CLOUDCUSTODIAN
Count Virtual machines that are publicly accessible, have high CPU usage, underutilized memory, stopped state, unused network interfaces, and unused public IPs in Azure
Tasks:
- Check for VMs With Public IP in resource group `${AZURE_RESOURCE_GROUP}` in Azure Subscription `${AZURE_SUBSCRIPTION_NAME}`
- Check for VMs With High CPU Usage in resource group `${AZURE_RESOURCE_GROUP}` in Subscription `${AZURE_SUBSCRIPTION_NAME}`
- Check for Stopped VMs in resource group `${AZURE_RESOURCE_GROUP}` in Subscription `${AZURE_SUBSCRIPTION_NAME}`
- Check for Underutilized VMs Based on CPU Usage in resource group `${AZURE_RESOURCE_GROUP}` in Subscription `${AZURE_SUBSCRIPTION_NAME}`
- Check for VMs With High Memory Usage in resource group `${AZURE_RESOURCE_GROUP}` in Subscription `${AZURE_SUBSCRIPTION_NAME}`
- Check for Underutilized VMs Based on Memory Usage in resource group `${AZURE_RESOURCE_GROUP}` in Subscription `${AZURE_SUBSCRIPTION_NAME}`
- Check for Unused Network Interfaces in resource group `${AZURE_RESOURCE_GROUP}` in Subscription `${AZURE_SUBSCRIPTION_NAME}`
- Check for Unused Public IPs in resource group `${AZURE_RESOURCE_GROUP}` in Subscription `${AZURE_SUBSCRIPTION_NAME}`
- Generate Health Score
List Virtual machines that are publicly accessible, have high CPU usage, underutilized memory, stopped state, unused network interfaces, and unused public IPs in Azure
Tasks:
- List VMs With Public IP in resource group `AZURE_RESOURCE_GROUP` in Azure Subscription `AZURE_SUBSCRIPTION_NAME`
- List Stopped VMs in resource group `AZURE_RESOURCE_GROUP` in Subscription `AZURE_SUBSCRIPTION_NAME`
- List VMs With High CPU Usage in resource group `AZURE_RESOURCE_GROUP` in Subscription `AZURE_SUBSCRIPTION_NAME`
- List Underutilized VMs Based on CPU Usage in resource group `AZURE_RESOURCE_GROUP` in Subscription `AZURE_SUBSCRIPTION_NAME`
- List VMs With High Memory Usage in resource group `AZURE_RESOURCE_GROUP` in Subscription `AZURE_SUBSCRIPTION_NAME`
- List Underutilized VMs Based on Memory Usage in resource group `AZURE_RESOURCE_GROUP` in Subscription `AZURE_SUBSCRIPTION_NAME`
- List Unused Network Interfaces in resource group `AZURE_RESOURCE_GROUP` in Subscription `AZURE_SUBSCRIPTION_NAME`
- List Unused Public IPs in resource group `AZURE_RESOURCE_GROUP` in Subscription `AZURE_SUBSCRIPTION_NAME`
Check AWS Monitoring Configuration Health
Tasks:
- Check CloudWatch Log Groups Without Retention Period in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check if CloudTrail exists and is configured for multi-region in AWS Region `${AWS_REGION}` in AWS Account `${AWS_ACCOUNT_ID}`
- Check CloudTrail Without CloudWatch Logs in AWS Region `${AWS_REGION}` in AWS Account `${AWS_ACCOUNT_ID}`
- Generate Health Score
Check AWS Monitoring Configuration Health
Tasks:
- List CloudWatch Log Groups Without Retention Period in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- Check CloudTrail Configuration in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- Check for CloudTrail integration with CloudWatch Logs in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
Count AWS ACM certificates that are unused, expiring, expired, or in a failed status.
