---
title: "Configuration File"
---

Several Prowler checks have user-configurable variables that can be modified in a common **configuration file**. This file can be found in the following [path](https://github.com/prowler-cloud/prowler/blob/master/prowler/config/config.yaml):

```
prowler/config/config.yaml
```

Additionally, you can supply a custom configuration file using the `--config-file` argument.

## AWS

### Configurable Checks

The following list includes all the AWS checks with configurable variables that can be changed in the configuration YAML file:

| Check Name | Value | Type |
|------------|-------|------|
| `acm_certificates_expiration_check` | `days_to_expire_threshold` | Integer |
| `appstream_fleet_maximum_session_duration` | `max_session_duration_seconds` | Integer |
| `appstream_fleet_session_disconnect_timeout` | `max_disconnect_timeout_in_seconds` | Integer |
| `appstream_fleet_session_idle_disconnect_timeout` | `max_idle_disconnect_timeout_in_seconds` | Integer |
| `autoscaling_find_secrets_ec2_launch_configuration` | `secrets_ignore_patterns` | List of Strings |
| `awslambda_function_no_secrets_in_code` | `secrets_ignore_patterns` | List of Strings |
| `awslambda_function_no_secrets_in_variables` | `secrets_ignore_patterns` | List of Strings |
| `awslambda_function_using_supported_runtimes` | `obsolete_lambda_runtimes` | Integer |
| `awslambda_function_vpc_is_in_multi_azs` | `lambda_min_azs` | Integer |
| `cloudformation_stack_outputs_find_secrets` | `secrets_ignore_patterns` | List of Strings |
| `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_actions` | List of Strings |
| `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_entropy` | Integer |
| `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_minutes` | Integer |
| `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_privilege_escalation_actions` | List of Strings |
| `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_privilege_escalation_entropy` | Integer |
| `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_privilege_escalation_minutes` | Integer |
| `cloudwatch_log_group_no_secrets_in_logs` | `secrets_ignore_patterns` | List of Strings |
| `cloudwatch_log_group_retention_policy_specific_days_enabled` | `log_group_retention_days` | Integer |
| `codebuild_github_allowed_organizations` | `github_allowed_organizations` | List of Strings |
| `codebuild_project_no_secrets_in_variables` | `excluded_sensitive_environment_variables` | List of Strings |
| `codebuild_project_no_secrets_in_variables` | `secrets_ignore_patterns` | List of Strings |
| `config_recorder_all_regions_enabled` | `mute_non_default_regions` | Boolean |
| `drs_job_exist` | `mute_non_default_regions` | Boolean |
| `ec2_elastic_ip_shodan` | `shodan_api_key` | String |
| `ec2_instance_older_than_specific_days` | `max_ec2_instance_age_in_days` | Integer |
| `ec2_instance_secrets_user_data` | `secrets_ignore_patterns` | List of Strings |
| `ec2_launch_template_no_secrets` | `secrets_ignore_patterns` | List of Strings |
| `ec2_securitygroup_allow_ingress_from_internet_to_any_port` | `ec2_allowed_instance_owners` | List of Strings |
| `ec2_securitygroup_allow_ingress_from_internet_to_any_port` | `ec2_allowed_interface_types` | List of Strings |
| `ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports` | `ec2_high_risk_ports` | List of Integers |
| `ec2_securitygroup_with_many_ingress_egress_rules` | `max_security_group_rules` | Integer |
| `ecs_task_definitions_no_environment_secrets` | `secrets_ignore_patterns` | List of Strings |
| `ecr_repositories_scan_vulnerabilities_in_latest_image` | `ecr_repository_vulnerability_minimum_severity` | String |
| `eks_cluster_uses_a_supported_version` | `eks_cluster_oldest_version_supported` | String |
| `eks_control_plane_logging_all_types_enabled` | `eks_required_log_types` | List of Strings |
| `elasticache_redis_cluster_backup_enabled` | `minimum_snapshot_retention_period` | Integer |
| `elb_is_in_multiple_az` | `elb_min_azs` | Integer |
| `elbv2_is_in_multiple_az` | `elbv2_min_azs` | Integer |
| `apigateway_domain_name_pqc_tls_enabled` | `apigateway_pqc_tls_allowed_policies` | List of Strings |
| `guardduty_is_enabled` | `mute_non_default_regions` | Boolean |
| `iam_user_access_not_stale_to_sagemaker` | `max_unused_sagemaker_access_days` | Integer |
| `iam_user_accesskey_unused` | `max_unused_access_keys_days` | Integer |
| `iam_user_console_access_unused` | `max_console_access_days` | Integer |
| `organizations_delegated_administrators` | `organizations_trusted_delegated_administrators` | List of Strings |
| `organizations_scp_check_deny_regions` | `organizations_enabled_regions` | List of Strings |
| `rds_instance_backup_enabled` | `check_rds_instance_replicas` | Boolean |
| `securityhub_enabled` | `mute_non_default_regions` | Boolean |
| `secretsmanager_secret_unused` | `max_days_secret_unused` | Integer |
| `secretsmanager_secret_rotated_periodically` | `max_days_secret_unrotated` | Integer |
| `ssm_document_secrets` | `secrets_ignore_patterns` | List of Strings |
| `trustedadvisor_premium_support_plan_subscribed` | `verify_premium_support_plans` | Boolean |
| `transfer_server_pqc_ssh_kex_enabled` | `transfer_pqc_ssh_allowed_policies` | List of Strings |
| `dynamodb_table_cross_account_access` | `trusted_account_ids` | List of Strings |
| `eventbridge_bus_cross_account_access` | `trusted_account_ids` | List of Strings |
| `eventbridge_schema_registry_cross_account_access` | `trusted_account_ids` | List of Strings |
| `s3_bucket_cross_account_access` | `trusted_account_ids` | List of Strings |
| `ssm_documents_set_as_public` | `trusted_account_ids` | List of Strings |
| `vpc_endpoint_connections_trust_boundaries` | `trusted_account_ids` | List of Strings |
| `vpc_endpoint_services_allowed_principals_trust_boundaries` | `trusted_account_ids` | List of Strings |
| `opensearch_service_domains_not_publicly_accessible` | `trusted_ips` | List of Strings |

