--- title: "Configuration File" --- import { VersionBadge } from "/snippets/version-badge.mdx" Several Prowler's checks have user configurable variables that can be modified in a common **configuration file**. This file can be found in the following [path](https://github.com/prowler-cloud/prowler/blob/master/prowler/config/config.yaml): ``` prowler/config/config.yaml ``` Additionally, you can input a custom configuration file using the `--config-file` argument. Numeric thresholds enforce hard limits. A value outside the accepted range is dropped with a warning and the check falls back to its built-in default. See [Configuration Value Limits](/developer-guide/configurable-checks#configuration-value-limits) for the exact range of every bounded option (max-days caps, percentages, counts, etc.). ## AWS ### Configurable Checks The following list includes all the AWS checks with configurable variables that can be changed in the configuration yaml file: | Check Name | Value | Type | |---------------------------------------------------------------|--------------------------------------------------|-----------------| | `acm_certificates_expiration_check` | `days_to_expire_threshold` | Integer | | `acmpca_certificate_authority_pqc_key_algorithm` | `acmpca_pqc_key_algorithms` | List of Strings | | `appstream_fleet_maximum_session_duration` | `max_session_duration_seconds` | Integer | | `appstream_fleet_session_disconnect_timeout` | `max_disconnect_timeout_in_seconds` | Integer | | `appstream_fleet_session_idle_disconnect_timeout` | `max_idle_disconnect_timeout_in_seconds` | Integer | | `autoscaling_find_secrets_ec2_launch_configuration` | `secrets_ignore_patterns` | List of Strings | | `awslambda_function_no_secrets_in_code` | `secrets_ignore_patterns` | List of Strings | | `awslambda_function_no_secrets_in_variables` | `secrets_ignore_patterns` | List of Strings | | `awslambda_function_using_supported_runtimes` | `obsolete_lambda_runtimes` | Integer | | `awslambda_function_vpc_is_in_multi_azs` | `lambda_min_azs` | Integer | | `cloudformation_stack_outputs_find_secrets` | `secrets_ignore_patterns` | List of Strings | | `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_actions` | List of Strings | | `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_entropy` | Integer | | `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_minutes` | Integer | | `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_privilege_escalation_actions` | List of Strings | | `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_privilege_escalation_entropy` | Integer | | `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_privilege_escalation_minutes` | Integer | | `cloudwatch_log_group_no_secrets_in_logs` | `secrets_ignore_patterns` | List of Strings | | `cloudwatch_log_group_retention_policy_specific_days_enabled` | `log_group_retention_days` | Integer | | `codebuild_github_allowed_organizations` | `github_allowed_organizations` | List of Strings | | `codebuild_project_no_secrets_in_variables` | `excluded_sensitive_environment_variables` | List of Strings | | `codebuild_project_no_secrets_in_variables` | `secrets_ignore_patterns` | List of Strings | | `config_recorder_all_regions_enabled` | `mute_non_default_regions` | Boolean | | `drs_job_exist` | `mute_non_default_regions` | Boolean | | `ec2_elastic_ip_shodan` | `shodan_api_key` | String | | `ec2_instance_older_than_specific_days` | `max_ec2_instance_age_in_days` | Integer | | `ec2_instance_secrets_user_data` | `secrets_ignore_patterns` | List of Strings | | `ec2_launch_template_no_secrets` | `secrets_ignore_patterns` | List of Strings | | `ec2_securitygroup_allow_ingress_from_internet_to_any_port` | `ec2_allowed_instance_owners` | List of Strings | | `ec2_securitygroup_allow_ingress_from_internet_to_any_port` | `ec2_allowed_interface_types` | List of Strings | | `ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports`| `ec2_high_risk_ports` | List of Integer | | `ec2_securitygroup_with_many_ingress_egress_rules` | `max_security_group_rules` | Integer | | `ecs_task_definitions_no_environment_secrets` | `secrets_ignore_patterns` | List of Strings | | `ecr_repositories_scan_vulnerabilities_in_latest_image` | `ecr_repository_vulnerability_minimum_severity` | String | | `eks_cluster_uses_a_supported_version` | `eks_cluster_oldest_version_supported` | String | | `eks_control_plane_logging_all_types_enabled` | `eks_required_log_types` | List of Strings | | `elasticache_redis_cluster_backup_enabled` | `minimum_snapshot_retention_period` | Integer | | `elb_is_in_multiple_az` | `elb_min_azs` | Integer | | `elbv2_is_in_multiple_az` | `elbv2_min_azs` | Integer | | `rolesanywhere_trust_anchor_pqc_pki` | `rolesanywhere_pqc_pca_key_algorithms` | List of Strings | | `cloudfront_distributions_pqc_tls_enabled` | `cloudfront_pqc_min_protocol_versions` | List of Strings | | `apigateway_domain_name_pqc_tls_enabled` | `apigateway_pqc_tls_allowed_policies` | List of Strings | | `guardduty_is_enabled` | `mute_non_default_regions` | Boolean | | `iam_user_access_not_stale_to_sagemaker` | `max_unused_sagemaker_access_days` | Integer | | `iam_user_accesskey_unused` | `max_unused_access_keys_days` | Integer | | `iam_user_console_access_unused` | `max_console_access_days` | Integer | | `organizations_delegated_administrators` | `organizations_trusted_delegated_administrators` | List of Strings | | `organizations_scp_check_deny_regions` | `organizations_enabled_regions` | List of Strings | | `rds_instance_backup_enabled` | `check_rds_instance_replicas` | Boolean | | `securityhub_enabled` | `mute_non_default_regions` | Boolean | | `secretsmanager_secret_unused` | `max_days_secret_unused` | Integer | | `secretsmanager_secret_rotated_periodically` | `max_days_secret_unrotated` | Integer | | `ssm_document_secrets` | `secrets_ignore_patterns` | List of Strings | | `trustedadvisor_premium_support_plan_subscribed` | `verify_premium_support_plans` | Boolean | | `transfer_server_pqc_ssh_kex_enabled` | `transfer_pqc_ssh_allowed_policies` | List of Strings | | `dynamodb_table_cross_account_access` | `trusted_account_ids` | List of Strings | | `eventbridge_bus_cross_account_access` | `trusted_account_ids` | List of Strings | | `eventbridge_schema_registry_cross_account_access` | `trusted_account_ids` | List of Strings | | `s3_bucket_cross_account_access` | `trusted_account_ids` | List of Strings | | `ssm_documents_set_as_public` | `trusted_account_ids` | List of Strings | | `vpc_endpoint_connections_trust_boundaries` | `trusted_account_ids` | List of Strings | | `vpc_endpoint_services_allowed_principals_trust_boundaries` | `trusted_account_ids` | List of Strings | | `opensearch_service_domains_not_publicly_accessible` | `trusted_ips` | List of Strings | ### Validating Discovered Secrets By default, the secret-scanning checks run fully offline: secrets are detected but never sent anywhere. Setting `secrets_validate` to `True` additionally confirms whether each discovered secret is live by authenticating with it against the corresponding provider API. The discovered secret itself serves as the credential, so Prowler requires no additional permissions to validate it. `secrets_validate` applies to every AWS secret-scanning check listed above (those that accept `secrets_ignore_patterns`). The `--scan-secrets-validate` CLI flag is provider-wide: it also enables validation for the secret-scanning checks of other providers, such as the OpenStack metadata checks. To enable validation through the configuration file, set the value under the `aws` section: ```yaml aws: secrets_validate: True ``` To enable validation for a single scan (any provider), use Prowler CLI: ``` prowler aws --scan-secrets-validate ``` Secret validation makes outbound network calls