Security Manager Controls

Access Governance

The following are links to more detailed pages:

AWS

Showing 146 controls:
| Control Title | Control Type | Risk Rating |
| --- | --- | --- |
| AWS Amazon Machine Images (AMIs) shared with unknown AWS accounts without restrictions | Cloud Controls | High |
| AWS Amazon Machine Images (AMIs) using unencrypted Amazon Elastic Block Store (EBS) | Cloud Controls | High |
| Amazon Redshift clusters with Database Auditing disabled | Cloud Controls | High |
| AWS Account with CloudTrail and encryption not enabled for log files | Cloud Controls, Data Controls | Medium |
| AWS Account with CloudTrail not Enabled/Created | Cloud Controls | High |
| AWS Accounts with AWS Config disabled | Cloud Controls, Configuration controls | Medium |
| AWS security credentials stored in public repositories | Cloud Controls | High |
| AWS Default Security Groups allowing all traffic | Cloud Controls | High |
| AWS Identity and Access Management (IAM) inline policy usage | Cloud Controls | Medium |
| AWS IAM users deprovisioning | Identity Governance | High |
| AWS Identity and Access Management (IAM) with privileged access on AWS Customer Master Keys | Cloud Controls, Least Privilege | High |
| AWS Security Groups for EC2 instances allowing traffic through DNS Port | Cloud Controls | High |
| AWS Security Groups for workload allowing traffic through RDP Port | Cloud Controls | High |
| AWS Security Groups for EC2 instances allowing traffic through CIFS Port | Cloud Controls | Low |
| AWS Security Groups for EC2 instances allowing traffic through FTP Command Port | Cloud Controls | Low |
| AWS Security Groups for EC2 instances allowing traffic through FTP Data Port | Cloud Controls | Low |
| AWS Security Groups for EC2 instances allowing traffic through NetBIOS Port | Cloud Controls | Low |
| AWS Security Groups for EC2 instances allowing traffic through PostgreSQL Port | Cloud Controls | Low |
| AWS Security Groups for EC2 instances allowing traffic through RPC Port | Cloud Controls | Low |
| AWS Security Groups for EC2 instances allowing traffic through Telnet Port | Cloud Controls | High |
| AWS Security Groups for EC2 instances allowing traffic through VNC Listener Port | Cloud Controls | Low |
| AWS Security Groups for EC2 instances allowing traffic through VNC Server Port | Cloud Controls | Low |
| AWS Security Groups for EC2 instances allowing traffic through MySQL Port | Cloud Controls | High |
| AWS Security Groups for EC2 instances allowing traffic through RDP Port | Cloud Controls | High |
| AWS Security Groups for EC2 instances allowing traffic through SSH Port | Cloud Controls | High |
| AWS Security Groups – Orphaned and Unused | Cloud Controls | Medium |
| AWS Amazon Machine Images (AMIs) that are shared publicly | Cloud Controls | High |
| CloudFormation Templates created without Deletion Policy Attribute | Cloud Controls | High |
| CloudFormation Templates created without “Output” section | Cloud Controls | Medium |
| CloudFormation Templates not integrated with Simple Notification Service (SNS) | Cloud Controls | Medium |
| CloudFormation templates with Open RDP Port Security Groups | Cloud Controls | High |
| CloudFormation Templates used to create Security Groups that allow traffic through an SSH Port | Cloud Controls | High |
| CloudFormation templates created with password violations | Cloud Controls, Password controls | High |
| AWS Accounts with CloudTrail S3 Buckets publicly available | Cloud Controls | High |
| Ensure the Customer Gateways Limit is not reached | Cloud Controls | Medium |
| AWS Account with CloudTrail and Log Validation not enabled | Cloud Controls | Medium |
| Amazon Elastic Compute Cloud (EC2) with Termination Protection Disabled | Cloud Controls | Medium |
| Events based on DROP (Don’t Route Or Peer) IP List | Cloud Controls | High |
| Amazon Elastic Block Store (EBS) that are not encrypted and attached to an EC2 instance | Cloud Controls, Data Controls | High |
| Ensure the EBS Snapshot Limit is not reached | Cloud Controls | Low |
| Ensure the EBS Volume Limit is not reached | Cloud Controls | Low |
| Amazon Elastic Block Store (EBS) that are not Encrypted | Cloud Controls, Data Controls | High |
| Amazon Elastic Compute Cloud (EC2) instances affected by Saviynt Preventative Controls | Cloud Controls | Low |
| Amazon Elastic Compute Cloud (Amazon EC2) instances associated with default Security Groups | Cloud Controls | High |
| Amazon Elastic Compute Cloud (EC2) instances set up outside of the Virtual Private Network | Cloud Controls | High |
| Amazon Elastic Compute Cloud (EC2) instances missing tags | Cloud Controls | Low |
| AWS Security Groups for EC2 instances allowing traffic through SMTP Port | Cloud Controls | High |
| Amazon Elastic Compute Cloud (EC2) without IAM Roles | Cloud Controls | Low |
