption
+# AWS / AI & ML / Amazon Comprehend Volume Encryption
 
 ## Quick Info
 
 | | |
 |-|-|
 | **Plugin Title** | Amazon Comprehend Volume Encryption |
 | **Cloud** | AWS |
-| **Category** | Comprehend |
+| **Category** | AI & ML |
 | **Description** | Ensures the Comprehend service is using encryption for all volumes storing data at rest. |
 | **More Info** | Comprehend supports using KMS keys to encrypt data at rest, which should be enabled. |
 | **AWS Link** | https://docs.aws.amazon.com/comprehend/latest/dg/kms-in-comprehend.html |

en/aws/sagemaker/notebook-data-encrypted.md → en/aws/AI&ML/notebook-data-encrypted.md

@@ -1,14 +1,14 @@
 [![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
 
-# AWS / SageMaker / Notebook Data Encrypted
+# AWS / AI & ML / Notebook Data Encrypted
 
 ## Quick Info
 
 | | |
 |-|-|
 | **Plugin Title** | Notebook Data Encrypted |
 | **Cloud** | AWS |
-| **Category** | SageMaker |
+| **Category** | AI & ML |
 | **Description** | Ensure Notebook data is encrypted |
 | **More Info** | An optional encryption key can be supplied during Notebook Instance creation. |
 | **AWS Link** | https://docs.aws.amazon.com/sagemaker/latest/dg/API_CreateNotebookInstance.html#API_CreateNotebookInstance_RequestSyntax |

en/aws/sagemaker/notebook-direct-internet-access.md → en/aws/AI&ML/notebook-direct-internet-access.md

@@ -1,14 +1,14 @@
 [![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com)
 
-# AWS / SageMaker / Notebook Direct Internet Access
+# AWS / AI & ML / Notebook Direct Internet Access
 
 ## Quick Info
 
 | | |
 |-|-|
 | **Plugin Title** | Notebook Direct Internet Access |
 | **Cloud** | AWS |
-| **Category** | SageMaker |
+| **Category** | AI & ML |
 | **Description** | Ensure Notebook Instance is not publicly available. |
 | **More Info** | SageMaker notebooks should not be exposed to the Internet. Public availability can be configured via the DirectInternetAccess attribute. |
 | **AWS Link** | https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-additional-considerations.html#appendix-notebook-and-internet-access |

en/aws/acm/acm-certificate-validation.md

@@ -15,10 +15,9 @@
 | **Recommended Action** | Configure ACM managed certificates to use DNS validation. |
 
 ## Detailed Remediation Steps
-
-1. Log into the AWS console and navigate to the ACM service page.
-2. Click into each certificate that has been requested.
-3. Expand the domains associated with the certificate.
-4. Ensure each domain listed has DNS validation configured. If DNS validation is used, DNS records will be listed for the domain.
+1. Log in to the AWS console and search for "Certificate Manager".</br> <img src="/resources/aws/acm/acm-certificate-validation/step1.png"/>
+2. Click into each certificate that has been requested. </br> <img src="/resources/aws/acm/acm-certificate-validation/step2.png"/>
+3. Expand the domains associated with the certificate.</br> <img src="/resources/aws/acm/acm-certificate-validation/step3.png"/>
+4. Ensure each domain listed has DNS validation configured. If DNS validation is used, DNS records will be listed for the domain and the type will be CNAME.</br> <img src="/resources/aws/acm/acm-certificate-validation/step4.png"/>
 5. Ensure that the records provided by AWS are configured and valid within your DNS provider (such as Route 53).
-6. If DNS validation is not used, request a new certificate for the same domains using DNS validation and update the downstream services to use this new certificate. Once done, delete the old certificate to ensure it can no longer be used.
+6. If DNS validation is not used, request a new certificate for the same domains using DNS validation and update the downstream services to use this new certificate. Once done, delete the old certificate to ensure it can no longer be used.</br> <img src="/resources/aws/acm/acm-certificate-validation/step6.png"/>

en/aws/autoscaling/asg-multiple-az.md

@@ -15,11 +15,13 @@
 | **Recommended Action** | Modify the autoscaling instance to enable scaling across multiple availability zones. |
 