that authenticate with each discovered secret. The credential is exercised against the provider, so the call appears in the audited account's logs and can trigger its monitoring (for example, AWS CloudTrail records the validation request). Validation stays disabled by default so that scans remain fully offline. ## Azure ### Configurable Checks The following list includes all the Azure checks with configurable variables that can be changed in the configuration yaml file: | Check Name | Value | Type | |---------------------------------------------------------------|--------------------------------------------------|-----------------| | `network_public_ip_shodan` | `shodan_api_key` | String | | `app_ensure_php_version_is_latest` | `php_latest_version` | String | | `app_ensure_python_version_is_latest` | `python_latest_version` | String | | `app_ensure_java_version_is_latest` | `java_latest_version` | String | | `sqlserver_recommended_minimal_tls_version` | `recommended_minimal_tls_versions` | List of Strings | | `vm_sufficient_daily_backup_retention_period` | `vm_backup_min_daily_retention_days` | Integer | | `vm_desired_sku_size` | `desired_vm_sku_sizes` | List of Strings | | `storage_smb_channel_encryption_with_secure_algorithm` | `recommended_smb_channel_encryption_algorithms` | List of Strings | | `defender_attack_path_notifications_properly_configured` | `defender_attack_path_minimal_risk_level` | String | | `apim_threat_detection_llm_jacking` | `apim_threat_detection_llm_jacking_threshold` | Float | | `apim_threat_detection_llm_jacking` | `apim_threat_detection_llm_jacking_minutes` | Integer | | `apim_threat_detection_llm_jacking` | `apim_threat_detection_llm_jacking_actions` | List of Strings | ## GCP ### Configurable Checks The following list includes all the GCP checks with configurable variables that can be changed in the configuration yaml file: | Check Name | Value | Type | |---------------------------------------------------------------|--------------------------------------------------|-----------------| | `compute_configuration_changes` | `compute_audit_log_lookback_days` | Integer | | `compute_instance_group_multiple_zones` | `mig_min_zones` | Integer | ## Kubernetes ### Configurable Checks The following list includes all the Kubernetes checks with configurable variables that can be changed in the configuration yaml file: | Check Name | Value | Type | |---------------------------------------------------------------|--------------------------------------------------|-----------------| | `audit_log_maxbackup` | `audit_log_maxbackup` | String | | `audit_log_maxsize` | `audit_log_maxsize` | String | | `audit_log_maxage` | `audit_log_maxage` | String | | `apiserver_strong_ciphers` | `apiserver_strong_ciphers` | String | | `kubelet_strong_ciphers_only` | `kubelet_strong_ciphers` | String | ## M365 ### Configurable Checks The following list includes all the Microsoft 365 checks with configurable variables that can be changed in the configuration yaml file: | Check Name | Value | Type | |---------------------------------------------------------------|--------------------------------------------------|-----------------| | `entra_admin_users_sign_in_frequency_enabled` | `sign_in_frequency` | Integer | | `teams_external_file_sharing_restricted` | `allowed_cloud_storage_services` | List of Strings | | `exchange_organization_mailtips_enabled` | `recommended_mailtips_large_audience_threshold` | Integer | ## GitHub ### Configurable Checks The following list includes all the GitHub checks with configurable variables that can be changed in the configuration yaml file: | Check Name | Value | Type | |--------------------------------------------|---------------------------------------------|---------| | `repository_inactive_not_archived` | `inactive_not_archived_days_threshold` | Integer | ## Vercel ### Configurable Checks