## Azure

### Configurable Checks

The following list includes all the Azure checks with configurable variables that can be changed in the configuration YAML file:

| Check Name | Value | Type |
|------------|-------|------|
| `network_public_ip_shodan` | `shodan_api_key` | String |
| `app_ensure_php_version_is_latest` | `php_latest_version` | String |
| `app_ensure_python_version_is_latest` | `python_latest_version` | String |
| `app_ensure_java_version_is_latest` | `java_latest_version` | String |
| `sqlserver_recommended_minimal_tls_version` | `recommended_minimal_tls_versions` | List of Strings |
| `vm_sufficient_daily_backup_retention_period` | `vm_backup_min_daily_retention_days` | Integer |
| `vm_desired_sku_size` | `desired_vm_sku_sizes` | List of Strings |
| `storage_smb_channel_encryption_with_secure_algorithm` | `recommended_smb_channel_encryption_algorithms` | List of Strings |
| `defender_attack_path_notifications_properly_configured` | `defender_attack_path_minimal_risk_level` | String |
| `apim_threat_detection_llm_jacking` | `apim_threat_detection_llm_jacking_threshold` | Float |
| `apim_threat_detection_llm_jacking` | `apim_threat_detection_llm_jacking_minutes` | Integer |
| `apim_threat_detection_llm_jacking` | `apim_threat_detection_llm_jacking_actions` | List of Strings |

## GCP

### Configurable Checks

The following list includes all the GCP checks with configurable variables that can be changed in the configuration YAML file:

| Check Name | Value | Type |
|------------|-------|------|
| `compute_configuration_changes` | `compute_audit_log_lookback_days` | Integer |
| `compute_instance_group_multiple_zones` | `mig_min_zones` | Integer |

