| 1.1.6.1.1 Ensure when a cloud recording is available is set to enabled | CIS Zoom L1 v1.0.0 | Zoom | CONFIGURATION MANAGEMENT |
| 1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account | CIS Google Cloud Platform v3.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 1.5 Ensure That Service Account Has No Admin Privileges | CIS Google Cloud Platform v3.0.0 L1 | GCP | ACCESS CONTROL |
| 1.7 Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | CIS Google Cloud Platform v3.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | CIS Google Cloud Platform v3.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.12 Ensure API Keys Only Exist for Active Services | CIS Google Cloud Platform v3.0.0 L2 | GCP | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 1.13 Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps | CIS Google Cloud Platform v3.0.0 L2 | GCP | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 1.15 Ensure API Keys Are Rotated Every 90 Days | CIS Google Cloud Platform v3.0.0 L2 | GCP | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 1.66 (L1) Ensure 'Configure Related Matches in Find on Page' is set to 'Disabled' | CIS Microsoft Edge v3.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | CIS Google Cloud Platform v3.0.0 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes | CIS Google Cloud Platform v3.0.0 L1 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes | CIS Google Cloud Platform v3.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes | CIS Google Cloud Platform v3.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.15 Ensure 'Access Approval' is 'Enabled' | CIS Google Cloud Platform v3.0.0 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 2.16 Ensure Logging is enabled for HTTP(S) Load Balancer | CIS Google Cloud Platform v3.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 3.1 Ensure That the Default Network Does Not Exist in a Project | CIS Google Cloud Platform v3.0.0 L2 | GCP | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | CIS Google Cloud Platform v3.0.0 L1 | GCP | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites | CIS Google Cloud Platform v3.0.0 L1 | GCP | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' | CIS Google Cloud Platform v3.0.0 L2 | GCP | ACCESS CONTROL |
| 4.1 Ensure That Instances Are Not Configured To Use the Default Service Account | CIS Google Cloud Platform v3.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 4.4 Ensure http server is not running | CIS Apple OSX 10.11 El Capitan L1 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Ensure http server is not running | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.7 Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | CIS Google Cloud Platform v3.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.8 Ensure Compute Instances Are Launched With Shielded VM Enabled | CIS Google Cloud Platform v3.0.0 L2 | GCP | CONFIGURATION MANAGEMENT |
| 4.10 Ensure That App Engine Applications Enforce HTTPS Connections | CIS Google Cloud Platform v3.0.0 L2 | GCP | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.11 Ensure That Compute Instances Have Confidential Computing Enabled | CIS Google Cloud Platform v3.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects | CIS Google Cloud Platform v3.0.0 L2 | GCP | SYSTEM AND SERVICES ACQUISITION |
| 5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible | CIS Google Cloud Platform v3.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 6.2.8 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging | CIS Google Cloud Platform v3.0.0 L1 | GCP | AUDIT AND ACCOUNTABILITY |
| 7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | CIS Google Cloud Platform v3.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure all data in BigQuery has been classified | CIS Google Cloud Platform v3.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY, RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.58.2 (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 18.10.40.1 (L1) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.40.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | CIS Microsoft Windows 10 Enterprise v3.0.0 L2 + BL | Windows | CONFIGURATION MANAGEMENT |
| 18.10.40.1 Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 L2 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.10.42.5.1 Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT |
| AIOS-16-011100 - Apple iOS/iPadOS 16 must implement the management setting: Disable Allow Shared Albums. | MobileIron - DISA Apple iOS/iPadOS 16 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-17-003450 - Apple iOS/iPadOS 17 must not allow backup to remote systems (Cloud Photo Library). | MobileIron - DISA Apple iOS/iPadOS 17 v2r1 | MDM | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| Android Device Configuration - Encryption on storage cards | Tenable Best Practices for Microsoft Intune Android v1.0 | microsoft_azure | ACCESS CONTROL |
| Android Device Configuration - Google account auto sync | Tenable Best Practices for Microsoft Intune Android v1.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| Android Device Configuration - Removable storage | Tenable Best Practices for Microsoft Intune Android v1.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| iOS Device Management - Backup to iCloud | Tenable Best Practices for Microsoft Intune iOS v1.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| iOS Device Management - Block iCloud Document sync | Tenable Best Practices for Microsoft Intune iOS v1.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| iOS Device Management - Encrypted backup | Tenable Best Practices for Microsoft Intune iOS v1.0 | microsoft_azure | ACCESS CONTROL |
| iOS Device Management - iCloud Photo Library | Tenable Best Practices for Microsoft Intune iOS v1.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| iOS Device Management - Photo stream syncing to iCloud | Tenable Best Practices for Microsoft Intune iOS v1.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| MS.AAD.3.6v1 - Phishing-resistant MFA SHALL be required for highly privileged roles. | CISA SCuBA Microsoft 365 Entra ID v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| OpenStack Identity - Disable admin token in /etc/keystone/keystone-paste.ini | TNS OpenStack Keystone/Identity Security Guide | Unix | ACCESS CONTROL |
| OpenStack Identity - Disable admin token in /etc/keystone/keystone.conf | TNS OpenStack Keystone/Identity Security Guide | Unix | ACCESS CONTROL |
| WN11-CC-000390 - Windows 11 must be configured to prevent users from receiving suggestions for third-party or additional applications. | DISA Microsoft Windows 11 STIG v2r3 | Windows | CONFIGURATION MANAGEMENT |