The following list includes all the Vercel checks with configurable variables that can be changed in the configuration YAML file: | Check Name | Value | Type | |-----------------------------------------------------|------------------------------------|-----------------| | `authentication_no_stale_tokens` | `stale_token_threshold_days` | Integer | | `authentication_token_not_expired` | `days_to_expire_threshold` | Integer | | `deployment_production_uses_stable_target` | `stable_branches` | List of Strings | | `domain_ssl_certificate_valid` | `days_to_expire_threshold` | Integer | | `project_environment_no_secrets_in_plain_type` | `secret_suffixes` | List of Strings | | `team_member_role_least_privilege` | `max_owner_percentage` | Integer | | `team_member_role_least_privilege` | `max_owners` | Integer | | `team_no_stale_invitations` | `stale_invitation_threshold_days` | Integer | ## Okta ### Configurable Checks The following list includes all the Okta checks with configurable variables that can be changed in the configuration YAML file: | Check Name | Value | Type | |---------------------------------------------------------------|------------------------------------|---------| | `application_admin_console_session_idle_timeout_15min` | `okta_admin_console_idle_timeout_max_minutes` | Integer | | `signon_global_session_idle_timeout_15min` | `okta_max_session_idle_minutes` | Integer | ## Config YAML File Structure This is the new Prowler configuration file format. The old one without provider keys is still compatible just for the AWS provider. ```yaml title="config.yaml" # AWS Configuration aws: # AWS Global Configuration # aws.mute_non_default_regions --> Set to True to muted failed findings in non-default regions for AccessAnalyzer, GuardDuty, SecurityHub, DRS and Config mute_non_default_regions: False # If you want to mute failed findings only in specific regions, create a file with the following syntax and run it with `prowler aws -w mutelist.yaml`: # Mutelist: # Accounts: # "*": # Checks: # "*": # Regions: # - "ap-southeast-1" # - "ap-southeast-2" # Resources: # - "*" # AWS IAM Configuration # aws.iam_user_accesskey_unused --> CIS recommends 45 days max_unused_access_keys_days: 45 # aws.iam_user_console_access_unused --> CIS recommends 45 days max_console_access_days: 45 # aws.iam_user_access_not_stale_to_sagemaker --> default 90 days max_unused_sagemaker_access_days: 90 # AWS EC2 Configuration # aws.ec2_elastic_ip_shodan # TODO: create common config shodan_api_key: null # aws.ec2_securitygroup_with_many_ingress_egress_rules --> by default is 50 rules max_security_group_rules: 50 # aws.ec2_instance_older_than_specific_days --> by default is 6 months (180 days) max_ec2_instance_age_in_days: 180 # aws.ec2_securitygroup_allow_ingress_from_internet_to_any_port # allowed network interface types for security groups open to the Internet ec2_allowed_interface_types: [ "api_gateway_managed", "vpc_endpoint", ] # allowed network interface owners for security groups open to the Internet ec2_allowed_instance_owners: [ "amazon-elb" ] # aws.ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports ec2_high_risk_ports: [ 25, 110, 135, 143, 445, 3000, 4333, 5000, 5500, 8080, 8088, ] # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries) # AWS SSM Configuration (ssm_documents_set_as_public) # AWS S3 Configuration (s3_bucket_cross_account_access) # AWS EventBridge Configuration (eventbridge_schema_registry_cross_account_access, eventbridge_bus_cross_account_access) # AWS DynamoDB Configuration (dynamodb_table_cross_account_access) # Single account environment: No action required. The AWS account number will be automatically added by the checks. # Multi account environment: Any additional trusted account number should be added as a space separated list, e.g. # trusted_account_ids : ["123456789012", "098765432109", "678901234567"] trusted_account_ids: [] # AWS Cloudwatch Configuration # aws.cloudwatch_log_group_retention_policy_specific_days_enabled --> by default is 365 days log_group_retention_days: 365 # AWS AppStream Session Configuration # aws.appstream_fleet_session_idle_disconnect_timeout max_idle_disconnect_timeout_in_seconds: 600 # 10 Minutes # aws.appstream_fleet_session_disconnect_timeout max_disconnect_timeout_in_seconds: 300 # 5 Minutes # aws.appstream_fleet_maximum_session_duration max_session_duration_seconds: 36000 # 10 Hours # AWS Lambda Configuration # aws.awslambda_function_using_supported_runtimes obsolete_lambda_runtimes: [ "java8", "go1.x", "provided", "python3.6", "python2.7", "python3.7", "nodejs4.3", "nodejs4.3-edge", "nodejs6.10", "nodejs", "nodejs8.10", "nodejs10.x", "nodejs12.x", "nodejs14.x", "dotnet5.0", "dotnetcore1.0", "dotnetcore2.0", "dotnetcore2.1", "dotnetcore3.1", "ruby2.5", "ruby2.7", ] # AWS Organizations # aws.organizations_scp_check_deny_regions # aws.organizations_enabled_regions: [ # "eu-central-1", # "eu-west-1", # "us-east-1" # ] organizations_enabled_regions: [] organizations_trusted_delegated_administrators: [] # AWS ECR # aws.ecr_repositories_scan_vulnerabilities_in_latest_image # CRITICAL # HIGH # MEDIUM ecr_repository_vulnerability_minimum_severity: "MEDIUM" # AWS Trusted Advisor # aws.trustedadvisor_premium_support_plan_subscribed verify_premium_support_plans: True # AWS CloudTrail Configuration # aws.cloudtrail_threat_detection_privilege_escalation threat_detection_privilege_escalation_threshold: 0.2 # Percentage of actions found to decide if it is an privilege_escalation attack event, by default is 0.2 (20%) threat_detection_privilege_escalation_minutes: 1440 # Past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours) threat_detection_privilege_escalation_actions: [ "AddPermission", "AddRoleToInstanceProfile", "AddUserToGroup", "AssociateAccessPolicy", "AssumeRole", "AttachGroupPolicy", "AttachRolePolicy", "AttachUserPolicy", "ChangePassword", "CreateAccessEntry", "CreateAccessKey", "CreateDevEndpoint", "CreateEventSourceMapping", "CreateFunction", "CreateGroup", "CreateJob", "CreateKeyPair", "CreateLoginProfile", "CreatePipeline", "CreatePolicyVersion", "CreateRole", "CreateStack", "DeleteRolePermissionsBoundary", "DeleteRolePolicy", "DeleteUserPermissionsBoundary", "DeleteUserPolicy", "DetachRolePolicy", "DetachUserPolicy", "GetCredentialsForIdentity", "GetId", "GetPolicyVersion", "GetUserPolicy", "Invoke", "ModifyInstanceAttribute", "PassRole", "PutGroupPolicy", "PutPipelineDefinition", "PutRolePermissionsBoundary", "PutRolePolicy", "PutUserPermissionsBoundary", "PutUserPolicy", "ReplaceIamInstanceProfileAssociation", "RunInstances", "SetDefaultPolicyVersion", "UpdateAccessKey", "UpdateAssumeRolePolicy", "UpdateDevEndpoint", "UpdateEventSourceMapping", "UpdateFunctionCode", "UpdateJob", "UpdateLoginProfile", ] # aws.cloudtrail_threat_detection_enumeration threat_detection_enumeration_threshold: 0.3 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.3 (30%) threat_detection_enumeration_minutes: 1440 # Past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours) threat_detection_enumeration_actions: [ "DescribeAccessEntry", "DescribeAccountAttributes", "DescribeAvailabilityZones", "DescribeBundleTasks", "DescribeCarrierGateways", "DescribeClientVpnRoutes", "DescribeCluster", "DescribeDhcpOptions", "DescribeFlowLogs", "DescribeImages", "DescribeInstanceAttribute", "DescribeInstanceInformation", "DescribeInstanceTypes", "DescribeInstances", "DescribeInstances", "DescribeKeyPairs", "DescribeLogGroups", "DescribeLogStreams", "DescribeOrganization", "DescribeRegions", "DescribeSecurityGroups", "DescribeSnapshotAttribute", "DescribeSnapshotTierStatus", "DescribeSubscriptionFilters", "DescribeTransitGatewayMulticastDomains", "DescribeVolumes", "DescribeVolumesModifications", "DescribeVpcEndpointConnectionNotifications", "DescribeVpcs", "GetAccount", "GetAccountAuthorizationDetails", "GetAccountSendingEnabled", "GetBucketAcl", "GetBucketLogging", "GetBucketPolicy", "GetBucketReplication", "GetBucketVersioning", "GetCallerIdentity", "GetCertificate", "GetConsoleScreenshot", "GetCostAndUsage", "GetDetector", "GetEbsDefaultKmsKeyId", "GetEbsEncryptionByDefault", "GetFindings", "GetFlowLogsIntegrationTemplate", "GetIdentityVerificationAttributes", "GetInstances", "GetIntrospectionSchema", "GetLaunchTemplateData", "GetLaunchTemplateData", "GetLogRecord", "GetParameters", "GetPolicyVersion", "GetPublicAccessBlock", "GetQueryResults", "GetRegions", "GetSMSAttributes", "GetSMSSandboxAccountStatus", "GetSendQuota", "GetTransitGatewayRouteTableAssociations", "GetUserPolicy", "HeadObject", "ListAccessKeys", "ListAccounts", "ListAllMyBuckets", "ListAssociatedAccessPolicies", "ListAttachedUserPolicies", "ListClusters", "ListDetectors", "ListDomains", "ListFindings", "ListHostedZones", "ListIPSets", "ListIdentities", "ListInstanceProfiles", "ListObjects", "ListOrganizationalUnitsForParent", "ListOriginationNumbers", "ListPolicyVersions", "ListRoles", "ListRoles", "ListRules", "ListServiceQuotas", "ListSubscriptions", "ListTargetsByRule", "ListTopics", "ListUsers", "LookupEvents", "Search", ] # aws.cloudtrail_threat_detection_llm_jacking threat_detection_llm_jacking_threshold: 0.4 # Percentage of actions found to decide if it is an LLM Jacking attack event, by default is 0.4 (40%) threat_detection_llm_jacking_minutes: 1440 # Past minutes to search from now for LLM Jacking attacks, by default is 1440 minutes (24 hours) threat_detection_llm_jacking_actions: [ "PutUseCaseForModelAccess", # Submits a use case for model access, providing justification (Write). "PutFoundationModelEntitlement", # Grants entitlement for accessing a foundation model (Write). "PutModelInvocationLoggingConfiguration", # Configures logging for model invocations (Write). "CreateFoundationModelAgreement", # Creates a new agreement to use a foundation model (Write). "InvokeModel", # Invokes a specified Bedrock model for inference using provided prompt and parameters (Read). "InvokeModelWithResponseStream", # Invokes a Bedrock model for inference with real-time token streaming (Read). "GetUseCaseForModelAccess", # Retrieves an existing use case for model access (Read). "GetModelInvocationLoggingConfiguration", # Fetches the logging configuration for model invocations (Read). "GetFoundationModelAvailability", # Checks the availability of a foundation model for use (Read). "ListFoundationModelAgreementOffers", # Lists available agreement offers for accessing foundation models (List). "ListFoundationModels", # Lists the available foundation models in Bedrock (List). "ListProvisionedModelThroughputs", # Lists the provisioned throughput for previously created models (List). ] # AWS RDS Configuration # aws.rds_instance_backup_enabled # Whether to check RDS instance replicas or not check_rds_instance_replicas: False # AWS ACM Configuration # aws.acm_certificates_expiration_check days_to_expire_threshold: 7 # AWS EKS Configuration # aws.eks_control_plane_logging_all_types_enabled # EKS control plane logging types that must be enabled eks_required_log_types: [ "api", "audit", "authenticator", "controllerManager", "scheduler", ] # aws.eks_cluster_uses_a_supported_version # EKS clusters must be version 1.28 or higher eks_cluster_oldest_version_supported: "1.28" # AWS CodeBuild Configuration # aws.codebuild_project_no_secrets_in_variables # CodeBuild sensitive variables that are excluded from the check excluded_sensitive_environment_variables: [ ] # Azure Configuration azure: # Azure Network Configuration # azure.network_public_ip_shodan # TODO: create common config shodan_api_key: null # Azure App Service # azure.app_ensure_php_version_is_latest php_latest_version: "8.2" # azure.app_ensure_python_version_is_latest python_latest_version: "3.12" # azure.app_ensure_java_version_is_latest java_latest_version: "17" # Azure SQL Server # azure.sqlserver_minimal_tls_version recommended_minimal_tls_versions: [ "1.2", "1.3" ] # Azure Storage # azure.storage_smb_channel_encryption_with_secure_algorithm # List of SMB channel encryption algorithms allowed on file shares. A storage # account passes only if every enabled algorithm is in this list. Defaults to # the value required by CIS (AES-256-GCM only, excluding weaker AES-128 ciphers). recommended_smb_channel_encryption_algorithms: [ "AES-256-GCM", # "AES-128-CCM", # "AES-128-GCM", ] # Azure Virtual Machines # azure.vm_desired_sku_size # List of desired VM SKU sizes that are allowed in the organization desired_vm_sku_sizes: [ "Standard_A8_v2", "Standard_DS3_v2", "Standard_D4s_v3", ] # Azure VM Backup Configuration # azure.vm_sufficient_daily_backup_retention_period vm_backup_min_daily_retention_days: 7 # Azure API Management Threat Detection Configuration # azure.apim_threat_detection_llm_jacking apim_threat_detection_llm_jacking_threshold: 0.1 apim_threat_detection_llm_jacking_minutes: 1440 apim_threat_detection_llm_jacking_actions: [ # OpenAI API endpoints "ImageGenerations_Create", "ChatCompletions_Create", "Completions_Create", "Embeddings_Create", "FineTuning_Jobs_Create", "Models_List", # Azure OpenAI endpoints "Deployments_List", "Deployments_Get", "Deployments_Create", "Deployments_Delete", # Anthropic endpoints "Messages_Create", "Claude_Create", # Google AI endpoints "GenerateContent", "GenerateText", "GenerateImage", # Meta AI endpoints "Llama_Create", "CodeLlama_Create", # Other LLM endpoints "Gemini_Generate", "Claude_Generate", "Llama_Generate" ] # GCP Configuration gcp: # GCP Compute Configuration # gcp.compute_public_address_shodan shodan_api_key: null # gcp.compute_configuration_changes # Number of days to look back for Compute Engine configuration changes in audit logs compute_audit_log_lookback_days: 1 # gcp.compute_instance_group_multiple_zones # Minimum number of zones a MIG should span for high availability mig_min_zones: 2 # Kubernetes Configuration kubernetes: # Kubernetes API Server # kubernetes.apiserver_audit_log_maxbackup_set audit_log_maxbackup: 10 # kubernetes.apiserver_audit_log_maxsize_set audit_log_maxsize: 100 # kubernetes.apiserver_audit_log_maxage_set audit_log_maxage: 30 # kubernetes.apiserver_strong_ciphers_only apiserver_strong_ciphers: [ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", ] # Kubelet # kubernetes.kubelet_strong_ciphers_only kubelet_strong_ciphers: [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", ] # M365 Configuration m365: # Entra Conditional Access Policy # m365.entra_admin_users_sign_in_frequency_enabled sign_in_frequency: 4 # 4 hours # Teams Settings # m365.teams_external_file_sharing_restricted allowed_cloud_storage_services: [ #"allow_box", #"allow_drop_box", #"allow_egnyte", #"allow_google_drive", #"allow_share_file", ] # Exchange Organization Settings # m365.exchange_organization_mailtips_enabled recommended_mailtips_large_audience_threshold: 25 # maximum number of recipients # GitHub Configuration github: # github.repository_inactive_not_archived inactive_not_archived_days_threshold: 180 # Vercel Configuration vercel: # vercel.deployment_production_uses_stable_target stable_branches: - "main" - "master" # vercel.authentication_token_not_expired & vercel.domain_ssl_certificate_valid days_to_expire_threshold: 7 # vercel.authentication_no_stale_tokens stale_token_threshold_days: 90 # vercel.team_no_stale_invitations stale_invitation_threshold_days: 30 # vercel.team_member_role_least_privilege max_owner_percentage: 20 max_owners: 3 # vercel.project_environment_no_secrets_in_plain_type secret_suffixes: - "_KEY" - "_SECRET" - "_TOKEN" - "_PASSWORD" - "_API_KEY" - "_PRIVATE_KEY" ```