## Kubernetes

### Configurable Checks

The following list includes all the Kubernetes checks with configurable variables that can be changed in the configuration YAML file:

| Check Name | Value | Type |
|------------|-------|------|
| `audit_log_maxbackup` | `audit_log_maxbackup` | String |
| `audit_log_maxsize` | `audit_log_maxsize` | String |
| `audit_log_maxage` | `audit_log_maxage` | String |
| `apiserver_strong_ciphers` | `apiserver_strong_ciphers` | String |
| `kubelet_strong_ciphers_only` | `kubelet_strong_ciphers` | String |

## M365

### Configurable Checks

The following list includes all the Microsoft 365 checks with configurable variables that can be changed in the configuration YAML file:

| Check Name | Value | Type |
|------------|-------|------|
| `entra_admin_users_sign_in_frequency_enabled` | `sign_in_frequency` | Integer |
| `teams_external_file_sharing_restricted` | `allowed_cloud_storage_services` | List of Strings |
| `exchange_organization_mailtips_enabled` | `recommended_mailtips_large_audience_threshold` | Integer |

## GitHub

### Configurable Checks

The following list includes all the GitHub checks with configurable variables that can be changed in the configuration YAML file:

| Check Name | Value | Type |
|------------|-------|------|
| `repository_inactive_not_archived` | `inactive_not_archived_days_threshold` | Integer |

## Vercel

### Configurable Checks

The following list includes all the Vercel checks with configurable variables that can be changed in the configuration YAML file:

| Check Name | Value | Type |
|------------|-------|------|
| `authentication_no_stale_tokens` | `stale_token_threshold_days` | Integer |
| `authentication_token_not_expired` | `days_to_expire_threshold` | Integer |
| `deployment_production_uses_stable_target` | `stable_branches` | List of Strings |
| `domain_ssl_certificate_valid` | `days_to_expire_threshold` | Integer |
| `project_environment_no_secrets_in_plain_type` | `secret_suffixes` | List of Strings |
| `team_member_role_least_privilege` | `max_owner_percentage` | Integer |
| `team_member_role_least_privilege` | `max_owners` | Integer |
| `team_no_stale_invitations` | `stale_invitation_threshold_days` | Integer |

## Okta

### Configurable Checks

The following list includes all the Okta checks with configurable variables that can be changed in the configuration YAML file:

| Check Name | Value | Type |
|------------|-------|------|
| `application_admin_console_session_idle_timeout_15min` | `okta_admin_console_idle_timeout_max_minutes` | Integer |
| `signon_global_session_idle_timeout_15min` | `okta_max_session_idle_minutes` | Integer |