 ## Detailed Remediation Steps
-1. Log into the AWS Management Console and choose the desired region where the Auto Scaling Group is hosted.
-2. In the left navigation panel, scroll down and choose Auto Scaling Group(s) option and select the Auto Scaling Group(s) that needs to be modified.</br> <img src="/resources/aws/autoscaling/asg-multiple-az/step2.png"/>
-3. Select the Details tab and check the Availability Zone(s). If Availability Zone(s) value is set to a single availability zone (e.g. us-east-1b), it cannot launch instances to multiple Availability Zone(s) hence if one Availability Zone becomes unavailable, Amazon EC2 Auto Scaling cannot launch instances in another one to atone.</br><img src="/resources/aws/autoscaling/asg-multiple-az/step3.png"/>
-4. Select the Auto Scaling Group and go to "Actions" Option.</br><img src="/resources/aws/autoscaling/asg-multiple-az/step4.png"/>
-5. Select the option to "Edit" the configuration and choose the "Launch Configuration" Option.</br><img src="/resources/aws/autoscaling/asg-multiple-az/Step5.png"/>
-6. Edit the Subnet(s) and add the Subnet(s) to make the Auto Scaling Group available to Multiple Availability Zone(s).</br><img src="/resources/aws/autoscaling/asg-multiple-az/step6.png"/>
-7. Save the changes. Go to "Details" option and now Availability Zone(s) have multiple regions and subnets as well.</br><img src="/resources/aws/autoscaling/asg-multiple-az/step7.png"/>
-8. Repeat the steps number 2 and 3 to establish any other Auto Scaling Group hosted in multiple Availability Zone(s) or not. 
+1. Log in to the AWS Management Console and Search for "EC2" to reach EC2 dashboard.</br><img src="/resources/aws/autoscaling/asg-multiple-az/step1.png"/>
+2. In the left navigation panel, scroll down and choose Auto Scaling Groups option under "Auto Scaling".</br> <img src="/resources/aws/autoscaling/asg-multiple-az/step2.png"/>
+3. Select the Auto Scaling Group(s) that needs to be modified.</br> <img src="/resources/aws/autoscaling/asg-multiple-az/step3.png"/>
+4. Scroll down to select the "Details" tab and check the Availability Zone(s). </br> <img src="/resources/aws/autoscaling/asg-multiple-az/step4.png"/>
+5. If Availability Zone(s) value under "Network" is set to a single availability zone (e.g. us-east-1b), then it cannot launch instances to multiple Availability Zone(s). /br><img src="/resources/aws/autoscaling/asg-multiple-az/Step5.png"/>
+6. Select the Auto Scaling Group and click on "Edit".</br><img src="/resources/aws/autoscaling/asg-multiple-az/step6.png"/>
+7. In the Edit Web-ASG page scroll down to "Network" and from the dropdown select the desired multiple availability zones one by one and add the Subnet(s) to make the Auto Scaling Group available to Multiple Availability Zone(s).</br><img src="/resources/aws/autoscaling/asg-multiple-az/step7.png"/>
+8. Scroll down to the end of the page and click "Update" to save the changes. </br><img src="/resources/aws/autoscaling/asg-multiple-az/step8.png"/>
+9. Go to "Details" tab and under "Network" check if the Availability Zone(s) shows multiple regions and subnets as well.</br><img src="/resources/aws/autoscaling/asg-multiple-az/step9.png"/>
+11. Repeat the steps number 2 to 9 to check whether other Auto Scaling Group(s) are hosted in multiple Availability Zone(s) or not. 

en/aws/cloudfront/cloudfront-https-only.md

@@ -15,13 +15,11 @@
 | **Recommended Action** | Remove HTTP-only listeners from distributions. |
 
 ## Detailed Remediation Steps
-1. Log into the AWS Management Console.
+1. Log in to the AWS Management Console.
 2. Select the "Services" option and search for CloudFront. </br> <img src="/resources/aws/cloudfront/cloudfront-https-only/step2.png"/>
-3. Select the "CloudFront Distribution" that needs to be verified.</br> <img src="/resources/aws/cloudfront/cloudfront-https-only/step3.png"/>
-4. Click the "Distribution Settings" button from menu to get into the "CloudFront Distribution" configuration page. </br><img src="/resources/aws/cloudfront/cloudfront-https-only/step4.png"/>
-5. Click the "Behaviors" button from the top menu to get into the "Behaviors" configuration page and select the "Behavior" which needs to be verified.</br> <img src="/resources/aws/cloudfront/cloudfront-https-only/step5.png"/>
-6. Click the "Edit" button from the "Behaviors" tab on the menu.</br> <img src="/resources/aws/cloudfront/cloudfront-https-only/step6.png"/>
-7. On the Default Cache Behavior Settings, verify the "Viewer Protocol Policy" and if "HTTP and HTTPS" is selected than CloudFront allows viewers to access your web content using either HTTP or HTTPS. </br> <img src="/resources/aws/cloudfront/cloudfront-https-only/step7.png"/>
-8. On the "Viewer Protocol Policy" choose "Redirect HTTP to HTTPS" to redirect all HTTP requests to HTTPS.</br><img src="/resources/aws/cloudfront/cloudfront-https-only/step8.png"/>
-9. On the "Viewer Protocol Policy" choose "HTTPS Only" so CloudFront allows viewers to access your content only if they're using HTTPS.</br><img src="/resources/aws/cloudfront/cloudfront-https-only/step9.png"/>
-10. Repeat the steps number 5 , 6 and 7 to verify if any other CloudFront Distribution is using HTTP-only listeners.</br>
+3. Select the "CloudFront Distribution" that needs to be verified and click on it to open its configuration settings.</br> <img src="/resources/aws/cloudfront/cloudfront-https-only/step3.png"/>
+4. Click the "Behaviors" tab, select the "Behavior" which needs to be verified and click "Edit" </br><img src="/resources/aws/cloudfront/cloudfront-https-only/step4.png"/>
+5. On the Edit Behavior page scroll down to "Viewer" Settings, verify the "Viewer Protocol Policy" and if "HTTP and HTTPS" is selected than CloudFront allows viewers to access your web content using either HTTP or HTTPS. </br> <img src="/resources/aws/cloudfront/cloudfront-https-only/step5.png"/>
+6. To redirect all HTTP traffic to HTTPS under the "Viewer Protocol Policy" choose "Redirect HTTP to HTTPS" to redirect all HTTP requests to HTTPS.</br><img src="/resources/aws/cloudfront/cloudfront-https-only/step6.png"/>
+7. If you want to drop all HTTP traffic then under the "Viewer Protocol Policy" choose "HTTPS Only" so CloudFront allows viewers to access your content only if they're using HTTPS.</br><img src="/resources/aws/cloudfront/cloudfront-https-only/step7.png"/>
+8. Repeat steps number 3 to 7 for all other CloudFront Distributions using HTTP-only listeners.</br>