| Events based on EDROP (Extended Don’t Route Or Peer) IP List | Cloud Controls | High |
| Ensure Elastic IP address Limit is not reached | Cloud Controls | Medium |
| Ensure Elastic IP address Limit is not reached | Cloud Controls | High |
| Elastic Load Balancing (ELB) Certificates which are expired | Cloud Controls | High |
| Elastic Load Balancing (ELB) Certificates that will expire within 21 days | Cloud Controls | Low |
| Events based on Emerging Threats blocked IP list | Cloud Controls | High |
| Amazon Virtual Private Cloud (VPC) without any resources | Cloud Controls | Medium |
| Ensure the Expiry time for an unaccepted Virtual Private Cloud (VPC) peering connection request limit is not reached | Cloud Controls | Medium |
| Ensure VPC Flow Logs limit is not reached | Cloud Controls | Medium |
| GitHub – AWS CloudFormation Templates created without DeletionPolicy attribute | Cloud Controls | High |
| GitHub – AWS CloudFormation Templates created without “Output” section | Cloud Controls | Medium |
| AWS CloudFormation Templates not integrated with AWS Simple Notification Service (SNS) | Cloud Controls | Medium |
| GitHub – AWS CloudFormation Templates used to create Security groups allowing traffic through an RDP Port | Cloud Controls | High |
| GitHub – AWS CloudFormation Templates used to create Security groups allowing traffic through an SSH Port | Cloud Controls | High |
| GitHub – AWS CloudFormation templates created with password violations | Cloud Controls, Password controls | High |
| Terminated users with an AWS high privileged user account | Cloud Controls, IT General Controls | High |
| AWS Identity and Access Management (IAM) groups with high privileged access | Cloud Controls, Least Privilege | High |
| AWS Identity and Access Management (IAM) users with high privileged access | Cloud Controls, Least Privilege | High |
| AWS Identity and Access Management (IAM) policies with High Privileges | Cloud Controls, Least Privilege | High |
| High privileged Users with non-rotated credentials | Identity Governance | Medium |
| AWS Identity and Access Management (IAM) Password Policy with disabled password expiration | Password controls | High |
| AWS Identity and Access Management (IAM) Password Policy with disabled password reuse | Password controls | High |
| AWS IAM user without Multi-Factor Authentication (MFA) enabled | Cloud Controls | High |
| AWS Identity and Access Management (IAM) user not following organization’s naming standard | Cloud Controls | Medium |
| AWS Identity and Access Management (IAM) user with access to delete CloudFormation Templates | Cloud Controls, Least Privilege | High |
| IAM users with delete rights on CloudFormation templates | Identity Governance | High |
| AWS Identity and Access Management (IAM) user with non-rotated Access Keys | Cloud Controls | High |
| AWS Identity and Access Management (IAM) user with non-rotated credentials | Cloud Controls | High |
| Inactive AWS IAM Users | Identity Governance | Medium |
| AWS Identity and Access Management (IAM) High Privileged inactive users | Cloud Controls | High |
| Amazon instances/hosts set up on dedicated tenancy | Cloud Controls | High |
| Amazon instances/hosts set up on default tenancy | Cloud Controls | Low |
| Amazon Elastic Compute Cloud (EC2) instances set up with non-approved DNS names | Cloud Controls | Medium |
| Ensure the Internet Gateways Limit is not reached | Cloud Controls | Medium |
| AWS Key Management Service (KMS) scheduled for deletion | Cloud Controls | High |
| AWS Key Management Service (KMS) with rotation disabled | Cloud Controls | High |
| AWS accounts without an AWS Identity and Access Management (IAM) Password Policy | Password controls | High |
| AWS Network Access Control List (NACL) allowing traffic through CIFS Port | Cloud Controls | Low |
| AWS Network Access Control List (NACL) allowing traffic through FTP Command Port | Cloud Controls | Low |
| AWS Network Access Control List (NACL) allowing traffic through FTP Data Port | Cloud Controls | Low |
| AWS Network Access Control List (NACL) allowing traffic through NetBIOS Port | Cloud Controls | Low |
| AWS Network Access Control List (NACL) allowing traffic through PostgreSQL Port | Cloud Controls | Low |
| AWS Network Access Control List (NACL) allowing traffic through RPC Port | Cloud Controls | Low |
| AWS Network Access Control List (NACL) allowing traffic through Telnet Port | Cloud Controls | Low |
| AWS Network Access Control List (NACL) allowing traffic through VNC Listener Port | Cloud Controls | Low |
| AWS Network Access Control List (NACL) allowing traffic through VNC Server Port | Cloud Controls | Low |
| AWS Network Access Control List (NACL) restricting incoming traffic | Cloud Controls | High |
| AWS Network Access Control List (NACL) allowing traffic through RDP Port | Cloud Controls | High |