## Config YAML File Structure

This is the new Prowler configuration file format. The old format without provider keys is still supported, but only for the AWS provider.
```yaml title="config.yaml"
# AWS Configuration
aws:
  # AWS Global Configuration
  # aws.mute_non_default_regions --> Set to True to mute failed findings in non-default regions for AccessAnalyzer, GuardDuty, SecurityHub, DRS and Config
  mute_non_default_regions: False
  # If you want to mute failed findings only in specific regions, create a file with the following syntax and run it with `prowler aws -w mutelist.yaml`:
  # Mutelist:
  #   Accounts:
  #     "*":
  #       Checks:
  #         "*":
  #           Regions:
  #             - "ap-southeast-1"
  #             - "ap-southeast-2"
  #           Resources:
  #             - "*"

  # AWS IAM Configuration
  # aws.iam_user_accesskey_unused --> CIS recommends 45 days
  max_unused_access_keys_days: 45
  # aws.iam_user_console_access_unused --> CIS recommends 45 days
  max_console_access_days: 45
  # aws.iam_user_access_not_stale_to_sagemaker --> default 90 days
  max_unused_sagemaker_access_days: 90

  # AWS EC2 Configuration
  # aws.ec2_elastic_ip_shodan
  # TODO: create common config
  shodan_api_key: null
  # aws.ec2_securitygroup_with_many_ingress_egress_rules --> by default is 50 rules
  max_security_group_rules: 50
  # aws.ec2_instance_older_than_specific_days --> by default is 6 months (180 days)
  max_ec2_instance_age_in_days: 180
  # aws.ec2_securitygroup_allow_ingress_from_internet_to_any_port
  # allowed network interface types for security groups open to the Internet
  ec2_allowed_interface_types:
    [
      "api_gateway_managed",
      "vpc_endpoint",
    ]
  # allowed network interface owners for security groups open to the Internet
  ec2_allowed_instance_owners:
    [
      "amazon-elb",
    ]
  # aws.ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
  ec2_high_risk_ports:
    [
      25,
      110,
      135,
      143,
      445,
      3000,
      4333,
      5000,
      5500,
      8080,
      8088,
    ]

  # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
  # AWS SSM Configuration (ssm_documents_set_as_public)
  # AWS S3 Configuration (s3_bucket_cross_account_access)
  # AWS EventBridge Configuration (eventbridge_schema_registry_cross_account_access, eventbridge_bus_cross_account_access)
  # AWS DynamoDB Configuration (dynamodb_table_cross_account_access)
  # Single account environment: No action required. The AWS account number will be automatically added by the checks.
  # Multi account environment: Any additional trusted account number should be added as a comma-separated list, e.g.
  # trusted_account_ids : ["123456789012", "098765432109", "678901234567"]
  trusted_account_ids: []

  # AWS Cloudwatch Configuration
  # aws.cloudwatch_log_group_retention_policy_specific_days_enabled --> by default is 365 days
  log_group_retention_days: 365

  # AWS AppStream Session Configuration
  # aws.appstream_fleet_session_idle_disconnect_timeout
  max_idle_disconnect_timeout_in_seconds: 600 # 10 Minutes
  # aws.appstream_fleet_session_disconnect_timeout
  max_disconnect_timeout_in_seconds: 300 # 5 Minutes
  # aws.appstream_fleet_maximum_session_duration
  max_session_duration_seconds: 36000 # 10 Hours

  # AWS Lambda Configuration
  # aws.awslambda_function_using_supported_runtimes
  obsolete_lambda_runtimes:
    [
      "java8",
      "go1.x",
      "provided",
      "python3.6",
      "python2.7",
      "python3.7",
      "nodejs4.3",
      "nodejs4.3-edge",
      "nodejs6.10",
      "nodejs",
      "nodejs8.10",
      "nodejs10.x",
      "nodejs12.x",
      "nodejs14.x",
      "dotnet5.0",
      "dotnetcore1.0",
      "dotnetcore2.0",
      "dotnetcore2.1",
      "dotnetcore3.1",
      "ruby2.5",
      "ruby2.7",
    ]

  # AWS Organizations
  # aws.organizations_scp_check_deny_regions
  # aws.organizations_enabled_regions: [
  #   "eu-central-1",
  #   "eu-west-1",
  #   "us-east-1"
  # ]
  organizations_enabled_regions: []
