feat(compliance): add FedRAMP 20x KSI Low compliance frameworks (#9198)

Co-authored-by: pedrooot <pedromarting3@gmail.com>
This commit is contained in:
Ethan Troy
2025-11-10 08:41:18 -05:00
committed by GitHub
parent ef4e28da03
commit 789221d901
8 changed files with 1140 additions and 3 deletions
+3 -3
@@ -82,9 +82,9 @@ prowler dashboard
| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
|---|---|---|---|---|---|---|
| AWS | 576 | 82 | 38 | 10 | Official | UI, API, CLI |
| GCP | 79 | 13 | 12 | 3 | Official | UI, API, CLI |
| Azure | 162 | 19 | 12 | 4 | Official | UI, API, CLI |
| AWS | 576 | 82 | 39 | 10 | Official | UI, API, CLI |
| GCP | 79 | 13 | 13 | 3 | Official | UI, API, CLI |
| Azure | 162 | 19 | 13 | 4 | Official | UI, API, CLI |
| Kubernetes | 83 | 7 | 5 | 7 | Official | UI, API, CLI |
| GitHub | 17 | 2 | 1 | 0 | Official | Stable | UI, API, CLI |
| M365 | 70 | 7 | 3 | 2 | Official | UI, API, CLI |
@@ -0,0 +1,46 @@
import warnings
from dashboard.common_methods import get_section_containers_cis
warnings.filterwarnings("ignore")
def get_table(data):
aux = data[
[
"REQUIREMENTS_ID",
"REQUIREMENTS_DESCRIPTION",
"REQUIREMENTS_ATTRIBUTES_SECTION",
"CHECKID",
"STATUS",
"REGION",
"ACCOUNTID",
"RESOURCEID",
]
].copy()
# Shorten the long FedRAMP KSI descriptions for better display
ksi_short_names = {
"A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
"A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
"A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
"A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
"A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
"A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
"A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
"A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
"A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
"A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
}
# Replace long descriptions with short names - use contains for partial matching
if not aux.empty:
for long_desc, short_name in ksi_short_names.items():
mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
long_desc, na=False, regex=False
)
aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
return get_section_containers_cis(
aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
)
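Review bot: The KSI-INR family is never shortened by `ksi_short_names`, because the map keys an "Incident Reporting" sentence ("…document, report, and analyze security incidents…") that does not occur in any of the three compliance files added in this commit, while those files carry "A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies" for ksi-inr, so that row keeps its full-length description in the table. The map's wording looks like the published KSI-INR text, so the JSON descriptions may be what needs aligning; either way the two must agree, and the quick fix on this side is the entry `"A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies": "Incident Response",`. This file is also duplicated byte-for-byte in the hunks ending at L104 and L144; moving the mapping into one shared helper or constant in `dashboard.common_methods` would keep the three providers in sync. `warnings.filterwarnings("ignore")` at import time silences every warning for the whole dashboard process, so a category-scoped filter would be the safer choice. `get_table` has no docstring; `"""Return the section containers for a FedRAMP 20x KSI Low frame, with family descriptions replaced by their short KSI names."""` would do.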
@@ -0,0 +1,46 @@
import warnings
from dashboard.common_methods import get_section_containers_cis
warnings.filterwarnings("ignore")
def get_table(data):
aux = data[
[
"REQUIREMENTS_ID",
"REQUIREMENTS_DESCRIPTION",
"REQUIREMENTS_ATTRIBUTES_SECTION",
"CHECKID",
"STATUS",
"REGION",
"ACCOUNTID",
"RESOURCEID",
]
].copy()
# Shorten the long FedRAMP KSI descriptions for better display
ksi_short_names = {
"A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
"A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
"A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
"A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
"A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
"A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
"A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
"A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
"A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
"A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
}
# Replace long descriptions with short names - use contains for partial matching
if not aux.empty:
for long_desc, short_name in ksi_short_names.items():
mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
long_desc, na=False, regex=False
)
aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
return get_section_containers_cis(
aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
)
@@ -0,0 +1,46 @@
import warnings
from dashboard.common_methods import get_section_containers_cis
warnings.filterwarnings("ignore")
def get_table(data):
aux = data[
[
"REQUIREMENTS_ID",
"REQUIREMENTS_DESCRIPTION",
"REQUIREMENTS_ATTRIBUTES_SECTION",
"CHECKID",
"STATUS",
"REGION",
"ACCOUNTID",
"RESOURCEID",
]
].copy()
# Shorten the long FedRAMP KSI descriptions for better display
ksi_short_names = {
"A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
"A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
"A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
"A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
"A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
"A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
"A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
"A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
"A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
"A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
}
# Replace long descriptions with short names - use contains for partial matching
if not aux.empty:
for long_desc, short_name in ksi_short_names.items():
mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
long_desc, na=False, regex=False
)
aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
return get_section_containers_cis(
aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
)
+1
@@ -19,6 +19,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Add multiple compliance improvements [(#9145)](https://github.com/prowler-cloud/prowler/pull/9145)
- Added validation for invalid checks, services, and categories in `load_checks_to_execute` function [(#8971)](https://github.com/prowler-cloud/prowler/pull/8971)
- NIST CSF 2.0 compliance framework for the AWS provider [(#9185)](https://github.com/prowler-cloud/prowler/pull/9185)
- Add FedRAMP 20x KSI Low for AWS, Azure and GCP [(#9198)](https://github.com/prowler-cloud/prowler/pull/9198)
### Changed
- Update AWS Direct Connect service metadata to new format [(#8855)](https://github.com/prowler-cloud/prowler/pull/8855)
@@ -0,0 +1,347 @@
{
"Framework": "FedRAMP-20x-KSI-Low",
"Name": "FedRAMP 20x Key Security Indicators (KSIs) - Low Impact Level v25.05C",
"Version": "25.05C",
"Provider": "AWS",
"Description": "FedRAMP 20x Key Security Indicators (KSIs) Low Impact Level represent core security indicators for cloud service providers, focusing on automation, continuous monitoring, and cloud-native security principles per FedRAMP 20x Phase One pilot requirements for Low impact systems.",
"Requirements": [
{
"Id": "ksi-cmt",
"Name": "KSI-CMT: Change Management",
"Description": "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly",
"Attributes": [
{
"ItemId": "ksi-cmt",
"Section": "Change Management",
"Service": "aws"
}
],
"Checks": [
"cloudtrail_multi_region_enabled",
"cloudtrail_log_file_validation_enabled",
"cloudtrail_s3_dataevents_read_enabled",
"cloudtrail_s3_dataevents_write_enabled",
"cloudwatch_changes_to_network_acls_alarm_configured",
"cloudwatch_changes_to_network_gateways_alarm_configured",
"cloudwatch_changes_to_network_route_tables_alarm_configured",
"cloudwatch_changes_to_vpcs_alarm_configured",
"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled",
"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled",
"cloudwatch_log_metric_filter_aws_organizations_changes",
"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes",
"cloudwatch_log_metric_filter_policy_changes",
"cloudwatch_log_metric_filter_security_group_changes",
"config_recorder_all_regions_enabled",
"ec2_instance_managed_by_ssm",
"ec2_instance_older_than_specific_days",
"ssm_managed_compliant_patching",
"ssm_managed_instance_compliance_association_compliant",
"ssm_managed_instance_compliance_patch_compliant"
]
},
{
"Id": "ksi-cna",
"Name": "KSI-CNA: Cloud Native Architecture",
"Description": "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system",
"Attributes": [
{
"ItemId": "ksi-cna",
"Section": "Cloud Native Architecture",
"Service": "aws"
}
],
"Checks": [
"autoscaling_group_multiple_az",
"autoscaling_group_multiple_instance_types",
"autoscaling_group_capacity_rebalance_enabled",
"dynamodb_tables_pitr_enabled",
"dynamodb_tables_deletion_protection_enabled",
"ec2_instance_imdsv2_enabled",
"ec2_networkacl_allow_ingress_any_port",
"ec2_securitygroup_default_restrict_traffic",
"ec2_securitygroup_allow_ingress_from_internet_to_any_port",
"eks_cluster_network_policy_enabled",
"eks_cluster_not_publicly_accessible",
"eks_cluster_private_nodes_enabled",
"eks_cluster_uses_a_supported_version",
"elb_cross_zone_load_balancing_enabled",
"elbv2_alb_multi_az_scheme",
"elbv2_waf_acl_attached",
"rds_instance_multi_az",
"rds_cluster_multi_az",
"vpc_subnet_auto_assign_public_ip_disabled",
"vpc_default_security_group_restricts_traffic",
"vpc_peering_connection_routing_tables_with_least_privilege"
]
},
{
"Id": "ksi-iam",
"Name": "KSI-IAM: Identity and Access Management",
"Description": "A secure cloud service offering will protect user data, control access, and apply zero trust principles",
"Attributes": [
{
"ItemId": "ksi-iam",
"Section": "Identity and Access Management",
"Service": "aws"
}
],
"Checks": [
"iam_administrator_access_with_mfa",
"iam_aws_attached_policy_no_administrative_privileges",
"iam_customer_attached_policy_no_administrative_privileges",
"iam_inline_policy_no_administrative_privileges",
"iam_no_custom_policy_permissive_role_assumption",
"iam_no_root_access_key",
"iam_password_policy_expires_passwords_within_90_days_or_less",
"iam_password_policy_lowercase",
"iam_password_policy_minimum_length_14",
"iam_password_policy_number",
"iam_password_policy_reuse_24",
"iam_password_policy_symbol",
"iam_password_policy_uppercase",
"iam_policy_attached_only_to_group_or_roles",
"iam_policy_no_full_access_to_cloudtrail",
"iam_policy_no_full_access_to_kms",
"iam_root_hardware_mfa_enabled",
"iam_root_mfa_enabled",
"iam_rotate_access_key_90_days",
"iam_user_accesskey_unused",
"iam_user_console_access_unused",
"iam_user_hardware_mfa_enabled",
"iam_user_mfa_enabled_console_access",
"iam_user_two_active_access_key",
"organizations_scp_check_deny_regions",
"organizations_opt_out_ai_services_policy"
]
},
{
"Id": "ksi-inr",
"Name": "KSI-INR: Incident Response",
"Description": "A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies",
"Attributes": [
{
"ItemId": "ksi-inr",
"Section": "Incident Response",
"Service": "aws"
}
],
"Checks": [
"guardduty_centrally_managed",
"guardduty_ec2_malware_protection_enabled",
"guardduty_eks_audit_log_enabled",
"guardduty_eks_protection_enabled",
"guardduty_eks_runtime_monitoring_enabled",
"guardduty_is_enabled",
"guardduty_lambda_protection_enabled",
"guardduty_malware_protection_enabled",
"guardduty_no_high_severity_findings",
"guardduty_rds_protection_enabled",
"guardduty_s3_protection_enabled",
"inspector2_is_enabled",
"inspector2_active_findings_exist",
"securityhub_enabled",
"sns_topics_kms_encryption_at_rest_enabled"
]
},
{
"Id": "ksi-mla",
"Name": "KSI-MLA: Monitoring, Logging, and Auditing",
"Description": "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes",
"Attributes": [
{
"ItemId": "ksi-mla",
"Section": "Monitoring, Logging, and Auditing",
"Service": "aws"
}
],
"Checks": [
"apigateway_restapi_logging_enabled",
"cloudtrail_cloudwatch_logging_enabled",
"cloudtrail_kms_encryption_enabled",
"cloudtrail_log_file_validation_enabled",
"cloudtrail_multi_region_enabled",
"cloudtrail_s3_dataevents_read_enabled",
"cloudtrail_s3_dataevents_write_enabled",
"cloudwatch_log_group_kms_encryption_enabled",
"cloudwatch_log_group_retention_policy_specific_days_enabled",
"ecs_cluster_container_insights_enabled",
"eks_cluster_control_plane_audit_logging_enabled",
"elb_logging_enabled",
"elbv2_logging_enabled",
"inspector2_is_enabled",
"opensearch_service_domains_cloudwatch_logging_enabled",
"rds_instance_enhanced_monitoring_enabled",
"rds_instance_integration_cloudwatch_logs",
"redshift_cluster_audit_logging",
"s3_bucket_server_access_logging_enabled",
"vpc_flow_logs_enabled",
"wafv2_webacl_logging_enabled"
]
},
{
"Id": "ksi-piy",
"Name": "KSI-PIY: Policy and Inventory",
"Description": "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured",
"Attributes": [
{
"ItemId": "ksi-piy",
"Section": "Policy and Inventory",
"Service": "aws"
}
],
"Checks": [
"config_recorder_all_regions_enabled",
"config_recorder_using_aws_service_role",
"ec2_instance_managed_by_ssm",
"organizations_account_part_of_organizations",
"organizations_delegated_administrators",
"organizations_scp_check_deny_regions",
"organizations_tags_policies_enabled_and_attached",
"resourceexplorer_indexes_found",
"ssm_managed_instance_compliance_association_compliant",
"trustedadvisor_premium_support_plan_subscribed"
]
},
{
"Id": "ksi-rpl",
"Name": "KSI-RPL: Recovery Planning",
"Description": "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss",
"Attributes": [
{
"ItemId": "ksi-rpl",
"Section": "Recovery Planning",
"Service": "aws"
}
],
"Checks": [
"backup_plans_exist",
"backup_reportplans_exist",
"backup_vaults_exist",
"backup_vaults_encrypted",
"backup_recovery_point_encrypted",
"backup_recovery_point_manual_deletion_disabled",
"backup_recovery_point_minimum_retention_days",
"dlm_ebs_snapshot_lifecycle_policy_exists",
"dynamodb_tables_pitr_enabled",
"dynamodb_tables_deletion_protection_enabled",
"efs_have_backup_enabled",
"fsx_file_system_copy_tags_to_backups",
"rds_instance_backup_enabled",
"rds_instance_backup_retention_policy",
"rds_instance_deletion_protection",
"rds_cluster_deletion_protection",
"rds_snapshots_encrypted",
"redshift_cluster_automated_snapshot"
]
},
{
"Id": "ksi-svc",
"Name": "KSI-SVC: Service Configuration",
"Description": "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources",
"Attributes": [
{
"ItemId": "ksi-svc",
"Section": "Service Configuration",
"Service": "aws"
}
],
"Checks": [
"acm_certificates_expiration_check",
"apigateway_restapi_cache_encrypted",
"cloudtrail_kms_encryption_enabled",
"dax_cluster_encryption_enabled",
"dynamodb_table_encryption_enabled",
"dynamodb_table_encryption_uses_cmks",
"ebs_volume_encryption_enabled",
"ec2_ebs_default_encryption",
"ec2_instance_ebs_optimized",
"efs_encryption_at_rest_enabled",
"eks_cluster_envelope_encryption_enabled",
"elasticache_redis_cluster_encryption_at_rest_enabled",
"elasticache_redis_cluster_encryption_at_transit_enabled",
"elbv2_ssl_listeners",
"fsx_file_system_encryption_at_rest_enabled",
"kinesis_stream_encrypted_at_rest",
"kms_cmk_rotation_enabled",
"kms_cmk_not_scheduled_for_deletion",
"kms_key_not_publicly_accessible",
"rds_instance_storage_encrypted",
"rds_instance_storage_encrypted_with_cmk",
"rds_cluster_storage_encrypted",
"redshift_cluster_encryption_at_rest",
"redshift_cluster_encryption_in_transit",
"s3_bucket_server_side_encryption_enabled",
"s3_bucket_default_encryption",
"s3_bucket_secure_transport_policy",
"sagemaker_notebook_instance_encryption_enabled",
"sns_topics_kms_encryption_at_rest_enabled",
"sqs_queue_server_side_encryption_enabled"
]
},
{
"Id": "ksi-tpr",
"Name": "KSI-TPR: Third-Party Information Resources",
"Description": "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources",
"Attributes": [
{
"ItemId": "ksi-tpr",
"Section": "Third-Party Information Resources",
"Service": "aws"
}
],
"Checks": [
"ecr_registry_scan_images_on_push_enabled",
"ecr_repositories_lifecycle_policy_enabled",
"ecr_repositories_not_publicly_accessible",
"ecr_repositories_scan_on_push_enabled",
"ecr_repositories_scan_vulnerabilities_in_latest_image",
"ecr_repositories_tag_immutability",
"inspector2_active_findings_exist",
"inspector2_is_enabled",
"awslambda_function_using_supported_runtimes",
"ssm_managed_compliant_patching",
"trustedadvisor_premium_support_plan_subscribed",
"guardduty_no_high_severity_findings"
]
},
{
"Id": "ksi-iam-07",
"Name": "KSI-IAM-07: Account Lifecycle Management",
"Description": "Securely manage the lifecycle and privileges of all accounts, roles, and groups",
"Attributes": [
{
"ItemId": "ksi-iam-07",
"Section": "Identity and Access Management",
"Service": "aws"
}
],
"Checks": [
"iam_no_root_access_key",
"iam_policy_attached_only_to_group_or_roles",
"iam_rotate_access_key_90_days",
"iam_user_accesskey_unused",
"iam_user_console_access_unused",
"organizations_delegated_administrators"
]
},
{
"Id": "ksi-mla-07",
"Name": "KSI-MLA-07: Monitoring and Logging Inventory",
"Description": "Maintain a list of information resources and event types that will be monitored, logged, and audited",
"Attributes": [
{
"ItemId": "ksi-mla-07",
"Section": "Monitoring, Logging, and Auditing",
"Service": "aws"
}
],
"Checks": [
"cloudtrail_multi_region_enabled",
"cloudwatch_log_group_retention_policy_specific_days_enabled",
"config_recorder_all_regions_enabled",
"inspector2_is_enabled",
"resourceexplorer_indexes_found"
]
}
]
}
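Review bot: `ec2_instance_ebs_optimized` is listed under KSI-SVC (Service Configuration), whose description covers encryption policy, integrity verification and third-party access restrictions; EBS optimization is a storage-throughput setting and gives no signal on any of those, so its PASS/FAIL would be attributed to an indicator it does not measure and the entry should be dropped or moved. Separately, the file mixes family-level entries (ksi-iam, ksi-mla) with two sub-indicator entries (ksi-iam-07, ksi-mla-07) whose checks are a subset of the parent family's list, so those results presumably count twice in the per-section totals; if sub-indicator granularity is intended the remaining sub-indicators should get entries too, otherwise the two should be folded into their parents. The Azure file (hunk ending at L860) has the same family/sub-indicator mix.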
@@ -0,0 +1,358 @@
{
"Framework": "FedRAMP-20x-KSI-Low",
"Name": "FedRAMP 20x Key Security Indicators (KSIs) - Low Impact Level v25.05C",
"Version": "25.05C",
"Provider": "Azure",
"Description": "FedRAMP 20x Key Security Indicators (KSIs) Low Impact Level represent core security indicators for cloud service providers, focusing on automation, continuous monitoring, and cloud-native security principles per FedRAMP 20x Phase One pilot requirements for Low impact systems.",
"Requirements": [
{
"Id": "ksi-cmt",
"Name": "KSI-CMT: Change Management",
"Description": "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly",
"Attributes": [
{
"ItemId": "ksi-cmt",
"Section": "Change Management",
"Service": "azure"
}
],
"Checks": [
"monitor_activity_log_alert_cmk_delete",
"monitor_activity_log_alert_create_policy_assignment",
"monitor_activity_log_alert_create_update_delete_network_sg",
"monitor_activity_log_alert_create_update_delete_network_sg_rule",
"monitor_activity_log_alert_create_update_delete_sql_server_fw_rule",
"monitor_activity_log_alert_create_update_nsg",
"monitor_activity_log_alert_create_update_public_ip_address",
"monitor_activity_log_alert_create_update_security_solution",
"monitor_activity_log_alert_delete_nsg",
"monitor_activity_log_alert_delete_policy_assignment",
"monitor_activity_log_alert_delete_public_ip_address",
"monitor_activity_log_alert_delete_security_solution",
"monitor_log_profile_all_categories",
"monitor_log_profile_all_regions",
"vm_agent_installed",
"vm_antimalware_solution_installed",
"vm_endpoint_protection_installed",
"vm_guest_configuration_installed",
"vm_guest_configuration_with_no_managed_identity",
"vm_guest_configuration_with_user_identity"
]
},
{
"Id": "ksi-cna",
"Name": "KSI-CNA: Cloud Native Architecture",
"Description": "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system",
"Attributes": [
{
"ItemId": "ksi-cna",
"Section": "Cloud Native Architecture",
"Service": "azure"
}
],
"Checks": [
"aks_clusters_created_with_private_nodes",
"aks_clusters_public_access_disabled",
"aks_network_policy_enabled",
"app_function_vnet_integration_enabled",
"app_function_not_publicly_accessible",
"containerregistry_not_publicly_accessible",
"containerregistry_uses_private_link",
"cosmosdb_account_use_private_endpoints",
"cosmosdb_account_firewall_use_selected_networks",
"databricks_workspace_vnet_injection_enabled",
"keyvault_access_only_through_private_endpoints",
"keyvault_private_endpoints",
"network_bastion_host_exists",
"network_flow_logs_enabled",
"network_security_group_not_empty",
"network_sg_ssh_access_restricted",
"network_sg_rdp_access_restricted",
"network_sg_open_all_ports_to_any_source",
"network_watcher_enabled",
"postgresql_flexible_server_public_network_access_disabled",
"sqlserver_public_network_access_disabled",
"storage_default_network_access_rule_set_to_deny",
"vm_availability_zones_enabled",
"vm_availability_set_deployed"
]
},
{
"Id": "ksi-iam",
"Name": "KSI-IAM: Identity and Access Management",
"Description": "A secure cloud service offering will protect user data, control access, and apply zero trust principles",
"Attributes": [
{
"ItemId": "ksi-iam",
"Section": "Identity and Access Management",
"Service": "azure"
}
],
"Checks": [
"entra_conditional_access_policy_require_mfa_for_management_api",
"entra_global_admin_in_less_than_five_users",
"entra_non_privileged_user_has_mfa",
"entra_policy_default_users_cannot_create_security_groups",
"entra_policy_ensure_default_user_cannot_create_apps",
"entra_policy_ensure_default_user_cannot_create_tenants",
"entra_policy_guest_invite_only_for_admin_roles",
"entra_policy_guest_users_access_restrictions",
"entra_policy_restricts_user_consent_for_apps",
"entra_policy_user_consent_for_verified_apps",
"entra_privileged_user_has_mfa",
"entra_security_defaults_enabled",
"entra_trusted_named_locations_exists",
"entra_user_with_vm_access_has_mfa",
"entra_users_cannot_create_microsoft_365_groups",
"iam_custom_role_has_permissions_to_administer_resource_locks",
"iam_role_user_access_admin_restricted",
"iam_subscription_roles_owner_custom_not_created",
"keyvault_rbac_enabled",
"app_function_identity_is_configured",
"app_function_identity_without_admin_privileges",
"app_ensure_auth_is_set_up",
"app_register_with_identity",
"vm_managed_identity_enabled"
]
},
{
"Id": "ksi-inr",
"Name": "KSI-INR: Incident Response",
"Description": "A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies",
"Attributes": [
{
"ItemId": "ksi-inr",
"Section": "Incident Response",
"Service": "azure"
}
],
"Checks": [
"defender_attack_path_notifications_properly_configured",
"defender_ensure_notify_alerts_severity_is_high",
"defender_ensure_notify_emails_to_owners",
"defender_additional_email_configured_with_a_security_contact",
"defender_container_images_resolved_vulnerabilities",
"defender_container_images_scan_enabled",
"defender_ensure_defender_for_app_services_is_on",
"defender_ensure_defender_for_arm_is_on",
"defender_ensure_defender_for_azure_sql_databases_is_on",
"defender_ensure_defender_for_containers_is_on",
"defender_ensure_defender_for_cosmosdb_is_on",
"defender_ensure_defender_for_databases_is_on",
"defender_ensure_defender_for_dns_is_on",
"defender_ensure_defender_for_keyvault_is_on",
"defender_ensure_defender_for_os_relational_databases_is_on",
"defender_ensure_defender_for_server_is_on",
"defender_ensure_defender_for_sql_servers_is_on",
"defender_ensure_defender_for_storage_is_on",
"defender_ensure_iot_hub_defender_is_on",
"defender_ensure_wdatp_is_enabled"
]
},
{
"Id": "ksi-mla",
"Name": "KSI-MLA: Monitoring, Logging, and Auditing",
"Description": "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes",
"Attributes": [
{
"ItemId": "ksi-mla",
"Section": "Monitoring, Logging, and Auditing",
"Service": "azure"
}
],
"Checks": [
"app_function_application_insights_enabled",
"app_http_logs_enabled",
"appinsights_ensure_is_configured",
"defender_auto_provisioning_log_analytics_agent_vms_on",
"defender_auto_provisioning_vulnerabilty_assessments_machines_on",
"keyvault_logging_enabled",
"monitor_activity_log_retention_policy_set",
"monitor_diagnostic_logs_categories",
"monitor_diagnostic_setting_deployed_for_all_resources",
"monitor_diagnostic_settings_captures_proper_categories",
"monitor_log_profile_all_categories",
"monitor_log_profile_all_regions",
"monitor_log_profile_captures_all_activities",
"monitor_log_profile_retention_policy_at_least_365",
"network_flow_logs_enabled",
"network_flow_log_retention_policy_at_least_90",
"network_watcher_enabled",
"postgresql_flexible_server_audit_logs_enabled",
"postgresql_flexible_server_log_checkpoints_enabled",
"postgresql_flexible_server_log_connections_enabled",
"postgresql_flexible_server_log_disconnections_enabled",
"sqlserver_auditing_on",
"sqlserver_auditing_retention_90_days",
"storage_storage_account_logging_queue_read_write_delete_enabled"
]
},
{
"Id": "ksi-piy",
"Name": "KSI-PIY: Policy and Inventory",
"Description": "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured",
"Attributes": [
{
"ItemId": "ksi-piy",
"Section": "Policy and Inventory",
"Service": "azure"
}
],
"Checks": [
"policy_ensure_asc_for_aks_is_enabled",
"policy_ensure_asc_for_app_services_is_enabled",
"policy_ensure_asc_for_azure_sql_is_enabled",
"policy_ensure_asc_for_key_vault_is_enabled",
"policy_ensure_asc_for_servers_is_enabled",
"policy_ensure_asc_for_sql_servers_is_enabled",
"policy_ensure_asc_for_storage_is_enabled",
"policy_ensure_allowed_extensions_are_installed",
"policy_ensure_allowed_locations_is_enabled",
"policy_ensure_allowed_resource_types_is_enabled",
"policy_ensure_audit_diagnostic_log_enabled_for_all_services",
"policy_ensure_not_allowed_resource_types_is_enabled",
"vm_guest_configuration_installed",
"vm_guest_configuration_with_no_managed_identity",
"vm_guest_configuration_with_user_identity"
]
},
{
"Id": "ksi-rpl",
"Name": "KSI-RPL: Recovery Planning",
"Description": "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss",
"Attributes": [
{
"ItemId": "ksi-rpl",
"Section": "Recovery Planning",
"Service": "azure"
}
],
"Checks": [
"mysql_flexible_server_geo_redundant_backup_enabled",
"mysql_flexible_server_retain_backup_35_days",
"postgresql_flexible_server_geo_redundant_backup_enabled",
"postgresql_flexible_server_backup_retention_period_35_days",
"recovery_services_vault_uses_private_link",
"recovery_services_vault_uses_private_link_for_backup",
"sqlserver_database_long_term_geo_redundant_backup",
"sqlserver_database_retention_policy_exceeds_90_days",
"storage_default_storage_account_encrypted_with_cmk_not_stored_in_storage_account",
"storage_geo_redundant_enabled",
"storage_infrastructure_encryption_is_enabled",
"storage_soft_delete_containers_enabled",
"storage_soft_delete_enabled",
"vm_backup_enabled",
"vm_sufficient_daily_backup_retention_period"
]
},
{
"Id": "ksi-svc",
"Name": "KSI-SVC: Service Configuration",
"Description": "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources",
"Attributes": [
{
"ItemId": "ksi-svc",
"Section": "Service Configuration",
"Service": "azure"
}
],
"Checks": [
"app_client_certificates_on",
"app_ensure_http_is_redirected_to_https",
"app_minimum_tls_version_12",
"containerregistry_admin_user_disabled",
"cosmosdb_account_use_aad_and_rbac",
"databricks_workspace_cmk_encryption_enabled",
"keyvault_key_expiration_set_in_non_rbac",
"keyvault_key_rotation_enabled",
"keyvault_non_rbac_secret_expiration_set",
"mysql_flexible_server_encrypted_at_rest_using_cmk",
"mysql_flexible_server_encrypted_in_transit",
"mysql_flexible_server_minimum_tls_version_tls12",
"postgresql_flexible_server_encrypted_at_rest_using_cmk",
"postgresql_flexible_server_encrypted_in_transit",
"postgresql_flexible_server_minimum_tls_version_tls12",
"sqlserver_advanced_data_security_enabled",
"sqlserver_database_encryption_with_cmk",
"sqlserver_database_tde_encryption_enabled",
"sqlserver_minimum_tls_version_12",
"storage_secure_transfer_required_enabled",
"storage_default_storage_account_encrypted_with_cmk",
"storage_infrastructure_encryption_is_enabled",
"storage_storage_account_encrypted_with_cmk",
"storage_storage_account_minimum_tls_version_tls12",
"vm_encrypted_at_host",
"vm_data_disks_encrypted_with_cmk",
"vm_managed_disks_encrypted_with_cmk",
"vm_os_disk_are_encrypted_with_cmk",
"vm_temporary_disks_and_cache_encrypted"
]
},
{
"Id": "ksi-tpr",
"Name": "KSI-TPR: Third-Party Information Resources",
"Description": "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources",
"Attributes": [
{
"ItemId": "ksi-tpr",
"Section": "Third-Party Information Resources",
"Service": "azure"
}
],
"Checks": [
"app_ensure_java_version_is_latest",
"app_ensure_php_version_is_latest",
"app_ensure_python_version_is_latest",
"app_function_latest_runtime_version",
"defender_container_images_resolved_vulnerabilities",
"defender_container_images_scan_enabled",
"defender_ensure_system_updates_are_applied",
"vm_agent_installed",
"vm_antimalware_solution_installed",
"vm_endpoint_protection_installed",
"vm_os_update_system_updates",
"vm_security_patch_assessment"
]
},
{
"Id": "ksi-iam-07",
"Name": "KSI-IAM-07: Account Lifecycle Management",
"Description": "Securely manage the lifecycle and privileges of all accounts, roles, and groups",
"Attributes": [
{
"ItemId": "ksi-iam-07",
"Section": "Identity and Access Management",
"Service": "azure"
}
],
"Checks": [
"entra_non_privileged_user_has_mfa",
"entra_privileged_user_has_mfa",
"entra_user_with_vm_access_has_mfa",
"iam_custom_role_has_permissions_to_administer_resource_locks",
"iam_role_user_access_admin_restricted",
"app_function_identity_is_configured",
"vm_managed_identity_enabled"
]
},
{
"Id": "ksi-mla-07",
"Name": "KSI-MLA-07: Monitoring and Logging Inventory",
"Description": "Maintain a list of information resources and event types that will be monitored, logged, and audited",
"Attributes": [
{
"ItemId": "ksi-mla-07",
"Section": "Monitoring, Logging, and Auditing",
"Service": "azure"
}
],
"Checks": [
"monitor_log_profile_all_categories",
"monitor_log_profile_all_regions",
"monitor_log_profile_captures_all_activities",
"monitor_diagnostic_setting_deployed_for_all_resources",
"network_watcher_enabled"
]
}
]
}
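Review bot: `storage_default_storage_account_encrypted_with_cmk_not_stored_in_storage_account` and `storage_infrastructure_encryption_is_enabled` are mapped to KSI-RPL (Recovery Planning), whose description is about incident response plans, recovery capabilities and minimal data loss; both are encryption-at-rest controls and belong with KSI-SVC, where the second one is already listed, so under KSI-RPL they change the indicator's score without measuring recoverability. Moving or dropping them keeps the RPL result tied to the backup, retention, soft-delete and geo-redundancy checks that make up the rest of that list.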
@@ -0,0 +1,293 @@
{
"Framework": "FedRAMP-20x-KSI-Low",
"Name": "FedRAMP 20x Key Security Indicators (KSIs) - Low Impact Level v25.05C",
"Version": "25.05C",
"Provider": "GCP",
"Description": "FedRAMP 20x Key Security Indicators (KSIs) Low Impact Level represent core security indicators for cloud service providers, focusing on automation, continuous monitoring, and cloud-native security principles per FedRAMP 20x Phase One pilot requirements for Low impact systems.",
"Requirements": [
{
"Id": "ksi-cmt",
"Name": "KSI-CMT: Change Management",
"Description": "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly",
"Attributes": [
{
"ItemId": "ksi-cmt",
"Section": "Change Management",
"Service": "gcp"
}
],
"Checks": [
"iam_audit_logs_enabled",
"iam_cloud_asset_inventory_enabled",
"logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled",
"logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled",
"logging_log_metric_filter_and_alert_for_custom_role_changes_enabled",
"logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
"logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled",
"logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled",
"logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled",
"logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled",
"compute_instance_serial_ports_in_use",
"compute_project_os_login_enabled"
]
},
{
"Id": "ksi-cna",
"Name": "KSI-CNA: Cloud Native Architecture",
"Description": "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system",
"Attributes": [
{
"ItemId": "ksi-cna",
"Section": "Cloud Native Architecture",
"Service": "gcp"
}
],
"Checks": [
"cloudsql_instance_private_ip_assignment",
"cloudsql_instance_public_access",
"cloudsql_instance_public_ip",
"cloudstorage_bucket_uniform_bucket_level_access",
"compute_firewall_rdp_access_from_the_internet_allowed",
"compute_firewall_ssh_access_from_the_internet_allowed",
"compute_instance_block_project_wide_ssh_keys_disabled",
"compute_instance_confidential_computing_enabled",
"compute_instance_ip_forwarding_is_enabled",
"compute_instance_public_ip",
"compute_instance_shielded_vm_enabled",
"compute_loadbalancer_logging_enabled",
"compute_network_default_in_use",
"compute_network_dns_logging_enabled",
"compute_network_not_legacy",
"compute_subnet_flow_logs_enabled",
"gke_cluster_no_default_service_account"
]
},
{
"Id": "ksi-iam",
"Name": "KSI-IAM: Identity and Access Management",
"Description": "A secure cloud service offering will protect user data, control access, and apply zero trust principles",
"Attributes": [
{
"ItemId": "ksi-iam",
"Section": "Identity and Access Management",
"Service": "gcp"
}
],
"Checks": [
"apikeys_api_restrictions_configured",
"apikeys_key_exists",
"apikeys_key_rotated_in_90_days",
"compute_instance_default_service_account_in_use",
"compute_instance_default_service_account_in_use_with_full_api_access",
"iam_no_service_roles_at_project_level",
"iam_role_kms_enforce_separation_of_duties",
"iam_role_sa_enforce_separation_of_duties",
"iam_sa_no_administrative_privileges",
"iam_sa_no_user_managed_keys",
"iam_sa_user_managed_key_rotate_90_days",
"iam_sa_user_managed_key_unused",
"iam_service_account_unused"
]
},
{
"Id": "ksi-inr",
"Name": "KSI-INR: Incident Response",
"Description": "A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies",
"Attributes": [
{
"ItemId": "ksi-inr",
"Section": "Incident Response",
"Service": "gcp"
}
],
"Checks": [
"iam_organization_essential_contacts_configured",
"iam_account_access_approval_enabled",
"logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled",
"logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled",
"logging_log_metric_filter_and_alert_for_custom_role_changes_enabled",
"logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
"logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled",
"logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled",
"logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled",
"logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled"
]
},
{
"Id": "ksi-mla",
"Name": "KSI-MLA: Monitoring, Logging, and Auditing",
"Description": "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes",
"Attributes": [
{
"ItemId": "ksi-mla",
"Section": "Monitoring, Logging, and Auditing",
"Service": "gcp"
}
],
"Checks": [
"cloudsql_instance_postgres_enable_pgaudit_flag",
"cloudsql_instance_postgres_log_connections_flag",
"cloudsql_instance_postgres_log_disconnections_flag",
"cloudsql_instance_postgres_log_error_verbosity_flag",
"cloudsql_instance_postgres_log_min_duration_statement_flag",
"cloudsql_instance_postgres_log_min_error_statement_flag",
"cloudsql_instance_postgres_log_min_messages_flag",
"cloudsql_instance_postgres_log_statement_flag",
"cloudsql_instance_sqlserver_trace_flag",
"cloudstorage_bucket_log_retention_policy_lock",
"compute_loadbalancer_logging_enabled",
"compute_network_dns_logging_enabled",
"compute_subnet_flow_logs_enabled",
"iam_audit_logs_enabled",
"logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled",
"logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled",
"logging_log_metric_filter_and_alert_for_custom_role_changes_enabled",
"logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
"logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled",
"logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled",
"logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled",
"logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled",
"logging_sink_created"
]
},
{
"Id": "ksi-piy",
"Name": "KSI-PIY: Policy and Inventory",
"Description": "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured",
"Attributes": [
{
"ItemId": "ksi-piy",
"Section": "Policy and Inventory",
"Service": "gcp"
}
],
"Checks": [
"iam_cloud_asset_inventory_enabled",
"iam_organization_essential_contacts_configured",
"iam_audit_logs_enabled",
"compute_project_os_login_enabled",
"compute_instance_serial_ports_in_use",
"compute_instance_block_project_wide_ssh_keys_disabled",
"logging_sink_created"
]
},
{
"Id": "ksi-rpl",
"Name": "KSI-RPL: Recovery Planning",
"Description": "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss",
"Attributes": [
{
"ItemId": "ksi-rpl",
"Section": "Recovery Planning",
"Service": "gcp"
}
],
"Checks": [
"cloudsql_instance_automated_backups",
"cloudstorage_bucket_log_retention_policy_lock",
"cloudstorage_bucket_versioning_enabled",
"cloudstorage_bucket_lifecycle_management_enabled"
]
},
{
"Id": "ksi-svc",
"Name": "KSI-SVC: Service Configuration",
"Description": "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources",
"Attributes": [
{
"ItemId": "ksi-svc",
"Section": "Service Configuration",
"Service": "gcp"
}
],
"Checks": [
"bigquery_dataset_cmk_encryption",
"bigquery_table_cmk_encryption",
"cloudsql_instance_mysql_local_infile_flag",
"cloudsql_instance_mysql_skip_show_database_flag",
"cloudsql_instance_postgres_enable_pgaudit_flag",
"cloudsql_instance_postgres_log_connections_flag",
"cloudsql_instance_postgres_log_disconnections_flag",
"cloudsql_instance_postgres_log_error_verbosity_flag",
"cloudsql_instance_postgres_log_min_duration_statement_flag",
"cloudsql_instance_postgres_log_min_error_statement_flag",
"cloudsql_instance_postgres_log_min_messages_flag",
"cloudsql_instance_postgres_log_statement_flag",
"cloudsql_instance_sqlserver_contained_database_authentication_flag",
"cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag",
"cloudsql_instance_sqlserver_external_scripts_enabled_flag",
"cloudsql_instance_sqlserver_remote_access_flag",
"cloudsql_instance_sqlserver_trace_flag",
"cloudsql_instance_sqlserver_user_connections_flag",
"cloudsql_instance_sqlserver_user_options_flag",
"cloudsql_instance_ssl_connections",
"compute_instance_encryption_with_csek_enabled",
"compute_instance_shielded_vm_enabled",
"dataproc_encrypted_with_cmks_disabled",
"dns_dnssec_disabled",
"dns_rsasha1_in_use_to_key_sign_in_dnssec",
"dns_rsasha1_in_use_to_zone_sign_in_dnssec",
"kms_key_not_publicly_accessible",
"kms_key_rotation_enabled"
]
},
{
"Id": "ksi-tpr",
"Name": "KSI-TPR: Third-Party Information Resources",
"Description": "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources",
"Attributes": [
{
"ItemId": "ksi-tpr",
"Section": "Third-Party Information Resources",
"Service": "gcp"
}
],
"Checks": [
"artifacts_container_analysis_enabled",
"gcr_container_scanning_enabled",
"compute_public_address_shodan",
"cloudsql_instance_automated_backups",
"iam_sa_user_managed_key_rotate_90_days",
"iam_service_account_unused"
]
},
{
"Id": "ksi-iam-07",
"Name": "KSI-IAM-07: Account Lifecycle Management",
"Description": "Securely manage the lifecycle and privileges of all accounts, roles, and groups",
"Attributes": [
{
"ItemId": "ksi-iam-07",
"Section": "Identity and Access Management",
"Service": "gcp"
}
],
"Checks": [
"apikeys_key_rotated_in_90_days",
"iam_sa_user_managed_key_rotate_90_days",
"iam_sa_user_managed_key_unused",
"iam_service_account_unused",
"compute_instance_default_service_account_in_use"
]
},
{
"Id": "ksi-mla-07",
"Name": "KSI-MLA-07: Monitoring and Logging Inventory",
"Description": "Maintain a list of information resources and event types that will be monitored, logged, and audited",
"Attributes": [
{
"ItemId": "ksi-mla-07",
"Section": "Monitoring, Logging, and Auditing",
"Service": "gcp"
}
],
"Checks": [
"iam_audit_logs_enabled",
"iam_cloud_asset_inventory_enabled",
"logging_sink_created",
"compute_subnet_flow_logs_enabled",
"compute_network_dns_logging_enabled"
]
}
]
}
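Review bot: The KSI-TPR requirement (ksi-tpr, Third-Party Information Resources) maps checks that do not evidence third-party or supply-chain risk management — `compute_public_address_shodan`, `cloudsql_instance_automated_backups`, `iam_sa_user_managed_key_rotate_90_days` and `iam_service_account_unused` — so a FAIL on any of them will be attributed to the wrong indicator in the compliance report. Of the six listed, only `artifacts_container_analysis_enabled` and `gcr_container_scanning_enabled` plausibly relate to supply-chain integrity, and the Shodan check appears to depend on an external lookup being configured, so its result would track scanner configuration rather than the tenant's posture. Consider trimming the ksi-tpr "Checks" array to the two scanning checks, or adding a note to the requirement "Description" explaining why the others are included; three of the four already appear under KSI-RPL or KSI-IAM, so coverage is not lost. Similarly, the KSI-CNA and KSI-SVC lists include `compute_instance_confidential_computing_enabled` and CMK/CSEK encryption checks that go beyond what a Low impact baseline typically requires, which may produce persistent failures for systems that are otherwise compliant at Low; if these are intended as recommendations rather than requirements for this framework, that should be stated in the top-level "Description".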