| AWS Network Access Control List (NACL) allowing traffic through DNS Port | Cloud Controls | High |
| AWS Network Access Control List (NACL) allowing traffic through MySQL Port | Cloud Controls | Low |
| AWS Network Access Control List (NACL) allowing traffic through SMTP Port | Cloud Controls | Low |
| AWS Network Access Control List (NACL) allowing traffic through SSH Port | Cloud Controls | High |
| AWS Network Access Control List (NACL) restricting outgoing traffic | Cloud Controls | High |
| Ensure the NACLs rule Limit is not reached | Cloud Controls | Medium |
| Ensure the NACLs Limit is not reached | Cloud Controls | Medium |
| Ensure the Network Address Translation (NAT) Gateways Limit is not reached | Cloud Controls | Medium |
| Amazon Redshift clusters that are unencrypted | Cloud Controls, Data Controls | High |
| AWS IAM High Privileged user without Multi-Factor Authentication (MFA) enabled | Cloud Controls | Medium |
| Ensure the Outstanding Virtual Private Cloud (VPC) peering connection requests limit is not reached | Cloud Controls | Medium |
| Amazon Relational Database Service (RDS) granting access to AWS accounts outside the organization | Cloud Controls, Data Controls, Least Privilege | Medium |
| Amazon Relational Database Service (RDS) should not be accessible publicly | Cloud Controls, Least Privilege | High |
| Amazon Relational Database Service (RDS) which are not Encrypted | Cloud Controls, Data Controls | High |
| Amazon Relational Database Service (RDS) with last restorable time greater than 5 minutes | Cloud Controls, Data Controls | Low |
| Amazon Relational Database Service (RDS) with retention policy greater than 2 weeks | Cloud Controls, Data Controls | Low |
| AWS Security Groups for Redshift clustered DB allowing traffic through RDP Port | Cloud Controls | High |
| AWS Security Groups for AWS Redshift VPC allowing traffic through SSH Port | Cloud Controls | High |
| AWS Security Groups for AWS Redshift VPC allowing traffic through RDP Port | Cloud Controls | High |
| AWS Security Groups for Redshift clustered DB allowing traffic through SSH Port | Cloud Controls | High |
| AWS Root Accounts with API Keys Enabled | Cloud Controls | High |
| AWS Root accounts with Multi-Factor Authentication disabled | Cloud Controls | High |
| Ensure the Route Tables Limit is not reached | Cloud Controls | Medium |
| Amazon S3 Buckets without MFA Delete enabled | Cloud Controls | Medium |
| Amazon S3 Buckets with logging disabled | Cloud Controls | Medium |
| Amazon S3 Buckets with versioning disabled | Cloud Controls | Low |
| Amazon S3 Buckets allowing Full access to everyone via ACL | Cloud Controls | Medium |
| Amazon S3 Buckets having explicit Global List access via ACL | Cloud Controls | Medium |
| Amazon S3 Buckets allowing explicit Read/Write access via ACL | Cloud Controls | Medium |
| Amazon S3 Buckets allowing access to Everyone via ACL | Cloud Controls | High |
| Amazon S3 Buckets with server-side encryption disabled | Cloud Controls | High |
| AWS Security Groups allowing all incoming traffic | Cloud Controls | High |
| Ensure the Security Groups limit per VPC is not reached | Cloud Controls | Medium |
| AWS Security Groups allowing all outgoing traffic | Cloud Controls | High |
| Ensure the Security Groups per network interface limit is not reached | Cloud Controls | Medium |
| Terminated users with an AWS Identity and Access Management (IAM) user account | Identity Governance, IT General Controls | High |
| Events Based on TOR (“The Onion Router”) IP List | Cloud Controls | High |
| Elastic Load Balancing (ELB) with zero associated EC2 instances or zero EC2 instances in service | Cloud Controls | Medium |
| Track the unused Elastic IP addresses in the account | Cloud Controls | Medium |
| Track the unused Elastic IP addresses in your account | Cloud Controls | High |
| Ensure the Virtual Private Gateways Limit is not reached | Cloud Controls | Medium |
| Ensure the Virtual Private Cloud (VPC) Endpoints limit is not reached | Cloud Controls | Medium |
| Ensure the VPC Limit is not reached | Cloud Controls | Medium |
| Ensure the Virtual Private Cloud (VPC) Peering Active Connections limit is not reached | Cloud Controls | Medium |
| Ensure the VPC Subnet Limit is not reached | Cloud Controls | Medium |
| Amazon Virtual Private Cloud (VPC) set up on dedicated tenancy | Cloud Controls | High |
| Amazon Virtual Private Cloud (VPC) set up on default tenancy | Cloud Controls | High |
| Ensure the Virtual Private Network (VPN) connections per region limit is not reached | Cloud Controls | Medium |
| Ensure the Virtual Private Network (VPN) Connections per Virtual Private Cloud (VPC) limit is not reached | Cloud Controls | Medium |
| AWS Workloads without Amazon Elastic Block Store (EBS) optimized instance | Cloud Controls | Low |