  organizations_trusted_delegated_administrators: []

  # AWS ECR
  # aws.ecr_repositories_scan_vulnerabilities_in_latest_image
  # CRITICAL
  # HIGH
  # MEDIUM
  ecr_repository_vulnerability_minimum_severity: "MEDIUM"

  # AWS Trusted Advisor
  # aws.trustedadvisor_premium_support_plan_subscribed
  verify_premium_support_plans: True

  # AWS CloudTrail Configuration
  # aws.cloudtrail_threat_detection_privilege_escalation
  threat_detection_privilege_escalation_threshold: 0.2 # Percentage of actions found to decide if it is a privilege_escalation attack event, by default is 0.2 (20%)
  threat_detection_privilege_escalation_minutes: 1440 # Past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours)
  threat_detection_privilege_escalation_actions:
    [
      "AddPermission",
      "AddRoleToInstanceProfile",
      "AddUserToGroup",
      "AssociateAccessPolicy",
      "AssumeRole",
      "AttachGroupPolicy",
      "AttachRolePolicy",
      "AttachUserPolicy",
      "ChangePassword",
      "CreateAccessEntry",
      "CreateAccessKey",
      "CreateDevEndpoint",
      "CreateEventSourceMapping",
      "CreateFunction",
      "CreateGroup",
      "CreateJob",
      "CreateKeyPair",
      "CreateLoginProfile",
      "CreatePipeline",
      "CreatePolicyVersion",
      "CreateRole",
      "CreateStack",
      "DeleteRolePermissionsBoundary",
      "DeleteRolePolicy",
      "DeleteUserPermissionsBoundary",
      "DeleteUserPolicy",
      "DetachRolePolicy",
      "DetachUserPolicy",
      "GetCredentialsForIdentity",
      "GetId",
      "GetPolicyVersion",
      "GetUserPolicy",
      "Invoke",
      "ModifyInstanceAttribute",
      "PassRole",
      "PutGroupPolicy",
      "PutPipelineDefinition",
      "PutRolePermissionsBoundary",
      "PutRolePolicy",
      "PutUserPermissionsBoundary",
      "PutUserPolicy",
      "ReplaceIamInstanceProfileAssociation",
      "RunInstances",
      "SetDefaultPolicyVersion",
      "UpdateAccessKey",
      "UpdateAssumeRolePolicy",
      "UpdateDevEndpoint",
      "UpdateEventSourceMapping",
      "UpdateFunctionCode",
      "UpdateJob",
      "UpdateLoginProfile",
    ]
  # aws.cloudtrail_threat_detection_enumeration
  threat_detection_enumeration_threshold: 0.3 # Percentage of actions found to decide if it is an enumeration attack event, by default is 0.3 (30%)
  threat_detection_enumeration_minutes: 1440 # Past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
  threat_detection_enumeration_actions:
    [
      "DescribeAccessEntry",
      "DescribeAccountAttributes",
      "DescribeAvailabilityZones",
      "DescribeBundleTasks",
      "DescribeCarrierGateways",
      "DescribeClientVpnRoutes",
      "DescribeCluster",
      "DescribeDhcpOptions",
      "DescribeFlowLogs",
      "DescribeImages",
      "DescribeInstanceAttribute",
      "DescribeInstanceInformation",
      "DescribeInstanceTypes",
      "DescribeInstances",
      "DescribeKeyPairs",
      "DescribeLogGroups",
      "DescribeLogStreams",
      "DescribeOrganization",
      "DescribeRegions",
      "DescribeSecurityGroups",
      "DescribeSnapshotAttribute",
      "DescribeSnapshotTierStatus",
      "DescribeSubscriptionFilters",
      "DescribeTransitGatewayMulticastDomains",
      "DescribeVolumes",
      "DescribeVolumesModifications",
      "DescribeVpcEndpointConnectionNotifications",
      "DescribeVpcs",
      "GetAccount",
      "GetAccountAuthorizationDetails",
      "GetAccountSendingEnabled",
      "GetBucketAcl",
      "GetBucketLogging",
      "GetBucketPolicy",
      "GetBucketReplication",
      "GetBucketVersioning",
      "GetCallerIdentity",
      "GetCertificate",
      "GetConsoleScreenshot",
      "GetCostAndUsage",
      "GetDetector",
      "GetEbsDefaultKmsKeyId",
      "GetEbsEncryptionByDefault",
      "GetFindings",
      "GetFlowLogsIntegrationTemplate",
      "GetIdentityVerificationAttributes",
      "GetInstances",
      "GetIntrospectionSchema",
      "GetLaunchTemplateData",
      "GetLogRecord",
      "GetParameters",
      "GetPolicyVersion",
