- [general] What are my information assets?
- [general] What are my production data stores and databases?
- [general] What are my production resources?
- [general] What are my production applications?
- [general] Which devices have been disposed of in the last 12 months?
- [access] Who has been assigned permissions with 'Admin' access?
- [access] Who owns which user accounts?
- [access] What are the shared/generic/service accounts? (user accounts that are not individually owned)
- [access] Show me the current password policy and compliance status.
- [access] Find anything that allows public access to everyone.
- [appdev] Were there any code repos added in the last 24 hours?
- [data] Are my production or PHI/PII data stores encrypted?
- [data] Are there any non-public data stores incorrectly configured with public access to everyone?
- [endpoint] What is the configuration and compliance status of my endpoint devices?
- [endpoint] Whose endpoint is out of compliance?
- [endpoint] Is there malware protection for all endpoints?
- [endpoint] Are there security agents monitoring and protecting my endpoint hosts/devices?
- [endpoint] Are my servers and systems protected by a host-based firewall?
- [infra] Are there potential IP collisions among the networks/subnets in my environment?
- [infra] What is directly connected to the Internet?
- [infra] What network traffic is allowed between internal and external networks?
- [infra] Is there proper segmentation/segregation of internal networks?
- [infra] Are wireless networks segmented and protected by firewalls?
- [infra] Are there VPNs configured for remote access?
- [infra] Show all inbound SSH firewall rules across my network environments.
- [infra] Is inbound SSH allowed directly from an external host or network?
- [aws] Is MFA enabled for the account root user in all my AWS accounts?
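Two of the infra questions above (IP collisions among subnets, and inbound SSH allowed from an external host or network) can be answered offline once the network inventory and firewall rules have been exported. The following is an added example, not code from the original question list, using Python's standard `ipaddress` module over a constructed inventory (`NETWORKS`) and rule set (`RULES`); both are sample data, and the rule field names are assumed, not those of any particular firewall export format.

```python
"""Added example: offline checks for subnet overlap and external inbound SSH.
NETWORKS and RULES are constructed sample data; field names are assumed."""
import ipaddress

# Constructed sample inventory: network name -> CIDR
NETWORKS = {
    "corp-lan": "10.10.0.0/16",
    "branch-1": "10.10.5.0/24",       # nested inside corp-lan: a collision
    "aws-prod-vpc": "10.20.0.0/16",
    "wifi-guest": "192.168.100.0/24",
    "partner-dc": "172.16.0.0/12",
}

# Constructed sample firewall rules (assumed schema)
RULES = [
    {"name": "bastion-ssh-vpn", "direction": "ingress", "proto": "tcp", "ports": "22", "source": "10.8.0.0/24"},
    {"name": "legacy-ssh-any", "direction": "ingress", "proto": "tcp", "ports": "22", "source": "0.0.0.0/0"},
    {"name": "vendor-ssh", "direction": "ingress", "proto": "tcp", "ports": "20-23", "source": "203.0.113.10/32"},
    {"name": "web", "direction": "ingress", "proto": "tcp", "ports": "443", "source": "0.0.0.0/0"},
    {"name": "egress-all", "direction": "egress", "proto": "-1", "ports": "0-65535", "source": "0.0.0.0/0"},
]

# Explicit RFC 1918 / ULA / loopback ranges. ipaddress's is_private is deliberately
# not used: it also treats documentation ranges such as 203.0.113.0/24 as private,
# which would hide a vendor address like the one in RULES above.
INTERNAL = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]


def find_ip_collisions(networks):
    """Return sorted (name_a, name_b) pairs whose CIDRs overlap (same IP version only)."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in networks.items()}
    names = sorted(nets)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].version == nets[b].version and nets[a].overlaps(nets[b]):
                hits.append((a, b))
    return hits


def port_in_range(port, spec):
    """Match a port against '22', '20-23' or '0-65535' style specs."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return lo <= port <= hi


def is_internal(cidr):
    """True only if the whole source range sits inside a private/loopback range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)


def external_inbound_ssh(rules):
    """Names of ingress rules allowing TCP/22 from a source outside INTERNAL."""
    out = []
    for r in rules:
        if r["direction"] != "ingress":
            continue
        if r["proto"] not in ("tcp", "-1", "all"):   # -1/all: any protocol
            continue
        if not port_in_range(22, r["ports"]):
            continue
        if is_internal(r["source"]):
            continue
        out.append(r["name"])
    return out


if __name__ == "__main__":
    for a, b in find_ip_collisions(NETWORKS):
        print(f"IP collision: {a} ({NETWORKS[a]}) overlaps {b} ({NETWORKS[b]})")
    for name in external_inbound_ssh(RULES):
        print(f"External inbound SSH allowed by rule: {name}")
```

The overlap check compares every pair of networks, so a nested subnet (branch-1 inside corp-lan) is reported as well as partially overlapping ranges. The SSH check flags a rule whenever its port range covers 22 and its source is not entirely inside a private range, so a broad range like 0.0.0.0/0 and a single external /32 are both reported.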
- [aws] Are there root user access keys in use for any of my AWS accounts?
- [aws] Is public access block configured for non-public S3 Buckets?
- [aws] Is public read access enabled for any S3 Bucket?
- [aws] Is public write access enabled for any S3 Bucket?
- [aws] Is S3 bucket access granted to anybody outside of the account?
- [aws] Is there any S3 bucket that grants full control access to anybody other than the owner?
- [aws] What are the service roles in my AWS accounts (i.e. an IAM Role that has a trust policy to an AWS Service)?
- [aws] Are all EBS volumes encrypted?
- [aws] Is default server side encryption enabled for all S3 Buckets?
- [aws] Who has been assigned full Administrator access?
- [aws] Are there assume role trusts to external entities?
- [aws] Are all the AWS Config rules compliant? (if AWS Config is enabled)
- [aws] Are there any noncompliant production resources in AWS per Config evaluation? (if AWS Config is enabled)
- [aws] Are there EC2 instances exposed to the Internet?
- [aws] Which EC2 instances may have external network connections?
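Several of the S3 and IAM questions above (public read/write access, access granted outside the account, full control granted to a non-owner, service roles, and assume-role trusts to external entities) come down to reading policy documents. The following is an added example, not code from the original question list, that evaluates bucket policies and role trust policies as plain JSON so it runs offline. `ACCOUNT_ID` is an assumed placeholder for the owning account, and `SAMPLE_BUCKET_POLICIES` and `SAMPLE_TRUST_POLICIES` are constructed samples; in practice the documents would come from `get-bucket-policy` and `get-role` output, and bucket ACLs and the account-level public access block would still need to be checked separately.

```python
"""Added example: static analysis of S3 bucket policies and IAM role trust policies.
ACCOUNT_ID is an assumed placeholder; the policy documents are constructed samples."""
from fnmatch import fnmatchcase

ACCOUNT_ID = "111111111111"  # assumed: the account that owns the buckets and roles


def _as_list(x):
    return x if isinstance(x, list) else [x]


def principal_ids(principal):
    """Flatten a Statement Principal into (kind, value) pairs; '*' becomes ('*', '*')."""
    if principal == "*":
        return [("*", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]


def account_of(principal):
    """Account id from an IAM ARN or bare 12-digit id; None for '*'."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 and parts[4] else None


def grants(actions, target):
    """True if any (lower-cased) action pattern such as 's3:get*' or '*' covers target."""
    return any(fnmatchcase(target, pat) for pat in actions)


def analyze_bucket_policy(policy, owner=ACCOUNT_ID):
    """Findings: public-read, public-write, cross-account:<id>, full-control-non-owner."""
    findings = set()
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        full_control = bool(actions & {"s3:*", "*"})
        for _kind, val in principal_ids(st.get("Principal", {})):
            public = val == "*"
            if public and "Condition" in st:
                findings.add("public-with-condition")  # may be scoped; review by hand
                continue
            acct = None if public else account_of(val)
            if public and grants(actions, "s3:getobject"):
                findings.add("public-read")
            if public and grants(actions, "s3:putobject"):
                findings.add("public-write")
            if acct and acct != owner:
                findings.add(f"cross-account:{acct}")
            if full_control and (public or acct != owner):
                findings.add("full-control-non-owner")
    return findings


def classify_trust_policy(trust, owner=ACCOUNT_ID):
    """Service principals make a service role; AWS principals from another account
    (or '*') are external trusts, even when an sts:ExternalId condition is present."""
    services, external, federated = set(), set(), set()
    for st in _as_list(trust.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not any(a.startswith("sts:assumerole") or a in ("sts:*", "*") for a in actions):
            continue
        for kind, val in principal_ids(st.get("Principal", {})):
            if kind == "Service":
                services.add(val)
            elif kind == "Federated":
                federated.add(val)
            else:  # "AWS" or "*"
                acct = account_of(val)
                if val == "*" or (acct and acct != owner):
                    external.add(val)
    return {"is_service_role": bool(services), "services": sorted(services),
            "external_trusts": sorted(external), "federated": sorted(federated)}


# Constructed sample policies (not real buckets or roles)
SAMPLE_BUCKET_POLICIES = {
    "public-site": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                   "Resource": "arn:aws:s3:::public-site/*"}]},
    "dropbox": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"],
                               "Resource": "arn:aws:s3:::dropbox/*"}]},
    "partner-share": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                                     "Action": "s3:*", "Resource": "arn:aws:s3:::partner-share/*"}]},
    "internal": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal/*"}]},
}
SAMPLE_TRUST_POLICIES = {
    "lambda-exec": {"Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                                   "Action": "sts:AssumeRole"}]},
    "vendor-access": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
                                     "Action": "sts:AssumeRole",
                                     "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}}]},
    "sso-admin": {"Statement": [{"Effect": "Allow", "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/Okta"},
                                 "Action": "sts:AssumeRoleWithSAML"}]},
}

if __name__ == "__main__":
    for name, pol in SAMPLE_BUCKET_POLICIES.items():
        print(f"bucket {name}: {sorted(analyze_bucket_policy(pol)) or 'no findings'}")
    for name, trust in SAMPLE_TRUST_POLICIES.items():
        print(f"role {name}: {classify_trust_policy(trust)}")
```

Wildcard principals that carry a Condition are reported separately rather than as public, because a condition such as `aws:SourceVpce` or `aws:PrincipalOrgID` can make an otherwise public statement private; those statements need a human read. Cross-account trusts are reported even when an `sts:ExternalId` condition is present, since the external party can still assume the role.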