JD Edwards

Showing 4 controls:
| Control Title | Control Type | Risk Rating |
| --- | --- | --- |
| Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical |
| Create Suppliers – Critical Access | Least Privilege, Segregation of Duties | High |
| Payables Setup – Critical Access | Least Privilege, Segregation of Duties | High |
| Purchasing Setup – Critical Access | Least Privilege, Segregation of Duties | High |

MS Dynamics GP

Showing 10 controls:
| Control Title | Control Type | Risk Rating |
| --- | --- | --- |
| Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical |
| Create Suppliers – Critical Access | Least Privilege, Segregation of Duties | High |
| Customer Account Maintenance – Critical Access | Least Privilege, Segregation of Duties | High |
| General Ledger Periods – Critical Access | Least Privilege, Segregation of Duties | High |
| General Ledger Setup – Critical Access | Least Privilege, Segregation of Duties | High |
| Maintain Chart of Accounts – Critical Access | Least Privilege, Segregation of Duties | High |
| Payables Setup – Critical Access | Least Privilege, Segregation of Duties | High |
| Purchasing Setup – Critical Access | Least Privilege, Segregation of Duties | High |
| Receivables Setup – Critical Access | Least Privilege, Segregation of Duties | High |
| Set Up Payment – Critical Access | Least Privilege, Segregation of Duties | High |

