Halo Cloud Secure Features

IaaS Resource Inventory

Key use cases

Gain visibility to all resources provisioned in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment for new and updated resources, and updates the inventory accordingly.
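The reconciliation step that a periodic scan implies (new resources appear, retired ones disappear, changed ones are updated, and the result stays queryable by account, region, and tag) is shown below as an added example. It is not CloudPassage code and it applies equally to the later Inventory features on this page; the field names, the two scan snapshots, and the tag keys are constructed for illustration, not Halo's schema.

```python
"""Added example: merge successive read-only scans into a persistent inventory."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Resource:
    resource_id: str
    resource_type: str
    account_id: str
    region: str
    tags: Dict[str, str] = field(default_factory=dict)
    config_hash: str = ""  # stands in for a digest of the resource's configuration


def update_inventory(inventory: Dict[str, dict], scan: Iterable[Resource], scan_time: str) -> Dict[str, List[str]]:
    """Merge one scan into the inventory; retired resources are kept (inactive) for history."""
    seen = set()
    summary: Dict[str, List[str]] = {"added": [], "removed": [], "changed": []}
    for r in scan:
        seen.add(r.resource_id)
        entry = inventory.get(r.resource_id)
        if entry is None:
            inventory[r.resource_id] = {"resource": r, "first_seen": scan_time, "last_seen": scan_time, "active": True}
            summary["added"].append(r.resource_id)
            continue
        if not entry["active"]:
            summary["added"].append(r.resource_id)  # reappeared after having been retired
        elif entry["resource"].config_hash != r.config_hash:
            summary["changed"].append(r.resource_id)
        entry.update(resource=r, last_seen=scan_time, active=True)
    for rid, entry in inventory.items():
        if rid not in seen and entry["active"]:
            entry["active"] = False  # gone from the account since the last scan
            summary["removed"].append(rid)
    return summary


def query(inventory: Dict[str, dict], **filters) -> List[str]:
    """IDs of active resources matching account_id=/region=/resource_type=, or tag_<key>=<value>."""
    hits = []
    for rid, entry in inventory.items():
        if not entry["active"]:
            continue
        r = entry["resource"]
        if all((r.tags.get(k[4:]) if k.startswith("tag_") else getattr(r, k)) == v for k, v in filters.items()):
            hits.append(rid)
    return sorted(hits)


# Constructed snapshots of one account from two consecutive scans.
SCAN_1 = [
    Resource("i-0a1", "ec2:instance", "111122223333", "us-east-1", {"owner": "payments", "env": "prod"}, "h1"),
    Resource("i-0a2", "ec2:instance", "111122223333", "us-east-1", {"owner": "web", "env": "prod"}, "h2"),
    Resource("sg-01", "ec2:security-group", "111122223333", "us-east-1", {"owner": "web"}, "h3"),
]
SCAN_2 = [
    Resource("i-0a1", "ec2:instance", "111122223333", "us-east-1", {"owner": "payments", "env": "prod"}, "h1"),
    Resource("sg-01", "ec2:security-group", "111122223333", "us-east-1", {"owner": "web"}, "h3-modified"),
    Resource("b-logs", "s3:bucket", "111122223333", "eu-west-1", {"owner": "payments"}, "h4"),
]


def run_demo() -> dict:
    inventory: Dict[str, dict] = {}
    first = update_inventory(inventory, SCAN_1, "2020-06-01T00:00Z")
    second = update_inventory(inventory, SCAN_2, "2020-06-01T06:00Z")
    return {
        "first": first,
        "second": second,
        "payments": query(inventory, tag_owner="payments"),
        "eu_west": query(inventory, region="eu-west-1"),
        "inactive": sorted(rid for rid, e in inventory.items() if not e["active"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Keeping retired resources as inactive entries rather than deleting them is what makes "last observed" reporting and later incident reconstruction possible; a resource that reappears is reported as added again rather than silently reactivated.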

Related Features

Not applicable.

Policies Used

No policy required.

IaaS Resource Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS resources based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment. These comprehensive best practices go above and beyond the CIS benchmarks with over 300 configuration rules across AWS and Azure.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

The report provides a single-pane of glass assessment for all IaaS accounts in a single, filterable view to create reports by owner, account, region, tags, resource type, and other metadata.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.
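The evaluate-then-track loop described above (run applicable rules per resource, open an issue per failed finding, resolve it when a later scan passes) is shown below as an added example. It is not CloudPassage code; the same loop underlies the later per-service Configuration Assessment sections, so the concrete rules here are the storage-bucket checks named in the Storage Service Configuration Assessment section (public ACL, missing default encryption). The rule format, bucket fields, and issue records are assumptions made for illustration.

```python
"""Added example: a minimal policy engine with an issue lifecycle across scans."""
from typing import Dict, List


def no_public_acl(bucket: dict) -> bool:
    return not bucket.get("public_acl", False)


def encryption_enabled(bucket: dict) -> bool:
    return bucket.get("default_encryption") in ("AES256", "aws:kms")


# A rule: the resource type it applies to, a check returning True on pass, and advice on failure.
RULES: List[dict] = [
    {"name": "s3-no-public-acl", "applies_to": "s3:bucket", "check": no_public_acl,
     "remediation": "Remove AllUsers/AuthenticatedUsers grants and enable Block Public Access."},
    {"name": "s3-default-encryption", "applies_to": "s3:bucket", "check": encryption_enabled,
     "remediation": "Enable default server-side encryption (SSE-S3 or SSE-KMS)."},
]


def evaluate(resources: List[dict], rules: List[dict]) -> List[dict]:
    """Run every applicable rule against every resource and return pass/fail findings."""
    findings = []
    for r in resources:
        for rule in rules:
            if rule["applies_to"] != r["type"]:
                continue
            findings.append({"resource_id": r["id"], "rule": rule["name"],
                             "passed": bool(rule["check"](r)), "remediation": rule["remediation"]})
    return findings


def update_issues(issues: Dict[str, dict], findings: List[dict], scan_id: int) -> Dict[str, dict]:
    """Open an issue per failed finding, reopen on regression, resolve when the rule passes again."""
    for f in findings:
        key = f"{f['resource_id']}:{f['rule']}"
        if not f["passed"]:
            issue = issues.setdefault(key, {"status": "open", "opened_scan": scan_id,
                                            "remediation": f["remediation"]})
            if issue["status"] == "resolved":
                issue.update(status="open", opened_scan=scan_id)
            issue["last_scan"] = scan_id
        elif key in issues and issues[key]["status"] == "open":
            issues[key].update(status="resolved", resolved_scan=scan_id)
    return issues


# Constructed bucket configurations from two consecutive scans.
SCAN_1 = [
    {"id": "acme-public-assets", "type": "s3:bucket", "public_acl": True, "default_encryption": None},
    {"id": "acme-billing", "type": "s3:bucket", "public_acl": False, "default_encryption": "aws:kms"},
]
SCAN_2 = [  # the public bucket was locked down and encrypted; a new unencrypted bucket appeared
    {"id": "acme-public-assets", "type": "s3:bucket", "public_acl": False, "default_encryption": "AES256"},
    {"id": "acme-billing", "type": "s3:bucket", "public_acl": False, "default_encryption": "aws:kms"},
    {"id": "acme-tmp", "type": "s3:bucket", "public_acl": False, "default_encryption": None},
]


def run_two_scans() -> Dict[str, dict]:
    issues: Dict[str, dict] = {}
    update_issues(issues, evaluate(SCAN_1, RULES), scan_id=1)
    update_issues(issues, evaluate(SCAN_2, RULES), scan_id=2)
    return issues


if __name__ == "__main__":
    for key, issue in run_two_scans().items():
        print(key, issue)
```

Keying issues on resource plus rule is what lets the second scan close the two findings on acme-public-assets without touching the new finding on acme-tmp; a resolved issue that fails again on a later scan is reopened rather than duplicated.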

Related Features

Not applicable.

Policies Used

  • CIS AWS Foundations Benchmark
  • CloudPassage AWS
  • CloudFormation Best Practices
  • CloudPassage AWS CloudTrail Best Practices
  • CloudPassage AWS EC2 Best Practices
  • CloudPassage AWS ECR Best Practices
  • CloudPassage AWS ECS Best Practices
  • CloudPassage AWS IAM Best Practices
  • CloudPassage AWS Lambda Best Practices
  • CloudPassage AWS RDS Best Practices
  • CloudPassage AWS Route53 Best Practices
  • CloudPassage AWS S3 Best Practices
  • CloudPassage AWS VPC Best Practices
  • CloudPassage Azure Application Gateway Best Practices
  • CloudPassage Azure Compute Best Practices
  • CloudPassage Azure Function Best Practices
  • CloudPassage Azure IAM Best Practices
  • CloudPassage Azure Logging Monitoring Best Practices
  • CloudPassage Azure SQL Best Practices
  • CloudPassage Azure Storage Best Practices
  • CloudPassage Azure Virtual Network Best Practices
  • CloudPassage Azure Web Application Best Practices
  • CIS Azure Foundations Benchmark (2020 roadmap)
  • CIS GCP Foundations Benchmark (2020 roadmap)

IaaS Event Monitoring

Key use cases

Automatically monitor and collect significant security-related events from IaaS accounts that could indicate misuse, misconfiguration, or compromise.

Collect security-related events as required by compliance initiatives.

Detect unwanted behavior such as failed login attempts, logins without MFA, deletion of backups, audit policy changes, IAM changes, object deletion, and more.

Integrate event monitoring with your Security Information Event Management (SIEM) tools for long term storage and correlation with events from other devices.

Comply with PCI and other regulations and standards which require continuous monitoring of system logs.

How it works

Policy templates are provided for AWS, Azure (future roadmap), and GCP (future roadmap) cloud providers that specify which events to collect. These policies allow you to quickly configure IaaS event monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user.

Users configure locations for the Halo IaaS connector to retrieve logs and add the IaaS account to be monitored by Halo.

Halo periodically obtains events matching the policy, and sends them to the Halo Portal where they are enriched with other information about the affected asset including facts and IaaS metadata.

The Halo Portal optionally alerts the user and creates an issue indicating that the event should be investigated. Users can view and obtain a history of events using the Event viewer in the Portal, or through the REST API.

Related Features

Not applicable.

Policies Used

  • AWS CloudTrail Event Monitoring (2020 roadmap)
  • Azure Event Monitoring (future roadmap)
  • GCP Event Monitoring (future roadmap)
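What "events matching the policy" means for AWS CloudTrail is shown below as an added example, not CloudPassage code: a small policy of matchers applied to a CloudTrail log file, covering the behaviors listed under Key use cases (failed logins, logins without MFA, audit logging changes, IAM changes, backup and object deletion). The CloudTrail field names (eventName, responseElements.ConsoleLogin, additionalEventData.MFAUsed, userIdentity.arn, sourceIPAddress) are the real ones; the policy structure and the sample records are constructed for illustration.

```python
"""Added example: match CloudTrail records against an event-monitoring policy."""
import json
from typing import Callable, List, Optional

Matcher = Callable[[dict], Optional[str]]  # returns the alert reason, or None


def failed_console_login(e: dict) -> Optional[str]:
    if e.get("eventName") == "ConsoleLogin" and (e.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        return "failed console login"
    return None


def console_login_without_mfa(e: dict) -> Optional[str]:
    if (e.get("eventName") == "ConsoleLogin"
            and (e.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (e.get("additionalEventData") or {}).get("MFAUsed") != "Yes"):
        return "console login without MFA"
    return None


def any_of(names: set, reason: str) -> Matcher:
    return lambda e: reason if e.get("eventName") in names else None


POLICY: List[Matcher] = [
    failed_console_login,
    console_login_without_mfa,
    any_of({"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}, "audit logging change"),
    any_of({"CreateUser", "DeleteUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
            "AttachRolePolicy"}, "IAM change"),
    any_of({"DeleteDBSnapshot", "DeleteSnapshot", "DeleteBackupVault"}, "backup deletion"),
    # S3 object-level events only appear when the trail has data events enabled.
    any_of({"DeleteObject", "DeleteObjects", "DeleteBucket"}, "object deletion"),
]


def scan_trail(raw_log: str, policy: List[Matcher] = POLICY) -> List[dict]:
    """Return one alert per (record, matcher) hit, carrying the fields an analyst needs first."""
    hits = []
    for e in json.loads(raw_log)["Records"]:
        for matcher in policy:
            reason = matcher(e)
            if reason:
                hits.append({"time": e.get("eventTime"), "reason": reason, "event": e.get("eventName"),
                             "actor": (e.get("userIdentity") or {}).get("arn"),
                             "source_ip": e.get("sourceIPAddress")})
    return hits


# Constructed CloudTrail log file (same shape as a delivered .json file: {"Records": [...]}).
ACCOUNT = "111122223333"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-06-01T10:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-06-01T10:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-06-01T10:02:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/carol"},
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2020-06-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {"name": "org-trail"}, "responseElements": None},
    {"eventTime": "2020-06-01T10:05:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "sourceIPAddress": "203.0.113.5", "responseElements": None},
    {"eventTime": "2020-06-01T10:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {"userName": "backdoor"}},
    {"eventTime": "2020-06-01T10:07:00Z", "eventSource": "rds.amazonaws.com", "eventName": "DeleteDBSnapshot",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {"dBSnapshotIdentifier": "billing-2020-05-31"}},
]})

if __name__ == "__main__":
    for hit in scan_trail(SAMPLE_LOG):
        print(hit)
```

The successful MFA login and the read-only DescribeInstances call produce no alert; StopLogging on the trail is the record that matters most here, since everything after it may be missing from the trail itself.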

IAM Service Monitoring Inventory

Key use cases

Gain visibility to IAM users, access keys, policies, and roles in your IaaS accounts, consolidated in a single view.

Maintain an up-to-date inventory of IAM accounts.

Query the inventory to report on IAM objects by account, when created, and last observed.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, enumerates the IAM users, access keys, policies, and roles in the account, and updates the inventory accordingly, recording when each object was created and when it was last observed.

Related Features

Not applicable.

Policies Used

No policies required.

IAM Service Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS user accounts based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Identify unused access keys, lack of key rotation, lack of user MFA, inactive users, users with expired passwords, and more.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.
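The credential-hygiene checks listed under Key use cases (unused access keys, keys not rotated, console users without MFA, inactive users, stale passwords) are shown below as an added example, not CloudPassage code. The user records are constructed in a shape similar to an AWS credential report; the 90-day thresholds, the fixed scan time, and the field names are assumptions made for illustration.

```python
"""Added example: IAM user and access-key hygiene checks against a fixed scan time."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SCAN_TIME = datetime(2020, 6, 1, tzinfo=timezone.utc)  # fixed so the output is reproducible
MAX_KEY_AGE = timedelta(days=90)
MAX_IDLE = timedelta(days=90)
MAX_PASSWORD_AGE = timedelta(days=90)


def _date(s: Optional[str]) -> Optional[datetime]:
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc) if s else None


def _older_than(s: Optional[str], limit: timedelta) -> bool:
    """True when the date is missing (never happened) or further in the past than the limit."""
    d = _date(s)
    return d is None or SCAN_TIME - d > limit


def assess_user(u: dict) -> List[str]:
    findings = []
    if u["password_enabled"]:
        if not u["mfa_active"]:
            findings.append("console access without MFA")
        if _older_than(u.get("password_last_changed"), MAX_PASSWORD_AGE):
            findings.append("password older than 90 days")
    for key in u.get("access_keys", []):
        if not key["active"]:
            continue  # inactive keys cannot be used, so they are not findings here
        if _older_than(key.get("created"), MAX_KEY_AGE):
            findings.append(f"access key {key['id']} not rotated in 90 days")
        if _older_than(key.get("last_used"), MAX_IDLE):
            findings.append(f"access key {key['id']} unused for 90 days")
    # A user is inactive when neither the password nor any key has been used within the window.
    activity = [_date(u.get("password_last_used"))] + [_date(k.get("last_used")) for k in u.get("access_keys", [])]
    activity = [d for d in activity if d]
    if not activity or SCAN_TIME - max(activity) > MAX_IDLE:
        findings.append("inactive user")
    return findings


def assess_account(users: List[dict]) -> Dict[str, List[str]]:
    return {u["user"]: assess_user(u) for u in users}


# Constructed records; key IDs are placeholders, not real AWS access key IDs.
USERS = [
    {"user": "alice", "password_enabled": True, "mfa_active": True, "password_last_changed": "2020-05-01",
     "password_last_used": "2020-05-30",
     "access_keys": [{"id": "key-alice-1", "active": True, "created": "2020-04-15", "last_used": "2020-05-31"}]},
    {"user": "bob", "password_enabled": True, "mfa_active": False, "password_last_changed": "2019-12-01",
     "password_last_used": "2020-05-28",
     "access_keys": [{"id": "key-bob-1", "active": True, "created": "2019-10-01", "last_used": None}]},
    {"user": "svc-deploy", "password_enabled": False, "mfa_active": False,
     "access_keys": [{"id": "key-deploy-1", "active": True, "created": "2020-05-20", "last_used": "2020-05-31"}]},
    {"user": "carol", "password_enabled": True, "mfa_active": True, "password_last_changed": "2020-04-01",
     "password_last_used": "2020-01-15",
     "access_keys": [{"id": "key-carol-1", "active": False, "created": "2019-01-01", "last_used": "2019-06-01"}]},
]

if __name__ == "__main__":
    for name, findings in assess_account(USERS).items():
        print(name, findings or "ok")
```

A key that has never been used is treated the same as one unused for 90 days: both are standing credentials nobody depends on, which makes them pure risk.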

Related Features

Not applicable.

Policies Used

  • CIS AWS Foundations Benchmark v1.2
  • CloudPassage AWS IAM Best Practices v1.1
  • Azure detection for guest accounts

Virtual Machine Image Inventory

Key use cases

Gain visibility to all virtual machine images provisioned in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

Identify any active workloads created from a specific virtual machine image.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

View the details of each virtual machine image.

Related Features

Not applicable.

Policies Used

No policies required.

Virtual Machine Image Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of virtual machine images and their configured operating systems and applications based on industry best practices.

Ensure that AMIs are not publicly shared, and that they adhere to proper naming conventions.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, prioritize issues for remediation, and get remediation advice to remediate issues before creating server workloads based on the image.

How it works

Spin up the virtual machine image as part of the QA process in your development pipeline. Policy templates are provided for different versions of Windows and Linux operating systems and for many applications such as Apache and MySQL. These policy templates allow rapid compliance with a number of standards, while allowing customization for the individual environment.

Custom policies can also be created from scratch by the user.

Policies can be stacked so that all the right policies are applied to each image. For example, a global OS policy can be applied to all Linux workloads, while an additional policy could be added for servers in the PCI cardholder data environment.

At workload boot time, the Halo microagent runs applicable policy checks and reports findings to the Halo Cloud.

The Halo Cloud analyzes the findings against the policy and provides a report of the results.

The report includes the pass/fail results for each policy rule. For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Requires Server Secure and use of the Halo microagent for operating system and application configuration assessment.

Policies Used

  • CIS Benchmark for Amazon Linux
  • CIS Benchmark CentOS
  • CIS Benchmark Debian
  • CIS Benchmark for Windows Server 2008 R2 through 2019
  • CIS Benchmark for Oracle Linux
  • CIS Benchmark Red Hat Enterprise Linux
  • CIS Benchmark for Ubuntu
  • CloudPassage AWS EC2 Best Practices

Virtual Machine Image Software Vulnerability Assessment

Key use cases

Obtain a software vulnerability assessment for each virtual machine image’s operating system and installed applications based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Prioritize the most critical issues for remediation before creating server workloads based on the image.

How it works

Spin up the virtual machine image as part of the QA process in your development pipeline.

At workload boot time, the Halo microagent inventories the operating system and its installed applications, and provides this data to the Halo Portal.

In turn, the Halo Cloud evaluates the reported operating system and applications for CVEs according to the NVD, and provides a report of the results.

The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE. For each software having one or more CVEs, Halo logs an event, alerts the right user, and creates an issue to track the problem until it is remediated. Exceptions can be created for those CVEs that the user cannot fix.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo detects added and removed software, reassesses for applicable CVEs, and updates existing issues with the latest findings; if existing CVEs have been remediated, their corresponding issues are marked as resolved.

Related Features

Requires Server Secure and use of the Halo microagent.

Policies Used

No policies required.

Virtual Machine Instance Inventory

Key use cases

Gain visibility to virtual machine instances provisioned in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of each virtual machine instance.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Virtual Machine Instance Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of virtual machines based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations on running workloads, prioritize issues for remediation, and get remediation advice.

Ensure that all virtual machines deployed in IaaS environments have a Halo microagent installed for deeper inspection.

How it works

Policy templates are provided for different versions of Windows and Linux operating systems and for many applications such as Apache and MySQL. These policy templates allow rapid compliance with a number of standards, while allowing customization for the individual environment.

Custom policies can also be created from scratch by the user.

Policies can be stacked so that all the right policies are applied to each workload. For example, a global OS policy can be applied to all Linux workloads, while an additional policy could be added for servers in the PCI cardholder data environment.

At workload boot time, the Halo microagent runs applicable policy checks and reports findings to the Halo Portal.

The Halo Portal analyzes the findings against the policy and provides a report of the results.

The report includes the pass/fail results for each policy rule.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Requires Server Secure and use of the Halo microagent.

Policies Used

  • CIS Benchmark for Amazon Linux
  • CIS Benchmark CentOS
  • CIS Benchmark Debian
  • CIS Benchmark for Windows Server 2008 R2 through 2019
  • CIS Benchmark for Oracle Linux
  • CIS Benchmark Red Hat Enterprise Linux
  • CIS Benchmark for Ubuntu
  • Apache
  • Cassandra
  • Docker
  • Kubernetes MasterNode & WorkerNode
  • Microsoft Internet Information Server (IIS)
  • Microsoft SQL Server
  • MongoDB
  • MySQL
  • Nginx
  • PostgreSQL
  • Tomcat
  • WordPress

Virtual Machine Instance Software Vulnerability Assessment

Key use cases

Obtain a software vulnerability assessment for each workload’s operating system and installed applications based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Prioritize the most critical issues for remediation.

Find any workloads with a specific software/version installed, those having a specific CVE, or missing a specific Windows KB (patch).

Continuously monitor and assess for software vulnerabilities over the lifetime of the server workload.

How it works

At workload boot time, the Halo microagent inventories the operating system and its installed applications, and provides this data to the Halo Portal.

In turn, the Halo Cloud evaluates the reported operating system and applications for CVEs according to the NVD, and provides a report of the results.

The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE. For each software having one or more CVEs, Halo logs an event, alerts the right user, and creates an issue to track the problem until it is remediated. Exceptions can be created for those CVEs that the user cannot fix.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo detects added and removed software, reassesses for applicable CVEs, and updates existing issues with the latest findings; if existing CVEs have been remediated, their corresponding issues are marked as resolved.

Related Features

Requires Server Secure and use of the Halo microagent.

Policies Used

No policies required.

Virtual Machine Instance Integrity Monitoring

Key use cases

Confirm integrity of new workloads against their source image, and detect unauthorized changes made to a running workload by checking for changes to important system files and registry keys.

How it works

Policy templates are provided for different versions of Windows and Linux operating systems that specify critical system files and registry keys to monitor in order to detect unauthorized changes. These policy templates allow you to quickly configure integrity monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user.

For each policy, baselines can be created based on the source image. As workloads are deployed, the Halo microagent creates SHA-256 cryptographic hashes of the files and registry keys specified by the policy, in addition to permissions for each object, and sends the information to Halo. These are compared to baselines and a report is provided with the results.

The report includes the pass/fail results for each object in the scan. Files that have had permissions or data modified, have been added, or have been removed as compared to the baseline will generate failed findings.

For each failed finding, Halo optionally alerts the right user and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.
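The baseline-and-compare mechanism described above (SHA-256 of each monitored object plus its permission bits, then added/removed/modified findings against the baseline) is shown below for files as an added example, not CloudPassage code. It builds a throwaway directory tree, baselines it, tampers with it, and reports the differences; the monitored paths and the tampering are constructed, and Windows registry keys are not covered.

```python
"""Added example: file integrity baseline and comparison with SHA-256 and permission bits."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Constructed policy: two files and one directory (directories are walked recursively).
POLICY = ["etc/passwd", "etc/ssh/sshd_config", "etc/cron.d"]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _describe(path: str) -> dict:
    return {"sha256": _sha256(path), "mode": stat.S_IMODE(os.stat(path).st_mode)}


def snapshot(root: str, policy: List[str] = POLICY) -> Dict[str, dict]:
    """Hash and permission bits of every monitored object under root."""
    result = {}
    for entry in policy:
        full = os.path.join(root, entry)
        if os.path.isdir(full):
            for dirpath, _, files in os.walk(full):
                for name in files:
                    p = os.path.join(dirpath, name)
                    result[os.path.relpath(p, root).replace(os.sep, "/")] = _describe(p)
        elif os.path.isfile(full):
            result[entry] = _describe(full)
    return result


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Failed findings: objects added, removed, or changed in content or permissions."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed"))
        elif path not in baseline:
            findings.append((path, "added"))
        else:
            if baseline[path]["sha256"] != current[path]["sha256"]:
                findings.append((path, "content modified"))
            if baseline[path]["mode"] != current[path]["mode"]:
                findings.append((path, "permissions changed"))
    return findings


def _write(root: str, rel: str, text: str, mode: int = 0o644) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def demo() -> List[Tuple[str, str]]:
    """Baseline a constructed tree, tamper with it the way an intruder might, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/cron.d/logrotate", "0 3 * * * root /usr/sbin/logrotate\n")
        baseline = snapshot(root)
        # Tampering: a second UID-0 account, changed permissions, a new cron job, a removed one.
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/root:/bin/bash\n")
        os.chmod(os.path.join(root, "etc/ssh/sshd_config"), 0o444)
        _write(root, "etc/cron.d/backdoor", "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "etc/cron.d/logrotate"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, what in demo():
        print(f"{what:20} {path}")
```

Hashing catches the edited passwd file even though its size and name are unchanged; recording permission bits separately catches the sshd_config change, which has no effect on the hash at all.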

Related Features

Requires Server Secure and use of the Halo microagent.

Policies Used

  • Core Registry Keys (Windows Server 2008 R2 through 2019)
  • Core System Files (Amazon Linux)
  • Core System Files (CentOS)
  • Core System Files (Debian)
  • Core System Files (Oracle Linux)
  • Core System Files (Red Hat)
  • Core System Files (Ubuntu)
  • Linux Privilege Escalation Detection
  • HAProxy
  • Kubernetes MasterNode and Workernode
  • Microsoft Internet Information Server (IIS)
  • Microsoft SQL Server
  • MongoDB
  • WordPress

Virtual Machine Instance Event Monitoring

Key use cases

Automatically monitor and collect significant security-related events from server operating systems and running applications that could indicate misuse, misconfiguration, or compromise.

Detect unwanted behavior such as attempted logins to immutable systems, logins as specific users such as "root" or "administrator", privileged changes, addition, deletion, or modification of user accounts, changes to audit policies, and installation or removal of software.

Integrate event monitoring with your Security Information Event Management (SIEM) tools for long term storage and correlation with events from other devices.

Comply with PCI and other regulations and standards which require continuous monitoring of system logs.

How it works

Policy templates are provided for different versions of Windows and Linux operating systems that specify log files and events to collect in order to detect and alert on unwanted activity. These policies allow you to quickly configure server event monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user.

When the workload is active, the Halo microagent scans the specified logs for events matching the policy every 5 minutes. Events matching the policy are collected and sent to the Halo Cloud where they are enriched with other information collected about the server including facts and IaaS metadata.

The Halo Portal optionally alerts the user and creates an issue indicating that the event should be investigated.

Users can view and obtain a history of significant server events using the Event viewer in the Portal, or through the REST API.
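The log-scanning step described above, with enrichment from host facts and IaaS metadata, is shown below as an added example, not CloudPassage code. It parses constructed syslog lines in the real formats emitted by sshd, useradd, and sudo, and raises the events listed under Key use cases (logins to immutable systems, logins as root, account additions, privileged commands, failed logins). The host facts, the immutable flag, and the event record layout are assumptions made for illustration.

```python
"""Added example: policy-driven scanning of Linux auth logs with host-fact enrichment."""
import re
from typing import Dict, List, Tuple

# Constructed host facts and IaaS metadata (assumed schema, not Halo's).
HOST_FACTS: Dict[str, dict] = {
    "web-01": {"immutable": True, "instance_id": "i-0a1", "account_id": "111122223333", "region": "us-east-1"},
    "db-01": {"immutable": False, "instance_id": "i-0b7", "account_id": "111122223333", "region": "us-east-1"},
}
PRIVILEGED_ACCOUNTS = {"root", "administrator"}

# Message patterns follow the real formats of sshd, shadow-utils (useradd/userdel) and sudo.
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
USERADD = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
USERDEL = re.compile(r"userdel\[\d+\]: delete user '(?P<user>[^']+)'")
SUDO = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")


def classify(host: str, msg: str, facts: Dict[str, dict] = HOST_FACTS) -> List[Tuple[str, str]]:
    """(reason, detail) pairs for one message; empty when the policy does not care about it."""
    out = []
    m = LOGIN.search(msg)
    if m:
        if m["user"].lower() in PRIVILEGED_ACCOUNTS:
            out.append(("login as privileged account", f"{m['user']} from {m['ip']}"))
        if facts.get(host, {}).get("immutable"):
            out.append(("login to immutable system", f"{m['user']} from {m['ip']}"))
    m = FAILED.search(msg)
    if m:
        out.append(("failed login", f"{m['user']} from {m['ip']}"))
    m = USERADD.search(msg)
    if m:
        out.append(("user account added", m["user"]))
    m = USERDEL.search(msg)
    if m:
        out.append(("user account deleted", m["user"]))
    m = SUDO.search(msg)
    if m:
        out.append(("privileged command", f"{m['user']} ran {m['cmd']}"))
    return out


def scan_lines(lines: List[str], facts: Dict[str, dict] = HOST_FACTS) -> List[dict]:
    """Collect matching events and enrich each with the host's IaaS metadata."""
    events = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        host = m["host"]
        meta = {k: v for k, v in facts.get(host, {}).items() if k != "immutable"}
        for reason, detail in classify(host, m["msg"], facts):
            events.append({"time": m["ts"], "host": host, "reason": reason, "detail": detail, "iaas": meta})
    return events


# Constructed auth.log excerpt.
SAMPLE_LOG = [
    "Jun  1 10:01:02 web-01 sshd[1234]: Accepted publickey for root from 203.0.113.5 port 51234 ssh2: RSA SHA256:abc123",
    "Jun  1 10:01:10 web-01 sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Jun  1 10:02:00 web-01 useradd[1300]: new user: name=backdoor, UID=1002, GID=1002, home=/home/backdoor, shell=/bin/bash",
    "Jun  1 10:02:30 web-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo backdoor",
    "Jun  1 10:03:00 web-01 CRON[1400]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Jun  1 10:04:00 web-01 sshd[1500]: Accepted publickey for alice from 10.0.0.9 port 50000 ssh2",
    "Jun  1 10:04:30 db-01 sshd[1600]: Accepted publickey for alice from 10.0.0.9 port 50001 ssh2",
]

if __name__ == "__main__":
    for ev in scan_lines(SAMPLE_LOG):
        print(ev)
```

The same login by alice is an event on web-01 and silence on db-01: only the host fact marking web-01 immutable makes it reportable, which is why enrichment has to happen before alerting, not after.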

Related Features

Requires Server Secure and use of the Halo microagent.

Policies Used

  • Core System (Amazon Linux)
  • Core System (CentOS)
  • Core System (Debian)
  • Core System (Red Hat)
  • Core System (Ubuntu)
  • Core System (Windows Server 2008 R2 through 2019)
  • Auditd – Integrity policy
  • Auditd – Abnormal behavior policy
  • Auditd – Access policy
  • Auditd – Configuration policy
  • Auditd – Cryptographic policy
  • Auditd – Daemon policy
  • Auditd – Storage policy
  • Auditd – System policy
  • Auditd – Malicious Activity policy
  • Cross Site Scripting (XSS) Detection

Network Inventory

Key use cases

Gain visibility to all IaaS network service components in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of virtual private networks, subnets, ACLs, security groups, firewall rules, and load balancers.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment for new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Network Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of network services based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover misconfigured network objects, such as those allowing unrestricted access inbound or outbound, or allowing access to dangerous ports.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.
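The network checks named under Key use cases (unrestricted inbound or outbound access, and exposure of dangerous ports) are shown below as an added example, not CloudPassage code. The security groups use the field names returned by the AWS EC2 API (IpPermissions, IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges, IpPermissionsEgress); the groups themselves and the list of dangerous ports are constructed for illustration.

```python
"""Added example: flag security groups open to the internet on sensitive ports or all ports."""
import ipaddress
from typing import Dict, List, Tuple

DANGEROUS_PORTS = {22: "ssh", 1433: "mssql", 3306: "mysql", 3389: "rdp", 5432: "postgres",
                   6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}


def _unrestricted(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 both parse to a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm: dict) -> Tuple[int, int]:
    if perm["IpProtocol"] == "-1":  # "all traffic": no FromPort/ToPort in the API response
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def _cidrs(perm: dict) -> List[str]:
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def assess_security_group(sg: dict) -> List[str]:
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        lo, hi = _port_range(perm)
        for cidr in _cidrs(perm):
            if not _unrestricted(cidr):
                continue
            if (lo, hi) == (0, 65535):
                findings.append(f"{gid}: all ports and protocols open to {cidr}")
                continue
            exposed = [f"{p}/{name}" for p, name in sorted(DANGEROUS_PORTS.items()) if lo <= p <= hi]
            if exposed:
                findings.append(f"{gid}: {', '.join(exposed)} open to {cidr}")
    for perm in sg.get("IpPermissionsEgress", []):
        if _port_range(perm) == (0, 65535) and any(_unrestricted(c) for c in _cidrs(perm)):
            findings.append(f"{gid}: unrestricted egress")
            break
    return findings


def assess_all(groups: List[dict]) -> Dict[str, List[str]]:
    return {sg["GroupId"]: assess_security_group(sg) for sg in groups}


# Constructed groups: a web tier, a bastion, and a database group with a mistaken "all traffic" rule.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
         {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    for gid, findings in assess_all(SAMPLE_GROUPS).items():
        print(gid, findings or "ok")
```

The MySQL rule on sg-db is fine because its source is another security group rather than a CIDR; the IPv6 "all traffic" rule beside it is the kind of finding that is easy to miss when only IPv4 ranges are reviewed.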

Related Features

Not applicable.

Policies Used

  • CIS AWS Foundations Benchmark
  • CIS Azure Foundations Benchmark (2020 roadmap)
  • CloudPassage AWS EC2 Best Practices
  • CloudPassage AWS VPC Best Practices
  • CloudPassage Azure Virtual Network Best Practices

Storage Service Inventory

Key use cases

Gain visibility to storage services in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of each storage bucket.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Storage Service Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS storage services based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover internet exposed storage buckets, those with insecure read/write permissions, those without encryption, and more.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CIS AWS Foundations Benchmark
  • CloudPassage AWS S3 Best Practices
  • CloudPassage Azure Storage Account Best Practices

Database Service Inventory

Key use cases

Gain visibility to IaaS database services in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Database Service Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS database services based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover misconfigured databases, including lack of encryption, publicly accessible instances, listening on default ports, and more.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CIS AWS Foundations Benchmark
  • CloudPassage AWS RDS Best Practices
  • CloudPassage Azure SQL Best Practices

Logging and Monitoring Service Inventory

Key use cases

Gain visibility to IaaS logging and monitoring services in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of objects such as AWS CloudTrails and Azure Log Profiles.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Logging and Monitoring Service Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS logging and monitoring services based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover misconfigured auditing settings, including lack of logging for certain events, poor log retention, and failure to encrypt and otherwise protect log stores from tampering.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CIS AWS Foundations Benchmark
  • CloudPassage AWS CloudTrail Best Practices
  • CloudPassage Azure Logging Monitoring Best Practices

Serverless Function Inventory

Key use cases

Gain visibility to all serverless functions in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of each serverless function.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Serverless Function Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of serverless functions based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment; over 20 configuration checks are provided for serverless applications across AWS and Azure.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover internet-exposed functions, functions with admin privileges, expired certificates, and more.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CloudPassage AWS Lambda Best Practices
  • CloudPassage Azure Function Application Best Practices

Key Management Service Inventory

Key use cases

Gain visibility to key management services in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of each encryption key.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Key Management Service Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS key management services based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover keys that have not been rotated, keys that are not well protected, and keys whose access logs are not encrypted.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CIS AWS Foundations Benchmark

DNS Service Inventory

Key use cases

Gain visibility to DNS services in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of each hosted zone and domain.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

DNS Service Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS DNS services based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover misconfigured hosted zones and domains including dangling DNS records, private DNS records in public zones, hosted zones without SPF records, and lack of domain transfer locks.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CloudPassage AWS Route53 Best Practices

Infrastructure-As-Code Services Inventory

Key use cases

Gain visibility to infrastructure-as-code services in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of resources such as CloudFormation stacks.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Infrastructure-As-Code Services Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS infrastructure-as-code services based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover misconfigured stacks, such as those granted too many permissions or lacking termination protection or audit logging.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CloudPassage AWS CloudFormation Best Practices

API Management Service Inventory

Key use cases

Gain visibility to IaaS API management services in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of each API.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Web Application Inventory

Key use cases

Gain visibility to IaaS web applications in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of each web app.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Web Application Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS web application services based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover misconfigured web apps, including those without SSL certificates or with expired certificates, those using outdated libraries, those not using HTTPS, and those allowing FTP access.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CloudPassage Azure Web Application Best Practices

Certificate Service Inventory

Key use cases

Gain visibility to IaaS certificate services in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of each certificate.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Certificate Service Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS certificate services based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover expired certificates and those that will expire within a certain time period, as well as those that are improperly attached to your AWS root account.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CloudPassage AWS IAM Best Practices

Container Registry Service Inventory

Key use cases

Gain visibility to IaaS container registry services in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of each registry.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Container Registry Service Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS container registry services based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover registries exposed by incorrect policies or cross-account access.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CloudPassage AWS ECR Best Practices

Container Service Inventory

Key use cases

Gain visibility to IaaS container services in each IaaS account, consolidated in a single view.

Maintain an up-to-date inventory as resources come and go with infrastructure deployments.

Query the inventory to report on resources by owner, account ID, region, tags, and other metadata.

View the details of clusters, tasks, task definitions, and containers.

How it works

Halo periodically connects to each configured IaaS account using read-only API permissions, scans the IaaS environment to discover new and updated resources, and updates the inventory accordingly.

Related Features

Not applicable.

Policies Used

No policies required.

Container Service Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of IaaS container services based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Query the findings to obtain reports by owner, account ID, region, tags, and other metadata.

Discover misconfigurations and continuously monitor your ECS clusters and their container instances, tasks, and task definitions for secure configuration to help prevent potential attacks or breach attempts.

How it works

Policy templates are provided for IaaS Services in AWS, Azure, and GCP (coming soon). These policies allow rapid compliance with a number of standards, while allowing customization for the individual environment.

For each resource discovered in the inventory process, Halo runs applicable policy rules and provides a report of the findings.

For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CloudPassage AWS ECS Best Practices