The Cloud App and Config profile provides prescriptive guidance for configuring security options for a subset of cloud services offered by Amazon Web Services, Google Cloud Platform, and Microsoft Azure. This profile emphasizes foundational, testable, and architecture-agnostic settings that are suitable for applications that process non-public data such as user data, user device data, company data, credentials, keys, or other types of confidential information. It is intended for system and application administrators, security specialists, auditors, help desk, platform deployment, and/or DevOps personnel who plan to develop, deploy, assess, or secure solutions in the cloud.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
1.1 Establish and Maintain a Software Inventory
1.2 Ensure Authorized Software is Currently Supported
1.3 Encrypt Confidential Data in Transit
1.4 Encrypt Confidential Data at Rest
1.5 Implement and Manage a Firewall on Servers
1.6 Manage Default Accounts on Enterprise Assets and Software
1.7 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
1.8 Centralize Account Management
2.1 Establish and Maintain a Data Recovery Process
2.2 Designate Personnel to Manage Incident Handling
2.3 Establish and Maintain Contact Information for Reporting Security Incidents
2.4 Address Unauthorized Software
2.5 Establish and Maintain a Data Management Process
2.6 Encrypt Confidential Data at Rest
2.7 Configure Data Access Control Lists
2.8 Establish and Maintain a Secure Configuration Process
2.9 Use Unique Passwords
2.10 Disable Dormant Accounts
2.11 Restrict Administrator Privileges to Dedicated Administrator Accounts
2.12 Centralize Account Management
2.13 Establish an Access Revoking Process
2.14 Require MFA for Externally-Exposed Applications
2.15 Require MFA for Remote Network Access
2.16 Require MFA for Administrative Access
2.17 Centralize Access Control
2.18 Define and Maintain Role-Based Access Control
3.1 Establish and Maintain Detailed Enterprise Asset Inventory
3.2 Tune Security Event Alerting Thresholds
3.3 Establish and Maintain Contact Information for Reporting Security Incidents
3.4 Log Confidential Data Access
3.5 Configure Data Access Control Lists
3.6 Establish and Maintain a Secure Configuration Process
3.7 Perform Automated Operating System Patch Management
3.8 Perform Automated Vulnerability Scans of Internal Enterprise Assets
3.9 Conduct Audit Log Reviews
3.10 Collect Audit Logs
3.11 Collect Detailed Audit Logs
4.1 Encrypt Confidential Data in Transit
4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
4.3 Implement and Manage a Firewall on Servers
5.1 Establish and Maintain a Data Recovery Process
5.2 Establish and Maintain a Secure Network Architecture
5.3 Encrypt Confidential Data in Transit
5.4 Encrypt Confidential Data at Rest
5.5 Configure Data Access Control Lists
5.6 Establish and Maintain a Secure Configuration Process
5.7 Securely Manage Enterprise Assets and Software
5.8 Establish an Access Revoking Process
6.1 Use Standard Hardening Configuration Templates for Application Infrastructure
6.2 Allowlist Authorized Scripts
6.3 Encrypt Confidential Data in Transit
6.4 Encrypt Confidential Data at Rest
6.5 Configure Data Access Control Lists
6.6 Establish and Maintain a Secure Configuration Process
6.7 Implement and Manage a Firewall on Servers
6.8 Securely Manage Enterprise Assets and Software
6.9 Manage Default Accounts on Enterprise Assets and Software
6.10 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
6.11 Centralize Account Management
6.12 Perform Automated Application Patch Management
6.13 Collect Audit Logs
6.14 Ensure Adequate Audit Log Storage
6.15 Collect Detailed Audit Logs
See GitHub for full details