Office 365

Oracle EBS

Showing 7 controls:
| Control Title | Control Type | Risk Rating |
| --- | --- | --- |
| Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical |
| Create Supplier – Critical Access | Least Privilege, Segregation of Duties | High |
| Monitor employees with more than one user account | Identity Governance | High |
| Monitor unlocked stale accounts with no activity for more than 3 months | Identity Governance | Medium |
| Oracle EBS – Govern Access to Critical Roles | Identity Governance, IT General Controls, Least Privilege | High |
| Payables Setup – Critical Access | Least Privilege, Segregation of Duties | High |
| Purchasing Setup – Critical Access | Least Privilege, Segregation of Duties | High |

Oracle ERP Cloud

Showing 2 controls:
| Control Title | Control Type | Risk Rating |
| --- | --- | --- |
| Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical |
| Create Suppliers – Critical Access | Least Privilege, Segregation of Duties | High |

PeopleSoft

Showing 11 controls:
| Control Title | Control Type | Risk Rating |
| --- | --- | --- |
| Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical |
| Create Suppliers – Critical Access | Least Privilege, Segregation of Duties | High |
| Development – Critical Access | Least Privilege, Segregation of Duties | Critical |
| General Ledger Periods – Critical Access | Least Privilege, Segregation of Duties | High |
| General Ledger Setup – Critical Access | Least Privilege, Segregation of Duties | High |
| Maintain Chart of Accounts – Critical Access | Least Privilege, Segregation of Duties | High |
| Maintain Hierarchies – Critical Access | Least Privilege, Segregation of Duties | High |
| Payables Setup – Critical Access | Least Privilege, Segregation of Duties | High |
| Purchasing Setup – Critical Access | Least Privilege, Segregation of Duties | High |
| Receivables Setup – Critical Access | Least Privilege, Segregation of Duties | High |
| Set Up Payment – Critical Access | Least Privilege, Segregation of Duties | High |

Salesforce

Showing 17 controls:
| Control Title | Control Type | Risk Rating |
| --- | --- | --- |
| Attachments with Sensitive content – UK National Insurance | Data Controls | Medium |
| External users with Write access to object records | Identity Governance | High |
| Groups with access to Object records | Identity Governance | Medium |
| Groups with no users | Identity Governance | Low |
| Manual Sharing of object records to External Users | Identity Governance | High |
| Manual Sharing of object records to Internal Users | Least Privilege | Medium |
| Permission Set Usage | Identity Governance | Low |
| Permission Sets with High Risk Permissions | Least Privilege | High |
| Permission Sets with Modify All Data Permissions | Least Privilege | High |
| Permission Sets with View All Data Permissions | Least Privilege | High |
| Profile Usage | Identity Governance | Low |
| Profiles with High Risk Permissions | Least Privilege | High |
| Profiles with Modify All Data Permissions | Least Privilege | High |
| Profiles with View All Data Permissions | Least Privilege | High |
| Users with high risk permissions | Identity Governance, Least Privilege | High |
| Users with Modify All Data Permissions | Identity Governance | High |
| Users with View All Data Permissions | Identity Governance | Low |

Workday

Showing 7 controls:
| Control Title | Control Type | Risk Rating |
| --- | --- | --- |
| Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical |
| Application Administrator – Critical Access | Least Privilege, Segregation of Duties | Critical |
| Create Suppliers – Critical Access | Least Privilege, Segregation of Duties | High |
| Customer Account Maintenance – Critical Access | Least Privilege, Segregation of Duties | High |
| Development – Critical Access | Least Privilege, Segregation of Duties | Critical |
| General Ledger Setup – Critical Access | Least Privilege, Segregation of Duties | High |
| Payables Setup – Critical Access | Least Privilege, Segregation of Duties | High |