Tasks:
- Check for unused ACM certificates in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for Expiring ACM certificates in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for expired ACM certificates in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for Failed Status ACM Certificates in AWS Region `${AWS_REGION}` in AWS Account `${AWS_ACCOUNT_ID}`
- Check for Pending Validation ACM Certificates in AWS Region `${AWS_REGION}` in AWS Account `${AWS_ACCOUNT_ID}`
- Generate Health Score
List AWS ACM certificates that are unused, expiring, expired, or in a failed status.
Tasks:
- List Unused ACM Certificates in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List Expiring ACM Certificates in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List Expired ACM Certificates in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List Failed Status ACM Certificates in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List Pending Validation ACM Certificates in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
Check AWS RDS instances that are unencrypted, publicly accessible, or have backups disabled.
Tasks:
- Check for unencrypted RDS instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for publicly accessible RDS instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for disabled backup RDS instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Generate Health Score
List AWS RDS instances that are unencrypted, publicly accessible, or have backups disabled.
Tasks:
- List Unencrypted RDS Instances in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List Publicly Accessible RDS Instances in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
- List RDS Instances with Backups Disabled in AWS Region `AWS_REGION` in AWS Account `AWS_ACCOUNT_ID`
Count the number of EC2 instances that are stale or stopped
Tasks:
- Check for stale AWS EC2 instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for stopped AWS EC2 instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Check for invalid AWS Auto Scaling Groups in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`
- Generate Health Score
Check for EC2 instances that are stale or stopped
Tasks:
- List stale AWS EC2 instances in AWS Region `AWS_REGION` in AWS account `AWS_ACCOUNT_ID`
- List stopped AWS EC2 instances in AWS Region `AWS_REGION` in AWS account `AWS_ACCOUNT_ID`
- List invalid AWS Auto Scaling Groups in AWS Region `AWS_REGION` in AWS account `AWS_ACCOUNT_ID`
Counts the number of S3 buckets in an Account that are insecure or unhealthy.
Tasks:
- Count S3 Buckets With Public Access in AWS Account `${AWS_ACCOUNT_NAME}`
Generates a report on S3 buckets in an Account that are insecure or unhealthy.
Tasks:
- List S3 Buckets With Public Access in AWS Account `AWS_ACCOUNT_NAME`
Counts the number of EBS resources by identifying unattached volumes, unused and aged snapshots, and unencrypted volumes.
Tasks:
- Check Unattached EBS Volumes in `${AWS_REGION}`
- Check Unencrypted EBS Volumes in `${AWS_REGION}`
- Check Unused EBS Snapshots in `${AWS_REGION}`
- Generate EBS Score
Check for AWS EBS resources by identifying unattached volumes, unused snapshots, and unencrypted volumes.
Tasks:
- List Unattached EBS Volumes in AWS Region `AWS_REGION` in AWS account `AWS_ACCOUNT_ID`
- List Unencrypted EBS Volumes in AWS Region `AWS_REGION` in AWS account `AWS_ACCOUNT_ID`
- List Unused EBS Snapshots in AWS Region `AWS_REGION` in AWS account `AWS_ACCOUNT_ID`
Count publicly accessible security groups, unused EIPs, unused ELBs, and VPCs with flow logs disabled
Tasks:
- Check for publicly accessible security groups in AWS account `${AWS_ACCOUNT_ID}`
- Check for unused Elastic IPs in AWS account `${AWS_ACCOUNT_ID}`
- Check for unused ELBs in AWS account `${AWS_ACCOUNT_ID}`
- Check for VPCs with Flow Logs disabled in AWS account `${AWS_ACCOUNT_ID}`
- Generate Health Score
List publicly accessible security groups, unused EIPs, unused ELBs, and VPCs with flow logs disabled
Tasks:
- List Publicly Accessible Security Groups in AWS account `AWS_ACCOUNT_ID`
- List unused Elastic IPs in AWS account `AWS_ACCOUNT_ID`
- List unused ELBs in AWS account `AWS_ACCOUNT_ID`
- List VPCs with Flow Logs Disabled in AWS account `AWS_ACCOUNT_ID`