Policy list for scanning cloud accounts
A list of default policies provided for scanning the cloud accounts.
Default policies for scan accounts
| Policy Name | Description |
|---|---|
| Check AWS Discovery Schedule | Verifies whether an AWS account has a discovery schedule attached. Running discovery regularly helps facilitate the identification and management of potential security risks. |
| Check AWS Account Alias | Verifies an AWS account has a unique alias to improve account management, reduce errors, and promote clarity and traceability within your AWS infrastructure. Note: Make sure you have API permission for iam:ListAccountAliases. |
| Check AWS Account Owner Tag | Verifies whether an AWS account has a designated owner to enhance accountability, streamline incident response, and facilitate communication within your AWS environment. |
| Check AWS Custom Password Policy | Verifies whether a custom password policy is set for every AWS account. A robust password requirement for all IAM users significantly increases the difficulty for attackers to crack passwords through brute-force attacks or credential theft attempts, ultimately enhancing the overall security of your AWS infrastructure. Note: Make sure you have API permission for iam:GetAccountPasswordPolicy. |
| Check AWS Failed Certification | Verifies the AWS account certification status. Failed certifications indicate potential security vulnerabilities because compromised credentials might not be deactivated promptly and provide a window of opportunity for attackers to exploit these weaknesses. |
| Check AWS Pending Certification | Verifies whether an AWS account certification is in a pending state to enable the prompt resolution of pending certifications and avoid potential security vulnerabilities. |
| Check AWS Strong Password Policy | Verifies whether an AWS account adheres to a strong password policy to promote security. This policy mandates robust password complexity requirements, significantly bolstering your AWS environment's defense against unauthorized access. Note: Make sure you have API permission for iam:GetAccountPasswordPolicy. |
| Check Azure Discovery Schedule | Verifies whether an Azure account has a discovery schedule attached. This policy helps maintain a secure and up-to-date resource landscape, facilitating the identification and management of potential security risks. |
| Check Azure Account Owner Tag | Verifies whether an Azure account has a designated owner tag to enhance accountability and facilitate communication within your Azure environment. This policy readily identifies the responsible party for each account, promoting a culture of ownership and streamlined incident response. |
| Check Azure Failed Certification | Verifies whether an Azure service account has a failed certification status, promoting strong access control through proactive monitoring. Failed certifications indicate potential security vulnerabilities, as compromised credentials might not be deactivated promptly. This policy minimizes the window of opportunity for attackers to exploit these weaknesses. |
| Check Azure Pending Certification | Verifies whether an Azure service account certification is in a pending state. This monitoring enables prompt resolution of pending certifications and avoids potential security vulnerabilities. |
| Check GCP Discovery Schedule | Verifies whether a GCP account has a discovery schedule attached. This policy helps maintain a secure and up-to-date resource landscape, facilitating the identification and management of potential security risks. |
| Check GCP Account Owner Tag | Verifies whether a GCP account has a designated owner tag to enhance accountability and facilitate communication within your GCP environment. This policy readily identifies the responsible party for each account, promoting a culture of ownership and streamlined incident response. |
| Check GCP Failed Certification | Verifies whether a GCP service account has a failed certification status, promoting strong access control through proactive monitoring. Failed certifications indicate potential security vulnerabilities, as compromised credentials might not be deactivated promptly. This policy minimizes the window of opportunity for attackers to exploit these weaknesses. |
| Check GCP Pending Certification | Verifies whether a GCP account certification is in a pending state. This monitoring enables prompt resolution of pending certifications and avoids potential security vulnerabilities. |
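The following is an added example, not ServiceNow code, showing how the three AWS IAM checks in the table (account alias, custom password policy, strong password policy) can be evaluated from the responses of iam:ListAccountAliases and iam:GetAccountPasswordPolicy. The response field names are those of the real IAM API; the strength thresholds and the sample responses are assumptions constructed for illustration.

```python
"""Evaluate the AWS alias and password-policy checks from IAM API responses.
Added example; the thresholds below are assumptions, not ServiceNow's own."""
from typing import Optional

# Assumed thresholds for a "strong" policy; adjust to your own standard.
STRONG_MIN_LENGTH = 14
STRONG_MAX_AGE_DAYS = 90
STRONG_REUSE_PREVENTION = 24
REQUIRED_FLAGS = ("RequireSymbols", "RequireNumbers",
                  "RequireUppercaseCharacters", "RequireLowercaseCharacters")


def check_account_alias(list_aliases_response: dict) -> bool:
    """Pass when iam:ListAccountAliases returns at least one alias."""
    return len(list_aliases_response.get("AccountAliases", [])) > 0


def check_custom_password_policy(policy: Optional[dict]) -> bool:
    """Pass when a custom policy exists. iam:GetAccountPasswordPolicy raises
    NoSuchEntity when the account still uses the AWS default; model that as None."""
    return policy is not None


def strong_policy_findings(policy: Optional[dict]) -> list:
    """Return the requirements the policy fails; an empty list means strong."""
    if policy is None:
        return ["no custom password policy"]
    findings = []
    if policy.get("MinimumPasswordLength", 0) < STRONG_MIN_LENGTH:
        findings.append(f"MinimumPasswordLength < {STRONG_MIN_LENGTH}")
    for flag in REQUIRED_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is false")
    # MaxPasswordAge is omitted from the response when ExpirePasswords is false.
    if (not policy.get("ExpirePasswords")
            or policy.get("MaxPasswordAge", 10**9) > STRONG_MAX_AGE_DAYS):
        findings.append(f"passwords not expired within {STRONG_MAX_AGE_DAYS} days")
    if policy.get("PasswordReusePrevention", 0) < STRONG_REUSE_PREVENTION:
        findings.append(f"PasswordReusePrevention < {STRONG_REUSE_PREVENTION}")
    return findings


# Constructed sample responses (not from any real account).
SAMPLE_ALIASES = {"AccountAliases": ["payments-prod"]}
SAMPLE_WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": False,
                      "RequireNumbers": True, "RequireUppercaseCharacters": True,
                      "RequireLowercaseCharacters": True, "ExpirePasswords": False,
                      "PasswordReusePrevention": 5}

if __name__ == "__main__":
    print(check_account_alias(SAMPLE_ALIASES), strong_policy_findings(SAMPLE_WEAK_POLICY))
```

The weak sample passes the custom-policy check but fails the strong-policy check on four counts, which is exactly the distinction the two table rows draw.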
To return to the procedure, see Set up scan configuration for data visualization.