      "GetPublicAccessBlock",
      "GetQueryResults",
      "GetRegions",
      "GetSMSAttributes",
      "GetSMSSandboxAccountStatus",
      "GetSendQuota",
      "GetTransitGatewayRouteTableAssociations",
      "GetUserPolicy",
      "HeadObject",
      "ListAccessKeys",
      "ListAccounts",
      "ListAllMyBuckets",
      "ListAssociatedAccessPolicies",
      "ListAttachedUserPolicies",
      "ListClusters",
      "ListDetectors",
      "ListDomains",
      "ListFindings",
      "ListHostedZones",
      "ListIPSets",
      "ListIdentities",
      "ListInstanceProfiles",
      "ListObjects",
      "ListOrganizationalUnitsForParent",
      "ListOriginationNumbers",
      "ListPolicyVersions",
      "ListRoles",
      "ListRules",
      "ListServiceQuotas",
      "ListSubscriptions",
      "ListTargetsByRule",
      "ListTopics",
      "ListUsers",
      "LookupEvents",
      "Search",
    ]
  # aws.cloudtrail_threat_detection_llm_jacking
  threat_detection_llm_jacking_threshold: 0.4 # Percentage of actions found to decide if it is an LLM Jacking attack event, by default is 0.4 (40%)
  threat_detection_llm_jacking_minutes: 1440 # Past minutes to search from now for LLM Jacking attacks, by default is 1440 minutes (24 hours)
  threat_detection_llm_jacking_actions:
    [
      "PutUseCaseForModelAccess", # Submits a use case for model access, providing justification (Write).
      "PutFoundationModelEntitlement", # Grants entitlement for accessing a foundation model (Write).
      "PutModelInvocationLoggingConfiguration", # Configures logging for model invocations (Write).
      "CreateFoundationModelAgreement", # Creates a new agreement to use a foundation model (Write).
      "InvokeModel", # Invokes a specified Bedrock model for inference using provided prompt and parameters (Read).
      "InvokeModelWithResponseStream", # Invokes a Bedrock model for inference with real-time token streaming (Read).
      "GetUseCaseForModelAccess", # Retrieves an existing use case for model access (Read).
      "GetModelInvocationLoggingConfiguration", # Fetches the logging configuration for model invocations (Read).
      "GetFoundationModelAvailability", # Checks the availability of a foundation model for use (Read).
      "ListFoundationModelAgreementOffers", # Lists available agreement offers for accessing foundation models (List).
      "ListFoundationModels", # Lists the available foundation models in Bedrock (List).
      "ListProvisionedModelThroughputs", # Lists the provisioned throughput for previously created models (List).
    ]

  # AWS RDS Configuration
  # aws.rds_instance_backup_enabled
  # Whether to check RDS instance replicas or not
  check_rds_instance_replicas: False

  # AWS ACM Configuration
  # aws.acm_certificates_expiration_check
  days_to_expire_threshold: 7

  # AWS EKS Configuration
  # aws.eks_control_plane_logging_all_types_enabled
  # EKS control plane logging types that must be enabled
  eks_required_log_types:
    [
      "api",
      "audit",
      "authenticator",
      "controllerManager",
      "scheduler",
    ]
  # aws.eks_cluster_uses_a_supported_version
  # EKS clusters must be version 1.28 or higher
  eks_cluster_oldest_version_supported: "1.28"

  # AWS CodeBuild Configuration
  # aws.codebuild_project_no_secrets_in_variables
  # CodeBuild sensitive variables that are excluded from the check
  excluded_sensitive_environment_variables: []

# Azure Configuration
azure:
  # Azure Network Configuration
  # azure.network_public_ip_shodan
  # TODO: create common config
  shodan_api_key: null

  # Azure App Service
  # azure.app_ensure_php_version_is_latest
  php_latest_version: "8.2"
  # azure.app_ensure_python_version_is_latest
  python_latest_version: "3.12"
  # azure.app_ensure_java_version_is_latest
  java_latest_version: "17"

  # Azure SQL Server
  # azure.sqlserver_minimal_tls_version
  recommended_minimal_tls_versions:
    [
      "1.2",
      "1.3",
    ]

  # Azure Storage
  # azure.storage_smb_channel_encryption_with_secure_algorithm
  # List of SMB channel encryption algorithms allowed on file shares. A storage
  # account passes only if every enabled algorithm is in this list. Defaults to
  # the value required by CIS (AES-256-GCM only, excluding weaker AES-128 ciphers).
  recommended_smb_channel_encryption_algorithms:
    [
      "AES-256-GCM",
      # "AES-128-CCM",
      # "AES-128-GCM",
    ]

  # Azure Virtual Machines
  # azure.vm_desired_sku_size
  # List of desired VM SKU sizes that are allowed in the organization
  desired_vm_sku_sizes:
    [
      "Standard_A8_v2",
      "Standard_DS3_v2",
      "Standard_D4s_v3",
    ]

  # Azure VM Backup Configuration
  # azure.vm_sufficient_daily_backup_retention_period
  vm_backup_min_daily_retention_days: 7

  # Azure API Management Threat Detection Configuration
  # azure.apim_threat_detection_llm_jacking
  apim_threat_detection_llm_jacking_threshold: 0.1
  apim_threat_detection_llm_jacking_minutes: 1440
  apim_threat_detection_llm_jacking_actions:
    [
      # OpenAI API endpoints
      "ImageGenerations_Create",
      "ChatCompletions_Create",
      "Completions_Create",
      "Embeddings_Create",
      "FineTuning_Jobs_Create",
      "Models_List",
      # Azure OpenAI endpoints
      "Deployments_List",
      "Deployments_Get",
      "Deployments_Create",
      "Deployments_Delete",
      # Anthropic endpoints
      "Messages_Create",
      "Claude_Create",
      # Google AI endpoints
      "GenerateContent",
      "GenerateText",
      "GenerateImage",
      # Meta AI endpoints
      "Llama_Create",
      "CodeLlama_Create",
      # Other LLM endpoints
      "Gemini_Generate",
      "Claude_Generate",
      "Llama_Generate",
    ]

# GCP Configuration
gcp:
  # GCP Compute Configuration
  # gcp.compute_public_address_shodan
  shodan_api_key: null
  # gcp.compute_configuration_changes
  # Number of days to look back for Compute Engine configuration changes in audit logs
  compute_audit_log_lookback_days: 1
  # gcp.compute_instance_group_multiple_zones
  # Minimum number of zones a MIG should span for high availability
  mig_min_zones: 2

# Kubernetes Configuration
kubernetes:
  # Kubernetes API Server
  # kubernetes.apiserver_audit_log_maxbackup_set
  audit_log_maxbackup: 10
  # kubernetes.apiserver_audit_log_maxsize_set
  audit_log_maxsize: 100
  # kubernetes.apiserver_audit_log_maxage_set
  audit_log_maxage: 30
  # kubernetes.apiserver_strong_ciphers_only
  apiserver_strong_ciphers:
    [
      "TLS_AES_128_GCM_SHA256",
      "TLS_AES_256_GCM_SHA384",
      "TLS_CHACHA20_POLY1305_SHA256",
    ]
  # Kubelet
  # kubernetes.kubelet_strong_ciphers_only
  kubelet_strong_ciphers:
    [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_AES_128_GCM_SHA256",
    ]

# M365 Configuration
m365:
  # Entra Conditional Access Policy
  # m365.entra_admin_users_sign_in_frequency_enabled
  sign_in_frequency: 4 # 4 hours

  # Teams Settings
  # m365.teams_external_file_sharing_restricted
  allowed_cloud_storage_services:
    [
      #"allow_box",
      #"allow_drop_box",
      #"allow_egnyte",
      #"allow_google_drive",
      #"allow_share_file",
    ]

  # Exchange Organization Settings
  # m365.exchange_organization_mailtips_enabled
  recommended_mailtips_large_audience_threshold: 25 # maximum number of recipients

# GitHub Configuration
github:
  # github.repository_inactive_not_archived
  inactive_not_archived_days_threshold: 180

# Vercel Configuration
vercel:
  # vercel.deployment_production_uses_stable_target
  stable_branches:
    - "main"
    - "master"
  # vercel.authentication_token_not_expired & vercel.domain_ssl_certificate_valid
  days_to_expire_threshold: 7
  # vercel.authentication_no_stale_tokens
  stale_token_threshold_days: 90
  # vercel.team_no_stale_invitations
  stale_invitation_threshold_days: 30
  # vercel.team_member_role_least_privilege
  max_owner_percentage: 20
  max_owners: 3
  # vercel.project_environment_no_secrets_in_plain_type
  secret_suffixes:
    - "_KEY"
    - "_SECRET"
    - "_TOKEN"
    - "_PASSWORD"
    - "_API_KEY"
    - "_PRIVATE_KEY"
```